[Offtopic] The NZ Honeypot Project

Fri Sep 7 15:19:32 EST 2007

Malicious Web: Not just porn sites 

<http://www.honeynet.org/papers/mws/>

Seven surprises from the Honeypot project show any content can sting,
and patching is your best defense. By Roger A. Grimes, August 31, 2007
<http://www.infoworld.com/article/07/08/31/35OPsecadvise-honeypots-
honeyclients-hpc_1.html>

The New Zealand Honeynet Project, which produced Capture-HPC, (and many 
other free, excellent, security tools) <www.honeynet.org/tools/index.html> 
also produced an excellent white paper about using Capture-HPC to identify 
malicious Web servers. On the group's Web site, you'll find that paper, 
the captured data, and the free tools for anyone to inspect and replicate. 

The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly 
149,000 hosts) for three weeks and found 306 malicious URLs served from 
194 malicious servers. Here are the most interesting points, to me: 

1. The highest percentage of malicious Web servers were tied directly to 
adult content. No surprise here. But all types of content (e.g. news or 
sponsored links) were nearly as bad.  It's not like you can just avoid 
adult sites and be safe. 

2. Many of the malicious Web sites turn non-malicious, and vice versa, all 
the time. I've talked about this in previous columns, but essentially many 
malware writers are taking great pains to make sure an infected Web site 
serves up malicious content to any given IP address only once. That 
strategy defeats additional inspection by anti-malware researchers and 
honeyclients. 

3. Only 12 percent of malicious URLs appeared on a blacklist. 
Nevertheless, counterintuitive as it may seem, blacklists were highly 
effective at blocking a large percentage of attacks. This is because the 
blacklists often blocked the main back-end computers serving up most of 
the malware. In today’s Web-intertwined world, most of the infected Web 
sites actually point to a smaller number of “super server” hosts. Block 
them, and the original infected site is defanged. 

4. Fully patched computers blocked 100 percent of the malicious attempts 
(for the study, the project used Internet Explorer 6 SP2 instead of the 
better-defended Internet Explorer 7). 

5. The study includes analysis of several real Web sites and exploits.

6. Many of the exploits attempted to steal log-on names and passwords.

7. Most attacks used JavaScript to initiate the exploitation.

The paper ends with several defense recommendations, including:

* Keep fully patched, both OS and applications.
* Blacklists are effective.
* Don’t run as root or admin in browser sessions.
* Host-based firewalls offer additional protection. 

I encourage any computer security defender to download and read this 
honeyclient paper. Roger A. Grimes is contributing editor of the InfoWorld 
Test Center. He also writes the Security Adviser blog and the Security 
Adviser column.
--

Cheers, people
Stephen Loosley
Victoria, Australia