- * Interpretation of useful HTML tags for remote links
- - hrefs, imgs, etc ...
- - iframes, frames, etc
- * Interpretation of scripting languages
- - supports deobfuscation, remote script sources
- * ActiveX vulnerability "modules" for exploit detection
- * Shellcode detection and analysis (through libemu)
- * Heap spray detection
Here is one more: a release of a new tool called PhoneyC, a virtual client honeypot.
PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser.
It can be run, for example, as: $ python phoneyc.py -v www.google.com
By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
Download version 0.1 (a contained readme contains installation instructions) here: phoneyc_v0_1_rev1631.tar_.gz
v0.1 feature highlights include:
PhoneyC is hosted on http://code.google.com/p/phoneyc/ from which the newest development version can be obtained via SVN. For any issues turn to the Google Group dedicated to the project: http://groups.google.com/group/phoneyc.
Possibly related posts: