collecting spyware with a honeypot
2006-09-16 22:03:40
Hello!

I would like to set up a honeypot for collecting spyware and adware. As
you know, spyware requires user action, so I can't use the classic
honeypot method of connecting it to the internet and letting the "bad guys"
attack it.

I googled a little bit on this project and I didn't find a starting point
for it. Can you help me with some ideas or some links about how I can
deploy this kind of honeypot in such a way that it should receive fresh
spyware and adware?

Thanks in advance!
George

collecting spyware with a honeypot
2006-09-18 02:19:59
Just put an unpatched Windows box on the 'net. You should collect plenty.
8^)

-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of George
Sent: Saturday, September 16, 2006 5:04 PM
To: honeypots securityfocus.com
Subject: collecting spyware with a honeypot

collecting spyware with a honeypot
2006-09-18 02:42:25
On 17/09/06, George <george.p123 gmail.com> wrote:
> Hello!
> I would like to set up a honeypot for collecting spyware and adware. As
> you know, spyware requires user action, so I can't use the classic
> honeypot method of connecting it to the internet and letting the "bad guys"
> attack it.
>
> I googled a little bit on this project and I didn't find a starting point
> for it. Can you help me with some ideas or some links about how I can
> deploy this kind of honeypot in such a way that it should receive fresh
> spyware and adware?
I've been wondering about this myself - I think the main steps would be:

* mechanism to trawl URLs - e.g. crawl everything that you get in your spam
* detection of compromise, and analysis

You could do this in a VM and use snort to alert when the thing gets
compromised and do a manual analysis. There are also low interaction
solutions - here are a couple of references:

http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient
http://honeyc.sourceforge.net/
http://capture-hpc.sourceforge.net/
http://conference.hackinthebox.org/hitbsecconf2006kl/index.php?page_id=75
http://pi1.informatik.uni-mannheim.de/diplomas/show/27

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr europe.com / jamie.riden gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/

collecting spyware with a honeypot
2006-09-18 13:52:14
On 9/18/06, Jamie Riden <jamesr europe.com> wrote:
> On 17/09/06, George <george.p123 gmail.com> wrote:
> > Hello!
> > I would like to set up a honeypot for collecting spyware and adware. As
> > you know, spyware requires user action, so I can't use the classic
> > honeypot method of connecting it to the internet and letting the "bad guys"
> > attack it.
> >
> > I googled a little bit on this project and I didn't find a starting point
> > for it. Can you help me with some ideas or some links about how I can
> > deploy this kind of honeypot in such a way that it should receive fresh
> > spyware and adware?
>
> I've been wondering about this myself - I think the main steps would be:
>
> * mechanism to trawl URLs - e.g. crawl everything that you get in your spam

The main problem is how can I make a list of URLs to crawl? Most of the
spam URLs I have point to sites that do not have malware. I've seen some
spyware hidden on porn websites and also a lot of spyware on warez web
sites. But is there a public blacklist of sites that keep spyware? Can I
find a way to find that kind of link automatically?

The main target of this project is to expose some honeypot e-mail
addresses on a machine infected with spyware/adware applications that were
designed to collect email addresses from compromised hosts.

> * detection of compromise, and analysis
>
> You could do this in a VM and use snort to alert when the thing gets
> compromised and do a manual analysis. There are also low interaction
> solutions - here are a couple of references:
>
> http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient
> http://honeyc.sourceforge.net/
> http://capture-hpc.sourceforge.net/
> http://conference.hackinthebox.org/hitbsecconf2006kl/index.php?page_id=75
> http://pi1.informatik.uni-mannheim.de/diplomas/show/27
>

Interesting links. Searching on them I also found something on the same
target: http://research.microsoft.com/csm/strider/

> cheers,
> Jamie
> --
> Jamie Riden, CISSP / jamesr europe.com / jamie.riden gmail.com
> NZ Honeynet project - http://www.nz-honeynet.org/
>

collecting spyware with a honeypot
2006-09-18 14:23:40
George,

> I would like to set up a honeypot for collecting spyware and adware. As
> you know, spyware requires user action, so I can't use the classic
> honeypot method of connecting it to the internet and letting the "bad guys"
> attack it.

You don't necessarily need user interaction. Lots of ad/spyware is installed
after a bot infection. Samples can be collected with tools like honeytrap or
nepenthes and then run in a controlled environment, e.g. a VM protected by a
honeywall.

You then need some kind of automation to initialize a clean image, place and
start a sample and log changes such as downloaded files. You can also use a
hardware card that restores a clean system without the changes since the last
reboot if you prefer a non-virtual installation. Such a setup should be able
to process about one executable in 10 minutes.

Tillmann
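One way to do the "log changes such as downloaded files" step of the automated setup Tillmann describes, as an added example rather than code from the thread: hash every file in the clean image, start the sample, hash again and diff the two snapshots. The guest tree, the AdBar files and the hosts edit are constructed stand-ins; in a real deployment the snapshots would be taken from the guest's disk (e.g. a mounted VM image), and registry or autostart changes need a separate check that this file-level diff does not cover.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Map every file under root to (size, sha256): the clean-image baseline."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # locked or vanished file: skip it rather than abort the run
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def diff(before: dict, after: dict):
    """Return (new, modified, removed) relative paths between two snapshots.
    New files are the candidate 'downloaded files' to keep as samples."""
    new = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return new, modified, removed

def demo():
    """Constructed run: baseline a fake guest tree, let a stand-in 'sample'
    drop a binary and edit the hosts file, then report what changed."""
    root = Path(tempfile.mkdtemp(prefix="guest-"))
    try:
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "Program Files").mkdir()
        before = snapshot(root)
        # Stand-in for "place and start a sample" (constructed, no real malware).
        (root / "Program Files" / "AdBar").mkdir()
        (root / "Program Files" / "AdBar" / "adbar.exe").write_bytes(b"MZ constructed")
        (sys32 / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        after = snapshot(root)
        return diff(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```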

collecting spyware with a honeypot
2006-09-18 13:57:45
George,

You could also try googling 'honeyclient' or 'client-side honeypot' for
even more references and starting points.

Kathy

collecting spyware with a honeypot
2006-09-18 14:54:21
George, I have been doing this for a while now. There are clients you can
set up on honeypots which automate vulnerabilities and download the files
which are trying to be inserted into the computer. Specifically I have been
using nepenthes (http://nepenthes.mwcollect.org/). Also, you can check out
honeyclient which 'crawls through' web pages when you give it an initial
one. It's a set of perl scripts which look through a web page's source and
try to enumerate all possible links, then visit them, and so on. Hope this
helps.

Mat

collecting spyware with a honeypot
2006-10-09 09:53:37
On Mon, Sep 18, 2006 at 03:52:14PM +0200, George wrote:
> On 9/18/06, Jamie Riden <jamesr europe.com> wrote:

Hi George,

> > I've been wondering about this myself - I think the main steps would be:
> >
> > * mechanism to trawl URLs - e.g. crawl everything that you get in your spam
>
> The main problem is how can I make a list of URLs to crawl? Most of the
> spam URLs I have point to sites that do not have malware. I've seen some
> spyware hidden on porn websites and also a lot of spyware on warez web
> sites. But is there a public blacklist of sites that keep spyware? Can I
> find a way to find that kind of link automatically?

There was a talk on this topic at 22c3 in Berlin last December by
Krisztian Piller and Sebastian Wolfgarten.
http://chaosradio.ccc.de/22c3_m4v_871.html

They have/had the same problem you are raising, gaining a list of URLs to
crawl. One of their ideas was to set up a wiki with URLs where malware was
found. But I have no idea how far they have come with setting up a wiki
like this.

They also say that they have contacted Microsoft several times asking if
Microsoft would share their list of URLs. But it looks like the HoneyMonkey
project by Microsoft is not interested in sharing this list (if there is
one).

Regards,
Marc

collecting spyware with a honeypot
2006-10-09 14:15:09
Marc Samendinger wrote:
> On Mon, Sep 18, 2006 at 03:52:14PM +0200, George wrote:
>> On 9/18/06, Jamie Riden <jamesr europe.com> wrote:
>
> Hi George,
>
>>> I've been wondering about this myself - I think the main steps would be:
>>>
>>> * mechanism to trawl URLs - e.g. crawl everything that you get in your spam
>> The main problem is how can I make a list of URLs to crawl? Most of the
>> spam URLs I have point to sites that do not have malware. I've seen some
>> spyware hidden on porn websites and also a lot of spyware on warez web
>> sites. But is there a public blacklist of sites that keep spyware? Can I
>> find a way to find that kind of link automatically?
>
> There was a talk on this topic at 22c3 in Berlin last December by
> Krisztian Piller and Sebastian Wolfgarten.
> http://chaosradio.ccc.de/22c3_m4v_871.html
>
> They have/had the same problem you are raising, gaining a list of URLs to
> crawl. One of their ideas was to set up a wiki with URLs where malware was
> found. But I have no idea how far they have come with setting up a wiki
> like this.
>
> They also say that they have contacted Microsoft several times asking if
> Microsoft would share their list of URLs. But it looks like the HoneyMonkey
> project by Microsoft is not interested in sharing this list (if there is
> one).

Besides, the guys at stopbadware.org (Google & Co) would have their own
list of URLs. Example:
http://www.google.com/interstitial?url=http://www.purecheats.com/index.php/top50sitesz

Are they also reluctant to share their findings?

--
David Barroso Berrueta I+D+i (R&D)
Phone: (+34)943317330 Grupo S21sec Gestión, S.A.
'Not one day goes by that I don't ride, 'til the infinite, the horse of
my imagination'

collecting spyware with a honeypot
2006-10-09 21:40:48
On 09/10/06, Marc Samendinger <marc.samendinger sp-online.de> wrote:
> They have/had the same problem you are raising, gaining a list of URLs to
> crawl. One of their ideas was to set up a wiki with URLs where malware was
> found. But I have no idea how far they have come with setting up a wiki
> like this.

There should be plenty of these in spam.

Someone suggested setting up a secondary MX - spammers tend to prefer
secondaries as they often have no or limited filtering.

You could also set up a spam honeypot
( http://en.wikipedia.org/wiki/Honeypot_%28computing%29#Spam_honeypots )
like Jackpot and use the results from there.

I seem to remember Messenger spam containing lots of dodgy links; look for
UDP packets going to ports 1025-1030 or so.

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr europe.com / jamie.riden gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/
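The "crawl everything that you get in your spam" idea from Jamie's first reply, and the spam-honeypot seed list he suggests above, as an added example that is not code from the thread: decode each spam message's text and HTML parts (base64 and quoted-printable included, since raw bodies hide URLs from a naive grep), pull out the URLs, normalize and count them, and skip hosts on a small allow-list so the honeyclient is only pointed at unknown sites. Both spam messages and the allow-list are constructed inline.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IGNORE_HOSTS = {"en.wikipedia.org"}  # hosts never to feed the honeyclient (constructed)

def body_texts(raw: bytes):
    """Yield the decoded text/plain and text/html bodies of one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content()  # undoes base64 / quoted-printable transfer encoding

def normalize(url: str):
    """Lower-case scheme and host, drop fragment and trailing punctuation; None if no host."""
    p = urlsplit(url.rstrip(".,;:)!?"))
    try:
        netloc = p.hostname + (f":{p.port}" if p.port else "")
    except (TypeError, ValueError):  # no hostname at all, or a malformed port
        return None
    return urlunsplit((p.scheme.lower(), netloc, p.path or "/", p.query, ""))

def seed_list(raw_messages):
    """Map each candidate crawl URL to how many times it was seen across the spam."""
    counts = {}
    for raw in raw_messages:
        for text in body_texts(raw):
            for hit in URL_RE.findall(text):
                url = normalize(hit)
                if url and urlsplit(url).hostname not in IGNORE_HOSTS:
                    counts[url] = counts.get(url, 0) + 1
    return counts

def constructed_spam():
    """Two constructed spam mails: quoted-printable text and base64-encoded HTML."""
    m1 = EmailMessage()
    m1["Subject"] = "cheap software"
    m1.set_content("Get it at HTTP://Warez.Example.com/dl/setup.exe. "
                   "Mirror: http://warez.example.com/dl/setup.exe#promo",
                   cte="quoted-printable")
    m2 = EmailMessage()
    m2["Subject"] = "photos"
    m2.set_content('<html><body><a href="http://pics.example.org/gallery.php?id=7">'
                   'click</a> see http://en.wikipedia.org/wiki/Spam</body></html>',
                   subtype="html", cte="base64")
    return [m1.as_bytes(), m2.as_bytes()]
```

Feed `seed_list()` the raw messages from a spam honeypot or secondary-MX mailbox and hand the resulting URLs to a client honeypot such as the ones linked earlier in the thread.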