funsec mailing list archives

Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 03 Jun 2006 16:07:06 +1200

Fergie wrote:

Just tossing some thoughts around earlier this evening.

Would appreciate some feedback.

How valuable, would you say, are honeynets now that most
malware/crimeware seems to be trojan downloader backdoor droppers
that are "dropped" due to user activation (e.g. clicking on a
link in an e-card), as opposed to trojan backdoors that are
dropped via an OS exploit?

Think about that for a moment.

I never saw honeypots/nets as much of an important part of identifying 
"outbreak" scale events, as there were always other means of noticing 
such things (though honeypots could be useful for capturing early 
samples), so if your intended comparison is "honeypots are not as 
useful as they once were" I suspect we may disagree on the assessment 
of how useful they were...  

Anyway, although a lot of contemporary malware depends, as you say, on 
the active involvement of the victim user, a lot of that malware 
_still_ has _secondary_ spread mechanisms of share-crawling, service 
exploiting, crawling through other bots' backdoors, etc, etc.  As some 
(and an increasing amount?) of this malware is only "narrow-banded" in 
its initial deliberate distribution (often through somewhat targeted 
spamming), honeypots/nets may be the best way we have of (efficiently 
and somewhat quickly) getting samples of the increasing amount of much 
less wide-spread malware.  


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.