Honeypots mailing list archives

Re: collecting spyware with a honeypot


From: Tillmann Werner <tillmann.werner () gmx de>
Date: Mon, 18 Sep 2006 16:23:40 +0200

George,

> I would like to set up a honeypot for collecting spyware and adware. As
> you know, spyware requires user action, so I can't use the classic
> honeypot method of connecting it to the internet and letting the "bad guys"
> attack it.

You don't necessarily need user interaction. Lots of ad/spyware is installed 
after a bot infection. Samples can be collected with tools like honeytrap or 
nepenthes and then run in a controlled environment, e.g. a vm protected by a 
honeywall.

You then need some kind of automation to initialize a clean image, place and 
start a sample, and log changes such as downloaded files. You can also use a 
hardware card that restores a clean system, discarding the changes since the 
last reboot, if you prefer a non-virtual installation. Such a setup should be 
able to process about one executable every 10 minutes.

Tillmann
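
The "place and start a sample, log changes" step of the loop Tillmann describes, as an added example that is not code from the thread or from honeytrap/nepenthes: a before/after filesystem snapshot of the analysis directory, with the sample run between the two, so that dropped or downloaded files show up as a diff. The sample here is a constructed stand-in (a Python one-liner that drops a file and edits another); a real run would execute the collected binary inside the isolated guest, and the clean-image reset is left as a hook because it depends on the hypervisor or restore card in use (the hook and its name are assumptions, not part of the original).

```python
"""Change logger for an automated sample-analysis loop (added example)."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = digest
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def run_sample(root: Path, argv: list, timeout: int = 600) -> dict:
    """Run one sample with root as its working directory and return the
    filesystem changes it caused. The timeout caps the run; 600 s matches
    the roughly ten minutes per executable quoted in the mail."""
    before = snapshot(root)
    try:
        subprocess.run(argv, cwd=root, timeout=timeout, capture_output=True)
    except subprocess.TimeoutExpired:
        pass  # a killed sample may still have dropped files worth logging
    after = snapshot(root)
    return diff_snapshots(before, after)


def restore_clean_image() -> None:
    """Hypothetical hook for the clean-image reset: a VM snapshot revert
    via the hypervisor's CLI, or a reboot when a restore card is used.
    Intentionally a no-op here."""
    return None


def demo_run() -> dict:
    """Constructed demonstration: a stand-in 'sample' that drops a payload
    and tampers with an existing file, run in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("original\n")
        stub = [sys.executable, "-c",
                "open('dropped.bin','wb').write(b'MZ');"
                "open('config.ini','w').write('tampered')"]
        changes = run_sample(root, stub)
        restore_clean_image()
        return changes


if __name__ == "__main__":
    print(demo_run())
```

The diff is keyed on content hashes rather than timestamps so that a sample which rewrites a file in place is still caught; network captures and registry or process monitoring would be layered on top of this in the same before/after pattern.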

