17/09/06, George <george.p123 (AT) gmail (DOT) comwrote:
Hello!
I wold like to setup a honeypot for collecting spyware and adware. As
you know, spayware require user action, so i can't use the classic
honeypot method to connect it on the internet and let the "bad guys"
attack it.

I google a little bit on this project and i didn't find a point of
starting this project. Can you help me with some ideas or some links
about how can i deploy this kind of honeypot in a such way that it
should receive fresh spayware and adware?

I've been wondering about this myself - I think the main steps would be:

* mechanism to trawl URLs - e.g. crawl everything that you get in your spam
* detection of compromise, and analysis

You could do this in a VM and use snort to alert when the thing gets
compromised and do a manual analysis. There are also low interaction
solutions - here are a couple of references:

http://honeyc.sourceforge.net/

cheers,
Jamie

9/18/06, Jamie Riden <jamesr (AT) europe (DOT) comwrote:
17/09/06, George <george.p123 (AT) gmail (DOT) comwrote:
Hello!
I wold like to setup a honeypot for collecting spyware and adware. As
you know, spayware require user action, so i can't use the classic
honeypot method to connect it on the internet and let the "bad guys"
attack it.

I google a little bit on this project and i didn't find a point of
starting this project. Can you help me with some ideas or some links
about how can i deploy this kind of honeypot in a such way that it
should receive fresh spayware and adware?

I've been wondering about this myself - I think the main steps would be:

* mechanism to trawl URLs - e.g. crawl everything that you get in your spam

The main problem is how can i made a list of url to crawl?Most of the
spam url i have are sending to sites that do not have malware. I've
seen some spyware hided on porn websites and also a lot of spyware on
warez web site. But there is a public blacklist of sites that keeping
spyware? Can i find a way to find that kind of links automatically?

The main target of this project is to expose some honeypot e-mail
addresses on a machine infected with spyware/adware applications that
was designate to collect email addresses from compromised host.

* detection of compromise, and analysis

You could do this in a VM and use snort to alert when the thing gets
compromised and do a manual analysis. There are also low interaction
solutions - here are a couple of references:

http://honeyc.sourceforge.net/

Intresting links. Searching on them i also find something on the same target:

cheers,
Jamie

Marc Samendinger :
Mon, Sep 18, 2006 at 03:52:14PM +0200, George wrote:
>9/18/06, Jamie Riden <jamesr (AT) europe (DOT) comwrote:

Hi George,

I've been wondering about this myself - I think the main steps would be:

* mechanism to trawl URLs - e.g. crawl everything that you get in your spam
>The main problem is how can i made a list of url to crawl?Most of the
>spam url i have are sending to sites that do not have malware. I've
>seen some spyware hided on porn websites and also a lot of spyware on
>warez web site. But there is a public blacklist of sites that keeping
>spyware? Can i find a way to find that kind of links automatically?

There was a talk on this topic at 22c3 in Berlin last December by
Krisztian Piller and Sebastian Wolfgarten.

They have/had the same problem you are raising, gaining a list of
urls to crawl. of their idea was to set up a wiki with urls where
malware was found. But I have no idea how far they have come with
setting up a wiki like this.

They are also saying, that they have contacted Microsoft several times
asking if Microsoft would share their list of urls. But looks like the
HoneyMonkey project by Microsoft is not interested in sharing this list.
(If there is one)

Besides, the guys at stopbadware.org (Google & Co) would have their own
list of urls. Example:

Are also they reluctant to share their findings?

09/10/06, Marc Samendinger <marc.samendinger (AT) sp-online (DOT) dewrote:

They have/had the same problem you are raising, gaining a list of
urls to crawl. of their idea was to set up a wiki with urls where
malware was found. But I have no idea how far they have come with
setting up a wiki like this.

There should be plenty of these in spam.

Someone suggested setting up a secondary MX - spammers tend to prefer
secondaries as they often have no or limited filtering.

You could also set up a spam honeypot (
%28computing%29#Spam_honeypots )
like Jackpot and use the results from there.

I seem to remember Messenger spam containing lots of dodgy links, look
for UDP packets going to ports 1025-1030 or so.

cheers,
Jamie