HoneyBow Sensor
Release Notes
The Chinese Honeynet Project is proud to announce the release of HoneyBow sensor v0.1.0, a malware collection tool based on the high-interaction honeypot principle, published under the GPL license. HoneyBow sensor is released under the name of mwcollect.org, and it can be integrated with nepenthes (based on the low-interaction honeypot principle) and the mwcollect Alliance’s GOTEK architecture to achieve a highly integrated malware collection solution.
HoneyBow's value for collecting zero-day malware has been demonstrated through practical deployment and in-the-wild malware collection by the Chinese Honeynet Project. For instance, last year’s Dasher.B and the latest Mocbot have been caught successfully.
Components
HoneyBow sensor consists of the following three components:
1. MwWatcher malware collection tool
MwWatcher is a program which monitors honeypot file system changes in real time and catches potential malware. It currently only runs on a Win32 guest system.
2. MwFetcher malware collection tool
MwFetcher is a program which extracts potential malware from a VMware virtual disk (or physical disk) by comparing the infected file list with the clean file list. It currently only runs on Linux.
3. MwSubmitter malware submit tool
MwSubmitter is a program which submits potential malware samples collected by MwWatcher and MwFetcher to the mwcollect Alliance using the G.O.T.E.K. protocol. It currently only runs on Linux.
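The list comparison that MwFetcher is described as performing can be illustrated as follows. This is an added example, not HoneyBow's own code: it assumes the clean and infected disks are available as read-only mounted directory trees and that each file list is a path-to-SHA-256 manifest, and the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable file: leave it out rather than abort the scan
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def diff_manifests(clean, infected):
    """Return (added, modified) paths: the candidate samples worth extracting."""
    added = sorted(p for p in infected if p not in clean)
    modified = sorted(p for p in infected if p in clean and infected[p] != clean[p])
    return added, modified

def demo():
    """Constructed sample: two small trees standing in for mounted disk images."""
    with tempfile.TemporaryDirectory() as base:
        clean_root = os.path.join(base, "clean")
        infected_root = os.path.join(base, "infected")
        layout = {
            clean_root: {"system32/notepad.exe": b"original", "boot.ini": b"cfg"},
            infected_root: {"system32/notepad.exe": b"patched", "boot.ini": b"cfg",
                            "system32/dropped.exe": b"new-binary"},
        }
        for root, files in layout.items():
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return diff_manifests(build_manifest(clean_root), build_manifest(infected_root))

if __name__ == "__main__":
    added, modified = demo()
    print("added:", added)
    print("modified:", modified)
```

Files that are unchanged between the two manifests are ignored, so only new or altered files are queued as potential malware.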
Download
Check out the latest version from our svn or download packages from SourceForge.
Deployment
HoneyBow can be easily deployed with VMware honeypots by following this HOWTO document. It can also be deployed with physical honeypots, but this is more complicated and needs a complex recovery procedure to achieve automatic malware collection. The Chinese Honeynet Project is working on the PotManager honeypot management tool, and we will release it as an open source tool in the near future.
