Client honeypot

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by FastHandSteve (talk | contribs) at 22:52, 15 October 2007. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Honeypots are security devices whose value lies in being probed and compromised. Traditional honeypots are servers (or devices that expose server services) that wait passively to be attacked. Client honeypots are active security devices that search for malicious servers that attack clients. The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred. Up until now, the focus of client honeypots has been web browsers, but any client that interacts with servers can be part of a client honeypot (for example FTP, SSH, email, etc.).

Several terms are used to describe client honeypots. Besides client honeypot, which is the correct classification, honeyclient is the other term that is generally used. However, HoneyClient is also the name of the first open source client honeypot implementation (see below). HoneyMonkey is also frequently encountered as a description of client honeypots; similar to honeyclient, HoneyMonkey refers to a specific implementation (see also HoneyMonkey below).

Architecture

A client honeypot is composed of three components. The first component, a queuer, is responsible for creating a list of servers for the client to visit. This list can be created, for example, through crawling. The second component is the client itself, which is able to make a request to a server that the queuer has identified. After the interaction with the server has taken place, the third component, an analysis engine, is responsible for determining whether an attack has taken place on the client honeypot.

In addition to these components, client honeypots are usually equipped with some sort of containment strategy to prevent successful attacks from spreading beyond the client honeypot. This is usually achieved by firewalling the client honeypot and containing it within a virtual machine.

Types of client honeypots

Analogous to traditional server honeypots, client honeypots are mainly classified by their interaction level, high or low, which denotes the level of functional interaction the server can utilize on the client honeypot.

High interaction

High interaction client honeypots are fully functional systems comparable to real systems with real clients. As such, no functional limitations (besides the containment strategy) exist on high interaction client honeypots. Attacks on high interaction client honeypots are detected via inspection of the state of the system after a server has been interacted with. For example, the appearance of a new file in a directory is a strong indicator that the server has exploited a vulnerability in the client to install that file.

High interaction client honeypots are very effective at detecting unknown attacks on clients. However, since the state of the system must be monitored to make an attack assessment, high interaction client honeypots are rather slow. Further, this detection mechanism is prone to detection evasion. For example, an attack could delay the exploit from triggering immediately (a time bomb), or an attack could trigger only upon user action (e.g. once the mouse hovers over an image). Since no immediate state change occurred, the client honeypot is likely to incorrectly classify the server as safe although it did attack the client. Finally, high interaction client honeypots are expensive, as an entire system is needed to operate them.

Low interaction

Low interaction client honeypots differ from high interaction client honeypots in that they do not utilize an entire real system, but rather use lightweight or simulated clients to interact with the server (in the browser world, low interaction client honeypots are similar to web crawlers). Once a server has served up its response, the response is examined directly to assess whether an attack has taken place. This could be done, for example, by examining the response for malicious strings.

Low interaction client honeypots are likely to have a lower detection rate, since the attack has to be known to the client honeypot; new attacks are likely to go unnoticed. However, due to their lightweight nature, low interaction client honeypots are easy to deploy and operate and are also very fast at interacting with servers.

Specific implementations

HoneyMonkey

HoneyMonkey [1] is a web browser based (IE) high interaction client honeypot implemented by Microsoft in 2005. It is not available for download. HoneyMonkey is state based and detects attacks on clients by monitoring files, the registry, and processes. A unique characteristic of HoneyMonkey is its layered approach to interacting with servers in order to identify zero-day exploits. HoneyMonkey initially crawls the web with a vulnerable configuration. Once an attack has been identified, the server is re-examined with a fully patched configuration. If the attack is still detected, one can conclude that it utilizes an exploit for which no patch has been publicly released yet, and is therefore quite dangerous.

MITRE HoneyClient

HoneyClient [2] is a web browser based (IE/Firefox) high interaction client honeypot implemented by Kathy Wang in 2004 or 2005. It is the first open source client honeypot and is written in Perl. HoneyClient is state based and detects attacks on clients by monitoring specific directories and registry entries. This is done by taking cryptographic hashes of each file and registry entry and comparing them to cryptographic hashes taken after an interaction with a server has occurred. As a result, HoneyClient is rather slow to crawl and detect malicious servers.
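The state-based analysis engine described in the Architecture and High interaction sections, and the hash comparison HoneyClient uses, as an added example (not HoneyClient's own code): every file under a monitored directory is hashed before and after the client's visit, and any added, modified or removed file marks the server as malicious. The Startup folder, the file names and the "visit" are constructed; a real deployment would run the client against the queued server between the two snapshots.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not HoneyClient's own code): a minimal state-based analysis engine
# that hashes every file under a monitored directory before and after the client
# visits a server, then flags the server if anything appeared, changed or vanished.

def snapshot(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state

def diff_state(before, after):
    """Return (added, modified, removed) paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, removed

def classify(before, after):
    """Any unauthorized state change marks the visited server as malicious."""
    added, modified, removed = diff_state(before, after)
    return "malicious" if (added or modified or removed) else "benign"

def demo():
    """Constructed scenario: the 'visit' drops a new file into a monitored Startup folder.
    Returns the verdict and the list of added files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "Startup"
        startup.mkdir()
        (startup / "readme.txt").write_text("existing benign file\n")
        before = snapshot(root)  # baseline taken before the interaction
        # Simulated side effect of the interaction (constructed placeholder, not a real binary).
        (startup / "dropped.exe").write_bytes(b"constructed placeholder payload")
        after = snapshot(root)   # state after the interaction
        return classify(before, after), diff_state(before, after)[0]

if __name__ == "__main__":
    print(demo())
```

Because the check only runs after the interaction, a payload that delays its file write (the time bomb case above) leaves both snapshots identical and is classified benign.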

Capture-HPC

Capture is a high interaction client honeypot [3] developed by researchers at Victoria University of Wellington, NZ. Capture differs from existing client honeypots in various ways. First, it is designed to be fast: state changes are detected using an event based model, allowing it to react to state changes as they occur. Second, Capture is designed to be scalable: a central Capture server is able to control numerous clients across a network. Third, Capture is intended to be a framework that allows different clients to be utilized. The initial version of Capture supports Internet Explorer, but additional clients will be supported in upcoming versions of Capture.

UW Spycrawler

The Spycrawler [4], developed at the University of Washington by Moshchuk et al. in 2005, is yet another browser based (Mozilla) high interaction client honeypot. This client honeypot is not available for download. The Spycrawler is state based and detects attacks on clients by monitoring files, processes, the registry, and browser crashes. Spycrawler's detection mechanism is event based. Further, it accelerates the passage of time in the virtual machine the Spycrawler operates in to overcome (or rather, reduce the impact of) time bombs.

HoneyC

HoneyC [5] is a low interaction client honeypot developed at Victoria University of Wellington by Christian Seifert in 2006. HoneyC is a platform independent open source framework written in Ruby. It currently concentrates on driving a web browser simulator to interact with servers. Malicious servers are detected by statically examining the web server's response for malicious strings using Snort signatures.
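The static response examination described under Low interaction and used by HoneyC, as an added example (not HoneyC's own code): a server's response is matched against a small signature set, and any hit classifies the server as malicious. The signatures and the three responses are constructed for illustration and are not Snort rules; the third response uses a construct no signature covers, which is the "unknown attack goes unnoticed" limitation the text notes.

```python
import re

# Added example (not HoneyC's own code): a low interaction analysis engine that
# statically scans a server's response against signature patterns. The signatures
# and responses below are constructed for illustration, not Snort rules.
SIGNATURES = {
    "script-eval-unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.IGNORECASE),
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.IGNORECASE),
}

def scan_response(body):
    """Return the names of every signature that matches the response body."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(body))

def classify(body):
    """Any signature hit marks the server as malicious; no hit means benign."""
    return "malicious" if scan_response(body) else "benign"

# Constructed responses: a plain page, a page carrying two known patterns, and a page
# that only references an external script, which no signature above describes.
PLAIN_RESPONSE = "<html><body><h1>Welcome</h1><p>Nothing to see.</p></body></html>"
FLAGGED_RESPONSE = (
    "<html><body>"
    '<iframe src="http://example.invalid/x" width=0 height=0></iframe>'
    '<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>'  # decodes to alert(1)
    "</body></html>"
)
UNKNOWN_RESPONSE = (
    "<html><body>"
    '<script src="http://example.invalid/loader.js"></script>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in [("plain", PLAIN_RESPONSE), ("flagged", FLAGGED_RESPONSE), ("unknown", UNKNOWN_RESPONSE)]:
        print(label, classify(body), scan_response(body))
```

Unlike the high interaction approach, nothing is executed here, so the scan is fast and safe to run at crawler speed, but it can only report what its signature set already describes.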

SpyBye

SpyBye [6] is a low interaction client honeypot developed by Niels Provos. SpyBye allows a web master to determine whether a web site is malicious by applying a set of heuristics and scanning its content with the ClamAV engine.

SHELIA

Shelia [7] is a high interaction client honeypot developed by Joan Robert Rocaspana at Vrije Universiteit Amsterdam. It integrates with an email reader and processes each email it receives (URLs and attachments). Depending on the type of URL or attachment received, it opens a different client application (e.g. browser, office application, etc.). It monitors whether executable instructions are executed in the data area of memory (which would indicate that a buffer overflow exploit has been triggered). With such an approach, Shelia is not only able to detect exploits, but is able to actually prevent exploits from triggering.

Monkey-Spider

Monkey-Spider [8] is a low interaction client honeypot developed at the University of Mannheim by Ali Ikinci. Monkey-Spider is a crawler based client honeypot that utilizes anti-virus solutions to detect malware. It is claimed to be fast and extensible with other detection mechanisms. The work started as a diploma thesis and will be continued and released soon as free software.

Additional Projects in the works

There are several additional projects in the works that have not yet resulted in releases or publication of results. These are namely a high interaction client honeypot framework being developed at the University of Mannheim [9] and Web Exploit Finder, developed by three students of the Hochschule der Medien, Stuttgart [10]. Robert Danford has been working on second generation client honeypots with an implementation, the Pezzonavante Honeyclient [11], but has not released the software or his results.

Services

SCOUT

The New Zealand Honeynet Alliance offers a web service called SCOUT [12] that allows end users to submit suspicious URLs via a web page for immediate assessment by an installation of the Capture-HPC client honeypot. Once a URL has been submitted, the client honeypot (which runs Windows XP SP2 and Internet Explorer 6.0) retrieves the URL and checks for any unauthorized state changes (e.g. a new file in the startup folder). If any such changes are detected, the URL is classified as malicious, otherwise as benign.

PATROL

The New Zealand Honeynet Alliance offers a web service called PATROL [13] that allows web administrators to have their site periodically monitored by an installation of the Capture-HPC client honeypot. If the site has been attacked and compromised and is starting to serve malware, the client honeypot will detect and report this. A simple web page is provided that allows web administrators to submit the URLs of their site. Once submitted, the client honeypot (which runs Windows XP SP2 and Internet Explorer 6.0) retrieves the URLs on a regular basis, checks for any unauthorized state changes (e.g. a new file in the startup folder), and generates a downloadable report describing the malicious nature of the URL.

Notes and references