Select Page

411XWBMDrIL._AA240_As you may know, Niels Provos and Thorsten Holz have written a book on malware, called “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”.

Thorsten, along with Carsten Willems, was involved in the development of our very popular Sunbelt CWSandbox, which is used by many people involved in security research to analyze malware.

Security author Stephen Northcutt gives the book a great recommendation, calling the book a “breakthrough work”:

Simply put, this is the best security book I have read this year. A perfect blend of well researched information about honeypots as well as plenty of pragmatic how to do it. Well known respected authors that clearly know their stuff. A nice blend of network and system information to give the read the full picture. The reader will learn a lot of analysis and be exposed to a number of attack signatures. And the information is applicable. That was the huge eye opener for me! I thought honeypots were boutique at best, but the book shows clearly how to use them to augment your intrusion detection capability, to detect malware and to identify botnets. At the exact second the Storm botnet is raging, anti-malware products from Symantec, NAI, Trend Micro just are not getting the job done. A large organization with a low interaction honeypot like honeyd, collapsar or potemkin would be able to track what is happening in their network. In the same way, if you are running nepenthes or roleplayer you can identify (detect) the malware and understand how it is working.

Obviously the book cannot cover each tool in depth, Virtual Honeypots goes into detail for honeyd and nepenthes and serves as a manual to help you get started. This is thrilling reading to the very end, the final three chapters are case studies ( war stories ), tracking botnets and working with the CWSandbox. I absolutely recommend this book and expect that I will keep it near my workstation for the next few months. I read it the first time on airplanes, I live in Hawaii so each trip to the east coast is ten hours airplane time and it took about 20 hours for me to work through the book. I plan to read it at least one more time, but with a computer nearby to try to apply some of this. Hats off to the authors, Provos and Holz for sharing their knowledge with the community.

Thorsten tells us:

It’s worth noting that Chapter 12 deals with automated analysis of malware and the example is (of course) CWSandbox. Niels and I describe different techniques in that chapter and give several examples which are all based on CWSandbox output. Furthermore, the chapter on botnets could be interesting since many automated malware samples are bots. That chapter will be available shortly as free sample chapter. In general, the book is of course interesting 😉

You can find out more about the book at

Alex Eckelberry