DocumentCode :
1641762
Title :
Experiences with the NoAH Honeynet Testbed to Detect new Internet Worms
Author :
Kohlrausch, Jan
Author_Institution :
DFN-CERT Services GmbH, Hamburg, Germany
fYear :
2009
Firstpage :
13
Lastpage :
26
Abstract :
Recently, major advances have been made in the area of honeypot technologies. These include the development of very accurate and reliable detection methods for unknown attacks targeting memory corruption vulnerabilities, and the design of efficient network architectures. These architectures make it possible to monitor a large network of IP addresses while applying advanced detection methods for zero-day exploits and new Internet worms. Such an advanced architecture and detection method was developed by the NoAH research project, funded by the Sixth EU Framework Programme for Research and Technological Development. A pilot testbed was set up to demonstrate its effectiveness in detecting well-known as well as new attacks on the Internet. While the technical components are well understood, the interpretation and analysis of the resulting information is, to the best of our knowledge, still not fully explored by research projects. For the NoAH pilot testbed, a critical test of its effectiveness arose with the appearance of the W32.Conficker worm in November 2008. In this paper we present the experimental results of this testbed, focusing on the detection and analysis of the W32.Conficker worm, which is still widely spread and an ongoing threat to the Internet. In detail, we describe the detection process from the first suspicion of a new Internet worm through to its analysis and the capture of the malware.
Keywords :
IP networks; Internet; invasive software; IP addresses; Internet worms detection; NoAH honeynet testbed; Sixth EU Framework Programme; W32.Conficker; advanced detection methods; malware; network architectures; Automata; Computer worms; Conference management; Emulation; Forensics; Monitoring; Security; Technology management; Testing; Web and internet services; Monitoring and Early Warning; Techniques; Tools in Procedures IT Forensics;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
IT Security Incident Management and IT Forensics, 2009. IMF '09. Fifth International Conference on
Conference_Location :
Stuttgart
Print_ISBN :
978-0-7695-3807-5
Type :
conf
DOI :
10.1109/IMF.2009.9
Filename :
5277839