Crashed Pips - Computers, politics, emetic trash

Saturday, September 8, 2007

Honeypot Experiment #1 - screensavers.com

Filed under: Uncategorized — Jonathan Rothwell @ 18:35

So, with the Crashed Pips honeypot set up and ready, the first experiment took place, using a certain search engine and a known supplier of malware.

Honeypot

The honeypot takes forever to boot - virtual machines are generally very slow and resource-intensive for the host system. Windows took around ten minutes to get to a usable desktop.

Honeypot #1 - usable desktop

The usable desktop, before the infectofest started. And now we bring you coverage of experiment #1: how easy it is for an inexperienced computer user to infect their machine using only Microsoft’s own search engine.

Honeypot #1 - MSN

Alarm bells should immediately start to ring at this point: an outdated version of Internet Explorer is being used, there is no antivirus software (see the Windows Security warning in the system tray), and the fictional user is now going to look, using Windows Live Search, for a screensaver for his/her new setup.

Honeypot #1 - Search results

The first organic result here is for screensavers.com, which, according to a SiteAdvisor report, is a distributor of adware and spyware.

So, taking the position of the gullible computer user, here’s the download page for the Matrix screensaver.

Honeypot #1 - Download page

‘Virus checked’ and ‘Spyware checked’ are visible below the ‘download’ link. Lies, lies, lies, as the next page shows:

Honeypot #1 - Starware offer

Uh-oh! Starware is a known spyware distributor, and to an inexperienced computer user this would look like quite a good software package. Note that the installer (even without the toolbar) automatically dumps an ‘affiliate shortcut’ on your desktop, essentially an invitation to spam galore.

Honeypot #1 - Install complete

After the install is complete, you are offered these (seemingly good) options.

Not so. The search engine actually uses your searches to build an advertising profile, so that ads you are more likely to respond to can be delivered to you (outside the browser). It isn’t like Google or most other search engines, which use search data to improve the search results; here the data is used to make you easier to sell to.

And that was just the Starware toolbar being installed.

Honeypot #1 - Install really complete

Aha! The screensaver has finally been installed, after a multitude of bogus free offers and all sorts of other junk. And we’ve now effectively opened up the honeypot to further spyware, adware and the like.



Wednesday, September 5, 2007

The Crashed Pips Honeypot Experiment

Filed under: Uncategorized — Jonathan Rothwell @ 19:24

A honeypot is a computer (or virtual computer) deliberately set up to catch all those internet nasties that you’d normally want to avoid, so that people can be educated on what they do and how to avoid them, and so that the nasties themselves can be studied: which ports they use, which files they read that they shouldn’t, and so on. Because the machine has no legitimate job to do, anything that happens to it is by definition suspect, which is what makes it useful for this.
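The "which ports they use, which files they read" study is the bit that needs some tooling, and it is also how you would check what an installer like the one in the screensavers.com experiment actually dropped (the affiliate shortcut on the desktop, for instance). As an added example, written for this page and not code from the original post or its author: take a baseline of a directory tree and of the bound ports before running the installer, take another afterwards, and diff the two. The netstat text is constructed sample data in the format of Windows XP’s `netstat -ano`, the file names and PIDs are invented, and nothing in it is observed output from the Crashed Pips machine.

```python
# Added example, not code from the original Crashed Pips post: baseline/diff
# helper for a honeypot run. The netstat text is constructed sample data in the
# format of Windows XP's "netstat -ano", not real output from the honeypot.
import hashlib
import os
import re
import tempfile
from typing import Dict, Set, Tuple

Listener = Tuple[str, int, int]  # (protocol, local port, owning PID)


def snapshot_tree(root: str) -> Dict[str, str]:
    """Map every file under `root` (path relative to root) to its SHA-256."""
    snap: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or vanished file: skip it, don't abort the run
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_trees(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify files as added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": set(after) - set(before),
        "removed": set(before) - set(after),
        "modified": {p for p in common if before[p] != after[p]},
    }


# One netstat -ano row: proto, local addr, foreign addr, optional state (TCP only), PID.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> Set[Listener]:
    """Extract bound ports from `netstat -ano` output."""
    listeners: Set[Listener] = set()
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank line or a row we don't understand
        proto, local, _foreign, state, pid = m.groups()
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:135 and [::]:135
        # TCP rows carry a state and count only when LISTENING; UDP rows have no
        # state column, and every bound UDP socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, port, int(pid)))
    return listeners


def diff_listeners(before: Set[Listener], after: Set[Listener]) -> Dict[str, Set[Listener]]:
    """Ports that appeared or disappeared between two netstat captures."""
    return {"opened": after - before, "closed": before - after}


# Constructed sample captures, not observations from the real experiment.
SAMPLE_NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_NETSTAT_AFTER = SAMPLE_NETSTAT_BEFORE + """\
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2288
  TCP    192.0.2.10:1031        198.51.100.7:80        ESTABLISHED     2288
  UDP    0.0.0.0:1900           *:*                                    2288
"""


def demo() -> Dict[str, Dict[str, set]]:
    """Simulate an installer run against a throwaway 'desktop' and report the deltas."""
    with tempfile.TemporaryDirectory() as desktop:
        with open(os.path.join(desktop, "readme.txt"), "w") as fh:
            fh.write("clean baseline\n")
        before_tree = snapshot_tree(desktop)
        # Pretend the installer ran: it drops an affiliate shortcut and rewrites readme.
        with open(os.path.join(desktop, "Free Offers.url"), "w") as fh:
            fh.write("[InternetShortcut]\nURL=http://example.invalid/affiliate\n")
        with open(os.path.join(desktop, "readme.txt"), "w") as fh:
            fh.write("rewritten by installer\n")
        after_tree = snapshot_tree(desktop)
    return {
        "files": diff_trees(before_tree, after_tree),
        "ports": diff_listeners(parse_netstat(SAMPLE_NETSTAT_BEFORE),
                                parse_netstat(SAMPLE_NETSTAT_AFTER)),
    }
```

On the real honeypot you would run `netstat -ano > before.txt` inside the guest before clicking the download, repeat it afterwards, and snapshot something broader than the desktop (Program Files, the Windows directory, the Run keys in the registry). One caveat: a snapshot taken from inside the guest can be lied to by whatever you have just installed, so diffing the virtual machine’s disk image from the host is the more trustworthy version of the same idea.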

So, with that settled, I can now announce the Crashed Pips Honeypot Experiment 2007. Over the next 30 days, I shall be making occasional posts updating you on the results of the experiment. I may even prepare a report/conclusion at the end.

What is the machine’s setup?

The machine is a Virtual PC setup with 128 MB of RAM and a 15 GB hard disk (more than adequate for this purpose). It will be running an installation of Microsoft Windows XP Professional without any security software installed whatsoever apart from what is built directly into the operating system - in this case, nothing more than a firewall. Windows Update warnings will also be ignored.

How will you hose the machine?

I will visit certain websites and leave ports open deliberately in an attempt to lure viruses, spyware etc. into the honeypot. I also intend to follow spoof virus warnings that lead to spyware, and to install certain software that is known to contain advertising and spyware.

How realistic is this experiment? Could I cite it in a paper?

There is no way that this experiment could be called realistic, because a special effort is being made to infect the machine with as much malware as possible. This will therefore make the test wildly unrealistic and inaccurate. If you’re quoting this in a scientific paper or anything serious, you’re a Cornish sardine.



Powered by WordPress 2.7. Comments are the responsibility of their respective author. The rest © 2007-2009 Jonathan Rothwell, unless otherwise stated.