  • DocumentCode
    2486753
  • Title
    A honeypot for arbitrary malware on USB storage devices
  • Author
    Poeplau, Sebastian ; Gassen, Jan
  • Author_Institution
    Inst. of Comput. Sci. 4, Univ. of Bonn, Bonn, Germany
  • fYear
    2012
  • fDate
    10-12 Oct. 2012
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Malware is a serious threat for modern information technology. It is therefore vital to be able to detect and analyze such malicious software in order to develop countermeasures. Honeypots are a tool supporting that task - they collect malware samples for analysis. Unfortunately, existing honeypots concentrate on malware that spreads over networks, thus missing any malware that does not use a network for propagation. A popular network-independent technique for malware to spread is copying itself to USB flash drives. In this article we present Ghost, a new kind of honeypot for such USB malware. It detects malware by simulating a removable device in software, thereby tricking malware into copying itself to the virtual device. We explain the concept in detail and evaluate it using samples of wide-spread malware. We conclude that this new approach works reliably even for sophisticated malware, thus rendering the concept a promising new idea.
  • Keywords
    computer network security; invasive software; peripheral interfaces; Ghost; USB flash drives; USB malware; USB storage devices; honeypot; malicious software analysis; malicious software detection; network-independent technique; removable storage device simulation; virtual device; Ash; Computers; Internet; Malware; Operating systems; Universal Serial Bus;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
  • Conference_Location
    Cork
  • Print_ISBN
    978-1-4673-3087-9
  • Electronic_ISBN
    978-1-4673-3088-6
  • Type
    conf
  • DOI
    10.1109/CRISIS.2012.6378948
  • Filename
    6378948