Honeypots are forensic tools that have become indispensable to computer security experts monitoring online crime. They are used to gather statistics about popular attacks, to grab copies of malicious programs that carry out the attacks and to get a detailed understanding of how these attacks work.
To the malicious programs scouring the web these honeypots look like any other PC. But in the background the machines use a variety of forensic tools to log what happens to them.
Perhaps one indicator of how useful these tools have become is seen in the fact that the most sophisticated attackers make their malicious programs able to recognise when they have trespassed on a honeypot.
The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.
VMWare is useful as it makes it easy to pause the "virtual" PC or roll it back to an earlier configuration. This proved essential when recovering from an infection.
SEVEN HOURS OF ATTACKS
- 36 warnings that pop up via Windows Messenger
- 11 separate visits by Blaster worm
- 3 separate attacks by Slammer worm
- 1 attack aimed at Microsoft IIS Server
- 2-3 "port scans" seeking weak spots in Windows software
This guest machine, once armed with some forensic software, became the honeypot.
When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited; merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.
The majority of these incidents were merely nuisances. Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop up. Others were made to look like security warnings to trick people into downloading the bogus file.
However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/5414502.stm
[Editor's note - this is a little beyond our usual schtick, but it is valuable information for the average 'net user today. Do not use the web without oodles of 'protection'! - Dr C]
[Proofreader's note: this article was edited for spelling and typos on October 11, 2006]
Note: http://news.bbc.co.uk/g...

Anyone not using at the very least a software firewall like ZoneAlarm or other such programs is just asking to have their system turned into a remote controlled zombie box run by someone other than the computer's legitimate owner.
Also, ALWAYS have your computer's anti-virus software on and updated.
Also, please, Please, PLEASE, never Ever EVER open emails with attachments on them from people or organizations you have never heard of. More than likely they're emails with "trojan horse" viruses in them and are sent in the hope that you, the intended victim, are stupid enough to open them.
If anyone here thinks it's ok to have someone snooping around their computer because "I don't have anything on there worth taking", they should consider this: It is just as easy to put things on your hard-drive as it is to remove or read them.
If you think that someone malicious enough to essentially steal your computer also isn't malicious enough to put "kiddie porn" (or other materials guaranteed to ruin your reputation and give the local RCMP a real hard-on for your ass) on it and then report you to the cops, then feel free to leave the door open.
---
"and the knowledge they fear is a weapon to be used against them"
"The Weapon" - Rush
A free Antivirus (very good!)
http://www.clamwin.com/
Open source firewall, for those not using Win 2k (SP4) or XP
http://www.ntndis.com/w&p.php?id=26
or
http://winsockfirewall.sourceforge.net/
and Adware/Trojan blocker (like an antivirus, but for the less harmful but still annoying stuff)
http://www-spybot.net/
and an email filter:
http://spambayes.sourceforge.net/
People need to run *all* of these types of programs, and keep them updated at least weekly (along with running Windows Update!).
---
"I think it's important to always carry enough technology to restart civilization, should it be necessary." Mark Tilden
At home I've run bareback since before there was a web and have never had a problem.
Had it covered, but thanks.
Ad-Aware, Ewido, Spybot S&D, all good products for getting rid of spyware.
AVG Free, great anti-virus software by Grisoft. Been using it for the past 4-5 years.
---
"and the knowledge they fear is a weapon to be used against them"
"The Weapon" - Rush
"At home I've run bareback since before there was a web and have never had a problem."
If you've been bareback as you say, then without actually running both anti-spyware, or anti-virus software, you wouldn't know if you were infected or not.
And a really good virus builder would make their code completely seamless so that the perceived operation of your system wouldn't be slowed down enough to notice.
Also, did you know that it is now possible for unprotected computers running older versions of IE to pick up bugs while surfing sites designed to spread viruses?
The last person I spoke to who made that particular claim had 87 different viruses on their computer. I also have friends who are techs who have found HUNDREDS in a single system that was brought in.
The most viruses I myself have ever found on a PC was on a friend's P4: 137
Also, I'd like to know what kind of connection you run (dial up, DSL, cable etc), and whether or not you're behind a router.
---
"and the knowledge they fear is a weapon to be used against them"
"The Weapon" - Rush
http://news.bbc.co.uk/2/hi/technology/5414502.stm
Download and install Spybot (above) and run it. The results will surprise you. If it doesn't install, you definitely are.
Of course, this is all assuming you're running Windows.
---
"I think it's important to always carry enough technology to restart civilization, should it be necessary." Mark Tilden
And of course it's all "vintage". It's P1 133 Win95 and dialup. There's nothing on the machine except the basic OS, Dialup networking, Internet Exploder and Notepad. I do not intend to upgrade, so the software options are limited to vintage apps. Nothing but net. Email I do thru web-based forms at other locations. Any downloads I burn off to cdrw for migration to other systems. The machine is a sacrificial lamb in that I have a disc image and I can nuke it if I need to. But I haven't ever needed to. There are no files on it that I didn't put there AFAIK.
It's not like I think it can't or won't happen, it just never has. Most of my serious surfing I do at work, which is firewalled up the wazoo.
When Norton does find a virus, good luck finding the cure because their web site sucks too.
After I finally had enough of Norton, I uninstalled Norton and installed AVG. AVG immediately found 8 viruses that my always updated Norton did not know existed.
Also, I've always kind of suspected that Norton and McAfee et al are partially responsible for the massive virus plague that exists but you didn't hear it from me.
---
Everybody got to deviate from the norm