funsec mailing list archives
Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc.
From: "Fergie" <fergdawg () netzero net>
Date: Sat, 3 Jun 2006 18:21:34 GMT
Robert, That's great, but you really didn't adress my question(s). :-) - ferg -- Robert <robert () servalens com> wrote: Ferg, One outcropping of honeypots that I think helps address some of these new vectors is client-side honeypots aka honeymonkies or honeyclients. <shameless plug>I'm presenting on honeyclients at SANSFIRE '06 in DC in July</plug> and Microsoft and Mitre have been doing a lot of work in this area. I guess I would also throw spyware crawlers in there too. Which don't necessarily act as honeypots and get infected/compromised, but they do offer the ability to harvest some malware and characterize websites. Dan Hubbard at Websense has done great work in this area too. I was running a honeyclient project at StillSecure and I agree a big element (and one hard to automate and factor in) is the end-user behavior. I think a lot of studies so far have not taken into account how many people get duped (fake anti-spyware alerts, etc). In my project I have a great time clicking OK on any popup that arose (very liberating). But automation methods are needed in honeyclients to automate the UI. Otherwise crawlers miss the rich malicious content. I'm a big believer in this area if anyone is interested in discussing any of it. I had a full implementation in PERL that I was trying to GPL, but lost control of when I left StillSecure. I believe Mitre will be releasing a GPL honeyclient (not the honeyclient.org one) before too long. Cheers, Robert Fergie wrote:
Just tossing some thoughts around earlier this evening. Would appreciate some feedback. How valuable, would you say, are honeynets now that most malware/crimeware seems to trojan downloader backdoor droppers that are "dropped" due to user activation (e.g. clicking on a link in an e-card), as opposed to trojan backdoors that are dropped via an OS exploit? Think about that for a moment. Serious feedback appreciated, - ferg p.s. This is _not_ to question the value of honeynets, per se, but more appropriately, to examine methodology in a broader context given the change in attack vector(s). -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg () netzero net or fergdawg () sbcglobal net ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Fergie (Jun 03)
- <Possible follow-ups>
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Fergie (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Dude VanWinkle (Jun 04)
- RE: Thinking out loud: On the value of honeynets, trojans, botnets, etc. StyleWar (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Fergie (Jun 04)
- RE: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Fergie (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Blue Boar (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Dude VanWinkle (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Valdis . Kletnieks (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, bo tnets, etc. Blue Boar (Jun 05)