Andre,

On the Honeyclient Project (http://www.honeyclient.org/trac), we are working on integrating P2P, DNS, and IM clients into our existing framework. Our entire honeyclient architecture is modularized so that plug-ins for different clients can easily be written. I don't know if you're interested in contributing, but we're open-sourced, and could use additional help, especially if you have Perl programming experience.

Our current honeyclient supports IE and Firefox, but I agree with you that other non-web-based clients deserve a further look.

This project is also covered in Thorsten and Niels' book, if you're interested in checking it out further. We're a fairly active project, so the information in the book is probably already outdated, but feel free to contact me for more details.

Kathy
On Thu, Jul 26, 2007 at 09:19:51AM -0500, Andre Gironda <andre operations.net> stated:
> With the new problems facing non-IRC botnets in the form of IM and P2P attack channels, what methods and tools can we use to understand these problems from the client side?
>
> SpywareGuide recently blogged about "Security Attacks On The Rise in IM and P2P Channels", as seen here:
> http://blog.spywareguide.com/2007/07/security_attacks_on_the_rise_i.html
>
> For example, there are many tools to simulate a web or IRC client (honeyclients) as well as many search tools for crawling and/or scraping both protocol channels.
>
> But nothing much exists for IM or P2P that I'm aware of. There are P2P search sites, but they don't include the capability to uncompress or execute the files, only to search for their names.
>
> Recently, I've been seeing a trend towards what SpywareGuide called `multi-channel attacks'. They said, quote, "It is important to note with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated".
>
> The age of these types of multi-channel attacks is upon us, so it would be wise to start investigating how they work. I think research in Cross Application Scripting goes back at least a few years, but with the recent URI Use and Abuse paper (described with PoCs here: http://www.dhanjani.com/archives/2007/07/not_for_the_faint_of_heart_mul.html), even Firefox is failing to provide protections against these sorts of attacks (Jesper's blog has a good explanation here: http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx).
>
> What I'd like to see are tools for crawling / scraping IM and P2P networks, and eventually, honeyclients to provide the ability to measure and report.
>
> I recently read Robert Danford's presentation on 2nd Generation Honeyclients, available here:
> http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf
>
> I learned about Danford's presentation by reading the new book by Niels Provos and Thorsten Holz, "Virtual Honeypots", which reminded me of the content and had some interesting ideas about crawling. On page 272, they discuss P2P honeyclients and crawlers, which is also mentioned in Danford's work.
>
> The best I can think of is to automate tests through Meebo or P2P search sites using browser macro tools (iMacros, TestGen4Web, Watir, Selenium, Sahi, et al).
>
> Additionally, there is another need for this type of scraping, what with military and corporate secrets being accidentally (or purposefully) uploaded to P2P networks, as noted in this recent research into the problem:
> http://cwflyris.computerworld.com/t/1850413/6725332/72531/2/
>
> Has anyone been working on this problem? SecuriTeam? SANS? HoneyNet Research Alliance?
>
> Cheers,
> Andre
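For readers who want to see the core loop that both messages above are talking about, here is an added illustration (not code from the Honeyclient Project, from Danford's slides, or from either poster) of the integrity-check step a high-interaction honeyclient performs around each sample: snapshot the client's file tree, drive the client through one session (for IM or P2P, that would be accepting a file transfer or fetching a search hit inside a throwaway VM), snapshot again, and report everything that was added, modified, or deleted. The "P2P session" here is a constructed stand-in that drops a fake executable, rewrites a settings file, and removes a contact list, so the example runs offline; a real deployment would replace it with the client-driving plug-in and would watch the registry, processes, and network as well as the filesystem.

```python
"""
Minimal honeyclient-style integrity check.

Added example, not part of the Honeyclient Project. It assumes a snapshot of
(sha256, size) per regular file is enough to flag a suspicious session; the
real systems discussed in the thread also track registry, processes and network.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large downloads are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to (sha256, size)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks could point outside the monitored tree
            rel = str(p.relative_to(root))
            state[rel] = (_digest(p), p.stat().st_size)
    return state


@dataclass
class Diff:
    added: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    deleted: list = field(default_factory=list)

    def suspicious(self) -> bool:
        """Any change at all is worth a human look in a honeyclient."""
        return bool(self.added or self.modified or self.deleted)


def compare(before: dict, after: dict) -> Diff:
    """Classify every path seen in either snapshot."""
    d = Diff()
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            d.added.append(rel)
        elif rel not in after:
            d.deleted.append(rel)
        elif before[rel] != after[rel]:
            d.modified.append(rel)
    return d


def run_session(root: Path, session) -> Diff:
    """One honeyclient iteration: baseline, expose the client, compare."""
    before = snapshot(root)
    session(root)  # in production: drive the IM/P2P client inside a VM
    after = snapshot(root)
    return compare(before, after)


def demo() -> Diff:
    """Constructed scenario: a P2P 'download' that behaves like malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "client").mkdir()
        (root / "client" / "settings.ini").write_text("autostart=0\n")
        (root / "client" / "buddies.txt").write_text("alice\nbob\n")

        def fake_p2p_session(r: Path) -> None:
            # Simulated hostile behaviour; the bytes and names are made up.
            (r / "client" / "codec_update.exe").write_bytes(b"MZ\x90\x00")
            (r / "client" / "settings.ini").write_text("autostart=1\n")
            (r / "client" / "buddies.txt").unlink()

        return run_session(root, fake_p2p_session)


if __name__ == "__main__":
    result = demo()
    print("added:   ", result.added)
    print("modified:", result.modified)
    print("deleted: ", result.deleted)
```

The hashing is the part that matters: comparing only sizes or timestamps lets a sample rewrite a file in place without tripping the check, which is exactly the kind of quiet change the "multi-channel" samples in the thread would try to make. `compare()` is separated from `run_session()` so the same diff logic can be reused against registry or process snapshots if the plug-in collects them.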