[nepenthes] New malware coming in
I was just wondering why my ClamAV did not detect the fetched malware as "malware" and instead just reported OK. But then, nepenthes already classified it as a "suspicious binary".. and why would a binary be sent to my honeypot anyway?
I also created a cron job to ensure that ClamAV updates its definitions six times per day.
This is the first time I have been alerted by the malware submission since I enabled the submit_norman.so line.
My very own first automated malware submission
The other links were redirected to Joebox.. it just shows this stuff along with a zip file containing reports of the analyzed malware:
The attached zip document contains all kinds of behaviour information which Joebox has detected.
Please note that Joebox currently only analyses file system, registry system and process system behaviour.
Analysis information about network, services and thread activities will be added in the coming months.
The analysis machine which executes your submitted binaries has no access to the internet.
An always-available internet connection is too high a risk, either of being detected (via DNS) or of being controlled by malware (we use real machines for analysis) which bypasses the disk protection tools we use.
Best regards
Joe Security
Hehe.. nice ;) .. you know what, this submission alert was received after the power trip/network problem here was resolved. It means I should have got this alert earlier..
It seems that this network segment contains a lot of "harta karun" or "hidden treasure" which is still unexplored.... looking at this ClamAV scan, 3 binaries are yet to be defined..
root@nuvox:/var/lib/nepenthes/binaries# clamscan *
0c6734accaf1d500a388f690a1ef3a76: OK
381dd5ff2ef3993bd92923626ee7948a: OK
3d39a29913a2fe54009d491b89b01ab4: W32.Virut.ca FOUND
8e072862754ef6e80831d2fd50376b43: Trojan.DsBot-15 FOUND
ba106399aad8b515319f52fac4794a73: OK
c2f699282a7a16ecf554cfbaa2724204: W32.Virut.ci FOUND
----------- SCAN SUMMARY -----------
Known viruses: 309947
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 6
Infected files: 3
Data scanned: 0.25 MB
Time: 12.340 sec (0 m 12 s)
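The scan above is the useful part of this workflow: the hashes ClamAV reports as OK are exactly the ones nepenthes caught but no signature covers yet, so they are the candidates to push to a sandbox by hand. Below is an added triage script (my own example, not the post's or nepenthes' code) that runs clamscan over the binaries directory, splits the output into detected and undetected samples, and carries the freshclam cron line the post mentions as a comment. The path /var/lib/nepenthes/binaries comes from the post; the embedded sample scan output is constructed from the hashes shown above so the script also runs where clamscan is not installed.

```shell
#!/bin/sh
# Added example: triage the nepenthes binaries directory with ClamAV and
# list the samples that ClamAV still calls OK (candidates for sandbox
# submission). Not part of the original post or of nepenthes.
#
# Keep signatures current; six updates a day, as the post's cron job does:
#   0 */4 * * * /usr/bin/freshclam --quiet

BIN_DIR=/var/lib/nepenthes/binaries   # path shown in the post

# clamscan prints one "<file>: <verdict>" line per file before its summary.
# Read that output on stdin and print only the filenames marked OK.
undetected_from_scan() {
    awk -F': ' '/: OK$/ { print $1 }'
}

# Read clamscan output on stdin and print "<file>: <signature>" for hits.
detected_from_scan() {
    awk -F': ' '/ FOUND$/ { sub(/ FOUND$/, "", $2); print $1 ": " $2 }'
}

# Constructed sample of clamscan output (hashes taken from the post) so the
# script can be exercised offline, without clamscan or the binaries.
SAMPLE_SCAN='0c6734accaf1d500a388f690a1ef3a76: OK
3d39a29913a2fe54009d491b89b01ab4: W32.Virut.ca FOUND
8e072862754ef6e80831d2fd50376b43: Trojan.DsBot-15 FOUND
ba106399aad8b515319f52fac4794a73: OK
----------- SCAN SUMMARY -----------
Known viruses: 309947
Infected files: 2'

# Scan the real directory when it exists and clamscan is available;
# otherwise fall back to the constructed sample.
scan_dir() {
    if [ -d "$BIN_DIR" ] && command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary "$BIN_DIR"/*
    else
        printf '%s\n' "$SAMPLE_SCAN"
    fi
}

main() {
    out=$(scan_dir)
    echo "Detected by ClamAV:"
    printf '%s\n' "$out" | detected_from_scan
    echo "Undetected (candidates for sandbox submission):"
    printf '%s\n' "$out" | undetected_from_scan
}

main
```

Run it from cron after freshclam has updated, and feed the "undetected" list to whatever submission module you have enabled; once a signature lands, the hash drops out of that list on the next run.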