Zombie tactics threaten to poison honeypots

Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs. Computer scientists led by Cliff Zou and colleagues at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with …


This topic is closed for new posts.
  1. Cameron Colley

    Why VMs?

    Since a program can detect that it is in a VM, why not just use a couple of cheap low-power PCs instead, possibly with debugging machines attached via Firewire, or whatever? A few could be attached to the same debugging machine and could also share a firewall machine with packet inspection.

    1. Carter Cole

      10k reasons why

      You can make 10k virtual machines for free, but even with old 386s you're going to pay more for power and for each machine, to the point where it becomes ineffective to try to scale.

      1. Cameron Colley

        10K machines are not free.

        VMs are not free, they're just generally more efficient -- but, when it comes down to it, you still need a given amount of power to complete a given number of calculations. Yes, it may be slightly more expensive to buy and house a couple of hundred EeePCs (or whichever generic low power cheapo system) but with proper planning it shouldn't cost all that much more.

        I'll admit I don't own or use a racked server -- but I bet they cost more than, for example, 5 EeePCs and use about as much power?

  2. Anonymous Coward


    All they have to do is harness the 'honeypot' systems in a ringfenced environment with stubs that intercept outgoing email and other traffic and return 'normal' responses... (i.e. email server responses, ping echoes etc.)

    Oh wait, then the blackhats would simply be able to run a validation 'attack' against a system under their control and it's back to the drawing board for the security firm... =O(
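    The ring-fenced stub this post describes, as an added example that is not part of the original thread or of any product named on the page: a minimal SMTP sinkhole that answers a contained machine's outbound mail session with normal-looking replies, captures the message for the analyst, and never relays it. The class, the host name `mail.example.invalid` and the scripted session are all constructed for illustration; in a real sandbox the outbound TCP/25 traffic would be redirected to the listener at the bottom of the block.

```python
"""SMTP sinkhole for a contained honeypot: replies like a real MTA, keeps the mail.

Added example, not code from the page or its commenters.  Names and the
sample session are constructed for illustration."""
import socketserver
from dataclasses import dataclass


@dataclass
class CapturedMessage:
    sender: str
    recipients: list
    body: str


class SmtpSinkhole:
    """Protocol state machine for one SMTP session.

    feed() takes one client line (CRLF stripped) and returns the reply to send,
    or None for body lines inside DATA.  Messages land in .captured only."""

    def __init__(self, hostname="mail.example.invalid"):  # constructed name
        self.hostname = hostname
        self.captured = []
        self._sender = None
        self._rcpts = []
        self._data = None  # list of body lines while inside DATA, else None

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        if self._data is not None:
            # Inside DATA: everything is body until the lone "." terminator.
            if line == ".":
                self.captured.append(CapturedMessage(
                    self._sender, list(self._rcpts), "\n".join(self._data)))
                self._data, self._sender, self._rcpts = None, None, []
                return "250 OK: queued"  # the 'normal' response; nothing is queued
            # RFC 5321 dot-stuffing: a leading ".." stands for a literal "."
            self._data.append(line[1:] if line.startswith("..") else line)
            return None

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self._sender = arg.split(":", 1)[-1].strip()
            return "250 OK"
        if verb == "RCPT":
            if self._sender is None:
                return "503 Need MAIL FROM first"
            self._rcpts.append(arg.split(":", 1)[-1].strip())
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 Need RCPT TO first"
            self._data = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._sender, self._rcpts = None, []
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"


def run_session(lines):
    """Drive one sinkhole through a scripted session; return (replies, captured)."""
    sink = SmtpSinkhole()
    replies = [sink.greeting()]
    for line in lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies, sink.captured


class SinkholeHandler(socketserver.StreamRequestHandler):
    """Network front-end: point the sandbox's redirected port 25 traffic here."""

    def handle(self):
        sink = SmtpSinkhole()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.feed(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for m in sink.captured:
            print(f"captured mail from {m.sender} to {m.recipients} ({len(m.body)} bytes)")


# Constructed session standing in for what a contained bot might send.
SAMPLE_SESSION = [
    "EHLO zombie.lan",
    "MAIL FROM:<bot@zombie.lan>",
    "RCPT TO:<victim@example.com>",
    "RCPT TO:<check@herder.example>",
    "DATA",
    "Subject: test",
    "",
    "..leading dot kept",
    "hello",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, captured = run_session(SAMPLE_SESSION)
    print("\n".join(replies))
    for m in captured:
        print(m)
    # Live listener: socketserver.TCPServer(("0.0.0.0", 2525), SinkholeHandler).serve_forever()
```

    The recipient list the sinkhole records is exactly the evidence the follow-up post worries about: a mail addressed to an attacker-controlled mailbox that never arrives tells the herder the machine is contained, while the same captured address tells the analyst where the validation check was going.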

  3. Snowy

    Honeypot the new defense

    Just have the software set up to make the pc look like a honeypot and they pass you by...

  4. amanfromMars 1

    Who Dares Win Wins

    "..., and the limitation in deploying honeypots in security defence," Zou said.

    What limitations? You cannot be serious, Mr Zou.

    Honey for All is such AIdDelight.

  5. Clinton


    Thousands or more zombies in each botnet, and the security firms can't let a couple of honeypots send a few thousand e-mails to add to the billions that are already sent? Isn't it more important to get the research data than to worry about spreading the bot to a few more machines? Quit being high and mighty and get the job done!

    1. Black Betty

      The law does not allow exceptions.

      A security firm that deliberately allowed its machine to spread spam/malware would be in for a world of hurt. And unlike the spammers they do have a known street address where a summons can be served.

      1. Dave Bell

        You might be surprised...

        This is an example of a tricky general legal problem, perhaps more obvious in the case of an undercover cop. The big problem is that the laws on computer crime have been far less tested in the courts. The limits on what a honeypot operator can do are quite vague.

        But this situation isn't some gangster saying, "We don't tell you anything until you've killed this guy."

        1. Black Betty

          1) These people are not cops.

          2) Civil litigation is possibly a far bigger worry than arrest.

  6. Carter Cole

    another feature to add to the code in my head

      To have a giant botnet would be awesome, but I must confess I've been writing code in my head for one (and how to make it beat all the others). Thanks for the heads up on another feature I need to add in :)

  7. Anonymous Coward

    Jesus Christ How old?

    How old is this research? I've seen bot sources as far back as 2006/07 that incorporated VM scanning functions and other sandbox software.

  8. Ammaross Danan


    Since many servers (should) nowadays be running inside a VM, simply dumping out due to being in a virtual environment isn't enough of a check. Servers are the lucrative hosts for zombies due to their always-on, high-bandwidth, high-horsepower nature. To dump them simply for being a virtual server will cut out a portion of this zombie base. As noted in the paper, other methods would be much more meaningful. However, one mentioned (of including a self-address in the list for verification) wouldn't be on my list. Even if it was a web-based email, it would still require utilizing one (or some) of the bots to auto-check the "personal" email address for verification, which would throw a control password into the mix, and provide a means of compromise. Not good. The other alternative would be to check it with some control center, which could be traced back to: another fail.

    Perhaps the easiest way would be to register a few (if not all) directly-accessible bots (not behind a firewall or the like) as targets. For every batch of spam sent, from every server, one email would be addressed to <randomgarbage>@<infectedcomputerip> (so to speak) and have a C&C message verify across the bot-whispernet that such an email was received, and have that determine if the machine is being filtered/blocked/redirected. It isn't flawless, but will give the herder an idea of which machines are pointlessly infected.

    As for the "act as a honeypot" to disable a zombie suggestion above, I would assume you have the technical know-how to remove such a bot if you know how to "act as a honeypot" in the first place. Or am I just giving too much credit?

    Either way, if the bot is unable to send spam for whatever reason, I'd probably just flip it into "keylog and send me juicy info" status anyways.

    1. Dave Bell

      But what would be key-logged?

      At that point, you somehow have to fake a computer doing something for a local human. That's non-trivial. Luckily, so is detecting a fake human with another computer.

  9. Juillen 1


    By their ethics of "we won't let things get a little worse, even if it helps cure the problem", we'd have no surgery, or indeed any modern medicine.

    One of the base tenets of medical intervention is that you temporarily put the patient in a worse, but controlled state as part of the process that leads to them being better (i.e. you feed them paralytics, memory loss drugs and cut into them, leaving them temporarily worse off, but in the process you fix an underlying ailment leaving them long term better off).

    Now everything in modern medicine has to go through ethics approval, to make sure the research and processes are ethical. Why should it be believed that the digital world is any different?

  10. Steve Bush

    No way to evade detection as honeypot finally

    All the botnet has to do is judge the target by results, i.e. itself receive some of the spam generated, and if none is received then judge the target to be defective/a honeypot.



Biting the hand that feeds IT © 1998–2022