Honeypots mailing list archives
Re: IM and P2P HoneyClients
From: Kathy Wang <knwang () synacklabs net>
Date: Fri, 27 Jul 2007 15:22:25 -0400
Andre,

On the Honeyclient Project (http://www.honeyclient.org/trac), we are working on integrating P2P, DNS, and IM clients into our existing framework. Our entire honeyclient architecture is modularized so that plug-ins for different clients can easily be written. I don't know if you're interested in contributing, but we're open source and could use additional help, especially if you have Perl programming experience.

Our current honeyclient supports IE and Firefox, but I agree with you that other non-web-based clients deserve a further look. This project is also covered in Thorsten and Niels' book, if you're interested in checking it out further. We're a fairly active project, so the information in the book is probably already outdated, but feel free to contact me for more details.

Kathy

On Thu, Jul 26, 2007 at 09:19:51AM -0500, Andre Gironda <andre () operations net> stated:
With the new problems facing non-IRC botnets in the form of IM and P2P attack channels, what methods and tools can we use to understand these problems from the client side? SpywareGuide recently blogged about "Security Attacks On The Rise in IM and P2P Channels", as seen here: http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html

For example, there are many tools to simulate a web or IRC client (honeyclients), as well as many search tools for crawling and/or scraping both protocol channels. But nothing much exists for IM or P2P that I'm aware of. There are P2P search sites, but they don't include the capability to uncompress or execute the files, only to search for their names.

Recently, I've been seeing a trend towards what SpywareGuide called `multi-channel attacks'. They said, quote, "It is important to note with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated". The age of these types of multi-channel attacks is upon us, so it would be wise to start investigating how they work. I think research in Cross Application Scripting goes back at least a few years, but with the recent URI Use and Abuse paper (described with PoCs here: http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html ), even Firefox is failing to provide protections against these sorts of attacks (Jesper's blog has a good explanation here: http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx ). What I'd like to see are tools for crawling / scraping IM and P2P networks and, eventually, honeyclients to provide the ability to measure and report.

I recently read Robert Danford's presentation on 2nd Generation Honeyclients, available here: http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf I learned about Danford's presentation by reading the new book by Niels Provos and Thorsten Holz, "Virtual Honeypots", which reminded me of the content and had some interesting ideas about crawling. On page 272, they discuss P2P honeyclients and crawlers, which is also mentioned in Danford's work. The best I can think of is to automate tests through meebo or P2P search sites using browser macro tools (iMacros, TestGen4Web, Watir, Selenium, Sahi, et al.).

Additionally, there is another need for this type of scraping, what with military and corporate secrets being accidentally (or purposefully) uploaded to P2P networks, as noted in this recent research into the problem: http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/

Has anyone been working on this problem? SecuriTeam? SANS? HoneyNet Research Alliance?

Cheers,
Andre
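The "quotes are not legal in a URL" point above comes down to a character check that any honeyclient or URI-handler glue layer can apply before handing a URI to an external protocol handler. The following is an added example written for this archive page, not code from either poster, the Honeyclient Project, or the blogs linked above. It validates a URI against the character classes RFC 3986 actually permits, and separately reports which quote and whitespace characters would reappear after percent-decoding, since a launcher that decodes before building a command line reintroduces exactly those characters. The sample URIs in the test are constructed for illustration and are not the published proof-of-concept strings.

```python
"""Character-level checks for URIs passed to external protocol handlers.

RFC 3986 allows only unreserved characters, the reserved gen-delims and
sub-delims, and percent-encoded octets.  A bare double quote, space,
backslash, <, >, {, }, |, ^ or backtick is never legal in a URI, so its
presence is a sign that the string should be rejected rather than handed
to a registered handler for its scheme.
"""
import re
from urllib.parse import unquote

# Character classes from RFC 3986 section 2.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
GEN_DELIMS = set(":/?#[]@")
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | GEN_DELIMS | SUB_DELIMS
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")

# Characters that must never reach a handler's command line unquoted.
# This set is an assumption for the example, not taken from any spec.
HAZARDS = set('"\\') | set(" \t\r\n")


def illegal_chars(uri):
    """Return a list of (position, char) for every character RFC 3986
    does not permit, treating a '%' not followed by two hex digits as
    illegal as well."""
    bad = []
    i = 0
    while i < len(uri):
        c = uri[i]
        if c == "%":
            if not PCT_ENCODED.match(uri, i):
                bad.append((i, c))
        elif c not in ALLOWED:
            bad.append((i, c))
        i += 1
    return bad


def decoded_hazards(uri):
    """Return the sorted set of hazardous characters present after
    percent-decoding, i.e. what a naive launcher would splice into a
    command line even though the raw URI looked well-formed."""
    return sorted(c for c in set(unquote(uri)) if c in HAZARDS)


def scheme_of(uri):
    """The scheme a handler would be looked up by (RFC 3986 section 3.1);
    empty string if the URI has no well-formed scheme."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", uri)
    return m.group(1).lower() if m else ""


def classify(uri):
    """Summarise a URI for a handler-launching layer.

    Returns one of:
      "illegal"            raw URI contains characters RFC 3986 forbids
      "decodes-to-hazard"  raw URI is well-formed but decodes to quotes
                           or whitespace that must be escaped or rejected
      "ok"                 neither problem found
    """
    if illegal_chars(uri):
        return "illegal"
    if decoded_hazards(uri):
        return "decodes-to-hazard"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real captured URIs.
    for sample in ('mailto:user@example.com?subject=hello',
                   'mailto:user@example.com?subject=say%20%22hi%22',
                   'mailto:a"b',
                   'foo:%zz'):
        print(f"{scheme_of(sample):8} {classify(sample):18} {sample}")
```

The two checks are kept separate on purpose: a rejecting layer (a browser or IM client deciding whether to launch a handler at all) wants `illegal_chars`, while a layer that has already decided to launch and is assembling arguments wants `decoded_hazards`, because a fully percent-encoded URI passes the first check and still carries the quotes that cause trouble once decoded.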