Last week, I wrote about Microsoft's Strider HoneyMonkey Exploit Detection System, which is software that tries to find new exploits by surfing the Web and waiting for something to infiltrate the system. I don't know of many other such tools, but I have heard of two other client-based honeypot projects.
One is being developed by Bing Yuan at the Laboratory for Dependable Distributed Systems. Yuan is pursuing the technology as his diploma project at the laboratory, and so far, no working code seems to be available to the public. His project is Windows-based, will integrate with Microsoft Internet Explorer (IE), and will work with other software such as the Honeywall CD-ROM. I'm not sure how far along Yuan is in the development process or whether the tool will eventually be released to the public. You can however read more about it at the lab's Web site.
http://lufgi4.informatik.rwth-aachen.de/diplomas/show/27
The second tool I know about is called Honeyclient. The tool is being developed by Kathy Wang, who gave a related presentation at the recent REcon 2005 conference (see the first URL below) in Montreal. You can see the slides from the presentation at the second URL below. Honeyclient is written in Perl and is designed to run on Windows systems. It surfs the Web by using IE and tries to detect any file or registry changes. As it stands now, the tool is made up of two Perl scripts: one is a proxy and the other uses IE to drive a Web-surfing session.
http://www.recon.cx
http://www.synacklabs.net/honeyclient/Wang-Honeyclients-RECON.pdf
Wang's project isn't extensively documented, but the two Perl scripts that make up Honeyclient contain a few comments that help you better understand what it actually does. Of course, if you can read Perl code, then you'll get an even better understanding. Honeyclient isn't nearly as functional as HoneyMonkey, but it's similar and a good start. You can learn more about Honeyclient and download the latest version at Wang's Honeyclient Development Project Web site.
http://www.synacklabs.net/honeyclient
If you want to test Honeyclient, the readme file contains the basic installation and usage instructions. One thing I learned when testing the software (which isn't stated in the readme file) is that the directories in the checklist.txt file (which you need to create) are completely parsed, including any subdirectories. Another thing I noticed is that Honeyclient has a lengthy startup time because it also parses the registry HKEY_CLASSES_ROOT tree into a hash so that it can later detect any modifications. A word of caution is in order too: Be sure to use an isolated test machine or an OS running in a virtual machine when testing the tool.
If you know of any other tools similar to these, send me an email message with a link or details.
