Wednesday, February 09, 2011

The Honeynet Project Releases New Tool: PhoneyC

    As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blog since I now serve as Project’s Chief PR Officer.Honeynet_logo_ppt_400px

    Here is one more: a release of a new tool called PhoneyC, a virtual client honeypot.

    PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser.

    It can be run, for example, as: $ python phoneyc.py -v www.google.com

    By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

    Download version 0.1 (a contained readme contains installation instructions) here: phoneyc_v0_1_rev1631.tar_.gz

    v0.1 feature highlights include:

    * Interpretation of useful HTML tags for remote links
    - hrefs, imgs, etc ...
    - iframes, frames, etc
    * Interpretation of scripting languages
    - javascript (through spidermonkey)
    - supports deobfuscation, remote script sources
    * ActiveX vulnerability "modules" for exploit detection
    * Shellcode detection and analysis (through libemu)
    * Heap spray detection

    PhoneyC is hosted on http://code.google.com/p/phoneyc/ from which the newest development version can be obtained via SVN. For any issues turn to the Google Group dedicated to the project: http://groups.google.com/group/phoneyc.

Possibly related posts:

Dr Anton Chuvakin