Honeypots mailing list archives

Re: SF new column announcement: Time to Dump IE


From: Patrick Diebold <p.diebold () arcor de>
Date: Wed, 23 Jun 2004 13:53:24 +0200

Hi Ryan,

Maybe it's a bit like shooting sparrows with cannons, but "Rational 
Suite-Testsuite" allows you to script the user's behaviour - open IE and type url 
and click buttons etc.
The data filled into boxes e.g. can be read from a database (which could 
contain your URLs) even randomly.
You still need a detection mechanism for changes of the system.

Probably there is a similar test suite that is cheaper?

- Patrick


On Wednesday, 23 June 2004 06:08, Ryan Barnett wrote:
In-Reply-To: <82AEE40F-C087-11D8-A255-000A95B25656 () honeynet org>

From: Lance Spitzner <lance () honeynet org>
MODERATORS NOTE:
What would be interesting is using a 'client' honeypot.  Take a clean
install of a Win32 system, then have IE on it connect to hundreds of
random websites.  See if any of the websites makes 'unauthorized'
modifications to your 'client' honeypot :)

Ahh yes, the HoneyStick idea -
http://www.securityfocus.com/archive/119/289303/2004-06-19/2004-06-25/2

Good idea.  Anyone have any ideas for automating/randomizing IE to connect
to sites?

I know that I have been dealing with clients at work who accidentally go to
websites that have trojans such as Debeski -
(http://vil.nai.com/vil/content/v_101057.htm).  Once my security team is
notified of this type of virus/trojan issue, we use VMware Windows
desktops with IE to connect to these same sites and let it infect us to
study it.

Now the question here is to automate this process and let it act as a
spider/robot and let it out on the web to see what sites are doing this
type of exploitation...

-Ryan
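
The "detection mechanism for changes of the system" mentioned in the thread, sketched as an added example (not code from any poster or from the Honeynet Project): hash a monitored directory tree before and after each visit and report the differences. The `visit` callable, the directory layout and the URL are assumptions; the demo substitutes a constructed stand-in for the browser step.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative POSIX path) to the SHA-256 of its contents."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            try:
                state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                state[rel] = "unreadable"  # locked or vanished mid-walk: still record it
    return state

def diff(before, after):
    """Return the files added, removed and modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def check_visit(root, visit, url):
    """Snapshot, run the caller-supplied visit(url) browser step, snapshot again."""
    before = snapshot(root)
    visit(url)
    return diff(before, snapshot(root))

def demo():
    """Constructed scenario: a temp dir stands in for the guest's monitored paths."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root, "system")
        sysdir.mkdir()
        (sysdir / "settings.ini").write_text("homepage=about:blank\n")
        (sysdir / "old.tmp").write_text("x")

        def simulated_visit(url):
            # Hypothetical stand-in for the scripted browser: only touches the temp dir
            (sysdir / "settings.ini").write_text("homepage=" + url + "\n")
            (sysdir / "dropped.bin").write_bytes(b"\x00constructed")
            (sysdir / "old.tmp").unlink()

        return check_visit(root, simulated_visit, "http://example.test/")

if __name__ == "__main__":
    print(demo())
```

Any non-empty result marks the visited URL for manual analysis, after which the VM is reverted to its clean snapshot before the next URL.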

