Capture - High Interaction client honeypot framework.

Capture is a high interaction client honeypot. A client honeypot is a security technology that finds malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing that machine's system state changes. Because no other activity occurs on the dedicated client machine, any detected system state change causes the server Capture interacted with to be classified as malicious.

High level overview of Capture

• Capture Server/Capture Client architecture allows one to control numerous Capture clients on the localhost as well as remote hosts.
• Capture's monitors are able to observe the file system, registry, and processes of a system at the kernel level.
• The architecture allows Capture to drive various HTTP-aware client applications. This includes a variety of browsers, but also various office applications and media players.
• Centralized logs keep track of which links have and have not been visited, server classifications, and the state changes incurred by visiting malicious servers.
• Capture is able to automatically collect malware that might have been placed on a compromised client system.
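
The classification rule and the centralized log described above can be sketched as follows. This is an added example, not Capture's own code: the tuple layouts, the function names and all sample URLs, events and paths are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data. The tuple layouts are assumptions made for this
# example, not Capture's own log format.
QUEUED = ["http://a.example/", "http://b.example/", "http://c.example/"]
VISITS = [  # (url, start, end) in seconds on the client VM clock
    ("http://a.example/", 0, 30),
    ("http://b.example/", 30, 60),
]
EVENTS = [  # (time, monitor, process, action, object)
    (41, "file", "browser.exe", "write", r"C:\Temp\sample.exe"),
    (43, "process", "browser.exe", "created", r"C:\Temp\sample.exe"),
    (44, "registry", "sample.exe", "SetValueKey", r"HKCU\Software\Example"),
    (75, "file", "updater.exe", "write", r"C:\Temp\update.log"),
]

@dataclass
class Verdict:
    url: str
    status: str = "not visited"  # or "benign" / "malicious"
    changes: list = field(default_factory=list)

def classify(queued, visits, events):
    """Attribute each state change to the URL being visited when it occurred."""
    verdicts = {url: Verdict(url) for url in queued}
    for url, start, end in visits:
        v = verdicts[url]
        v.changes = [e for e in events if start <= e[0] < end]
        # The dedicated client does nothing else, so any change seen during
        # the visit is attributed to the server.
        v.status = "malicious" if v.changes else "benign"
    return verdicts

def unattributed(visits, events):
    """Changes outside every visit window: the client is not as idle as the
    classification rule assumes, so its verdicts need review."""
    return [e for e in events
            if not any(s <= e[0] < end for _, s, end in visits)]

def files_to_collect(verdict):
    """Files written during a malicious visit, as candidates for collection."""
    return sorted({e[4] for e in verdict.changes
                   if e[1] == "file" and e[3] == "write"})

if __name__ == "__main__":
    for v in classify(QUEUED, VISITS, EVENTS).values():
        print(v.url, v.status, len(v.changes), files_to_collect(v))
    print("unattributed:", unattributed(VISITS, EVENTS))
```

A non-empty result from unattributed() means the client changed state while no URL was being visited, which breaks the assumption the classification depends on.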

Capture takes time and resources to install and configure correctly. We have created two web services, called SCOUT and PATROL, that allow you to submit URLs to our installation of Capture. SCOUT allows end users to submit suspicious URLs to the client honeypot and receive an immediate assessment of whether the URL is malicious or benign. PATROL, on the other hand, is a web service designed for webmasters. It allows them to submit their URLs for periodic monitoring by our client honeypot.

