Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.

[Robert <robert () servalens com>]

Ferg,

One outcropping of honeypots that I think helps address some of these 
new vectors is client-side honeypots aka honeymonkies or honeyclients.
<shameless plug>I'm presenting on honeyclients at SANSFIRE '06 in DC in 
July</plug> and Microsoft and Mitre have been doing a lot of work in 
this area.
I guess I would also throw spyware crawlers in there too. Which don't 
necessarily act as honeypots and get infected/compromised, but they do 
offer the ability to harvest some malware and characterize websites. Dan 
Hubbard at Websense has done great work in this area too.

I was running a honeyclient project at StillSecure and I agree a big 
element (and one hard to automate and factor in) is the end-user 
behavior. I think a lot of studies so far have not taken into account 
how many people get duped (fake anti-spyware alerts, etc). In my project 
I have a great time clicking OK on any popup that arose (very 
liberating). But automation methods are needed in honeyclients to 
automate the UI. Otherwise crawlers miss the rich malicious content.

I'm a big believer in this area if anyone is interested in discussing 
any of it. I had a full implementation in PERL that I was trying to GPL, 
but lost control of when I left StillSecure. I believe Mitre will be 
releasing a GPL honeyclient (not the honeyclient.org one) before too long.

Cheers,

Robert

Fergie wrote:

> Just tossing some thoughts around earlier this evening.
>
> Would appreciate some feedback.
>
> How valuable, would you say, are honeynets now that most
> malware/crimeware seems to trojan downloader backdoor droppers
> that are "dropped" due to user activation (e.g. clicking on a
> link in an e-card), as opposed to trojan backdoors that are
> dropped via an OS exploit?
>
> Think about that for a moment.
>
> Serious feedback appreciated,
>
> - ferg
>
> p.s. This is _not_ to question the value of honeynets, per se,
> but more appropriately, to examine methodology in a broader
> context given the change in attack vector(s).
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg () netzero net or fergdawg () sbcglobal net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
>  
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.