Zombie tactics threaten to poison honeypots

Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs. Computer scientists led by Cliff Zou and colleagues at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with …

COMMENTS

This topic is closed for new posts.
  1. Cameron Colley

    Why VMs?

    Since a program can detect that it is in a VM why not just use a couple of cheap low-power PCs instead, possibly with debugging machines attached via Firewire, or whatever? A few could be attached to the same debugging machine and could also share a firewall machine with packet inspection.

    1. Carter Cole

      10k reasons why

      you can make 10k virtual machines for free but even with old 386 you're going to pay more for power and each machine to the point where it becomes ineffective to try and scale

      1. Cameron Colley

        10K machines are not free.

        VMs are not free, they're just generally more efficient -- but, when it comes down to it, you still need a given amount of power to complete a given number of calculations. Yes, it may be slightly more expensive to buy and house a couple of hundred EeePCs (or whichever generic low power cheapo system) but with proper planning it shouldn't cost all that much more.

        I'll admit I don't own or use a racked server -- but I bet they cost more than, for example, 5 EeePCs and use about as much power?

  2. Anonymous Coward

    Simples...

    All they have to do is harness the 'honeypot' systems in a ringfenced environment with stubs that intercept outgoing email and other traffic and return 'normal' responses... (i.e. email server responses, ping echoes etc.)

    Oh wait, then the blackhats would simply be able to run a validation 'attack' against a system under their control and it's back to the drawing board for the security firm... =O(

  3. Snowy Silver badge

    Honeypot the new defense

    Just have the software set up to make the pc look like a honeypot and they pass you by...

  4. amanfromMars 1 Silver badge

    Who Dares Win Wins

    "....., and the limitation in deploying honeypots in security defence," Zou said."

    What limitations? You cannot be serious, Mr Zou.

    Honey for All is such AIdDelight.

  5. Clinton

    Ethics?

    Thousands or more zombies in each bot net and the security firms can't let a couple honey pots send a few thousand e-mails to add to the billions that are already sent? Isn't it more important to get the research data than to worry about spreading the bot to a few more machines? Quit being high and mighty and get the job done!

    1. Black Betty

      The law does not allow exceptions.

      A security firm that deliberately allowed its machine to spread spam/malware would be in for a world of hurt. And unlike the spammers they do have a known street address where a summons can be served.

      1. Dave Bell

        You might be surprised...

        This is an example of a tricky general legal problem, perhaps more obvious in the case of an undercover cop. The big problem is that the laws on computer crime have been far less tested in the courts. The limits on what a honeypot operator can do are quite vague.

        But this situation isn't some gangster saying, "We don't tell you anything until you've killed this guy."

        1. Black Betty

          1) These people are not cops.

          2) Civil litigation is possibly a far bigger worry than arrest.

  6. Carter Cole

    another feature to add to the code in my head

    to have a giant botnet would be awesome but I must confess I've been writing code in my head for one (and how to make it beat all the others) thanks for the heads up on another feature I need to add in :)

  7. Anonymous Coward

    Jesus Christ How old?

    How old is this research? I've seen bot sources as far back as 2006/07 that incorporated VM scanning functions and other sandbox software.

  8. Ammaross Danan

    Problem

    Since many servers (should) nowadays be running inside a VM, simply dumping out due to being in a virtual environment isn't enough of a check. Servers are the lucrative hosts for zombies due to their always-on, high-bandwidth, high-horsepower nature. To dump them simply for being a virtual server will cut out a portion of this zombie base. As noted in the paper, other methods would be much more meaningful. However, one mentioned (of including a self-address in the list for verification), wouldn't be on my list. Even if it was a web-based email, it would still require utilizing one (or some) of the bots to auto-check the "personal" email address for verification, which would throw a control password into the mix, and provide a means of compromise. Not good. Other alternative would be to check it with some control center, which could be traced back to, another fail.

    Perhaps the easiest way would be to register a few (if not all) directly-accessible bots (not behind a firewall or the like) as targets. For every batch of spam sent, from every server, one email would be addressed to <randomgarbage>@<infectedcomputerip> (so to speak) and have a C&C message verify across the bot-whispernet that such an email was received, and have that determine if the machine is being filtered/blocked/redirected. It isn't flawless, but will give the herder an idea of which machines are pointlessly infected.

    As for the "act as a honeypot" to disable a zombie suggestion above, I would assume you have the technical know-how to remove such a bot if you know how to "act as a honeypot" in the first place. Or am I just giving too much credit?

    Either way, if the bot is unable to send spam for whatever reason, I'd probably just flip it into "keylog and send me juicy info" status anyways.

    1. Dave Bell

      But what would be key-logged?

      At that point, you somehow have to fake a computer doing something for a local human. That's non-trivial. Luckily, so is detecting a fake human with another computer.

  9. Juillen 1

    Ethics?

    By their ethics of "we won't let things get a little worse, even if it helps cure the problem", we'd have no surgery, or indeed any modern medicine.

    One of the base tenets of medical intervention is that you temporarily put the patient in a worse, but controlled state as part of the process that leads to them being better (i.e. you feed them paralytics, memory loss drugs and cut into them, leaving them temporarily worse off, but in the process you fix an underlying ailment leaving them long term better off).

    Now everything in modern medicine has to go through ethics approval, to make sure the research and processes are ethical. Why should it be believed that the digital world is any different?

  10. Steve Bush

    No way to evade detection as honeypot finally

    All the botnet has to do is judge the target by results, i.e. itself receive some of the spam generated, and if none is received then judge the target to be defective/honeypot.
