funsec mailing list archives

Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 5 Jun 2006 00:26:45 -0400

On 6/4/06, Fergie <fergdawg () netzero net> wrote:
> The user-interaction angle is the one that I'm really talking
> about here.
>
> Bots generally "spread" one of two ways: Either by actively
> infecting via scanning and infecting an unpatched OS flaw (e.g.
> the MS05-039 PnP vulnerability/exploit), or via a user clicking
> on a dirty link & unwittingly installing the code (or a backdoor
> downloader which, in turn, can install the bot code itself).
>
> The latter, I think, is what we are seeing much more of these
> days, and to that end, I'm not really seeing that a honeynet
> is of much utility in that regard.
>
> Would love to hear opinions on this, however. :-)


Sounds like you already know the answer. Some exploits are found by
honeymonkeys, some exploits are found by honeypots.

It would be pretty nifty if someone would come up with a honeymonkey
that would use the cache of the local DNS server as a list of "to be
browsed". You could then analyze what the honeymonkeys found and see
if any users brought malware into your network that day.

/babble

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
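
Added example, not part of the original post or the list archive: a sketch of the first step of the idea in the reply above, turning a resolver cache export into a browse list for a honeyclient. It assumes the cache has been exported as zone-file style text (owner, TTL, optional class, type, rdata); the sample data, the function names and the `.corp.internal` suffix are constructed for illustration.

```python
import re

# Constructed sample of a resolver cache export in zone-file style.
# All names and addresses are made up (documentation ranges).
SAMPLE_CACHE = """\
; constructed sample, not real data
www.example.com.          3412  IN A      192.0.2.10
cdn.example.net.          120   IN CNAME  edge.example.net.
edge.example.net.         120   IN A      192.0.2.44
10.2.0.192.in-addr.arpa.  86400 IN PTR    www.example.com.
fileserver.corp.internal. 600   IN A      10.0.0.5
WWW.Example.COM.          3412  IN AAAA   2001:db8::10
example.org.              3600  IN MX     10 mail.example.org.
_ldap._tcp.example.com.   600   IN SRV    0 100 389 dc1.example.com.
"""

BROWSABLE_TYPES = {"A", "AAAA", "CNAME"}  # lookups a browser visit leaves behind
INTERNAL_SUFFIXES = (".corp.internal",)    # hypothetical internal zone to skip
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?([A-Z]+)\s+(\S.*)$")

def browse_list(cache_text, internal=INTERNAL_SUFFIXES):
    """Return sorted, de-duplicated hostnames to hand to a honeyclient."""
    hosts = set()
    for raw in cache_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = LINE.match(line)
        if not m:
            continue                      # not a record line we understand
        owner, _ttl, rtype, _rdata = m.groups()
        name = owner.rstrip(".").lower()  # DNS names are case-insensitive
        if rtype not in BROWSABLE_TYPES:
            continue                      # MX, SRV, PTR etc. are not web visits
        if name.endswith((".in-addr.arpa", ".ip6.arpa")) or name.startswith("_"):
            continue                      # reverse zones and service labels
        if name.endswith(internal):
            continue                      # keep the crawler off internal hosts
        hosts.add(name)
    return sorted(hosts)

def to_urls(hosts):
    """The cache holds names only, so each crawl starts at the site root."""
    return ["http://%s/" % h for h in hosts]
```

A DNS cache records hostnames, not the paths users actually requested, so a crawl seeded this way only covers content reachable from each site's root.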

