funsec mailing list archives
Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.
From: "Fergie" <fergdawg () netzero net>
Date: Mon, 5 Jun 2006 01:53:44 GMT
The user-interaction angle is the one that I'm really talking about here. Bots generally "spread" one of two ways: either by actively scanning and infecting an unpatched OS flaw (e.g. the MS05-039 PnP vulnerability/exploit), or via a user clicking on a dirty link & unwittingly installing the code (or a backdoor downloader which, in turn, can install the bot code itself). The latter, I think, is what we are seeing much more of these days, and to that end, I'm not really seeing that a honeynet is of much utility in that regard. Would love to hear opinions on this, however. :-)

Cheers,

- ferg

-- Robert <robert () servalens com> wrote:

> Ferg,
>
> Sorry bout that. I thought I at least nicked it.
>
> I would argue that the user activation part be automated from a honeyclient. And yes I agree about droppers, life boats, etc.
>
> When I deploy honeyclients it's on a fully instrumented network. So the dropper behavior can be picked up using:
> squid logs
> iptables traffic logs, pcaps
> windows firewall connection logging
> filesystem integrity checking
> etc, etc
>
> I'm a fan of correlating all the available information to get a picture of what's going on. I also think that a full OS is needed to get the secondary/tertiary events. Something like norman sandbox could provide the address the dropper might connect to, but I think you gotta let the program run and see what happens to get the full info.
>
> Everything above could be accomplished in a honeypot scenario unless techniques break out along vector lines, which I think is happening.
>
> Closer this time?
>
> Robert
>
> Fergie wrote:
>
> > Robert,
> >
> > That's great, but you really didn't address my question(s). :-)
> >
> > - ferg
> >
> > -- Robert <robert () servalens com> wrote:
> >
> > > Ferg,
> > >
> > > One outcropping of honeypots that I think helps address some of these new vectors is client-side honeypots, aka honeymonkeys or honeyclients. <shameless plug>I'm presenting on honeyclients at SANSFIRE '06 in DC in July</plug> and Microsoft and Mitre have been doing a lot of work in this area.
> > >
> > > I guess I would also throw spyware crawlers in there too. Which don't necessarily act as honeypots and get infected/compromised, but they do offer the ability to harvest some malware and characterize websites. Dan Hubbard at Websense has done great work in this area too.
> > >
> > > I was running a honeyclient project at StillSecure and I agree a big element (and one hard to automate and factor in) is the end-user behavior. I think a lot of studies so far have not taken into account how many people get duped (fake anti-spyware alerts, etc). In my project I had a great time clicking OK on any popup that arose (very liberating). But automation methods are needed in honeyclients to automate the UI. Otherwise crawlers miss the rich malicious content.
> > >
> > > I'm a big believer in this area if anyone is interested in discussing any of it. I had a full implementation in PERL that I was trying to GPL, but lost control of when I left StillSecure. I believe Mitre will be releasing a GPL honeyclient (not the honeyclient.org one) before too long.
> > >
> > > Cheers,
> > >
> > > Robert
> > >
> > > Fergie wrote:
> > >
> > > > Just tossing some thoughts around earlier this evening. Would appreciate some feedback.
> > > >
> > > > How valuable, would you say, are honeynets now that most malware/crimeware seems to be trojan downloader backdoor droppers that are "dropped" due to user activation (e.g. clicking on a link in an e-card), as opposed to trojan backdoors that are dropped via an OS exploit?
> > > >
> > > > Think about that for a moment.
> > > >
> > > > Serious feedback appreciated,
> > > >
> > > > - ferg
> > > >
> > > > p.s. This is _not_ to question the value of honeynets, per se, but more appropriately, to examine methodology in a broader context given the change in attack vector(s).
> > > >
> > > > --
> > > > "Fergie", a.k.a. Paul Ferguson
> > > > Engineering Architecture for the Internet
> > > > fergdawg () netzero net or fergdawg () sbcglobal net
> > > > ferg's tech blog: http://fergdawg.blogspot.com/
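Robert's point about picking up dropper behavior by correlating squid and iptables logs from an instrumented honeyclient network, as an added example that is not part of the original thread: it ties a proxied executable download to the direct flows the same honeyclient opens shortly afterwards, which is the dropper connecting out on its own. The honeyclient address 10.0.0.7, the proxy at 10.0.0.1, the log lines and the year 2006 are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not from the thread): honeyclient 10.0.0.7 browses through
# a squid proxy at 10.0.0.1; the honeynet gateway logs its outbound flows via iptables.
SQUID_LOG = """\
1149469200.120 512 10.0.0.7 TCP_MISS/200 4210 GET http://ecard.example.test/card.php?id=1 - DIRECT/203.0.113.10 text/html
1149469203.450 800 10.0.0.7 TCP_MISS/200 91230 GET http://dl.example.test/setup.exe - DIRECT/203.0.113.20 application/octet-stream
"""
IPTABLES_LOG = """\
Jun  5 01:00:00 honeynet kernel: HC-OUT IN=br0 OUT=eth0 SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=1033 DPT=3128
Jun  5 01:00:09 honeynet kernel: HC-OUT IN=br0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.5 PROTO=TCP SPT=1041 DPT=6667
Jun  5 01:30:00 honeynet kernel: HC-OUT IN=br0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.77 PROTO=TCP SPT=1050 DPT=80
"""
PROXY = "10.0.0.1"
LOG_YEAR = 2006  # syslog timestamps carry no year; assumed for the constructed sample
IPT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d).*SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def parse_squid(text):
    """Squid native access.log: epoch, elapsed, client, code, bytes, method, URL, ident, hier/peer, type."""
    events = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 10:
            events.append({"ts": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
                           "client": f[2], "url": f[6], "peer": f[8].split("/", 1)[1], "type": f[9]})
    return events

def parse_iptables(text, year=LOG_YEAR):
    """iptables LOG lines as written to syslog -> outbound flow records."""
    conns = []
    for m in filter(None, map(IPT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        conns.append({"ts": ts, "src": m.group(2), "dst": m.group(3), "proto": m.group(4), "dport": int(m.group(5))})
    return conns

def correlate(squid_text, ipt_text, proxy=PROXY, window_s=300):
    """For each proxied executable download, list the direct (non-proxy) flows the same
    honeyclient opens within window_s afterwards: the dropped program phoning home itself."""
    web = parse_squid(squid_text)
    downloads = [e for e in web if e["type"] == "application/octet-stream" or e["url"].lower().endswith(".exe")]
    known = {proxy} | {e["peer"] for e in web}  # hosts the browser legitimately reached via squid
    alerts = []
    for d in downloads:
        for c in parse_iptables(ipt_text):
            delta = (c["ts"] - d["ts"]).total_seconds()
            if c["src"] == d["client"] and 0 <= delta <= window_s and c["dst"] not in known:
                alerts.append((d["url"], c["dst"], c["proto"], c["dport"], int(delta)))
    return alerts
```

`correlate(SQUID_LOG, IPTABLES_LOG)` flags only the IRC-port flow five seconds after the setup.exe fetch; the connection half an hour later falls outside the default window and is reported only if window_s is widened.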