Upgraded client honeypot available to the masses
- 15 April, 2008 22:00
Enhancements to its client honeypot Capture-HPC mean the Honeynet Project tool is now usable by non-experts, says one of its developers, Victoria University’s Christian Seifert.
Seifert is a PhD student at the Wellington university and also heads the local chapter of the global non-profit Honeynet Project. Capture has been developed by the Project in conjunction with Victoria’s School of Mathematics, Statistics and Computer Science. An updated and enhanced version of the high-interaction client honeypot has just been released.
Its improved capabilities upgrade Capture from a pure research tool, and put it into the hands of administrators and security professionals, as well as a wider range of security researchers, says Seifert.
The enhanced software tool includes new features and also has increased performance speed, allowing it to investigate a larger range and number of client-side computer attacks, says Seifert. He developed the tool with Ramon Steenson, a Honeynet volunteer and former research assistant at Victoria University.
The New Zealand chapter of the Honeynet Project is currently conducting a study for InternetNZ, which includes a comprehensive survey of the entire local web server space, says Seifert.
“This should allow us to assess the magnitude of the problem of client-side attacks in New Zealand, and take appropriate measures to make the internet in New Zealand a safer place,” he says.
The results of the study should be released in a few months.
Capture-HPC is free and can be downloaded from the Honeynet Project’s website.
Security researchers can use the tool to search specifically for and study malicious servers. It can also be used by virus and malware researchers, to collect malware pushed out by malicious servers; while network administrators can use it to monitor their systems for client-side attacks. In addition, website operators will find it useful for monitoring their sites for unauthorised modifications with client-side attack code, according to the open-source project.
Client honeypots like Capture struggle with the vast number of servers they need to inspect to track down client-side attacks. This means researchers usually have to set up multiple honeypots to look at a sample of sufficient size, says Seifert.
However, the new version of Capture-HPC enjoys a 500% increase in performance over the previous one, allowing security researchers with few resources to carry out automated investigations of client-side attacks, says Seifert.
Capture can now be run on one box and still collect a sufficiently large data-set, he says.
The performance gain is the result of interacting with potentially malicious web servers in a different way, says Seifert.
“In the past, we used one instance of a browser to retrieve a web page, [waited] a bit to see whether it [attacked], and then proceeded to the next web page,” he says.
Now, the tool visits multiple web pages, say 100, at the same time. If attacked, the total number of web pages is then split into smaller chunks and interacted with again until, eventually, the tool interacts with just one server, he says.
“This method is an application of the common divide and conquer algorithm design paradigm, which is also applied in algorithms such as the binary search,” says Seifert.
The Capture-HPC system can now collect more data than previously, he says. Besides malware and unauthorised state changes, Capture collects network traffic for all client and server interactions, he says. In addition, the new version reports system performance statistics, so operators can monitor Capture during operation.
The new software also introduces a client plug-in framework, which allows third-party developers to add support for additional client applications that are currently not supported by Capture. The tool already supports a range of browsers, office applications and media players, he says.
Seifert is currently working as an intern at a security software company in Seattle.