Comments on: FREE HoneyPoint to Capture Conflicker Infections http://stateofsecurity.com/?p=612 Insight from the Information Security Experts Tue, 31 Aug 2010 17:42:12 +0000 hourly 1 http://wordpress.org/?v=abc By: Brent Huston http://stateofsecurity.com/?p=612&cpage=1#comment-20642 Brent Huston Sun, 04 Oct 2009 16:54:58 +0000 http://stateofsecurity.com/?p=612#comment-20642 Sorry for the 404, but this tool has now expired. The free version is no longer available, but <a href="http://microsolved.com/?page_id=86" rel="nofollow">the trial and a license version is available here</a> that does much more than catch Conficker. The price for the commercial tool is US $29.95 and available through the Digital River store. Sorry for the 404, but this tool has now expired. The free version is no longer available, but the trial and a license version is available here that does much more than catch Conficker.

The price for the commercial tool is US $29.95 and available through the Digital River store.

]]> By: Joel http://stateofsecurity.com/?p=612&cpage=1#comment-20641 Joel Sun, 04 Oct 2009 16:20:00 +0000 http://stateofsecurity.com/?p=612#comment-20641 Hi, Is this application still available? The download link returns a HTTP 404. Thanks! Hi,

Is this application still available? The download link returns a HTTP 404.

Thanks!

]]> By: Danny http://stateofsecurity.com/?p=612&cpage=1#comment-17012 Danny Fri, 27 Mar 2009 15:41:31 +0000 http://stateofsecurity.com/?p=612#comment-17012 Silly question...how can I test this to make sure it is working? Silly question…how can I test this to make sure it is working?

]]> By: Brent Huston http://stateofsecurity.com/?p=612&cpage=1#comment-17011 Brent Huston Fri, 27 Mar 2009 14:14:59 +0000 http://stateofsecurity.com/?p=612#comment-17011 Neither. The tool is not a scanner, it is a honeypot for capturing incoming probes from Conficker compromised hosts. Once the worm is in control of a system, it uses that system to scan for other victims. The scanning is what this product is aimed at catching. See http://www.microsolved.com/honeypoint/ to learn more about the basic concepts behind this approach. Neither. The tool is not a scanner, it is a honeypot for capturing incoming probes from Conficker compromised hosts.

Once the worm is in control of a system, it uses that system to scan for other victims. The scanning is what this product is aimed at catching.

See http://www.microsolved.com/honeypoint/ to learn more about the basic concepts behind this approach.

]]> By: James Friesen http://stateofsecurity.com/?p=612&cpage=1#comment-17010 James Friesen Fri, 27 Mar 2009 14:01:19 +0000 http://stateofsecurity.com/?p=612#comment-17010 Does it simply scan your LAN, or can it be told to look at a WAN port? Does it simply scan your LAN, or can it be told to look at a WAN port?

]]> By: Brent Huston http://stateofsecurity.com/?p=612&cpage=1#comment-17004 Brent Huston Thu, 26 Mar 2009 12:06:32 +0000 http://stateofsecurity.com/?p=612#comment-17004 I saw your blog post. Thanks for the feedback. I should have included a readme. Basically, you execute the application as root on a Linux box (preferably one without Samba) (a LiveCD such as Puppy Linux will also work). The instructions for it's use are in the How To: window of the application, but you just click start and the application will dilate port 445/tcp with a HoneyPoint listener. Then you wait for probes to arrive from conficker scans and the app will log the source IP addresses to the log window. Treat all source IP addresses as infected hosts and investigate them in accordance with your site's security policy. Let me know if you have other questions. Good hunting! I saw your blog post. Thanks for the feedback. I should have included a readme.

Basically, you execute the application as root on a Linux box (preferably one without Samba) (a LiveCD such as Puppy Linux will also work). The instructions for it’s use are in the How To: window of the application, but you just click start and the application will dilate port 445/tcp with a HoneyPoint listener. Then you wait for probes to arrive from conficker scans and the app will log the source IP addresses to the log window. Treat all source IP addresses as infected hosts and investigate them in accordance with your site’s security policy.

Let me know if you have other questions. Good hunting!

]]> By: Craig http://stateofsecurity.com/?p=612&cpage=1#comment-17003 Craig Thu, 26 Mar 2009 10:54:00 +0000 http://stateofsecurity.com/?p=612#comment-17003 How do we use this, are there any instructions? Details on what it does? How do we use this, are there any instructions? Details on what it does?

]]>