Client-Side Honeypots
Wednesday, December 17. 2008
A client-side honeypot is a type of honeypots that is designed to collect information about client-side attacks. Typically such a honeypot uses Internet Explorer and continuously surfs the Web in an automated way. During the surfing, the system activity is closely monitored for changes such a new files on the hard disk or new processes since such changes indicate a successful drive-by download. In such a case, a malicious website has compromised the web browser by just visiting the site. Examples of client-side honeypots are Capture-HPC and the MITRE Honeyclient.
We run several client-side honeypots in our lab and find new malicious website frequently. At the moment, we find quite often sites that use malicious PDF files to exploit our browser. In such an attack, a vulnerability in the Adobe Acrobat Reader is exploited in order to execute code on the victim's machine. To illustrate such an exploit, I created a quick movie that shows a live exploit. In the future, I hope to cover client-side exploits more frequently. With exploits such as the current MS08-078 vulnerability I'm sure that we will observe more malicious sites in the future...
We run several client-side honeypots in our lab and find new malicious website frequently. At the moment, we find quite often sites that use malicious PDF files to exploit our browser. In such an attack, a vulnerability in the Adobe Acrobat Reader is exploited in order to execute code on the victim's machine. To illustrate such an exploit, I created a quick movie that shows a live exploit. In the future, I hope to cover client-side exploits more frequently. With exploits such as the current MS08-078 vulnerability I'm sure that we will observe more malicious sites in the future...
