Zombie tactics threaten to poison honeypots

Hive minds vs bot herders

Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs.

Computer scientists led by Cliff Zou and colleagues at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with monitoring software - set up by security firms.

Ethical concerns mean that security firms do not allow their infrastructure to be used to send spam or run attacks against victims. A bot herder who issues such an instruction and then checks whether it was actually carried out can therefore tell a honeypot from a genuinely compromised PC, and can program command and control servers to disable or simply ignore those machines, depriving security firms of vital intelligence on how zombie botnets operate in the real world.

Zou and his team are working on techniques to make stealthier honeypot traps to trick bot herders. "Honeypot research and deployment still has significant value for the security community, but we hope this paper will remind honeypot researchers of the importance of studying ways to build covert honeypots, and the limitation in deploying honeypots in security defence," Zou said. "But all that effort will be for naught if honeypots remain as easily detectable as they are presently."

Preliminary findings from the Florida team's research were published in a recent edition of the International Journal of Information and Computer Security.

Security and anti-virus firms say that the problem is already on their agenda.

Luis Corrons, PandaLabs technical director at Spanish anti-virus firm Panda Security, explained: "While you can and must filter the traffic generated by the bot inside a honeypot, you can also decide what goes out and what does not. For example, if the bot herder is telling the bot to send spam, you can let the bot receive all the information, and even let it send out the spam messages, but redirect them through a proxy so that they never reach any victims.

If the bot then contacts the Command and Control server to say the messages have been sent, you can let that info pass through, so the bot herder will think everything works fine.

There are some other ideas the bot herder could take, such as being one of the recipients to check that the spam is really being sent. In this case, there's little that can be done from our side, as we won't participate in letting threats spread."

Amichai Shulman, CTO at database security firm Imperva, suggested that rather than monitoring the behaviour of infected machines, miscreants could instead attempt to identify virtual machines. "Most honeypot machines are based on a virtualisation platform (most often VMware). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there," he said.

While conceding that building a honeypot is tricky, Shulman suggested a number of approaches designed to camouflage such systems from the eyes of cybercrooks:

Many honeypot researchers are contemplating the question of how to impersonate infected behaviour while not taking part in any evil, destructive activity.

I do think however that the problem described by the researchers is much exaggerated. There are many techniques that honeypot developers employ that would make it very difficult for the malware/botnet to detect honeypot behaviour. Some examples include unlimited outbound communications for a relatively short period of time, deflecting outbound communications to known attack targets, outbound bandwidth control and outbound signature detection.

Most often the time of infection and the time when a recruited zombie becomes maliciously active are far apart, thus there is no need to immediately shut down any outbound communications of the infected computer upon infection.
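The outbound filtering that Corrons and Shulman describe above, as an added Python example (not code from the article, PandaLabs or Imperva): a policy that decides, for each connection the captive bot opens, whether to let it through, deflect it to an accept-and-discard proxy so the bot still sees a successful delivery, or drop it once a post-infection bandwidth budget is spent. The sink address, the C2 address, the victim network, the signature strings and the replayed flows are all constructed assumptions for the illustration.

```python
"""Outbound policy for a honeypot that hosts a live bot.

Added example, not code from the article, PandaLabs or Imperva.  Every
address, network and signature below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed address of the honeypot's accept-and-discard proxy: it completes the
# SMTP/HTTP exchange so the bot believes delivery succeeded, then discards it.
SINK_ADDR = "10.9.9.9"

# Constructed payload markers treated as attack traffic (Shulman's "outbound
# signature detection"): SMTP envelope commands and an HTTP flood marker.
ATTACK_SIGNATURES = (b"MAIL FROM:", b"RCPT TO:", b"GET /flood")


@dataclass
class Flow:
    t: float            # seconds since the bot was infected
    dst: str            # destination IPv4 address
    dport: int
    nbytes: int
    payload: bytes = b""


@dataclass
class HoneypotPolicy:
    c2_hosts: set                   # C2 addresses the bot must stay able to reach
    known_targets: list             # CIDR strings: victims we never let it hit
    grace_seconds: float = 600.0    # unlimited outbound right after infection
    budget_bytes: int = 256_000     # outbound byte budget once the grace ends
    spent: int = field(default=0, init=False)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n) for n in self.known_targets]

    def decide(self, f: Flow) -> tuple[str, str]:
        """Return (action, rewritten destination).

        action is "allow", "sink" (deflect to the proxy) or "drop".
        Rules are checked in order; the first match wins.
        """
        dst = ipaddress.ip_address(f.dst)
        # 1. Known attack targets are deflected whatever the timing.
        if any(dst in net for net in self._nets):
            return "sink", SINK_ADDR
        # 2. Payloads that look like spam or flood traffic are deflected too.
        if any(sig in f.payload for sig in ATTACK_SIGNATURES):
            return "sink", SINK_ADDR
        # 3. C2 traffic passes, so the "messages sent" report reaches the herder.
        if f.dst in self.c2_hosts:
            return "allow", f.dst
        # 4. Shortly after infection nothing else is restricted either.
        if f.t < self.grace_seconds:
            return "allow", f.dst
        # 5. After the grace period, cap what the bot may still push out.
        if self.spent + f.nbytes > self.budget_bytes:
            return "drop", ""
        self.spent += f.nbytes
        return "allow", f.dst


def replay(policy: HoneypotPolicy, flows: list) -> list:
    """Apply the policy to a sequence of flows and return the decisions."""
    return [policy.decide(f) for f in flows]


# Constructed sample: what a captive spam/DDoS bot might try to send.
SAMPLE_FLOWS = [
    Flow(5, "198.51.100.7", 6667, 300, b"NICK bot1"),                 # C2 check-in
    Flow(30, "192.0.2.25", 25, 4000, b"MAIL FROM:<a@b.test>"),        # spam run
    Flow(40, "203.0.113.9", 80, 900, b"GET /flood"),                  # DDoS on a known target
    Flow(60, "192.0.2.80", 80, 2000, b"GET / HTTP/1.1"),              # ordinary fetch, in grace
    Flow(700, "198.51.100.7", 6667, 100, b"PRIVMSG #c :sent 1000"),   # report back to C2
    Flow(800, "192.0.2.80", 80, 200_000, b"POST /upload"),            # after grace, in budget
    Flow(900, "192.0.2.81", 80, 100_000, b"POST /upload"),            # blows the budget
]


def demo() -> list:
    """Run the sample flows through a freshly configured policy."""
    policy = HoneypotPolicy(c2_hosts={"198.51.100.7"},
                            known_targets=["203.0.113.0/24"])
    return replay(policy, SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow, (action, dst) in zip(SAMPLE_FLOWS, demo()):
        print(f"t={flow.t:>5} {flow.dst}:{flow.dport:<5} -> {action:5} {dst}")
```

The ordering matters: the victim-network and signature checks run before the C2 allow-list, so a herder who points the bot at a victim cannot smuggle the attack through by reusing the C2 address, while the bot's own status report back to the C2 is never deflected. The limit Corrons points out still stands: if the herder lists himself as a spam recipient, the sink answers the bot with a success code but his inbox stays empty, and no filtering policy can hide that.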
