Zombie tactics threaten to poison honeypots

Hive minds vs bot herders


Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs.

Computer scientists led by Cliff Zou and colleagues at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with monitoring software - set up by security firms.

Ethical concerns mean that security firms do not allow their infrastructure to be used in sending spam or running attacks against victims. By monitoring such instructions it's therefore possible for cybercrooks to program command and control servers to disable or simply ignore these machines, thus depriving security firms of vital intelligence in how zombie botnets are operating in the real world.

Zou and his team are working on techniques to make stealthier honeypot traps to trick bot herders. "Honeypot research and deployment still has significant value for the security community, but we hope this paper will remind honeypot researchers of the importance of studying ways to build covert honeypots, and the limitation in deploying honeypots in security defence," Zou said. "But all that effort will be for naught if honeypots remain as easily detectable as they are presently."

Preliminary findings from the Florida team's research were published in a recent edition of the International Journal of Information and Computer Security, as explained here.

Security and anti-virus firms say that the problem is already on their agenda.

Luis Corrons, PandaLabs technical director at Spanish anti-virus firm Panda Security, explained: "While you can and must filter the traffic generated by the bot inside a honeypot, you can filter and decide what will go out, and what does not. For example, if the bot herder is telling the bot to send spam, you can let the bot receive all the information, and even let him send out the spam messages but redirect them with a proxy to avoid it reaching any victims.

If the bot then contacts the Command and Control server to say the messages have been sent, you can let that info pass through, so the bot herder will think everything works fine.

There are some other ideas the bot herder could take, such as being one of the recipients to check that the spam is really being sent. In this case, there’s little that can be done from our side, as we won’t participate in letting threats spread.

Amichai Shulman, CTO at database security firm Imperva, suggested that rather than monitoring the behaviour of infected machines miscreants could instead attempt to identify virtual machines. "Most honeypot machines are based on a virtualisation platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there,” he said.

While conceding that building a honeypot is tricky Shulman suggested a number of approaches designed to camouflage such systems from the eyes of cybercrooks:

Many Honeypot researchers are contemplating on the question of how to impersonate infected behaviour while not taking part in any evil, destructive activity.

I do think however that the problem described by the researchers is much exaggerated. There are many techniques that Honeypot developers employ that would make it very difficult for the malware / botnet to detect honeypot behaviour. Some examples include unlimited outbound communications for a relatively short period of time, deflecting outbound communications to known attack targets, outbound bandwidth control and outbound signature detection.

Most often the time of infection and the time when a recruited zombie becomes maliciously active are far apart, thus there is no need to immediately shutdown any outbound communications of the infected computer upon infection.

®

Similar topics

Broader topics


Other stories you might like

  • Red Hat Kubernetes security report finds people are the problem
    Puny human brains baffled by K8s complexity, leading to blunder fears

    Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us.

    The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity.

    Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.

    Continue reading
  • Infosys skips government meeting – and collecting government taxes
    Tax portal wobbles, again

    Services giant Infosys has had a difficult week, with one of its flagship projects wobbling and India's government continuing to pressure it over labor practices.

    The wobbly projext is India's portal for filing Goods and Services Tax returns. According to India's Central Board of Indirect Taxes and Customs (CBIC), the IT services giant reported a "technical glitch" that meant auto-populated forms weren't ready for taxpayers. The company was directed to fix it and CBIC was faced with extending due dates for tax payments.

    Continue reading
  • Google keeps legacy G Suite alive and free for personal use
    Phew!

    Google has quietly dropped its demand that users of its free G Suite legacy edition cough up to continue enjoying custom email domains and cloudy productivity tools.

    This story starts in 2006 with the launch of “Google Apps for Your Domain”, a bundle of services that included email, a calendar, Google Talk, and a website building tool. Beta users were offered the service at no cost, complete with the ability to use a custom domain if users let Google handle their MX record.

    The service evolved over the years and added more services, and in 2020 Google rebranded its online productivity offering as “Workspace”. Beta users got most of the updated offerings at no cost.

    Continue reading
  • GNU Compiler Collection adds support for China's LoongArch CPU family
    MIPS...ish is on the march in the Middle Kingdom

    Version 12.1 of the GNU Compiler Collection (GCC) was released this month, and among its many changes is support for China's LoongArch processor architecture.

    The announcement of the release is here; the LoongArch port was accepted as recently as March.

    China's Academy of Sciences developed a family of MIPS-compatible microprocessors in the early 2000s. In 2010 the tech was spun out into a company callled Loongson Technology which today markets silicon under the brand "Godson". The company bills itself as working to develop technology that secures China and underpins its ability to innovate, a reflection of Beijing's believe that home-grown CPU architectures are critical to the nation's future.

    Continue reading
  • China’s COVID lockdowns bite e-commerce players
    CEO of e-tail market leader JD perhaps boldly points out wider economic impact of zero-virus stance

    The CEO of China’s top e-commerce company, JD, has pointed out the economic impact of China’s current COVID-19 lockdowns - and the news is not good.

    Speaking on the company’s Q1 2022 earnings call, JD Retail CEO Lei Xu said that the first two years of the COVID-19 pandemic had brought positive effects for many Chinese e-tailers as buyer behaviour shifted to online purchases.

    But Lei said the current lengthy and strict lockdowns in Shanghai and Beijing, plus shorter restrictions in other large cities, have started to bite all online businesses as well as their real-world counterparts.

    Continue reading
  • Foxconn forms JV to build chip fab in Malaysia
    Can't say when, where, nor price tag. Has promised 40k wafers a month at between 28nm and 40nm

    Taiwanese contract manufacturer to the stars Foxconn is to build a chip fabrication plant in Malaysia.

    The planned factory will emit 12-inch wafers, with process nodes ranging from 28 to 40nm, and will have a capacity of 40,000 wafers a month. By way of comparison, semiconductor-centric analyst house IC Insights rates global wafer capacity at 21 million a month, and Taiwanese TSMC’s four “gigafabs” can each crank out 250,000 wafers a month.

    In terms of production volume and technology, this Malaysian facility will not therefore catapult Foxconn into the ranks of leading chipmakers.

    Continue reading
  • NASA's InSight doomed as Mars dust coats solar panels
    The little lander that couldn't (any longer)

    The Martian InSight lander will no longer be able to function within months as dust continues to pile up on its solar panels, starving it of energy, NASA reported on Tuesday.

    Launched from Earth in 2018, the six-metre-wide machine's mission was sent to study the Red Planet below its surface. InSight is armed with a range of instruments, including a robotic arm, seismometer, and a soil temperature sensor. Astronomers figured the data would help them understand how the rocky cores of planets in the Solar System formed and evolved over time.

    "InSight has transformed our understanding of the interiors of rocky planets and set the stage for future missions," Lori Glaze, director of NASA's Planetary Science Division, said in a statement. "We can apply what we've learned about Mars' inner structure to Earth, the Moon, Venus, and even rocky planets in other solar systems."

    Continue reading
  • The ‘substantial contributions’ Intel has promised to boost RISC-V adoption
    With the benefit of maybe revitalizing the x86 giant’s foundry business

    Analysis Here's something that would have seemed outlandish only a few years ago: to help fuel Intel's future growth, the x86 giant has vowed to do what it can to make the open-source RISC-V ISA worthy of widespread adoption.

    In a presentation, an Intel representative shared some details of how the chipmaker plans to contribute to RISC-V as part of its bet that the instruction set architecture will fuel growth for its revitalized contract chip manufacturing business.

    While Intel invested in RISC-V chip designer SiFive in 2018, the semiconductor titan's intentions with RISC-V evolved last year when it revealed that the contract manufacturing business key to its comeback, Intel Foundry Services, would be willing to make chips compatible with x86, Arm, and RISC-V ISAs. The chipmaker then announced in February it joined RISC-V International, the ISA's governing body, and launched a $1 billion innovation fund that will support chip designers, including those making RISC-V components.

    Continue reading

Biting the hand that feeds IT © 1998–2022