Monkey.org Developments
Honeyd Mailing List

Honeyd Resources

Main - News - Forums 
Download Releases
General Information [Mirror]
Frequently Asked Questions
Sample Configurations
Tools - Service Scripts
Blog - New
Links, Press, etc.
Mailing List Archive
Acknowledgments


Honeyd Research

Immunization Against Worms
Understanding Spam
Performance

Honeypot Resources

Honeypot Background
Honeypot Concepts

Honeypot Books


Virtual Honeypots,
Niels Provos and Thorsten Holz

Happy Hacking

Reduce wishlists
Leave a tip with PayPal

Support Honeyd

Search:
Keywords:

Search Amazon

  		 

kfSubSeven: new honeypot emulation of the ever popular SubSeven trojan server

From: Tom Wright <tom_at_keyfocus.net>
Date: Tue, 11 Nov 2003 15:22:39 -0000



We have just released kfSubSeven, a honeypot emulation of the ever popular


SubSeven trojan server.



kfSubSeven behaves just like a real thing, but without the unpleasant


consequences.



It is a self contained application which is designed to work within a


honeypot system, it will not work by itself.


kfSubSeven is not part of the KFSensor system, but can be used to add to its


capabilities.


Unlike KFSensor, this application is released as open source under the GNU


General Public License.


kfSubSeven works well within KFSensor and should also work under Honeyd on


Windows.


If you want to use it on Linux or anything else, it will need a few changes


to the code.


Over 90% of the code is pure ANSI C, but there are a few Windows API calls


that will need replacing to make it portable.



Here are some of the kfSubSeven highlights:


    - Lets the client chat to the honeypot.


        SubSeven has a chat feature called 'The Matrix' that makes the


victim's machine behave like it does in the film where Neo is first


contacted. kfSubSeven quotes lines from the film back at the hacker. :-)


    - Lets the client browse the files on the computer


    - Lets the client upload files. These are placed in a secure area for


later analysis.


    - Lets the client download files. These are special honey token files


that you want people to see.


    - Lets the client obtain the systems passwords



Of course none of the data the client can access is genuine.



You can download both the pre-compiled exe, the source and all the


supporting from files by going to


http://www.keyfocus.net/kfsensor/


and then selecting the Extras sub-menu.



If you don't run you own honeypot then there is an attack log of a real


SubSeven attack that you might find interesting.


http://www.keyfocus.net/kfsensor/extras/subsevenexample1.php



We have a lot of fun with kfSubSeven, already we have captured 8 pieces of


malware with no anti-virus signature.



We would welcome any comments and code enhancements or attack logs.



- Tom Wright


www.keyfocus.net


Received on Tue Nov 11 2003 - 12:17:26 PST





















Search For Information











Google








 Search WWW  Search www.honeyd.org 



















NB: This is a filtered version of the Honeypots mailing list. Only posts that concern Honeyd are shown here. For more recent discussions visit the forums.

 











Last modified: June 13 2004 02:53:28 AM


Copyright (c) 1999-2004 by Niels Provos

Don't access my pirated music.