Honeypots mailing list archives
Re: collecting spyware with a honeypot
From: George <george.p123 () gmail com>
Date: Mon, 18 Sep 2006 16:52:14 +0300
On 9/18/06, Jamie Riden <jamesr () europe com> wrote:
> On 17/09/06, George <george.p123 () gmail com> wrote:
> > Hello!
> > I would like to set up a honeypot for collecting spyware and adware. As
> > you know, spyware requires user action, so I can't use the classic
> > honeypot method to connect it to the internet and let the "bad guys"
> > attack it.
> >
> > I googled a little bit on this project and I didn't find a starting
> > point for it. Can you help me with some ideas or some links
> > about how I can deploy this kind of honeypot in such a way that it
> > receives fresh spyware and adware?
>
> I've been wondering about this myself - I think the main steps would be:
>
> * mechanism to trawl URLs - e.g. crawl everything that you get in your spam

The main problem is how I can make a list of URLs to crawl. Most of the spam URLs I have lead to sites that do not have malware. I've seen some spyware hidden on porn websites and also a lot of spyware on warez web sites. But is there a public blacklist of sites that keep spyware? Can I find a way to find that kind of link automatically? The main target of this project is to expose some honeypot e-mail addresses on a machine infected with spyware/adware applications that were designed to collect email addresses from the compromised host.

> * detection of compromise, and analysis
>
> You could do this in a VM and use snort to alert when the thing gets
> compromised and do a manual analysis. There are also low interaction
> solutions - here are a couple of references:
>
> http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient
> http://honeyc.sourceforge.net/
> http://capture-hpc.sourceforge.net/
> http://conference.hackinthebox.org/hitbsecconf2006kl/index.php?page_id=75
> http://pi1.informatik.uni-mannheim.de/diplomas/show/27

Interesting links. Searching on them I also found something on the same target:
http://research.microsoft.com/csm/strider/

> cheers,
>  Jamie
> --
> Jamie Riden, CISSP / jamesr () europe com / jamie.riden () gmail com
> NZ Honeynet project - http://www.nz-honeynet.org/
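
The URL-trawling step discussed in this thread, as an added example that is not part of the original messages: it builds a crawl queue from spam messages for a client honeypot running in an isolated VM, and fetches nothing itself. The function names, the (host, path) de-duplication key and the sample messages are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for n, v in attrs if n in ("href", "src") and v and URL_RE.match(v)]

def urls_from_message(raw):
    """Return every http(s) URL in the text and HTML parts of one message."""
    found = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            parser = LinkParser()
            parser.feed(part.get_content())
            found += parser.links
        elif part.get_content_type() == "text/plain":
            found += URL_RE.findall(part.get_content())
    return found

def crawl_queue(raw_messages):
    """De-duplicate on (host, path) so one spam run yields one visit per page."""
    seen, queue = set(), []
    for raw in raw_messages:
        for url in urls_from_message(raw):
            url = url.rstrip(".,);")  # punctuation that trails a URL in prose
            try:
                parts = urlsplit(url)
                key = ((parts.hostname or "").lower(), parts.path or "/")
            except ValueError:  # malformed host, e.g. unbalanced IPv6 brackets
                continue
            if key[0] and key not in seen:
                seen.add(key)
                queue.append(url)
    return queue

# Constructed sample messages using reserved example.test names.
SAMPLE_PLAIN = ("Subject: hi\nContent-Type: text/plain\n\n"
                "Deals at http://shop.example.test/deal?id=1.\nhttp://SHOP.example.test/deal?id=2\n")
SAMPLE_HTML = ('Subject: offer\nContent-Type: multipart/alternative; boundary="b1"\n\n--b1\n'
               "Content-Type: text/plain\n\nsee http://shop.example.test/deal\n--b1\nContent-Type: text/html\n\n"
               '<a href="http://warez.example.test/get.php">x</a><img src="http://img.example.test/p.gif">\n--b1--\n')
```

`crawl_queue([SAMPLE_PLAIN, SAMPLE_HTML])` returns three URLs; the per-recipient query variants and the repeated plain-text link collapse into one entry for `shop.example.test/deal`.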