Wednesday, April 4, 2007

HoneyC Follow-Up

At the end of February, I posted about honeypots and honeyclients and promised a follow-up on Christian Seifert's HoneyC honeyclient.

If you want an intro to HoneyC and how it works, then visit here.

I installed HoneyC on OpenBSD 4.0 (my home firewall), but you can run it on just about anything since it's 100% Ruby. HoneyC relies on Snort-like signatures to detect web client attacks or malware. So the first step is to load it up with some signatures. I hacked up the web-client.rules file that comes free with Snort for starters. An example rule would be:

Original Snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)

Modified HoneyC rule:

alert tcp any any <> any any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)


The next step is to give HoneyC someplace to go looking for signature matches. There are two options for this. You can feed HoneyC a list of URLs to visit, or you can feed it a search term and it will search Yahoo and then crawl and analyze the results. The second option is a lot more interesting, and if you use your imagination, you can think of some easy search terms that will yield results (think keygen, lyrics, etc.). However, feeding HoneyC a list of URLs from, say, a proxy server log is a whole lot more relevant. For kicks I took a day's worth of logs where the URL ended in .EXE and ran those through HoneyC. Sure enough, there were a couple of hits. But as you might have guessed, these were also found via traditional IDS. Unlike with the IDS, though, I now have a sample of the malware to analyze.
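To make the two steps above concrete, here is an added example in Ruby (HoneyC's language; this is my own code, not HoneyC's or Snort's): it performs the header rewrite from the rule above and then does the kind of Snort-style content match HoneyC runs over a fetched page, including the `|28|` hex escape and the `nocase` modifier. The response body is constructed for the example.

```ruby
# Added example, not code from HoneyC or the post: the Snort-to-HoneyC header
# rewrite described above, plus a minimal content match of the kind a
# signature engine performs on a fetched response. Hex escapes such as |28|
# follow Snort's content syntax.

SNORT_RULE = 'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ' \
  '(msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; ' \
  'content:"document.domain|28|"; nocase; reference:bugtraq,5346; ' \
  'reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)'

# Rewrite the header to "any any <> any any" so the rule matches regardless of
# direction or port; the option list is kept verbatim.
def to_honeyc_rule(snort_rule)
  header, options = snort_rule.split(' (', 2)
  action, proto = header.split(/\s+/, 3)
  "#{action} #{proto} any any <> any any (#{options}"
end

# Extract the msg, content and nocase options from the rule body.
def parse_rule(rule)
  opts = rule[/\((.*)\)\s*\z/m, 1].split(';').map(&:strip)
  {
    msg:     opts.find { |o| o.start_with?('msg:') }[/"(.*)"/, 1],
    content: opts.find { |o| o.start_with?('content:') }[/"(.*)"/, 1],
    nocase:  opts.include?('nocase')
  }
end

# Turn Snort content syntax into raw bytes: "|28|" becomes "(".
def decode_content(content)
  content.b.gsub(/\|([0-9a-fA-F ]+)\|/) { [$1.delete(' ')].pack('H*') }
end

# Return the msg of the first rule whose content appears in body, else nil.
def match_body(rules, body)
  rules.each do |rule|
    r = parse_rule(rule)
    needle, hay = decode_content(r[:content]), body.b
    needle, hay = needle.downcase, hay.downcase if r[:nocase]
    return r[:msg] if hay.include?(needle)
  end
  nil
end

# Constructed response body: the call is mixed case, so only nocase catches it.
SAMPLE_BODY = "<html><script>var d = Document.Domain('x');</script></html>"
puts match_body([to_honeyc_rule(SNORT_RULE)], SAMPLE_BODY)
```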

In my opinion, HoneyC has some shortcomings. First, by being signature based, it misses a lot, and the whole point of using a honeypot or a honeyclient is to find bad stuff you don't already know about. So you may luck out and find some new malware using old browser exploits, but since HoneyC doesn't parse JavaScript, or even automatically download URLs that look like malware (.EXE, .VBS, .CMD), you still have to do most of the heavy lifting. Getting it to run is really easy. But getting from there to having exploits and binaries to analyze is still a lot of work.

In recent honeyclient news, Niels Provos, one of the monkey.org supergeniuses, has released SpyBye. SpyBye is a proxy that analyzes pages for browser exploits. You can install and run it locally, or you may use the proxy that Niels has set up at spybye.org. Very cool.

2 comments:

Nishant Burte said...

I am behind a proxy with authentication required, i.e. no direct internet access.
How can I use HoneyC in this case? I read that HoneyC requires a direct internet connection.
Thanks

Nishant Burte said...

I have got the answer. Actually, the latest version of HoneyC provides support for proxy authentication. Just grep for 'proxy' and you will get some files with a proxy entry facility in them. Edit those and done.
One more question: does anyone have more Snort signatures? I copied the signatures from the web-client.rules file as the blog said, but it could not detect any malicious site. Paul, which search strings did you use to get some positive results?
Thanks