What is a Honeypot?

A honeypot is a computer resource whose only purpose is to get exploited. It is a trap, but for computer criminals. An attacked and properly investigated honeypot can provide valuable information about both the attack and the attacker. Although honeypots serve a specialized role on the network, they are disguised as a normal network resource. This makes them a more attractive target when the attacker sees them as a valuable asset to take advantage of, rather than as a cleverly disguised and controlled trap.

Although honeypots are a generalized concept, we typically encounter only a handful of particular applications, and it is further useful to divide them into two distinct classes.


Low Interaction

Low interaction honeypots are defined as such because of the limited interaction an attacker or malware is allowed. All services of a low interaction honeypot are emulated. This means that low interaction honeypots are not themselves vulnerable and will not become infected by the exploit attempted against the emulated vulnerability. These emulated services masquerade as vulnerable software or entire systems, faking the entire network dialog as the attack progresses. Most often this is used for malware collection, in which case the end goal is simply to capture the malware sample the attacker downloads. A low interaction honeypot can also be used to log and report activity, since any connection to it is suspicious and most probably an attack.

Examples of Low Interaction Honeypot Software


High Interaction

High interaction honeypots make use of the actual vulnerable service or software, closely monitoring the system as it is actually exploited by attackers. This has an advantage over lower interaction honeypots in that it is possible to get a far more detailed picture of exactly how an attack progresses or how a particular malware sample behaves in the wild. Additionally, as emulated services are not used (which would require prior knowledge of the vulnerabilities to be exploited), a high interaction honeypot has the possibility of discovering previously unknown exploits. By their very nature, however, high interaction honeypots will likely become infected themselves, requiring the closest attention from operators to prevent the disastrous consequences of further propagation to remote or even local systems. It is for these reasons that the strictest safeguards must be built around the honeypot with regard to network security policies.

High Interaction Honeypot Software


Malware Collectors

Most of the honeypots Shadowserver utilizes in the botnet hunting mission are malware collectors. These are honeypots specialized for the task of accepting exploit attempts from attackers and extracting the transferred malware binaries from the transaction. These honeypots can be low or high interaction, but most are low interaction, since the goal is to collect malware samples only.

The primary malware collector used by Shadowserver is the excellent Nepenthes.


HoneyClients

While most honeypots emulate servers, waiting for an attacker to exploit the service being offered, some honeypots actively pursue attacks against software clients. In particular, web-based exploits against specific web browsers can enable malicious websites to install malware onto a victim's machine. These honeypots crawl websites and, through various methods, determine which websites actually attack the web browser. Malware samples are collected from the honeypot before it is cleaned of the infection; it is then allowed to continue crawling.

Three such honeyclients are listed below.

  • HoneyClient: an open-source set of scripts that drive Internet Explorer
  • HoneyC: a low interaction client honeypot
  • HoneyMonkey: Microsoft's Strider HoneyMonkey Exploit Detection System


SpamTraps

One of the primary ideas behind honeypots is to use the techniques of attackers against them. The same can be done with email, attempting to catch everything from spam to phishing attacks to malicious messages. Spammers typically use a tool that harvests email addresses from web pages to seed their huge contact lists. Spamtraps exploit this methodology by publishing email addresses on web sites and waiting for the spammers to collect the addresses.

To ensure that every message delivered to a spamtrap is interesting, these addresses must not be advertised in a way that would invite correspondence from honest senders, as that would erode the usefulness of the spamtrap.

Additional information can be obtained by dynamically generating email addresses based on the IP address that visited the page. If a message is ever delivered to the spamtrap, the address can be matched to the IP that collected the spamtrap's email address in the first place.

Aside from single-email spamtraps, many domains employ bit-buckets. A bit-bucket is a holding bin for emails sent to nonexistent email addresses. These bit-buckets are almost always populated with spam sent from a brute-force spam attempt.
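The per-visitor addresses and bit-bucket distinction described in the last two paragraphs, as an added example (not Shadowserver's code): each visitor IP gets a trap address carrying an HMAC tag, so an inbound recipient can be traced back to the harvesting IP, while addresses on the trap domain with no valid tag are classified as bit-bucket hits. The trap domain, key and IP addresses are constructed placeholders.

```python
"""Per-visitor spamtrap addresses (added example, not Shadowserver's code)."""
import hashlib
import hmac
import ipaddress

TRAP_DOMAIN = "trap.example.invalid"   # constructed; use a domain that receives only trap mail
SECRET = b"rotate-me-regularly"        # constructed key; keep it out of the web tier


def _tag(ip: str) -> str:
    """Short keyed digest of the harvesting IP; the key stops spammers forging tags."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()[:12]


def trap_address(visitor_ip: str) -> str:
    """Address to embed in the page served to visitor_ip (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(visitor_ip)          # rejects junk input early
    return f"info-{ip.packed.hex()}-{_tag(str(ip))}@{TRAP_DOMAIN}"


def classify_recipient(rcpt: str) -> tuple:
    """Map an inbound recipient address to (kind, harvesting_ip_or_None).

    kind is 'spamtrap' for a valid per-IP trap address, 'bitbucket' for any
    other address on the trap domain (nonexistent mailbox, likely a
    dictionary/brute-force attempt), or 'other' for mail not aimed at the trap.
    """
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != TRAP_DOMAIN:
        return ("other", None)
    parts = local.split("-")
    if len(parts) == 3 and parts[0] == "info":
        try:
            ip = str(ipaddress.ip_address(bytes.fromhex(parts[1])))
        except ValueError:                          # bad hex or wrong length
            return ("bitbucket", None)
        if hmac.compare_digest(_tag(ip), parts[2]):
            return ("spamtrap", ip)
    return ("bitbucket", None)
```

On delivery, the MTA passes the envelope recipient to classify_recipient; a 'spamtrap' result yields the harvester's IP for reporting, while 'bitbucket' mail is kept for sample extraction without attribution.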

With all of the above techniques, malware can be collected by simply stripping out any non-text attachment and analyzing the files as they arrive. Email viruses are still a large problem on the Internet today, and some variants are seeded from similar (or perhaps the same) lists as those used by spammers.


Additional Resources
