Are bad guys using honeypots to catch security researchers?

A common tool of security researchers when dealing directly with malicious security crackers has itself been hijacked by malicious security crackers. The specific intent of their use of the tool is open to question, however.

The Last Line Of Defense is the Web face for LastLine, Inc., which performs security research and "provides protection technology that is complementary to existing anti-virus software and firewalls." LastLine takes a proactive approach to developing security strategies based on what it calls "cyber crime intelligence that we gather by analyzing millions of suspicious URLs and binaries every day."

A recent encounter in LastLine's research activities is recounted in "Statistics Don't Lie... Or Do They?" LastLine "obtained access to a backend server" used by malicious security crackers in their illegal malware-enabled activities -- that is, cracked the security of security crackers' servers. What they discovered is that the server in question was not as straightforward a malware command and control system as might have been expected.

Security researchers and other network security experts often use a mechanism known as a "honeypot." A honeypot is in effect a fake vulnerable server. Malicious security crackers discover it and gain access to it, only realizing afterward, if at all, that they have not been targeting the real thing. While they are inside, their activities are logged and the sysadmins are notified of the breach, allowing these sysadmins to collect network forensic data and other information of interest to them, and to use that data to hunt down the criminals, shore up their own defenses, or both.

That is, ironically, what LastLine found on the server: a honeypot.

The suggestion of some articles on the subject of this incident, such as the report from Kaspersky Labs' "threatpost" security news service, is that "Attackers Now Using Honeypots to Trap Researchers." The evidence in this particular case is not really sufficient to leap to this conclusion, however. The honeypot in this case could just as easily have been set up to catch other malicious security crackers who might want to hijack the server.

Without more information, it is simply not reasonable to jump to a conclusion such as the belief that the honeypot was specifically set up to catch security researchers. What we can glean from the information we have, however, is instructive nonetheless. This situation shows malicious security crackers using sophisticated measures to protect themselves against a taste of their own medicine.