Honeypots mailing list archives

Re: collecting spyware with a honeypot


From: "Jamie Riden" <jamesr () europe com>
Date: Mon, 18 Sep 2006 14:42:25 +1200

On 17/09/06, George <george.p123 () gmail com> wrote:
Hello!
I would like to set up a honeypot for collecting spyware and adware. As
you know, spyware requires user action, so I can't use the classic
honeypot method of connecting it to the internet and letting the "bad guys"
attack it.

I Googled a little bit on this project and I didn't find a starting
point for it. Can you help me with some ideas or some links
about how I can deploy this kind of honeypot in such a way that it
will receive fresh spyware and adware?

I've been wondering about this myself - I think the main steps would be:

* mechanism to trawl URLs - e.g. crawl everything that you get in your spam
* detection of compromise, and analysis

You could do this in a VM and use snort to alert when the thing gets
compromised and do a manual analysis.  There are also low-interaction
solutions - here are a couple of references:

http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient
http://honeyc.sourceforge.net/
http://capture-hpc.sourceforge.net/
http://conference.hackinthebox.org/hitbsecconf2006kl/index.php?page_id=75
http://pi1.informatik.uni-mannheim.de/diplomas/show/27

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
NZ Honeynet project - http://www.nz-honeynet.org/
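The two steps in the reply above (trawl URLs out of spam, then detect that the client got compromised) as an added example; this is not code from the thread, from honeyc or from Capture-HPC. It pulls candidate URLs from the text/plain and text/html parts of a mail message, normalises and dedupes them so the same landing page is not visited twice, and then flags a visit as a compromise by diffing a filesystem snapshot taken before and after the browser in the VM opened the URL, the same state-change idea Capture-HPC uses. The sample spam, the snapshot dicts and the `C:\Windows\Temp\` whitelist are constructed here for illustration; driving the browser in the guest is left to the VM tooling.

```python
"""Minimal spam-URL trawler plus before/after snapshot diff for a client honeypot.
Added example; sample messages and snapshots below are constructed, not real."""
import email
import hashlib
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Bare URLs in plain text (quotes and angle brackets end a URL).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects href targets of <a> tags; spam HTML usually hides the real URL there."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def normalize(url):
    """Lower-case scheme/host, drop fragment and trailing punctuation; None if not http(s)."""
    parts = urlsplit(url.strip().rstrip(".,);"))
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def extract_urls(raw_message):
    """Return deduplicated, normalised http(s) URLs from one RFC 822 message (string)."""
    msg = email.message_from_string(raw_message)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(text)
            found.extend(collector.hrefs)
        found.extend(URL_RE.findall(text))
    seen, queue = set(), []
    for u in found:
        n = normalize(u)
        if n and n not in seen:
            seen.add(n)
            queue.append(n)
    return queue


def snapshot(root):
    """path -> sha256 of contents for every file under root; run in the guest before/after a visit."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[path] = hashlib.sha256(fh.read()).hexdigest()
    return state


def snapshot_diff(before, after):
    """Files added, modified or deleted between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def suspicious_changes(diff, benign_prefixes=("C:\\Windows\\Temp\\",)):
    """Anything changed outside the browser's expected scratch area is worth a manual look."""
    changed = diff["added"] + diff["modified"] + diff["deleted"]
    return [p for p in changed if not p.startswith(benign_prefixes)]


# Constructed sample spam: same landing page in text and HTML parts, plus a non-http link.
SAMPLE_SPAM = """From: promo@example.net
To: victim@example.org
Subject: You have won
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Claim your prize at http://Prize-Example.test/claim?id=7 now.
--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="http://prize-example.test/claim?id=7">Click</a>
<a href="HTTPS://tracker.example.test/open">.</a> ftp://not.http.test/x</body></html>
--b1--
"""

# Constructed before/after guest snapshots: hosts file rewritten, new binary dropped.
BEFORE = {"C:\\Windows\\System32\\drivers\\etc\\hosts": "a1",
          "C:\\Windows\\System32\\user32.dll": "b2"}
AFTER = {"C:\\Windows\\System32\\drivers\\etc\\hosts": "c3",
         "C:\\Windows\\System32\\user32.dll": "b2",
         "C:\\Windows\\Temp\\cache.tmp": "d4",
         "C:\\Program Files\\Shopper\\shopper.exe": "e5"}

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_SPAM):
        print("visit:", url)
    print("suspicious:", suspicious_changes(snapshot_diff(BEFORE, AFTER)))
```

Snort on the VM's network tap (as the reply suggests) and this file diff catch different things: the diff sees the dropped binary even when the download was encrypted, while Snort sees the callback traffic; use both, and revert the VM to a clean snapshot after every URL so one infection does not taint the next visit.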

