IM and P2P HoneyClients Jul 26 2007 02:19PM
Andre Gironda (andre operations net) (1 replies)
Re: IM and P2P HoneyClients Jul 27 2007 07:22PM
Kathy Wang (knwang synacklabs net)

On the Honeyclient Project (http://www.honeyclient.org/trac), we are working
on integrating P2P, DNS, and IM clients into our existing framework. Our
entire honeyclient architecture is modularized so that plug-ins for different
clients can easily be written. I don't know if you're interested in
contributing, but we're open-sourced, and could use additional help,
especially if you have Perl programming experience.

Our current honeyclient supports IE and Firefox, but I agree with you that
other non-web-based clients deserve a further look.

This project is also covered in Thorsten and Niels' book, if you're interested
in checking it out further. We're a fairly active project, so the information
in the book is probably already outdated, but feel free to contact me for
more details.


On Thu, Jul 26, 2007 at 09:19:51AM -0500, Andre Gironda <andre (at) operations (dot) net [email concealed]> stated:
>With the new problems facing non-IRC botnets in the form of IM and P2P
>attack channels, what methods and tools can we use to understand these
>problems from the client-side?
>SpywareGuide recently blogged about, "Security Attacks On The Rise in
>IM and P2P Channels" as seen here:
>For example, there are many tools to simulate a web or irc client
>(honeyclients) as well as many search tools for crawling and/or
>scraping both protocol channels.
>But nothing much exists for IM or P2P that I'm aware of. There are
>P2P search sites, but they don't include the capability to uncompress
>or execute the files, only search for their names.
>Recently, I've been seeing a trend towards what SpywareGuide called
>`multi-channel attacks'. They said, quote, "It is important to note
>with the rise of unified communications and Web 2.0 we can expect
>attacks along social vectors to become more subtle, creative and far
>more sophisticated".
>The age of these types of multi-channel attacks are upon us, so it
>would be wise to start investigating how they work. I think research
>in Cross Application Scripting goes back at least a few years, but
>with the recent URI Use and Abuse paper (described with PoC's here
>), even Firefox is failing to provide protections against these sorts
>of attacks (Jesper's blog has a good explanation here -
>What I'd like to see are tools for crawling / scraping IM and P2P
>networks, and eventually, honeyclients to provide the ability to
>measure and report.
>I recently read Robert Danford's presentation on 2nd Generation Honeyclients
>available here -
>I learned about Danford's presentation by reading the new book by
>Niels Provos and Thorsten Holz, "Virtual Honeypots" reminded me of the
>content and had some interesting ideas about crawling. On page 272,
>they discuss P2P honeyclients and crawlers, which is also mentioned in
>Danford's work.
>The best I can think of is to automate tests through meebo or p2p
>search sites using browser macro tools (iMacros, TestGen4Web, Watir,
>Selenium, Sahi, et al).
>Additionally, there is another need for this type of scraping, what
>with military and corporate secrets being accidentally (or
>purposefully) uploaded to P2P networks as noted in this recent
>research into the problem -
>Has anyone been working on this problem? SecuriTeam? SANS? HoneyNet
>Research Alliance?

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus