Re: IM and P2P HoneyClients

[Kathy Wang <knwang () synacklabs net>]

Andre,

On the Honeyclient Project (http://www.honeyclient.org/trac), we are working
on integrating P2P, DNS, and IM clients into our existing framework. Our
entire honeyclient architecture is modularized so that plug-ins for different
clients can easily be written. I don't know if you're interested in 
contributing, but we're open-sourced, and could use additional help, 
especially if you have Perl programming experience.

Our current honeyclient supports IE and Firefox, but I agree with you that
other non-web-based clients deserve a further look.

This project is also covered in Thorsten and Niels' book, if you're interested
in checking it out further. We're a fairly active project, so the information
in the book is probably already outdated, but feel free to contact me for
more details.

Kathy


On Thu, Jul 26, 2007 at 09:19:51AM -0500, Andre Gironda <andre () operations net> stated:
> With the new problems facing non-IRC botnets in the form of IM and P2P
> attack channels, what methods and tools can we use to understand these
> problems from the client-side?
>
> SpywareGuide recently blogged about, "Security Attacks On The Rise in
> IM and P2P Channels" as seen here:
> http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html
>
> For example, there are many tools to simulate a web or irc client
> (honeyclients) as well as many search tools for crawling and/or
> scraping both protocol channels.
>
> But nothing much exists for IM or P2P that I'm aware of.  There are
> P2P search sites, but they don't include the capability to uncompress
> or execute the files, only search for their names.
>
> Recently, I've been seeing a trend towards what SpywareGuide called
> `multi-channel attacks'.  They said, quote, "It is important to note
> with the rise of unified communications and Web  2.0 we can expect
> attacks along social vectors to become more subtle, creative and far
> more sophisticated".
>
> The age of these types of multi-channel attacks are upon us, so it
> would be wise to start investigating how they work.  I think research
> in Cross Application Scripting goes back at least a few years, but
> with the recent URI Use and Abuse paper (described with PoC's here
> http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html
> ), even Firefox is failing to provide protections against these sorts
> of attacks (Jesper's blog has a good explanation here -
> http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx
> ).
>
> What I'd like to see are tools for crawling / scraping IM and P2P
> networks, and eventually, honeyclients to provide the ability to
> measure and report.
>
> I recently read Robert Danford's presentation on 2nd Generation Honeyclients
> available here -
> http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf
>
> I learned about Danford's presentation by reading the new book by
> Niels Provos and Thorsten Holz, "Virtual Honeypots" reminded me of the
> content and had some interesting ideas about crawling.  On page 272,
> they discuss P2P honeyclients and crawlers, which is also mentioned in
> Danford's work.
>
> The best I can think of is to automate tests through meebo or p2p
> search sites using browser macro tools (iMacros, TestGen4Web, Watir,
> Selenium, Sahi, et al).
>
> Additionally, there is another need for this type of scraping, what
> with military and corporate secrets being accidentally (or
> purposefully) uploaded to P2P networks as noted in this recent
> research into the problem -
> http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/
>
> Has anyone been working on this problem?  SecuriTeam? SANS? HoneyNet
> Research Alliance?
>
> Cheers,
> Andre