Experts think up smarter honeypot traps to track malware

February 27, 2010 07:19 pm | Updated December 15, 2016 04:43 am IST - Washington

VISAKHAPATNAM (Andhra Pradesh): 09-07-2009: A woman browsing through the Friends of book website, a virtual library. Photo: C.V. Subrahmanyam.

Honeypot traps designed to protect computers from Botnets, which are used to carry out fraudulent and criminal activity on the Internet, are now vulnerable to attack because of advances in Botnet malware, computer scientists say.

Botnets are armies of networked computers that have been compromised by malicious software.

In the 1990s and early 2000s, viruses and worms were the main problems facing computer security experts, with the likes of Melissa, Love Letter, W32/Sircam, MyDoom, Netsky and Bagle familiar to anyone reading the computer press during that period.

There has not been a major outbreak of a conventional computer virus or worm on the internet since the Sasser worm of May 2004.

That is not because improvements in computer security have outstripped the skills of the virus writers but simply because the focus has shifted to taking control of computers invisibly.

Instead of erasing information from hard drives or causing other mischief, compromised computers are recruited into Botnets that track keystrokes and steal usernames, passwords, and credit card details with criminal intent.

Cliff Zou and colleagues of the University of Central Florida, Orlando (UCFO), explain that Botnets have become one of the major attacks on the internet today.

They permit those who control them to take control of tens of thousands of computers and websites, steal credit card and banking information, send millions of spam emails, and infect other computers, all for illicit financial gain.

Moreover, those in control of the most powerful Botnets even hire out computer time on these illegal systems to other criminals.

The self-propagating nature of a Botnet means that the underlying software is always attempting to infect new computers.

This has allowed security experts to create “honeypot” traps - unprotected computers with hidden monitoring software installed - that attract Botnets and then extract data about the Botnet and the compromised computers it controls.

Honeypots set up by security defenders thus become spies, exposing Botnet membership and revealing Botnet attack behaviour and methodology, allowing security experts to find ways to block Botnet activity.

Zou and his team have now discovered that Botnet software could be developed to detect honeypots.

Given that security defenders have an obligation to disarm their own honeypot computers so that they do not become active components of the Botnet, the malicious software could, they explain, simply detect such a honeypot during initial activity, as it will not send back appropriate information.

The Botnet would then either disable the honeypot computer or else simply ignore its existence and move on to the next target, says an Inderscience release.

By revealing this vulnerability to the computer security industry and presenting possible guidelines for creating honeypots that might be undetectable, the team hopes to pioneer a way to trap and block Botnet software before the Botnet controllers are able to exploit this technical loophole in legitimate computer systems employing honeypots.

These findings were published in the International Journal of Information and Computer Security.
