funsec mailing list archives
RE: Thinking out loud: On the value of honeynets, trojans, botnets, etc.
From: "StyleWar" <stylewar () cox net>
Date: Mon, 5 Jun 2006 00:09:49 -0500
If you have the ability to install them, and the time to manage them, or want to use them as a training tool for detection and response personnel...I think they're still useful. A while back I was (relatively speaking to my peers anyways) of the opinion that honeynets were ultimately a waste of time because they generated more false positives, and pseudopositives (positives you can do nothing about) than they did positive positives (ya man ... that's the good stuff). I've since modified my opinion slightly. Whether it's the user interaction branch of the threat tree or otherwise, the threat agent is rare that can cherry pick. For those threat agents that *can* cherry pick, honeynets may be relatively useless... But I would challenge the assumption that trojans are more predominantly spread through unwitting install, rather than some other method, and suggest that they (honeynets) still have value as tripwires along the path to the goodies... And I think "Iskorpitx" would probably agree with me....that is, if they woulda had some honeynets to help catch his Turkish a$$.

- StyleWar

"There are 3 kinds of people: Those who MAKE things happen, those who WATCH things happen, and those who wonder 'WHAT HAPPENED?'"
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Sunday, June 04, 2006 8:54 PM
To: robert () servalens com
Cc: funsec () linuxbox org
Subject: Re: [funsec] Thinking out loud: On the value of honeynets, trojans, botnets, etc.

The user-interaction angle is the one that I'm really talking about here.

Bots generally "spread" one of two ways: either by actively infecting via scanning and infecting an unpatched OS flaw (e.g. the MS05-039 PnP vulnerability/exploit), or via a user clicking on a dirty link & unwittingly installing the code (or a backdoor downloader which, in turn, can install the bot code itself).

The latter, I think, is what we are seeing much more of these days, and to that end, I'm not really seeing that a honeynet is of much utility in that regard.

Would love to hear opinions on this, however. :-)

Cheers,

- ferg

-- Robert <robert () servalens com> wrote:

Ferg,

Sorry bout that. I thought I at least nicked it.

I would argue that the user activation part be automated from a honeyclient. And yes I agree about droppers, life boats, etc.

When I deploy honeyclients it's on a fully instrumented network. So the dropper behavior can be picked up using:
squid logs
iptables traffic logs, pcaps
windows firewall connection logging
filesystem integrity checking
etc, etc

I'm a fan of correlating all the available information to get a picture of what's going on. I also think that a full OS is needed to get the secondary/tertiary events. Something like Norman Sandbox could provide the address the dropper might connect to, but I think you gotta let the program run and see what happens to get the full info.

Everything above could be accomplished in a honeypot scenario unless techniques break out along vector lines which I think is happening.

Closer this time?

Robert

Fergie wrote:
Robert,

That's great, but you really didn't address my question(s).

:-)

- ferg

-- Robert <robert () servalens com> wrote:

Ferg,

One outcropping of honeypots that I think helps address some of these new vectors is client-side honeypots aka honeymonkies or honeyclients. <shameless plug>I'm presenting on honeyclients at SANSFIRE'06 in DC in July</plug> and Microsoft and Mitre have been doing a lot of work in this area.

I guess I would also throw spyware crawlers in there too. Which don't necessarily act as honeypots and get infected/compromised, but they do offer the ability to harvest some malware and characterize websites. Dan Hubbard at Websense has done great work in this area too.

I was running a honeyclient project at StillSecure and I agree a big element (and one hard to automate and factor in) is the end-user behavior. I think a lot of studies so far have not taken into account how many people get duped (fake anti-spyware alerts, etc). In my project I had a great time clicking OK on any popup that arose (very liberating). But automation methods are needed in honeyclients to automate the UI. Otherwise crawlers miss the rich malicious content.

I'm a big believer in this area if anyone is interested in discussing any of it. I had a full implementation in PERL that I was trying to GPL, but lost control of when I left StillSecure. I believe Mitre will be releasing a GPL honeyclient (not the honeyclient.org one) before too long.

Cheers,
Robert

Fergie wrote:
Just tossing some thoughts around earlier this evening. Would appreciate some feedback.

How valuable, would you say, are honeynets now that most malware/crimeware seems to be trojan downloader backdoor droppers that are "dropped" due to user activation (e.g. clicking on a link in an e-card), as opposed to trojan backdoors that are dropped via an OS exploit?

Think about that for a moment.

Serious feedback appreciated,

- ferg

p.s. This is _not_ to question the value of honeynets, per se, but more appropriately, to examine methodology in a broader context given the change in attack vector(s).

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
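Robert's point in the quoted thread about picking up dropper behaviour on a fully instrumented honeyclient network by correlating squid logs, iptables logs and filesystem integrity checks, as an added example that is not code from the thread or from any poster's project: it merges the three sources into one timeline for a single visit and flags the executable-download, new-file, unexpected-callback sequence. The log lines, hashes, hosts, paths and the `HONEY-OUT` log prefix are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence from one honeyclient visit; every host, IP and path is made up.
SQUID_LOG = """\
1149470000.123    412 10.0.0.5 TCP_MISS/200 5120 GET http://ecard.example.invalid/card.html - DIRECT/192.0.2.10 text/html
1149470003.456    210 10.0.0.5 TCP_MISS/200 84011 GET http://ecard.example.invalid/dl/update.exe - DIRECT/192.0.2.10 application/octet-stream
"""
IPTABLES_LOG = """\
Jun  5 01:13:30 gw kernel: HONEY-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=6667
"""
BASELINE = {"C:/WINDOWS/system32/kernel32.dll": "aaa111"}                   # pre-visit file hashes
AFTER = dict(BASELINE, **{"C:/WINDOWS/system32/svchost32.exe": "bbb222"})   # post-visit file hashes
VISITED_HOSTS = {"192.0.2.10"}  # the web server the honeyclient was deliberately sent to

def parse_squid(text):
    """Squid native access.log: epoch elapsed client code/status bytes method URL ident hier/host type."""
    ev = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 10:
            ev.append({"ts": float(f[0]), "src": "squid", "url": f[6], "ctype": f[9]})
    return ev

IPT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) DST=(\S+) PROTO=(\S+).*?DPT=(\d+)")

def parse_iptables(text, year):
    """iptables LOG lines carry no year, so the caller supplies it (2006 for the sample above)."""
    ev = []
    for m in filter(None, map(IPT_RE.match, text.splitlines())):
        stamp = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        ev.append({"ts": stamp.replace(tzinfo=timezone.utc).timestamp(), "src": "iptables",
                   "dst": m.group(3), "proto": m.group(4), "dpt": int(m.group(5))})
    return ev

def fs_diff(baseline, after):
    """Paths created or changed during the visit, from the filesystem integrity check."""
    return sorted(p for p, h in after.items() if baseline.get(p) != h)

def correlate(squid, ipt, baseline, after, visited_hosts, year=2006):
    """Merge the three sources into one timeline and flag the dropper pattern:
    executable fetched -> new file on disk -> outbound connection to a host we never visited."""
    web, net = parse_squid(squid), parse_iptables(ipt, year)
    downloads = [e for e in web if e["url"].lower().endswith(".exe") or e["ctype"] == "application/octet-stream"]
    callbacks = [e for e in net if e["dst"] not in visited_hosts]
    new_files = fs_diff(baseline, after)
    suspected = bool(downloads and new_files) and any(c["ts"] > downloads[0]["ts"] for c in callbacks)
    return {"timeline": sorted(web + net, key=lambda e: e["ts"]), "downloads": downloads,
            "new_files": new_files, "callbacks": callbacks, "dropper_suspected": suspected}
```

The pcap and Windows firewall logs Robert also mentions would slot in as further parsers feeding the same timeline.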