funsec mailing list archives
Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.
From: "Fergie" <fergdawg () netzero net>
Date: Mon, 5 Jun 2006 04:41:59 GMT
Well, I kinda-sorta think I know at least a part of the answer. Maybe. :-)

What would be _really_ nice is an automated way to have, what I would call, a "malware-sink" -- which is not just an unpatched honeypot, but perhaps an automated way to collect malware samples which are the result of (malware) clicked links, either embedded on "bad" web pages or contained in e-mail (to include surreptitious attachments, embedded links, etc.)...

I've seen some great methods to do this, but not in an automated fashion.

Just thinking out loud again. :-)

- ferg

-- "Dude VanWinkle" <dudevanwinkle () gmail com> wrote:

> On 6/4/06, Fergie <fergdawg () netzero net> wrote:
>
>> The user-interaction angle is the one that I'm really talking about here. Bots generally "spread" one of two ways: either by actively infecting via scanning and infecting an unpatched OS flaw (e.g. the MS05-039 PnP vulnerability/exploit), or via a user clicking on a dirty link & unwittingly installing the code (or a backdoor downloader which, in turn, can install the bot code itself). The latter, I think, is what we are seeing much more of these days, and to that end, I'm not really seeing that a honeynet is of much utility in that regard. Would love to hear opinions on this, however. :-)
>
> Sounds like you already know the answer. Some exploits are found by honeymonkeys, some exploits are found by honeypots. It would be pretty nifty if someone would come up with a honeymonkey that would use the cache of the local DNS server as a list of "to be browsed". You could then analyze what the honeymonkeys found and see if any users brought malware into your network that day.
>
> /babble
>
> -JP

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
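A sketch of the DNS-fed honeymonkey JP describes, added here as an example and not code from anyone on the thread: it parses constructed BIND-style query-log lines (an assumed format standing in for the resolver's cache), builds the de-duplicated "to be browsed" list of external names, and maps sandbox verdicts back to the internal clients that resolved those names that day. The log lines, zone names, client addresses and verdicts are all constructed.

```python
import re

# Constructed BIND-style query-log lines (not from the thread); timestamps omitted.
QUERY_LOG = """\
client 10.0.0.5#53124: query: www.corp.internal IN A +
client 10.0.0.5#53125: query: cdn.example.net IN A +
client 10.0.0.9#40001: query: login.example-bank.test IN A +
client 10.0.0.5#53126: query: cdn.example.net IN AAAA +
client 10.0.0.12#51000: query: free-screensavers.test IN A +
client 10.0.0.9#40002: query: free-screensavers.test IN A +
client 10.0.0.12#51001: query: mail.corp.internal IN MX +
""".splitlines()

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
LOCAL_ZONES = ("corp.internal",)  # assumed internal zone; never worth browsing


def is_local(name, zones=LOCAL_ZONES):
    """True for names inside our own zones (exact match or a subdomain)."""
    return any(name == z or name.endswith("." + z) for z in zones)


def parse_queries(lines):
    """Yield (client_ip, fqdn) for every A/AAAA lookup; other record types are ignored."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype") in ("A", "AAAA"):
            yield m.group("ip"), m.group("name").lower().rstrip(".")


def build_browse_list(lines):
    """External names in first-seen order, de-duplicated: the honeymonkey's work queue."""
    seen, queue = set(), []
    for _ip, name in parse_queries(lines):
        if is_local(name) or name in seen:
            continue
        seen.add(name)
        queue.append("http://%s/" % name)
    return queue


def attribute_verdicts(lines, verdicts):
    """Map each name the sandbox called malicious back to the internal clients that resolved it."""
    hits = {}
    for ip, name in parse_queries(lines):
        if verdicts.get(name) == "malicious":
            hits.setdefault(name, set()).add(ip)
    return hits
```

The verdict dictionary stands in for whatever the honeymonkey reports after visiting each URL; the attribution step is what turns its findings into "which users brought this in today".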
Current thread:
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Fergie (Jun 03)
- <Possible follow-ups>
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Fergie (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Dude VanWinkle (Jun 04)
- RE: Thinking out loud: On the value of honeynets, trojans, botnets, etc. StyleWar (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Fergie (Jun 04)
- RE: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Fergie (Jun 04)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Blue Boar (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Dude VanWinkle (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Valdis . Kletnieks (Jun 05)
- Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc. Blue Boar (Jun 05)