At the end of February, I posted about honeypots and honeyclients and promised a follow-up on Christian Seifert's HoneyC honeyclient.
If you want an intro to HoneyC and how it works, then visit here.
I installed HoneyC on OpenBSD 4.0 (my home firewall), but you can run it on just about anything since it's 100% Ruby. HoneyC detects web client attacks and malware by matching what it fetches against Snort-style signatures, so the first step is to load it up with some signatures. For starters I hacked up the web-client.rules file that comes free with Snort, translating the rules into HoneyC's format. An example rule would be:
Original Snort rule:
Modified HoneyC rule:
The next step is to give HoneyC someplace to go looking for signature matches. There are two options for this. You can feed HoneyC a list of URLs to visit, or you can feed it a search term, in which case it searches Yahoo and then crawls and analyzes the results. The second option is a lot more interesting, and if you use your imagination, you can think of some easy search terms that will yield results (think keygen, lyrics, etc.). However, feeding HoneyC a list of URLs from, say, a proxy server log is a whole lot more relevant: those are pages your users actually visited. For kicks I took a day's worth of logs, pulled out every request where the URL ended in .EXE, and ran those through HoneyC. Sure enough, there were a couple of hits. As you might have guessed, these were also found via traditional IDS. But unlike the IDS, which only alerts on the traffic, I now have a sample of the malware to analyze.
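Here is what the log-to-URL-list step looks like in Ruby, the same language HoneyC is written in. This is an added example, not code from the post or from HoneyC. It assumes Squid's native access.log format (URL in the seventh field) and that HoneyC's list input is one URL per line; the log lines are constructed for the example. It keeps only GET requests whose URL path (not the query string) ends in .exe, case-insensitively, and deduplicates so HoneyC does not fetch the same binary once per client.

```ruby
require 'uri'
require 'set'

# Constructed sample lines in Squid native access.log format (assumed):
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = <<~LOG
  1172592000.123 245 10.0.0.12 TCP_MISS/200 153600 GET http://example.com/downloads/setup.exe - DIRECT/192.0.2.10 application/octet-stream
  1172592001.456 31 10.0.0.15 TCP_HIT/200 5120 GET http://example.com/index.html - NONE/- text/html
  1172592002.789 812 10.0.0.30 TCP_MISS/200 153600 GET http://example.com/downloads/setup.exe - DIRECT/192.0.2.10 application/octet-stream
  1172592003.111 200 10.0.0.20 TCP_MISS/404 512 GET http://example.net/tools/keygen.exe?id=42 - DIRECT/198.51.100.7 text/html
  1172592004.222 100 10.0.0.21 TCP_MISS/200 2048 GET http://example.org/exe-files/list.php - DIRECT/203.0.113.3 text/html
  1172592005.333 150 10.0.0.22 TCP_TUNNEL/200 0 CONNECT secure.example.com:443 - DIRECT/203.0.113.9 -
  1172592006.444 900 10.0.0.23 TCP_MISS/200 40960 GET http://mirror.example.org/pub/Update.EXE - DIRECT/203.0.113.4 application/octet-stream
LOG

# True when the URL is http(s) and its *path* ends in .exe (any case).
# Checking the path rather than the raw string avoids both false
# positives like list.php?file=a.exe and misses like keygen.exe?id=42.
def exe_url?(raw)
  uri = URI.parse(raw)
  return false unless %w[http https].include?(uri.scheme.to_s.downcase)
  uri.path.to_s.downcase.end_with?('.exe')
rescue URI::InvalidURIError
  false
end

# Walk the log and return the unique .exe URLs, in first-seen order.
# Status codes are not filtered: HoneyC re-fetches the URL anyway, and
# a 404 at proxy time may be live by the time the honeyclient visits.
def extract_exe_urls(log_text)
  seen = Set.new
  log_text.each_line.filter_map do |line|
    fields = line.split
    next if fields.size < 7
    method, url = fields[5], fields[6]
    next unless method == 'GET' && exe_url?(url)
    next unless seen.add?(url)   # add? returns nil on a duplicate
    url
  end
end

# Write the list in the one-URL-per-line shape assumed for HoneyC's
# list queuer; returns the number of URLs written.
def write_url_list(urls, path)
  File.write(path, urls.join("\n") + "\n")
  urls.size
end

if __FILE__ == $0
  log = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  urls = extract_exe_urls(log)
  puts urls
  warn "#{write_url_list(urls, 'exe-urls.txt')} URLs written to exe-urls.txt"
end
```

Run it against a real access.log (`ruby exe_urls.rb /var/squid/logs/access.log`) and hand the resulting file to HoneyC's list queuer. Swapping the `.exe` test for `.scr`, `.pif` or `.cab` is a one-line change if you want to widen the net.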
In recent honeyclient news, Niels Provos, one of the monkey.org supergeniuses, has released SpyBye. SpyBye is a web proxy that analyzes the pages passing through it for browser exploits. You can install and run it locally, or you may use the public proxy that Niels has set up at spybye.org. Very cool.