Hiding the honeypots: Is it possible to hide honeypot traps from Botnet drones

Feb 26, 2010

Armies of networked computers that have been compromised by malicious software are commonly known as Botnets. Such Botnets are usually used to carry out fraudulent and criminal activity on the Internet. Now, writing in the International Journal of Information and Computer Security, US computer scientists reveal that the honeypot trap designed to protect computers from Botnets are now vulnerable to attack because of advances in Botnet malware.

In the 1990s and early 2000s, viruses and worms were the main problems facing computer security experts, with the likes of Melissa, Love Letter, W32/Sircam, MyDoom, Netsky and Bagle familiar to anyone reading the computer press during that period. There has not been a major outbreak of a conventional or worm on the internet since the Sassar worm of May 2004. That is not because improvements in computer security have outstripped the skills of the virus writers but simply because the focus has shifted to taking control of computers invisibly. Instead of erasing information from hard drives or causing other mischief, compromised computers are recruited into Botnets that track keystrokes and steal usernames, passwords, and credit card details with criminal intent.

Cliff Zou and colleagues of the University of Central Florida in Orlando, explain that Botnets have become one of the major attacks on the internet today, allowing those that control them to take control of tens of thousands of computers and websites, steal credit card and , send millions of spam emails, and infect other computers, all for illicit financial gain. Moreover, those in control of the most powerful Botnets even hire out computer time on these illegal systems to other criminals.

The self-propagating nature of a Botnet means that the underlying software is always attempting to infect new computers. This has allowed security experts to create "honeypot" traps - unprotected computers with hidden monitoring software installed - that attract Botnets and then extract data about the Botnet and the compromised computers it controls. Honeypots set up by security defenders thus become spies in exposing botnet membership and revealing Botnet attack behavior and methodology allowing security experts to find ways to block Botnet activity.

Zou and his team have now discovered that Botnet software could be developed to detect honeypots. Given that security defenders have an obligation to dis-arm their own honeypot computers so that they do not become active components of the Botnet, the could, they explain, simply detect such a honeypot during initial activity as it will not send back appropriate information. The Botnet would then either disable the honeypot computer or else simply ignore its existence and move on to the next target.

By revealing this vulnerability to the computer security industry and presenting possible guidelines for creating honeypots that might be undetectable, the team hopes to pioneer a way to trap and block Botnet software before the controllers are able to exploit this technical loophole in legitimate computer systems employing honeypots.

"Honeypot research and deployment still has significant value for the security community, but we hope this paper will remind honeypot researchers of the importance of studying ways to build covert honeypots, and the limitation in deploying honeypots in security defense," Zou says, "but all that effort will be for naught if honeypots remain as easily detectible as they are presently."

Explore further: Engineer leads effort to develop computer systems that can see better than humans

More information: "Honeypot detection in advanced botnet attacks" in Int. J. Information and Computer Security, 2010, 4, 30-51

Related Stories

Corporations, agencies infiltrated by 'botnet'

Feb 18, 2010

(AP) -- Security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that ...

Comcast tries pop-up alerts to warn of infections

Oct 10, 2009

(AP) -- Comcast Corp. wants to enlist its customers in a fight against a huge problem for Internet providers - the armies of infected personal computers, known as "botnets," that suck up bandwidth by sending spam and facilitating ...

Guilty plea in Seattle 'botnet' case

May 05, 2006

A California man pleaded guilty Thursday to charges stemming from a "botnet" attack last year that damaged U.S. Department of Defense computers.

Botnet Hijacking Steals 70GB of Data

May 05, 2009

(PhysOrg.com) -- Security researchers have uncovered one of the most notorious zombie networks, the Torpig botnet, by collecting 70GB of data that was stolen in just 10 days.

California man indicted in 'botnet' case

Feb 11, 2006

A California man was indicted Friday for allegedly creating a "botnet" that used university computer systems and disrupted information technology at a Seattle hospital.

Conficker worm dabbling with mischief

Apr 28, 2009

The Conficker worm's creators are evidently toying with ways to put the pervasive computer virus to work firing off spam or spreading rogue anti-virus applications called "scareware."

Recommended for you

Hacking Gmail with 92 percent success

1 hour ago

(Phys.org) —A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

frajo
1 / 5 (1) Feb 26, 2010
The most remarkable aspect about all the botnet-related articles is that they seem to share a common taboo: "Don't ever mention the affected or the less affected operating systems".
abhishekbt
Mar 02, 2010
This comment has been removed by a moderator.
frajo
1 / 5 (1) Mar 02, 2010
The "silent majority" doesn't even know what an operating system is. An article like this one could help to educate those people.