Honeypots mailing list archives

Re: SF new column announcement: Time to Dump IE

From: Ryan Barnett <RCBarnett () hushmail com>
Date: 23 Jun 2004 04:08:03 -0000

In-Reply-To: <82AEE40F-C087-11D8-A255-000A95B25656 () honeynet org>

From: Lance Spitzner <lance () honeynet org>
MODERATORS NOTE:
What would be interesting is using a 'client' honeypot.  Take a clean 
install of a Win32 system, then have IE on it connect to hundreds of 
random websites.  See if any of the websites makes 'unauthorized' 
modifications to your 'client' honeypot :)


Ahh yes, the HoneyStick idea - http://www.securityfocus.com/archive/119/289303/2004-06-19/2004-06-25/2

Good idea.  Anyone have any ideas for automating/randomizing IE to connect to sites?

I know that I have been dealing with clients at work who accidently go to websites that have trojans such as Debeski - 
(http://vil.nai.com/vil/content/v_101057.htm).  Once my security team is notified on this type of virus/trojan issues, 
we use VMware Windows desktops with IE to connect to these same sites and let it infect us to study it.

Now the question here is to automate this process and let it act as a spider/robot and let it out on the web to see 
what sites are doing this type of exploitation...

-Ryan

Current thread:

SF new column announcement: Time to Dump IE Lance Spitzner (Jun 17)
- <Possible follow-ups>
- Re: SF new column announcement: Time to Dump IE Ryan Barnett (Jun 22)
  - Re: SF new column announcement: Time to Dump IE Borja Marcos (Jun 23)
  - Re: SF new column announcement: Time to Dump IE Patrick Diebold (Jun 23)
  - Re: SF new column announcement: Time to Dump IE Nightslave (Jun 24)
- RE: SF new column announcement: Time to Dump IE Andy Streule (Jun 23)