[funsec] Thinking out loud: On the value of honeynets, trojans, botnets, etc.

Mon Jun 5 00:09:49 CDT 2006

If you have the ability to install them, and the time to manage them, or
want to use them as a training tool for detection and response personnel...I
think they're still useful.

A while back I was (relatively speaking to my peers anyways) of the opinion
that honeynets were ultimately a waste of time because they generated more
false positives, and pseudopositives (positives you can do nothing about)
than they did positive positives (ya man ... thats the good stuff). 

I've since modified my opinion slightly. Whether it's the user interaction
branch of the threat tree or otherwise, the threat agent is rare that can
cherry pick. For those threat agents that *can* cherry pick, honey nets may
be relatively useless... But I would challenge the assumption that trojans
are more predominantly spread through unwitting install, rather than some
other method, and suggest that they (honenets) still have value as tripwires
along the path to the goodies...

And I think "Iskorpitx" would probably agree with me....that is, if they
woulda had some honeynets to help catch his Turkish a$$.

-

StyleWar

"There are 3 kinds of people: Those who MAKE things
happen, those who WATCH things happen, and those who
wonder 'WHAT HAPPENED?'" 

> -----Original Message-----
> From: funsec-bounces at linuxbox.org 
> [mailto:funsec-bounces at linuxbox.org] On Behalf Of Fergie
> Sent: Sunday, June 04, 2006 8:54 PM
> To: robert at servalens.com
> Cc: funsec at linuxbox.org
> Subject: Re: [funsec] Thinking out loud: On the value of 
> honeynets, trojans, botnets, etc.
> 
> The user-interaction angle in the one that I'm really talking 
> anout here.
> 
> Bots generally "spread" one of two ways: Either by actively 
> infecting via scanning and infecting an unpatched OS flaw (e.g.
> the MS05-039 PnP vulnerrability/exploit), or via a user 
> clicking on a dirty link & unwittingly installing the code 
> (or a backdoor downloader which, in turn, can install the bot 
> code itself).
> 
> The latter, I think, is what we are seeing much more of these 
> days, and to that end, I'm not really seeing that a honeynet 
> is of much utility in that regard.
> 
> Would love to hear opinions on this, however. :-)
> 
> Cheers,
> 
> - ferg
> 
> 
> -- Robert <robert at servalens.com> wrote:
> Ferg,
> 
> Sorry bout that. I thought I at least nicked it.
> I would argue that the user activation part be automated from 
> a honeyclient.
> And yes I agree about droppers, life boats, etc. When I 
> deploy honeyclients its on a fully instrumented network.
> So the dropper behavior can be picked up using:
> squid logs
> iptables traffic logs,
> pcaps
> windows firewall connection logging
> filesystem integrity checking
> etc,etc
> 
> I'm a fan of correlating all the available information to get 
> a picture of whats going on.
> I also think that a full OS is needed to get the 
> secondary/tertiary events. Something like norman sandbox 
> could provide the address the dropper might connect to, but I 
> think you gotta let the program run and see what happens to 
> get the full info.
> 
> Everything above could be accomplished in a honeypot scenario 
> unless techniques break out along vector lines which I think 
> is happening.
> Closer this time?
> 
> Robert
> 
> Fergie wrote:
> 
> >Robert,
> >
> >That's great, but you really didn't adress my question(s). :-)
> >
> >- ferg
> >
> >
> >-- Robert <robert at servalens.com> wrote:
> >Ferg,
> >
> >One outcropping of honeypots that I think helps address some 
> of these 
> >new vectors is client-side honeypots aka honeymonkies or 
> honeyclients.
> ><shameless plug>I'm presenting on honeyclients at SANSFIRE 
> '06 in DC in 
> >July</plug> and Microsoft and Mitre have been doing a lot of work in 
> >this area.
> >I guess I would also throw spyware crawlers in there too. 
> Which don't 
> >necessarily act as honeypots and get infected/compromised, 
> but they do 
> >offer the ability to harvest some malware and characterize websites. 
> >Dan Hubbard at Websense has done great work in this area too.
> >
> >I was running a honeyclient project at StillSecure and I agree a big 
> >element (and one hard to automate and factor in) is the end-user 
> >behavior. I think a lot of studies so far have not taken 
> into account 
> >how many people get duped (fake anti-spyware alerts, etc). In my 
> >project I have a great time clicking OK on any popup that 
> arose (very 
> >liberating). But automation methods are needed in honeyclients to 
> >automate the UI. Otherwise crawlers miss the rich malicious content.
> >
> >I'm a big believer in this area if anyone is interested in 
> discussing 
> >any of it. I had a full implementation in PERL that I was trying to 
> >GPL, but lost control of when I left StillSecure. I believe 
> Mitre will 
> >be releasing a GPL honeyclient (not the honeyclient.org one) 
> before too long.
> >
> >Cheers,
> >
> >Robert
> >
> >Fergie wrote:
> >
> >  
> >
> >>Just tossing some thoughts around earlier this evening.
> >>
> >>Would appreciate some feedback.
> >>
> >>How valuable, would you say, are honeynets now that most 
> >>malware/crimeware seems to trojan downloader backdoor droppers that 
> >>are "dropped" due to user activation (e.g. clicking on a link in an 
> >>e-card), as opposed to trojan backdoors that are dropped via an OS 
> >>exploit?
> >>
> >>Think about that for a moment.
> >>
> >>Serious feedback appreciated,
> >>
> >>- ferg
> >>
> >>p.s. This is _not_ to question the value of honeynets, per se, but 
> >>more appropriately, to examine methodology in a broader 
> context given 
> >>the change in attack vector(s).
> >>
> >>--
> >>"Fergie", a.k.a. Paul Ferguson
> >>Engineering Architecture for the Internet fergdawg at netzero.net or 
> >>fergdawg at sbcglobal.net ferg's tech blog: 
> http://fergdawg.blogspot.com/
> >>    
> >>
> 
> 
> 
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
> 