
April 20, 2005

Why We Need Honeyclients

This article talks about how attackers are now using fake weblogs to entice users to click on certain links. Once those links are accessed, malware such as keyloggers and trojans is uploaded to the victim host from the malicious server. In the attacks the article describes, users are socially engineered into clicking the link, which starts the malware upload to their machines. However, the attack could certainly be carried out in such a way that users only need to access the site to become infected, all without clicking on a single URL on that site.

This server-to-client attack cannot be detected using traditional honeypots. Traditional honeypots are passive devices that do not actively hit sites for data. Honeyclients, however, can be deployed to detect and warn of such malicious servers, because honeyclients are designed to actively access those servers. If we hope to better detect new server-to-client 0-day attacks, we need to actively look for those servers.
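A sketch of the active approach described above, as an added example that is not from the original post or from any honeyclient project: visit each URL, then compare the client's state before and after. The state check (hashing files under a directory), the names `crawl`, `visit` and `simulated_visit`, and the sample URLs are assumptions; the post does not say how a honeyclient decides that a server is malicious.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path under root to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(before, after):
    """Return sorted (change, path) pairs between two snapshots."""
    changes = [("added", p) for p in after if p not in before]
    changes += [("removed", p) for p in before if p not in after]
    changes += [("modified", p) for p in after if p in before and before[p] != after[p]]
    return sorted(changes)

def crawl(urls, visit, root):
    """Actively visit each URL and report the ones that altered client state.

    `visit(url, root)` is a hypothetical hook that would drive the real client,
    for example a browser in a disposable VM whose disk is visible at `root`.
    """
    suspicious = {}
    for url in urls:
        before = snapshot(root)
        visit(url, root)
        changes = diff(before, snapshot(root))
        if changes:
            suspicious[url] = changes
    return suspicious

def simulated_visit(url, root):
    """Constructed stand-in for a browser: one URL silently leaves a file behind."""
    if url == "http://blog.example/post":
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"constructed placeholder bytes")

def demo():
    """Run the crawl over constructed URLs against a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        urls = ["http://news.example/", "http://blog.example/post"]
        return crawl(urls, simulated_visit, root)
```

A passive honeypot never runs the loop in `crawl`: it waits for inbound connections, so a server that only attacks clients who visit it is never observed.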

Posted by Kathy at April 20, 2005 10:24 PM
