Honeypots mailing list archives
IM and P2P HoneyClients
From: "Andre Gironda" <andre () operations net>
Date: Thu, 26 Jul 2007 09:19:51 -0500
With the new problems facing non-IRC botnets in the form of IM and P2P attack channels, what methods and tools can we use to understand these problems from the client-side? SpywareGuide recently blogged about "Security Attacks On The Rise in IM and P2P Channels", as seen here:
http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html

For example, there are many tools to simulate a web or IRC client (honeyclients), as well as many search tools for crawling and/or scraping both protocol channels. But nothing much exists for IM or P2P that I'm aware of. There are P2P search sites, but they don't include the capability to uncompress or execute the files, only to search for their names.

Recently, I've been seeing a trend towards what SpywareGuide called "multi-channel attacks". They said, quote, "It is important to note with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated". The age of these types of multi-channel attacks is upon us, so it would be wise to start investigating how they work.

I think research in Cross Application Scripting goes back at least a few years, but with the recent URI Use and Abuse paper (described with PoCs here: http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html ), even Firefox is failing to provide protections against these sorts of attacks (Jesper's blog has a good explanation here: http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx ).

What I'd like to see are tools for crawling/scraping IM and P2P networks, and eventually honeyclients to provide the ability to measure and report.
I recently read Robert Danford's presentation on 2nd Generation Honeyclients, available here:
http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf

I learned about Danford's presentation by reading the new book by Niels Provos and Thorsten Holz, "Virtual Honeypots", which reminded me of the content and had some interesting ideas about crawling. On page 272, they discuss P2P honeyclients and crawlers, which is also mentioned in Danford's work.

The best I can think of is to automate tests through meebo or P2P search sites using browser macro tools (iMacros, TestGen4Web, Watir, Selenium, Sahi, et al.).

Additionally, there is another need for this type of scraping, what with military and corporate secrets being accidentally (or purposefully) uploaded to P2P networks, as noted in this recent research into the problem:
http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/

Has anyone been working on this problem? SecuriTeam? SANS? HoneyNet Research Alliance?

Cheers,
Andre
Current thread:
- IM and P2P HoneyClients Andre Gironda (Jul 26)
- Re: IM and P2P HoneyClients Kathy Wang (Jul 27)