Low-Interaction Honeyclient

I think I have not blogged about this project yet, so here is some news from our lab and the German Honeynet Project. Ali Ikinci is implementing, as part of his diploma thesis, a low-interaction honeyclient that is capable of detecting malicious websites based on signatures. The basic idea is to crawl the Web and then examine the downloaded files with different kinds of mechanisms. We start with simple heuristics like the output of common AV engines, but we plan to also integrate more advanced analysis methods, e.g., with the help of CWSandbox. In addition, we will extend the honeyclient with other input mechanisms, like e-mails.

Crawling the Web is fun, especially with a big pipe and a one-terabyte Ethernet disk. Some stats from preliminary tests: we downloaded more than 175,000 URIs in about one hour. The download itself runs at a couple of hundred KB/sec on average, and we collected more than 4 GB of data during this span of time. We already detected some malware in this data; more stats will follow in the next few weeks.
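As an added example (not code from the project or from this post), here is a sketch of the analysis chain described above: crawled downloads pass through cheap signature-based stages first, and each record notes which stage produced the verdict, so a heavier stage such as a sandbox could simply be appended to the list later. The signature names, known-bad hash and sample downloads are constructed for the example.

```python
import hashlib
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed signature data standing in for an AV engine's verdicts (hypothetical names).
KNOWN_BAD_SHA1 = {hashlib.sha1(b"MZ\x90\x00constructed-dropper-sample").hexdigest()}
SIGNATURES = {
    "JS/Obfuscated.Eval": re.compile(rb"eval\s*\(\s*unescape\s*\("),
    "HTML/HiddenIFrame": re.compile(rb"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I),
}

def hash_lookup(data: bytes) -> List[str]:
    """Cheapest stage: exact match of the download's SHA-1 against known-bad hashes."""
    return ["Known.Bad.Hash"] if hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1 else []

def signature_scan(data: bytes) -> List[str]:
    """Second stage: byte-pattern signatures over the downloaded content."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]

def analyze(uri: str, data: bytes, stages: List[Callable[[bytes], List[str]]]) -> Dict:
    """Run the stages in order, stopping at the first one that flags the sample."""
    record = {"uri": uri, "sha1": hashlib.sha1(data).hexdigest(),
              "size": len(data), "verdicts": [], "stage": None}
    for stage in stages:
        hits = stage(data)
        if hits:
            record["verdicts"], record["stage"] = hits, stage.__name__
            break
    return record

def run_honeyclient(fetched: List[Tuple[str, bytes]], stages) -> Dict:
    """Analyze crawled (uri, content) pairs and aggregate per-run statistics."""
    records = [analyze(uri, data, stages) for uri, data in fetched]
    flagged = [r for r in records if r["verdicts"]]
    stats = {"uris": len(records), "bytes": sum(r["size"] for r in records),
             "malicious": len(flagged),
             "by_verdict": Counter(v for r in flagged for v in r["verdicts"])}
    return {"records": records, "stats": stats}

# Constructed downloads in place of a live crawl; the URIs and contents are made up.
SAMPLES = [
    ("http://example.test/index.html", b"<html><body>Hello</body></html>"),
    ("http://example.test/drop.html",
     b"<html><iframe src='http://example.test/x' width=0 height=0></iframe></html>"),
    ("http://example.test/pack.js", b"var s='%75%6e';eval(unescape(s));"),
    ("http://example.test/setup.exe", b"MZ\x90\x00constructed-dropper-sample"),
]
```

Calling `run_honeyclient(SAMPLES, [hash_lookup, signature_scan])` flags three of the four constructed downloads and reports which stage caught each one.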
