Honeypots mailing list archives

IM and P2P HoneyClients


From: "Andre Gironda" <andre () operations net>
Date: Thu, 26 Jul 2007 09:19:51 -0500

With the new problems facing non-IRC botnets in the form of IM and P2P
attack channels, what methods and tools can we use to understand these
problems from the client-side?

SpywareGuide recently blogged about, "Security Attacks On The Rise in
IM and P2P Channels" as seen here:
http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html

For example, there are many tools to simulate a web or irc client
(honeyclients) as well as many search tools for crawling and/or
scraping both protocol channels.

But nothing much exists for IM or P2P that I'm aware of.  There are
P2P search sites, but they don't include the capability to uncompress
or execute the files, only search for their names.

Recently, I've been seeing a trend towards what SpywareGuide called
`multi-channel attacks'.  They said, quote, "It is important to note
with the rise of unified communications and Web 2.0 we can expect
attacks along social vectors to become more subtle, creative and far
more sophisticated".

The age of these types of multi-channel attacks is upon us, so it
would be wise to start investigating how they work.  I think research
in Cross Application Scripting goes back at least a few years, but
with the recent URI Use and Abuse paper (described with PoCs here:
http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html ),
even Firefox is failing to provide protections against these sorts
of attacks (Jesper's blog has a good explanation here:
http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx ).

What I'd like to see are tools for crawling / scraping IM and P2P
networks, and eventually, honeyclients to provide the ability to
measure and report.

I recently read Robert Danford's presentation on 2nd Generation Honeyclients
available here -
http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf

I learned about Danford's presentation by reading the new book by
Niels Provos and Thorsten Holz, "Virtual Honeypots", which reminded me
of the content and had some interesting ideas about crawling.  On page
272, they discuss P2P honeyclients and crawlers, which is also
mentioned in Danford's work.

The best I can think of is to automate tests through meebo or P2P
search sites using browser macro tools (iMacros, TestGen4Web, Watir,
Selenium, Sahi, et al.).

Additionally, there is another need for this type of scraping, what
with military and corporate secrets being accidentally (or
purposefully) uploaded to P2P networks as noted in this recent
research into the problem -
http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/

Has anyone been working on this problem?  SecuriTeam? SANS? HoneyNet
Research Alliance?

Cheers,
Andre
