funsec mailing list archives

Re: Thinking out loud: On the value of honeynets, trojans, botnets, etc.


From: "Fergie" <fergdawg () netzero net>
Date: Mon, 5 Jun 2006 01:53:44 GMT

The user-interaction angle is the one that I'm really talking
about here.

Bots generally "spread" one of two ways: Either by actively
infecting via scanning and infecting an unpatched OS flaw (e.g.
the MS05-039 PnP vulnerability/exploit), or via a user clicking
on a dirty link & unwittingly installing the code (or a backdoor
downloader which, in turn, can install the bot code itself).

The latter, I think, is what we are seeing much more of these
days, and to that end, I'm not really seeing that a honeynet
is of much utility in that regard.

Would love to hear opinions on this, however. :-)

Cheers,

- ferg


-- Robert <robert () servalens com> wrote:
Ferg,

Sorry bout that. I thought I at least nicked it.
I would argue that the user activation part be automated from a honeyclient.
And yes, I agree about droppers, life boats, etc. When I deploy 
honeyclients it's on a fully instrumented network.
So the dropper behavior can be picked up using:
squid logs
iptables traffic logs,
pcaps
windows firewall connection logging
filesystem integrity checking
etc., etc.

I'm a fan of correlating all the available information to get a picture 
of what's going on.
I also think that a full OS is needed to get the secondary/tertiary 
events. Something like Norman Sandbox could provide the address the 
dropper might connect to, but I think you gotta let the program run and 
see what happens to get the full info.

Everything above could be accomplished in a honeypot scenario unless 
techniques break out along vector lines which I think is happening.
Closer this time?

Robert

Fergie wrote:

Robert,

That's great, but you really didn't address my question(s). :-)

- ferg


-- Robert <robert () servalens com> wrote:
Ferg,

One outcropping of honeypots that I think helps address some of these 
new vectors is client-side honeypots, aka honeymonkeys or honeyclients.
<shameless plug>I'm presenting on honeyclients at SANSFIRE '06 in DC in 
July</plug> and Microsoft and Mitre have been doing a lot of work in 
this area.
I guess I would also throw spyware crawlers in there too. Which don't 
necessarily act as honeypots and get infected/compromised, but they do 
offer the ability to harvest some malware and characterize websites. Dan 
Hubbard at Websense has done great work in this area too.

I was running a honeyclient project at StillSecure and I agree a big 
element (and one hard to automate and factor in) is the end-user 
behavior. I think a lot of studies so far have not taken into account 
how many people get duped (fake anti-spyware alerts, etc.). In my project 
I had a great time clicking OK on any popup that arose (very 
liberating). But automation methods are needed in honeyclients to 
automate the UI. Otherwise crawlers miss the rich malicious content.

I'm a big believer in this area if anyone is interested in discussing 
any of it. I had a full implementation in PERL that I was trying to GPL, 
but lost control of when I left StillSecure. I believe Mitre will be 
releasing a GPL honeyclient (not the honeyclient.org one) before too long.

Cheers,

Robert

Fergie wrote:


Just tossing some thoughts around earlier this evening.

Would appreciate some feedback.

How valuable, would you say, are honeynets now that most
malware/crimeware seems to be trojan downloader backdoor droppers
that are "dropped" due to user activation (e.g. clicking on a
link in an e-card), as opposed to trojan backdoors that are
dropped via an OS exploit?

Think about that for a moment.

Serious feedback appreciated,

- ferg

p.s. This is _not_ to question the value of honeynets, per se,
but more appropriately, to examine methodology in a broader
context given the change in attack vector(s).

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/




_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
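Robert's point about correlating squid logs, iptables traffic logs and filesystem integrity checks from an instrumented honeyclient network can be made concrete. The following script is an added example written for this archive page; it is not code from the thread, from Robert's honeyclient project, or from any of the tools mentioned. All log lines, hosts, addresses (RFC 5737 ranges and `.test` names), file paths and hashes are constructed placeholders, and the syslog year is assumed because iptables syslog lines do not carry one. It builds one timeline from the three sources and, for each executable fetched through the proxy, reports what appeared on disk and which non-web outbound connections followed within a short window, which is the secondary/tertiary activity Robert says a sandbox alone may not show.

```python
"""Correlate squid, iptables and file-integrity evidence from one honeyclient
run into a single dropper timeline.

Every log line, IP, hostname, path and hash below is constructed sample data
(RFC 5737 address ranges and .test names), not output from any real system.
"""
import re
from datetime import datetime, timezone

# --- constructed sample evidence (placeholders, not real hosts) -------------
SQUID_LOG = """\
1149472000.100    245 10.0.0.5 TCP_MISS/200 8120 GET http://cards.example.test/ecard.html - DIRECT/198.51.100.7 text/html
1149472004.500    900 10.0.0.5 TCP_MISS/200 51234 GET http://cards.example.test/viewer.exe - DIRECT/198.51.100.7 application/octet-stream
1149472031.200   1200 10.0.0.5 TCP_MISS/200 204800 GET http://dl.example.test/bot.exe - DIRECT/203.0.113.9 application/octet-stream
"""
IPTABLES_LOG = """\
Jun  5 01:46:44 honeyclient kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=1031 DPT=80
Jun  5 01:47:11 honeyclient kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=1033 DPT=80
Jun  5 01:47:40 honeyclient kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=1034 DPT=6667
"""
LOG_YEAR = 2006  # syslog lines carry no year; assumed for the sample data
# File-integrity snapshots taken before and after the run: path -> (sha256, mtime epoch)
FS_BEFORE = {
    r"C:\WINDOWS\system32\drivers\etc\hosts": ("aaaa0001", 1149400000),
    r"C:\WINDOWS\explorer.exe": ("aaaa0002", 1149400000),
}
FS_AFTER = {
    r"C:\WINDOWS\system32\drivers\etc\hosts": ("bbbb0001", 1149472035),  # modified
    r"C:\WINDOWS\explorer.exe": ("aaaa0002", 1149400000),                # unchanged
    r"C:\WINDOWS\system32\wuamgrd.exe": ("bbbb0002", 1149472025),        # new file
}

# Squid native access.log: time elapsed client code/status bytes method URL ident hierarchy type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)$")
IPTABLES_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")
WEB_PORTS = {80, 443}


def parse_squid(text):
    """Yield (ts, kind, url); executables become 'download', everything else 'fetch'."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        is_exe = m["ctype"] == "application/octet-stream" or m["url"].lower().endswith(".exe")
        yield float(m["ts"]), "download" if is_exe else "fetch", m["url"]


def parse_iptables(text):
    """Yield (ts, 'connection', 'dst:port') for each logged outbound connection."""
    for line in text.splitlines():
        m = IPTABLES_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S")
        yield when.replace(tzinfo=timezone.utc).timestamp(), "connection", f"{m['dst']}:{m['dpt']}"


def snapshot_diff(before, after):
    """Yield (mtime, 'new_file'|'modified_file', path) from two integrity snapshots."""
    for path, (digest, mtime) in after.items():
        if path not in before:
            yield mtime, "new_file", path
        elif before[path][0] != digest:
            yield mtime, "modified_file", path


def build_timeline():
    """Merge all three evidence sources into one time-ordered list of events."""
    events = list(parse_squid(SQUID_LOG)) + list(parse_iptables(IPTABLES_LOG))
    events += list(snapshot_diff(FS_BEFORE, FS_AFTER))
    return sorted(events, key=lambda e: (e[0], e[1]))


def dropper_chains(events, window=60.0):
    """For each executable download, collect what happened within `window` seconds after it."""
    chains = []
    for ts, kind, url in events:
        if kind != "download":
            continue
        later = [e for e in events if ts < e[0] <= ts + window]
        chains.append({
            "download": url,
            "new_files": [d for _, k, d in later if k in ("new_file", "modified_file")],
            "followup_downloads": [d for _, k, d in later if k == "download"],
            "non_web_connections": [d for _, k, d in later if k == "connection"
                                    and int(d.rsplit(":", 1)[1]) not in WEB_PORTS],
        })
    return chains


if __name__ == "__main__":
    for chain in dropper_chains(build_timeline()):
        print(chain["download"])
        for key in ("new_files", "followup_downloads", "non_web_connections"):
            for item in chain[key]:
                print(f"    {key}: {item}")
```

The window length and the "executable" heuristic are the two knobs to tune per deployment; pcap-derived DNS answers or Windows firewall logs would slot into the same timeline as additional event kinds without changing the correlation step.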

