Gentoo Forums
Botnet research. Isolation?
Forum: Networking & Security
machinelou
Apprentice
Joined: 05 Apr 2003
Posts: 267

Posted: Tue Mar 15, 2005 3:44 pm    Post subject: Botnet research. Isolation?

There's an interesting article on Slashdot today about how the honeypot project has been collecting data on botnets. As most people who run ssh know, it is possible to see hundreds of guest:guest or test:test attempted logins a month. There have been previous posts with suggestions about reducing the number of attempted logins using rules or filters or changing the default ssh port; however, as the article points out, it might be possible to attempt to reverse engineer the bots to get information about their structure / communication protocol / etc... This information is probably useful.

With this in mind, I've been thinking about how to catch a bot in a way that it can be observed, its access to the outside world can be limited (by just bandwidth) and sniffed, and so that it is unlikely to be able to affect the "host" machine or other machines on my network. I'm considering running VMware to install a stripped-down version of Gentoo on top of my current Gentoo install (the "host" machine). The idea being that I create a test:test account in the VMware install, turn on ssh to the outside world, and wait. Once I find out that a bot has been installed, I try to track down any recent files that have been created and/or begin sniffing. Using VMware seems like the cleanest and safest way to go about this; however, I'm open to simpler alternatives. What about creating a test:test account whose shell locks it into a chrooted subdirectory? How would I control bandwidth? I wouldn't want to take part in a DDoS attack or anything, so I'd need a way to isolate a specific user from the network. Is that even possible?

Also, I'd like to hear any suggestions or comments you might have about this plan. Thanks
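One way to cage a single account's outbound traffic on a Linux box, added here as an example and not part of any post in this thread: iptables can match locally generated packets by the owning uid, so the bait account's traffic can be logged, held to a packet budget, and otherwise dropped, without touching the rest of the machine. The uid, the rate values, the chain name and the SMTP block are placeholders chosen for illustration; set IPTABLES to "echo iptables" to see the rules without applying them.

```shell
#!/bin/sh
# Added example (not from the thread): egress containment for a honeypot
# account using the iptables owner match. Assumptions: a Linux host with
# iptables and the owner/limit match modules, rules loaded on the machine
# where the bait account actually runs (the VM guest in the original plan).
# HONEY_UID, RATE and BURST are constructed placeholder values.
HONEY_UID="${HONEY_UID:-1001}"     # uid of the test:test account (constructed)
RATE="${RATE:-5/second}"           # outbound packet budget for that uid
BURST="${BURST:-10}"               # short burst allowed before limiting kicks in
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run

# Emit the rule set, one rule per line, so it can be reviewed before use.
# Order matters: loopback stays open, every packet within budget is logged
# and accepted, SMTP is refused outright, and anything over budget is dropped.
honeypot_egress_rules() {
    uid="$1"; rate="$2"; burst="$3"
    cat <<EOF
-N HONEYPOT_OUT
-A OUTPUT -m owner --uid-owner $uid -j HONEYPOT_OUT
-A HONEYPOT_OUT -o lo -j ACCEPT
-A HONEYPOT_OUT -m limit --limit $rate --limit-burst $burst -j LOG --log-prefix honeypot-out:
-A HONEYPOT_OUT -p tcp --dport 25 -j REJECT
-A HONEYPOT_OUT -m limit --limit $rate --limit-burst $burst -j ACCEPT
-A HONEYPOT_OUT -j DROP
EOF
}

# Run every generated rule through $IPTABLES; stops at the first failure.
apply_honeypot_rules() {
    honeypot_egress_rules "$HONEY_UID" "$RATE" "$BURST" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        $IPTABLES $rule || return 1
    done
}

# Number of rules the generator produces, for a quick sanity check.
rule_count() {
    honeypot_egress_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Only apply when explicitly asked, so sourcing the file is side-effect free:
#   HONEYPOT_APPLY=1 sh honeypot-egress.sh      (needs root for real iptables)
if [ "${HONEYPOT_APPLY:-0}" = "1" ]; then
    apply_honeypot_rules
fi
```

Two caveats a practitioner would want. The owner match only sees packets generated on the machine where the rules load, so in the VMware layout they belong inside the guest; filtering at the host would instead key on the guest's IP on the bridge. And the limit module counts packets, not bytes, so this is a ceiling on connection attempts rather than true bandwidth shaping; for a byte-rate cap the interface needs a tc queueing discipline as well. The final DROP is what keeps the box from joining a flood, at the price that a bot may notice its traffic going nowhere.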
puck3d
n00b
Joined: 19 Sep 2003
Posts: 31

Posted: Tue Mar 15, 2005 5:13 pm

I read that paper also, and it was mentioned that some bots detect virtual computers and don't install on them. But if you were going to do this I would use Windows and set up a honeywall. This is used to capture traffic going to and from the honeypot computer. Very effective.

There are quite a few papers on this in Google:
http://www.google.com/search?hl=en&lr=&safe=off&client=firefox&rls=org.mozilla%3Aen-US%3Aunofficial&q=linux+honeywall&btnG=Search

I really want to set up my own also, but can't right now due to my internet setup at school.
machinelou
Apprentice
Joined: 05 Apr 2003
Posts: 267

Posted: Tue Mar 15, 2005 5:35 pm

Thanks! I hadn't quite decided on a toolset yet, but that's one I haven't seen so far browsing through honeynet.org. It looks very capable and relatively straightforward. I want to stay with Linux because the target I'm trying to catch is relatively specific. That is, I'm not trying to set up a honeypot to catch any old hacker; I'm specifically targeting the so-called ssh worm that people here have mentioned and that has been hitting my computer since summer (if they are indeed the same thing). You brought up a good point, though, about some bots not installing on virtual machines. I guess the only way to find out is to try.