[Dshield] Msft Research

Jody J. Hietpas jodyh at iname.com
Thu Aug 18 16:22:20 GMT 2005


On Thu, Aug 18, 2005 at 09:46:10AM -0600, Josh Tolley wrote:
> Jody J. Hietpas wrote:
> > I've been wondering how long the HoneyMonkey would be effective for them.
> 
> There's a difference, though. Provided Microsoft at least tries to hide 
> its sources (that is, not having every honeymonkey probe come from 
> research.microsoft.com), they're pretty safe. Their results aren't 
> public, and their techniques aren't public, so it would take a lot of 
> inside knowledge to identify a client or a scan or a connection or 
> whatever as coming from their honeymonkeys. With DShield, you simply 
> 
<snip>
> Josh Tolley

Well, say you are the 0nzer of a brand new bot network.  You have an army of machines that you can set up as your own sensor network.  You put a small web server on them that tries to exploit old/unpatched Windows machines, and link to other machines in the botnet.  The description of the HoneyMonkey project states that they follow links like a spider program.  It also hands off any detected sites to a second scanner to verify.  A bit (ok, a whole lot) of traffic analysis could give you some clues.

I'm not saying it wouldn't be a lot of work, and I don't know why anyone would go through the trouble.  It may be worth it if you have a nice new 0-day that you are sitting on and don't want to tip your hand yet.  The list itself may be worth a bit of money to someone.

I'm sure they are already making sure that their scans don't come from research.microsoft.com, and they are taking precautions to remain as anonymous as possible.  This is another part of the arms race.  As with anything else that we are doing to "keep the Internet safe", both sides will adapt to the ever changing conditions.

Jody
--
perl -e'print "\n", pack("h*","a6f64697860496e616d656e236f6d6a0"), "\n\n";'
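Added example (not from the post above and not HoneyMonkey code) of the traffic analysis the message sketches. It assumes a mechanism the post does not spell out: every bot-hosted page embeds a per-visitor token in the link to the next bot, so visits can be tied together even when they come from different source addresses. The log format, host names and log lines below are constructed for the example. The script flags a client that follows the chain across several hosts within seconds (spider-like), and then any other address that later replays the same token (the hand-off to a second, verifying scanner that the post mentions).

```python
"""Correlate cross-host visits on a set of cooperating web servers to spot
spider-like scanners and the verifier that follows them.

Assumed (not from the original post): each page links to the next host
with a per-visitor token, e.g. /next.html?t=k7f2, and each server logs
   host client_ip [timestamp] "GET /path?t=TOKEN"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, merged from three hypothetical bot hosts.
SAMPLE_LOG = """\
bot01 198.51.100.7 [18/Aug/2005:10:00:01] "GET /index.html?t=k7f2"
bot02 198.51.100.7 [18/Aug/2005:10:00:03] "GET /next.html?t=k7f2"
bot03 198.51.100.7 [18/Aug/2005:10:00:05] "GET /more.html?t=k7f2"
bot02 203.0.113.44 [18/Aug/2005:10:09:12] "GET /next.html?t=k7f2"
bot03 203.0.113.44 [18/Aug/2005:10:09:14] "GET /more.html?t=k7f2"
bot01 192.0.2.15 [18/Aug/2005:10:15:00] "GET /index.html?t=q9z1"
bot01 192.0.2.99 [18/Aug/2005:11:30:00] "GET /index.html?t=m3x8"
bot02 192.0.2.99 [18/Aug/2005:11:45:00] "GET /next.html?t=m3x8"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "GET \S+\?t=(\w+)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_log(text):
    """Return a list of (token, client_ip, timestamp, host) tuples."""
    visits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines without a tracking token
        host, ip, ts, token = m.groups()
        visits.append((token, ip, datetime.strptime(ts, TS_FMT), host))
    return visits


def find_scanners(visits, min_hops=3, window=timedelta(seconds=60)):
    """Map token -> {"crawler": ip, "verifiers": [ips]}.

    crawler:   the first address that reached >= min_hops distinct hosts
               on one token chain within `window` (automated link following).
    verifiers: other addresses that replayed the same token afterwards.
    A token with no crawler is dropped: a lone token reuse could just be a
    forwarded link, so it is only reported once a spider has been seen.
    """
    by_token = defaultdict(lambda: defaultdict(list))
    for token, ip, ts, host in visits:
        by_token[token][ip].append((ts, host))

    report = {}
    for token, per_ip in by_token.items():
        crawler, first_seen = None, None
        for ip, hits in per_ip.items():
            hits.sort()
            hosts = {h for _, h in hits}
            span = hits[-1][0] - hits[0][0]
            if len(hosts) >= min_hops and span <= window:
                if crawler is None or hits[0][0] < first_seen:
                    crawler, first_seen = ip, hits[0][0]
        if crawler is None:
            continue
        verifiers = sorted(
            ip for ip, hits in per_ip.items()
            if ip != crawler and hits[0][0] > first_seen
        )
        report[token] = {"crawler": crawler, "verifiers": verifiers}
    return report


if __name__ == "__main__":
    for token, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(token, "crawler:", info["crawler"],
              "verifiers:", ", ".join(info["verifiers"]) or "-")
```

With the sample above only token k7f2 is reported: 198.51.100.7 walks three hosts in four seconds and 203.0.113.44 replays the chain nine minutes later. The m3x8 visitor touches two hosts fifteen minutes apart and is left alone. The same script is useful from the other side of the arms race: anyone operating a crawler can run it over their own test servers to see whether hop timing or a shared token between crawler and verifier is what gives them away.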