A New Client-Side Honeypot Enters the Ring
Xnos Labs' Web Exploit Finder (WEF) is a relatively new client-side honeypot (begun in the summer of 2006). There are German and English whitepapers here which restate and expand upon the information on the first linked site. The architecture itself is similar to our own, though there are differences such as their use of EJB, JSF, and JBoss on the management side. Other differences come in implementation details such as our exclusive use of Perl versus their use of C/C++/Java/J2EE.
Similar to the Capture client-side honeypot, they use system call hooking to be notified of events as they happen, rather than the snapshot-based system that we currently use, which compares the client's state before and after a visit. While it is clear that such a system is ultimately beneficial for efficiency reasons, we have currently prioritized other aspects such as dealing with active content like Flash and implementing intelligent crawling with link prioritizing. It's hard to say whether WEF will take off, though. The students currently say they can only work on it in their spare time. Therefore, even though it aims to be open source (though no code has actually been posted yet), it is at a disadvantage in that Capture is sponsored by the Honeynet Project, and our own code has a number of full-time developers supporting it. It will still be interesting to see what they can produce. Also, since all of the major client-side honeypots (except for Microsoft's HoneyMonkeys) are open source, I'm sure we will all benefit from some degree of technology transfer in the long run.
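To make the snapshot-versus-hooking distinction concrete, here is an added illustration of the snapshot approach: it is not code from WEF, Capture, or our own honeypot. It hashes every file under a directory before and after a page visit and reports what was added, removed, or modified. The sandbox directory, the "visit" that drops a file and edits another, and all file names are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every regular file under root.

    This is the 'before' / 'after' state a snapshot-based client honeypot
    compares; registry keys or process lists would be captured the same way.
    """
    root = Path(root)
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files; links are not followed
            data = p.read_bytes()
            state[str(p.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Classify every path as added, removed, or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def simulate_visit(sandbox):
    """Constructed stand-in for the side effects of loading a malicious page:
    drop a new binary into Temp and append a line to an existing file."""
    Path(sandbox, "Temp", "dropper.exe").write_bytes(b"MZ constructed sample, not a real binary")
    with open(Path(sandbox, "hosts"), "ab") as f:
        f.write(b"127.0.0.1 update.example.invalid\n")


def demo():
    """Build a throwaway 'client' file tree, snapshot it, run the fake visit, and diff."""
    with tempfile.TemporaryDirectory() as sandbox:
        # baseline state of the client before any page is loaded (constructed)
        os.mkdir(os.path.join(sandbox, "Temp"))
        Path(sandbox, "hosts").write_bytes(b"127.0.0.1 localhost\n")
        Path(sandbox, "Temp", "cache.dat").write_bytes(b"stale cache contents")

        before = snapshot(sandbox)
        simulate_visit(sandbox)
        after = snapshot(sandbox)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff flags `Temp/dropper.exe` as added and `hosts` as modified. The limitation this exposes is the one behind the efficiency argument above: anything written and deleted again between the two snapshots, or any change to a file not under the snapshotted root, never appears in the diff, whereas a system call hook sees each event at the moment it happens.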
