Title :
A honeypot for arbitrary malware on USB storage devices
Author :
Poeplau, Sebastian ; Gassen, Jan
Author_Institution :
Inst. of Comput. Sci. 4, Univ. of Bonn, Bonn, Germany
Abstract :
Malware is a serious threat for modern information technology. It is therefore vital to be able to detect and analyze such malicious software in order to develop contermeasures. Honeypots are a tool supporting that task - they collect malware samples for analysis. Unfortunately, existing honeypots concentrate on malware that spreads over networks, thus missing any malware that does not use a network for propagation. A popular network-independent technique for malware to spread is copying itself to USB flash drives. In this article we present Ghost, a new kind of honeypot for such USB malware. It detects malware by simulating a removable device in software, thereby tricking malware into copying itself to the virtual device. We explain the concept in detail and evaluate it using samples of wide-spread malware. We conclude that this new approach works reliably even for sophisticated malware, thus rendering the concept a promising new idea.
Keywords :
computer network security; invasive software; peripheral interfaces; Ghost; USB flash drives; USB malware; USB storage devices; honeypot; malicious software analysis; malicious software detection; network-independent technique; removable storage device simulation; virtual device; Ash; Computers; Internet; Malware; Operating systems; Universal Serial Bus;
Conference_Titel :
Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
Conference_Location :
Cork
Print_ISBN :
978-1-4673-3087-9
Electronic_ISBN :
978-1-4673-3088-6
DOI :
10.1109/CRISIS.2012.6378948
