New Zealand’s Honeynet Alliance is offering a free service for webmasters. The local project is part of the global, non-profit Honeynet Project, a research organisation dedicated to improving the security of the internet at no cost to the public.
“Webmasters are, generally, at risk of having their websites attacked and compromised, and they usually don’t have the means to monitor their page,” says Christian Seifert, who runs the local Honeynet Alliance.
Seifert, one of four volunteer researchers involved in the project, is a PhD student at Victoria University in Wellington.
Once a website is compromised, the attacker might manipulate it to host malicious content, so that when a user visits the site they might be attacked, or spyware might be downloaded to the user’s machine without their consent, says Seifert.
The free web service, PATROL (Periodic Assessment of TReasured Online Links), allows webmasters to submit their own URL to the Honeynet Project’s open-source client honeypot, called Capture. Submitted URLs are monitored periodically by the client honeypot. Reports are generated on a regular basis and published on the New Zealand Honeynet Alliance website, says Seifert.
The Honeynet Project also offers a service called SCOUT (Speedy Complete Online URL Test) which is more targeted at end-users, says Seifert. It allows them to submit a URL and get immediate feedback, he says.“For example, if you get an email with a link that looks suspicious to you, you can submit that URL to our site and we will immediately tell you whether it is malicious or not,” he says.
The service was launched in mid-April and the Honeynet Project has identified 15 malicious URLs already, says Seifert.
Capture, developed at Victoria University, identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and monitoring any state changes on that box, says Seifert.
“If a new file appears in the start-up folder we know that that website is malicious,” he says.
The Honeynet Project’s method is not signature-based.
“We are looking at the effects of a successful attack and that allows us to detect [attackers] that we don’t know anything about yet,” he says. “So it is really geared towards the future, looking at future exploits — zero-day exploits,” he says.
Capture can be downloaded from the Honeynet website and is distributed under the GNU General Public Licence.
“The latest version of the client honeypot allows you look at attacks on various web browsers, not just Internet Explorer, but also Firefox and Opera,” he says.
It also features kernel level monitoring and is compatible with Vista.
Seifert says he is quite excited about the new version of Capture as it brings client honeypot technology into the hands of security people and web administrators.
“But we realise that not everybody has the time and resources to install the client honeypot,” he says. “That is why we have created the web service.”