Honeypots
IM and P2P HoneyClients Jul 26 2007 02:19PM
Andre Gironda (andre operations net) (1 replies)
Re: IM and P2P HoneyClients Jul 27 2007 07:22PM
Kathy Wang (knwang synacklabs net)
Andre,

On the Honeyclient Project (http://www.honeyclient.org/trac), we are working
on integrating P2P, DNS, and IM clients into our existing framework. Our
entire honeyclient architecture is modularized so that plug-ins for different
clients can easily be written. I don't know if you're interested in
contributing, but we're open-sourced, and could use additional help,
especially if you have Perl programming experience.

Our current honeyclient supports IE and Firefox, but I agree with you that
other non-web-based clients deserve a further look.

This project is also covered in Thorsten and Niels' book, if you're interested
in checking it out further. We're a fairly active project, so the information
in the book is probably already outdated, but feel free to contact me for
more details.

Kathy

On Thu, Jul 26, 2007 at 09:19:51AM -0500, Andre Gironda <andre (at) operations (dot) net [email concealed]> stated:
>With the new problems facing non-IRC botnets in the form of IM and P2P
>attack channels, what methods and tools can we use to understand these
>problems from the client-side?
>
>SpywareGuide recently blogged about, "Security Attacks On The Rise in
>IM and P2P Channels" as seen here:
>http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html
>
>For example, there are many tools to simulate a web or irc client
>(honeyclients) as well as many search tools for crawling and/or
>scraping both protocol channels.
>
>But nothing much exists for IM or P2P that I'm aware of. There are
>P2P search sites, but they don't include the capability to uncompress
>or execute the files, only search for their names.
>
>Recently, I've been seeing a trend towards what SpywareGuide called
>'multi-channel attacks'. They said, quote, "It is important to note
>with the rise of unified communications and Web 2.0 we can expect
>attacks along social vectors to become more subtle, creative and far
>more sophisticated".
>
>The age of these types of multi-channel attacks is upon us, so it
>would be wise to start investigating how they work. I think research
>in Cross Application Scripting goes back at least a few years, but
>with the recent URI Use and Abuse paper (described with PoC's here
>http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html
>), even Firefox is failing to provide protections against these sorts
>of attacks (Jesper's blog has a good explanation here -
>http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx
>).
>
>What I'd like to see are tools for crawling / scraping IM and P2P
>networks, and eventually, honeyclients to provide the ability to
>measure and report.
>
>I recently read Robert Danford's presentation on 2nd Generation Honeyclients
>available here -
>http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf
>
>I learned about Danford's presentation by reading the new book by
>Niels Provos and Thorsten Holz, "Virtual Honeypots", which reminded me
>of the content and had some interesting ideas about crawling. On page
>272, they discuss P2P honeyclients and crawlers, which is also
>mentioned in Danford's work.
>
>The best I can think of is to automate tests through meebo or p2p
>search sites using browser macro tools (iMacros, TestGen4Web, Watir,
>Selenium, Sahi, et al).
>
>Additionally, there is another need for this type of scraping, what
>with military and corporate secrets being accidentally (or
>purposefully) uploaded to P2P networks as noted in this recent
>research into the problem -
>http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/
>
>Has anyone been working on this problem? SecuriTeam? SANS? HoneyNet
>Research Alliance?
>
>Cheers,
>Andre

Copyright 2010, SecurityFocus