Are bad guys using honeypots to catch security researchers?

A common tool of security researchers when dealing directly with malicious security crackers has itself been hijacked by malicious security crackers. The specific intent of their use of the tool is open to question, however.

The Last Line Of Defense is the Web face for LastLine, Inc., which performs security research and "provides protection technology that is complementary to existing anti-virus software and firewalls." LastLine takes a proactive approach to developing security strategies based on what it calls "cyber crime intelligence that we gather by analyzing millions of suspicious URLs and binaries every day."

A recent encounter in LastLine's research activities is recounted in "Statistics Don't Lie... Or Do They?" LastLine "obtained access to a backend server" used by malicious security crackers in their illegal malware-enabled activities -- that is, it cracked the security of the security crackers' server. What LastLine discovered is that the server in question was not the straightforward malware command-and-control system one might have expected.

Security researchers and other network security experts often use a mechanism known as a "honeypot." A honeypot is in effect a fake vulnerable server. Malicious security crackers discover it, and gain access to it, without realizing until after that point that they have not been targeting the real thing. When they do so, their activities are logged and the sysadmins are notified of the breach, allowing these sysadmins to collect network forensic data and other information of interest to them, and to use that data to hunt down the criminals, shore up their own defenses, or both.
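To make that mechanism concrete, here is a minimal low-interaction TCP honeypot written for this article as an added example; it is not code from LastLine or from the original post. It presents a fake service banner (a constructed value), builds a forensic record for every connection (timestamp, source address and port, a bounded sample of the first bytes sent) and flags each one, since nothing legitimate should ever talk to a decoy. The `simulate_probe` client is a constructed stand-in for a scanner so the whole thing runs offline on loopback; all names in the block are assumptions for the example.

```python
import datetime
import json
import socket
import threading

# Constructed decoy banner; a real deployment mimics whatever service it imitates.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def record_interaction(peer, first_bytes, now=None):
    """Build one forensic log record for a connection to the decoy.

    Every contact is flagged: the record doubles as the breach notification
    the sysadmin receives, because no legitimate client has a reason to be here.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_bytes": first_bytes[:64].hex(),  # bounded payload sample, hex-encoded
        "alert": True,
    }


class Honeypot:
    """Low-interaction TCP decoy: accept, send a banner, log what arrives, close."""

    def __init__(self, host="127.0.0.1", port=0):  # port 0: let the OS pick one
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice a stop request
        self.port = self.sock.getsockname()[1]
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._handlers = []
        self._acceptor = threading.Thread(target=self._accept_loop, daemon=True)

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2)
            conn.sendall(FAKE_BANNER)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""  # a silent scanner that only connects still gets logged
        rec = record_interaction(peer, data)
        with self._lock:
            self.records.append(rec)
        print("ALERT honeypot contact:", json.dumps(rec))

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            t = threading.Thread(target=self._handle, args=(conn, peer), daemon=True)
            self._handlers.append(t)
            t.start()

    def start(self):
        self._acceptor.start()

    def stop(self):
        self._stop.set()
        self._acceptor.join()
        for t in self._handlers:  # wait for in-flight connections to be recorded
            t.join(timeout=5)
        self.sock.close()


def simulate_probe(port, payload=b"HELO scanner\r\n"):
    """Constructed stand-in for an intruder's client; only used to drive the demo."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def demo():
    """Run the decoy on loopback, hit it once, return (banner seen, records logged)."""
    hp = Honeypot()
    hp.start()
    banner = simulate_probe(hp.port)
    hp.stop()  # joins handler threads, so every record is in place on return
    return banner, hp.records


if __name__ == "__main__":
    seen, logged = demo()
    print("probe saw banner:", seen)
    print("records:", logged)
```

In a real deployment the records would go to a log pipeline rather than `print`, and the decoy would sit on an address no production client should ever contact, which is what makes every hit worth an alert.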

That is, ironically, what LastLine found on the server: a honeypot.

Some articles on this incident, such as the report from Kaspersky Labs' "threatpost" security news service, suggest that "Attackers Now Using Honeypots to Trap Researchers." The evidence in this particular case is not really sufficient to leap to that conclusion, however. The honeypot could just as easily have been set up to catch other malicious security crackers who might want to hijack the server.

Without more information, it is simply not reasonable to jump to a conclusion such as the belief that the honeypot was specifically set up to catch security researchers. What we can glean from the information we have, however, is instructive nonetheless. This situation shows malicious security crackers using sophisticated measures to protect themselves against a taste of their own medicine.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

9 comments
pgit

Like those nesting dolls... are the "crackers" actually other white hat types trying to keep a step ahead of the crackers? Have the crackers done this? If so, are they watching what the white hats are doing, or are they just sitting on a potential bot that might escape some scrutiny because of the nature of the thing (honey pot)? Unless someone steps up and proves it, we don't know if this is a good thing or a bad thing. It almost hurts knowing about this without knowing who's behind it. FWIW I recently had to take my own honey pot off line. Activity had increased substantially and I had one very interesting squatter: a US Army Signal Corps server from somewhere south, Alabama IIRC. Could the entity behind this inverse honey pot be a government/security state or similar "official" source? If we can only speculate... the only hard evidence I have to go with is that the "official" spook types possess the cutting edge of everything.

frank1

I think what the bad guys have done is capture ignorant fear-mongering journalists.

seanferd

Could be (from what little I know) some other security researcher's honeypot disguised to look like a botnet C&C server or whatever. It certainly could be a criminal vs. criminal honeypot. It's a big and competitive (and rather well commoditized) business.

robo_dev

You never read an article from a company that sells security software that says "no need to worry about that". What you hear is that security experts themselves are being hunted by the evil empire of computer hackers. Despite what you see in movies, if a security researcher logs into a honeypot, the worst risk to him is that he's wasting time.

seanferd

Obvious troll is, indeed, obvious. "Ignorant fear-mongering journalist captures moron's comment."

RipVan

Who knows? A diversion to keep people from the real target just to lengthen the amount of time they can keep the real thing up? A security device used to log the different ways security companies go about investigating malware? Those two options seem most likely. Edit: speeling.

seanferd

Some security types seem to thrive on threat theater. FUD or real threats can certainly be a purported selling point for a product. Whether a product offers any real security is another matter. "Despite what you see in movies, if a security researcher logs into a honeypot, the worst risk to him is that he's wasting time." What are the criminals going to do? Call the cops on the researchers? Wait - can't they do that thing that makes large electric arcs jump out of the boxen on the researchers' end, frying everyone to a crisp?