[Offtopic] The NZ Honeypot Project
stephen at melbpc.org.au
Fri Sep 7 15:19:32 EST 2007
Malicious Web: Not just porn sites
<http://www.honeynet.org/papers/mws/>
Seven surprises from the Honeypot project show any content can sting,
and patching is your best defense. By Roger A. Grimes, August 31, 2007
<http://www.infoworld.com/article/07/08/31/35OPsecadvise-honeypots-honeyclients-hpc_1.html>
The New Zealand Honeynet Project, which produced Capture-HPC, (and many
other free, excellent, security tools) <www.honeynet.org/tools/index.html>
also produced an excellent white paper about using Capture-HPC to identify
malicious Web servers. On the group's Web site, you'll find that paper,
the captured data, and the free tools for anyone to inspect and replicate.
The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly
149,000 hosts) for three weeks and found 306 malicious URLs served from
194 malicious servers. Here are the most interesting points, to me:
1. The highest percentage of malicious Web servers were tied directly to
adult content. No surprise here. But all types of content (e.g. news or
sponsored links) were nearly as bad. It's not like you can just avoid
adult sites and be safe.
2. Many of the malicious Web sites turn non-malicious, and vice versa, all
the time. I've talked about this in previous columns, but essentially many
malware writers are taking great pains to make sure an infected Web site
serves up malicious content to any given IP address only once. That
strategy defeats additional inspection by anti-malware researchers and
honeyclients.
3. Only 12 percent of malicious URLs appeared on a blacklist.
Nevertheless, counterintuitive as it may seem, blacklists were highly
effective at blocking a large percentage of attacks. This is because the
blacklists often blocked the main back-end computers serving up most of
the malware. In today's Web-intertwined world, most of the infected Web
sites actually point to a smaller number of super server hosts. Block
them, and the original infected site is defanged.
4. Fully patched computers blocked 100 percent of the malicious attempts
(for the study, the project used Internet Explorer 6 SP2 instead of the
better-defended Internet Explorer 7).
5. The study includes analysis of several real Web sites and exploits.
6. Many of the exploits attempted to steal log-on names and passwords.
7. Most attacks used JavaScript to initiate the exploitation.
The paper ends with several defense recommendations, including:
* Keep fully patched, both OS and applications.
* Blacklists are effective.
* Don't run as root or admin in browser sessions.
* Host-based firewalls offer additional protection.
I encourage any computer security defender to download and read this
honeyclient paper. Roger A. Grimes is contributing editor of the InfoWorld
Test Center. He also writes the Security Adviser blog and the Security
Adviser column.
--
Cheers, people
Stephen Loosley
Victoria, Australia
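
Added example (not part of the forwarded article or the Honeynet paper): point 3 above says few malicious URLs are blacklisted themselves, yet blacklists still block most attacks because the listed hosts are the shared back-end servers. The sketch below measures both figures for a set of page-load chains; all hostnames, chains and the blacklist are constructed for illustration and are not data from the study.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_listed(host, blacklist):
    """True if the host or any parent domain is on the blacklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def coverage(chains, blacklist):
    """chains maps a landing URL to every URL fetched while rendering it.
    Returns (share of landing URLs that are listed themselves,
             share of page loads where some fetched host is listed)."""
    direct = blocked = 0
    for landing, fetched in chains.items():
        if is_listed(host_of(landing), blacklist):
            direct += 1
        if any(is_listed(host_of(u), blacklist) for u in [landing, *fetched]):
            blocked += 1
    n = len(chains) or 1  # avoid division by zero on empty input
    return direct / n, blocked / n

# Constructed sample: five compromised landing pages, three of which pull
# content from the same back-end host (exploit-hub.example).
CHAINS = {
    "http://news-a.example/story": ["http://ads.example/frame.js",
                                    "http://cdn.exploit-hub.example/x.js"],
    "http://links-b.example/": ["http://exploit-hub.example/go"],
    "http://adult-c.example/": ["http://EXPLOIT-HUB.example/go"],
    "http://blog-d.example/": ["http://other-host.example/p.js"],
    "http://listed-e.example/": [],
}
BLACKLIST = {"exploit-hub.example", "listed-e.example"}

if __name__ == "__main__":
    direct, blocked = coverage(CHAINS, BLACKLIST)
    print(f"landing URLs on blacklist: {direct:.0%}")
    print(f"page loads blocked by blacklist: {blocked:.0%}")
```

The check has to run against every request in the chain, not only the landing URL, which is why filtering at the proxy or DNS resolver catches what a landing-page lookup misses.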