Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

November 04, 2007

 

Interpretting a honeypot report

Honeypot.org has been trying to learn more about computer security and active exploits for years. Recently they had a browser in a Virtual Machine visit 300,000 URLs and record what happened. A honeypot is a network that pretends to be vulnerable and collects data about what is being done maliciously. This is done to see what exploits are being used today and what kind of defenses are effective. First they scanned with IE6 SP2. Then they surfed the "most malicious" of the URLs (about 30,000) with Firefox 1.5 and Opera 8.0. But Firefox or Opera was never infected. They attributed Firefox's exploit resistance to its built-in patching mechanism which makes it harder to exploit (shorter vulnerability window), and therefore also a less popular target. They also used black lists from MVPS.ORG and STOPBADWARE.ORG to see if they made a difference. A black list is a list of bad web-sites and they are used by many Anti-Spyware programs to alert you when you visit a site known to host malware. For years black lists have been scorned as ineffective since there were so many and they changed so rapidly. What this study found was that they did work. While the lists only identified about 12% of the sites as malicious, the majority of them called another site to download the actual malware. Most of those sites were on the lists. Most infections came from
  1. adult sites (57%)
  2. links in spam (16%)
  3. warez sites
  4. typos (e.g. googel.com instead of google.com)
  5. news sites,
  6. user content sites (blogs,...)
  7. music sharing
The two most malicious site was a fan site for the musician Kieth Jarret (www dot keithjarrett dot it) and a social netword (www dot anyboard dot com) because of the actions of a poster. Jarret's fan site In anyboard(dot)com, a user posted malicious javascript to call an exploit from an exploit server when then faked a security scan and tried to get your credit card information. Their recommendations a comment from a poster at GRC.COM (Al) "Couldn't VISA or AMEX designate a certain group of "valid credit card numbers" that would only be given out to law enforcement and recognized security professionals for use on these sites? Then see who submits the cc numbers for reimbursement" My comments The original report is at:
http://www.honeynet.org/papers/kye.html
Comments: Post a Comment

Links to this post:

Create a Link



<< Home

Experience the computer club and all it's SIG group that meet at Chapman university, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is http://ocsecsig.blogspot.com/atom.xml

Dave Keays, SIG leader

This page is powered by Blogger. Isn't yours?