It's been a while since I've covered anything to do with honeypots or honeyclients. But it's also been a while since anything new came along.
Via Thorsten Holz at honeyblog: Sicherheit'08: "Monkey-Spider: Detecting Malicious Web Sites with Low-Interaction Honeyclients"
Monkey-Spider, not to be confused with SpiderMonkey, is a new honeyclient from Thorsten, Ali Ikinci, and Felix Freiling. Like HoneyC, it's a crawler-based client that detects web-based, client-side attacks. It was presented at Sicherheit in Germany in April. Fortunately, the whitepaper and documentation are in English.
After reading the whitepaper and playing with the code a little, my reaction is that, while this is very cool and somewhat useful, what I really want for operationalizing a honeyclient in my enterprise is the ability to seed it from firewall/proxy logs. That way the honeyclient is analyzing the sites my users actually visit, not off crawling the web for random malicious sites to add to already-large blacklists.
Likely you already read this, but in http://monkeyspider.sourceforge.net/documentation.html there is this blurb:
Step 1 Seeding:
The Heritrix crawler starts crawling with a plain text file called seeds.txt inside of the standard crawl profile. There are four different methods to generate starting seeds for the crawler:
Manual URL addition: URL entries can be added manually during the crawl configuration or directly to the seeds.txt file if we want to analyze a known predefined set of Web sites.
So, modifying seeds.txt of the crawler component is the first place to try. Alternatively, you could just use Malware Domain List, http://www.malwaredomainlist.com/ , and Wepawet, http://wepawet.iseclab.org/ , to correlate and analyze your web traffic. Submittal to Virustotal and CWSandbox, http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/ , wouldn't hurt either.
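The seeding approach discussed in the post and in the comment above, feeding the crawler from proxy logs and dropping the result into the crawl profile's seeds.txt, can be scripted. The following is an added example written for this page, not Monkey-Spider's or Heritrix's own code: it parses Squid's native access.log format, keeps only completed GET requests for http/https URLs to hosts outside an internal allowlist, de-duplicates them in first-seen order, and writes them one per line, which is the layout Heritrix reads from seeds.txt. The log lines, host names and the internal-domain suffix are constructed for illustration.

```python
"""Build a Heritrix seeds.txt from Squid proxy access logs.

Added example for this page (not Monkey-Spider's or Heritrix's own code).
Assumes Squid's native access.log layout; the sample lines and the
internal-domain suffix below are constructed, not taken from a real estate.
"""
import sys
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer content-type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log (hosts are placeholders, not real indicators).
SAMPLE_LOG = """\
1209312000.123    245 10.0.0.7 TCP_MISS/200 5123 GET http://wiki.corp.example/index.html - DIRECT/10.0.1.5 text/html
1209312001.456    130 10.0.0.7 TCP_MISS/200 812 GET http://ads.example.net/banner.js - DIRECT/203.0.113.10 application/x-javascript
1209312002.789     90 10.0.0.9 TCP_MISS/302 0 GET http://redirect.example.org/go?id=42 - DIRECT/203.0.113.11 text/html
1209312003.000     50 10.0.0.9 TCP_MISS/200 0 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1209312004.111    100 10.0.0.9 TCP_MISS/200 812 GET http://ads.example.net/banner.js - DIRECT/203.0.113.10 application/x-javascript
1209312005.222    100 10.0.0.9 TCP_DENIED/403 0 GET http://blocked.example.net/ - NONE/- text/html
this line is garbage and should be skipped
"""

# Assumed internal domain suffixes; the honeyclient should not crawl these.
INTERNAL_SUFFIXES = (".corp.example",)


def parse_squid_line(line):
    """Return the field dict for one Squid native log line, or None if malformed."""
    m = SQUID_LINE.match(line)
    return m.groupdict() if m else None


def is_candidate(rec, internal_suffixes=INTERNAL_SUFFIXES):
    """Keep only completed GET requests for web URLs to external hosts.

    CONNECT tunnels carry no URL worth crawling, and denied or failed
    requests (4xx/5xx) never reached the site, so neither is seeded.
    """
    if rec["method"] != "GET":
        return False
    if not rec["status"].startswith(("2", "3")):
        return False
    parts = urlsplit(rec["url"])
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return not any(host == s.lstrip(".") or host.endswith(s)
                   for s in internal_suffixes)


def build_seeds(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return the de-duplicated seed URLs from a log, in first-seen order."""
    seeds = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and is_candidate(rec, internal_suffixes):
            seeds.setdefault(rec["url"], None)
    return list(seeds)


def write_seeds(urls, path="seeds.txt"):
    """Write one URL per line; lines starting with '#' are comments to Heritrix."""
    with open(path, "w") as fh:
        fh.write("# seeds generated from proxy logs\n")
        for u in urls:
            fh.write(u + "\n")
    return path


if __name__ == "__main__":
    # Usage: python seeds_from_squid.py < /var/log/squid/access.log
    # With no piped input, fall back to the constructed sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    out = write_seeds(build_seeds(text))
    print("wrote", out)
```

Drop the generated file in place of the seeds.txt in the Heritrix crawl profile that Monkey-Spider uses, and re-run the generator on a schedule so the crawler keeps pace with what the proxy actually sees. Widening the filter to POST targets or to the hosts contacted via CONNECT is a policy choice; the example deliberately seeds only URLs the crawler can fetch with a plain GET.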