The Nepenthes Platform: An Efficient Approach to Collect Malware

  • Paul Baecher
  • Markus Koetter
  • Thorsten Holz
  • Maximillian Dornseif
  • Felix Freiling
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


Up to now, there is little empirically backed quantitative and qualitative knowledge about self-replicating malware publicly available. This hampers research in these topics because many counter-strategies against malware, e.g., network- and host-based intrusion detection systems, need hard empirical data to take full effect.

We present the nepenthes platform, a framework for large-scale collection of information on self-replicating malware in the wild. The basic principle of nepenthes is to emulate only the vulnerable parts of a service. This leads to an efficient and effective solution that offers many advantages compared to other honeypot-based solutions. Furthermore, nepenthes offers a flexible deployment solution, leading to even better scalability. Using the nepenthes platform we and several other organizations were able to greatly broaden the empirical basis of data available about self-replicating malware and provide thousands of samples of previously unknown malware to vendors of host-based IDS/anti-virus systems. This greatly improves the detection rate of this kind of threat.


Honeypots Intrusion Detection Systems Malware 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anagnostakis, K., Sidiroglou, S., Akritidis, P., Xinidis, K., Markatos, E., Keromytis, A.: Detecting Targeted Attacks Using Shadow Honeypots. In: Proceedings of the 14th USENIX Security Symposium (2005)Google Scholar
  2. 2.
    Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 2005) (2005)Google Scholar
  3. 3.
    Balas, E., Viecco, C.: Towards a Third Generation Data Capture Architecture for Honeynets. In: Proceeedings of the 6th IEEE Information Assurance Workshop, West Point. IEEE, Los Alamitos (2005)Google Scholar
  4. 4.
    Team Cymru: The Darknet Project. Internet (accessed 2006),
  5. 5.
    Dagon, D., Zou, C., Lee, W.: Modeling Botnet Propagation Using Time Zones. In: Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS 2006) (2006)Google Scholar
  6. 6.
    Freiling, F.C., Holz, T., Wicherski, G.: Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 319–335. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Holz, T.: A Short Visit to the Bot Zoo. IEEE Security & Privacy 3(3), 76–79 (2005)CrossRefGoogle Scholar
  8. 8.
    Holz, T.: Spying With Bots. USENIX; login 30(6), 18–23 (2005)Google Scholar
  9. 9.
    Jiang, X., Xu, D.: Collapsar: A vm-based architecture for network attack detention center. In: Proceedings of 13th USENIX Security Symposium (2004)Google Scholar
  10. 10.
    McCarty, B.: Automated Identity Theft. IEEE Security & Privacy 1(5), 89–92 (2003)CrossRefGoogle Scholar
  11. 11.
    Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Network Telescopes. Technical Report TR-2004-04, CAIDA (2004)Google Scholar
  12. 12.
    Moore, D., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-Service Activity. In: Proceedings of the 10th USENIX Security Symposium (August 2001)Google Scholar
  13. 13.
    Portokalidis, G.: Argos: An Emulator for Capturing Zero-Day Attacks. Internet (accessed 2006),
  14. 14.
    Provos, N.: A Virtual Honeypot Framework. In: Proceedings of 13th USENIX Security Symposium, pp. 1–14 (2004)Google Scholar
  15. 15.
    Rajab, M.A., Terzis, A.: On the Effectiveness of Distributed Worm Monitoring. In: Proceedings of the 14th USENIX Security Symposium (2005)Google Scholar
  16. 16.
    Shinoda, Y., Ikai, K., Itoh, M.: Vulnerabilities of Passive Internet Threat Monitors. In: Proceedings of the 14th USENIX Security Symposium (2005)Google Scholar
  17. 17.
    Staniford, S., Moore, D., Paxson, V., Weaver, N.: The Top Speed of Flash Worms. In: ACM Workshop on Rapid Malcode (WORM) (2004)Google Scholar
  18. 18.
    Symantec. Mantrap. Internet (accessed, 2006),
  19. 19.
    Vanderavero, N., Brouckaert, X., Bonaventure, O., Le Charlier, B.: The HoneyTank: a scalable approach to collect malicious Internet traffic. In: Proceedings of the International Infrastructure Survivability Workshop (2004)Google Scholar
  20. 20.
    Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A.C., Voelker, G.M., Savage, S.: Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. In: Proceedings of the ACM Symposium on Operating System Principles (SOSP) (2005)Google Scholar
  21. 21.
    Wang, K.: Honeyclient. Internet (accessed, 2006),
  22. 22.
    Wang, Y.-M., Beck, D., Verbowski, C., Chen, S., King, S., Jiang, X., Roussev, R.: Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In: Proceedings of the 13th Network and Distributed System Security Symposium (NDSS 2006) (2006)Google Scholar
  23. 23.
    Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 146–165. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Paul Baecher
    • 1
  • Markus Koetter
    • 1
  • Thorsten Holz
    • 2
  • Maximillian Dornseif
    • 2
  • Felix Freiling
    • 2
  1. 1.Nepenthes Development Team 
  2. 2.Laboratory for Dependable Distributed SystemsUniversity of Mannheim 

Personalised recommendations