Shelia: A New Client-Side Honeypot

Thanks to Christian Seifert of the Capture client-side honeypot (CSH) team for notifying me of this new CSH (he stays on top of the new ones better than I do, since he's doing his PhD on CSHs ;)). What's interesting is that all CSHs are currently slightly different in their focus. Shelia seeks to analyze links and files obtained through email rather than spidering. It then monitors the usual suspects of filesystem, registry, processes, and network access for aberrant changes. Shelia uses the broader definition of "client-side attacks", which roughly means "attacks on applications on a normal end-user's system, or any attack not made on a server application", and therefore it is also directly concerned with attacks on things like MS Word.

There's a lot of good information in the accompanying whitepaper and it makes for a good read. Unfortunately, the author was only aware of the very old version of our Honeyclient (something I'll be sure to correct) and therefore it includes the statement "On the other hand, no provisions that would limit the spread of malicious activity are implemented in Honeyclient." This is not true in the current architecture. Currently the firewall makes it so that the only site that a compromised machine could possibly contact (let alone attack) would be the site which infected the client. Also, once malicious activity is detected, the VM in which the malware is running is of course suspended.
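As an added illustration (not code from Shelia or Honeyclient), here is the snapshot-and-diff logic a client-side honeypot applies to filesystem, registry, process and network state after opening a bait file, together with the egress rule that only the infecting site may be contacted; every path, key, process name and host below is constructed sample data.

```python
# Added example: state-diff detection for a client-side honeypot.
# Snapshots and the benign-change list are constructed, not captured from a real VM.
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    files: set = field(default_factory=set)        # paths present on disk
    registry: set = field(default_factory=set)     # (key, value name) pairs
    processes: set = field(default_factory=set)    # running image names
    connections: set = field(default_factory=set)  # remote hosts contacted

# Changes expected from merely opening a document in Word; anything else is suspect.
BENIGN = {
    "files": {r"C:\Users\user\AppData\Local\Temp\~WRL0001.tmp"},
    "registry": {(r"HKCU\Software\Microsoft\Office\Word\MRU", "Item 1")},
    "processes": {"winword.exe"},
}

def diff_state(before, after, infecting_host):
    """Return aberrant changes between two snapshots, keyed by category."""
    findings = {}
    for cat in ("files", "registry", "processes"):
        new = getattr(after, cat) - getattr(before, cat) - BENIGN.get(cat, set())
        if new:
            findings[cat] = new
    # Egress policy: the VM may only talk to the host that served the bait.
    stray = {h for h in after.connections - before.connections if h != infecting_host}
    if stray:
        findings["connections"] = stray
    return findings

def verdict(findings):
    """Any finding means the VM is compromised and should be suspended."""
    return "suspend" if findings else "clean"

def sample_before():
    return Snapshot(processes={"explorer.exe"})

def sample_after():  # constructed post-exploitation state
    return Snapshot(
        files=BENIGN["files"] | {r"C:\Windows\Temp\svc.exe"},
        registry=BENIGN["registry"]
        | {(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc")},
        processes={"explorer.exe", "winword.exe", "svc.exe"},
        connections={"bait.example", "c2.example"},
    )

if __name__ == "__main__":
    found = diff_state(sample_before(), sample_after(), "bait.example")
    print(verdict(found), found)
```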