November 4, 2010, 10:52AM

Attackers Now Using Honeypots to Trap Researchers

Attackers are constantly changing their tactics and adapting to what the security community and researchers are doing, and it's not unusual for the bad guys to adopt techniques used by their adversaries. The latest example of this is a malware gang that has deployed what amounts to a honeypot designed to monitor the activity of researchers or other attackers who try to access a command-and-control server.

While researching a piece of malware related to the Zeus botnet, a group of researchers at The Last Line of Defense gained access to a remote server used to help control the attack. This particular attack was sending out huge amounts of spam throughout October, specifically targeting business owners who file quarterly taxes. Known as the EFTPS malware, the spam included a link that sent victims to a site that loaded the Zeus Trojan on their machines and then forwarded them to the actual site at the Treasury Department that handles these payments.

But the interesting part is what the researchers found when they accessed the back-end server: a fake administrative console. Many, if not most, large-scale malware campaigns now have some kind of admin interface on a remote server that enables the attackers to log in and access statistics on infections, geographic distribution of compromised PCs and other measurements. And researchers have been able to access these consoles on a number of occasions, mining them for key intelligence on the attackers behind the malware and how the attack works.

But in this case, the attack crew apparently anticipated this and set up a phony login interface, complete with weak username and password and a simple SQL-injection vulnerability. The console clearly is meant to attract researchers, and perhaps other attackers, to poke around and allow the crew behind EFTPS to observe their movements and methods.

"This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings. After the researcher/hacker is 'authenticated', they are shown random exploit statistics," the Last Line of Defense researchers said in a blog post.

The admin console also has a feature that allows remote users to upload new "bots," a tactic evidently designed to entice other attackers to try to compromise the server so the EFTPS crew can get a read on what they're up to.

Legitimate security researchers have been using honeypot systems for years now and they have become a key tool for gathering information on new exploits, attack techniques and botnet research. The most prominent example is The Honeynet Project, a network of volunteers around the world who maintain complex honeypots and publish a lot of research based on what they collect and observe.


Comments

I suspect this fake web console may have had a different target in mind. There has been a history of crews hijacking each other's botnets, which for Zeus, SpyEye, and other fraudware bot kits means a direct loss of revenue. The fake upload function in particular makes me think this is designed to catch and identify rival crews trying to take over their botnet.

Why are these pests allowed to continue? There should be international laws against Internet crimes, and when a criminal operation like this is detected, Interpol should be breaking down their doors!

I had the same feeling on that. There is a lot of that going on these days, and the fact that it helps them monitor researchers may just be a nice side effect for them.

If you want doors broken down all you have to do is send the bad guys a prototype Apple iPhone ;-)

"If you want doors broken down all you have to do is send the bad guys a prototype Apple iPhone"

OH PLLLLLEEEEEEASE. send them a WP7 instead!!!

Microsoft... what a crock of sh*t!

Seriously! International police raids are free and easy!

send them a WP7 instead!!! Sorry, that wouldn't work. Only Apple would go that far.

Good. I'm happy to see that we're finally using their tactics against them. The next step is to integrate enterprise exposure processes into malware campaigns and create a paradigm shift in our operations. Constantly reducing malware costs and increasing the amount of infections is key to a successful revenue stream.

Like Alan8 said, where the hell is Interpol in all this. We have all seen how Stuxnet was made to specifically attack industrial machines, which means there are whole organizations behind all this.

If there are no hackers, what would the security researchers do? Lose jobs and start with programming web apps?

Without hackers, new versions and security patches would not be required. So developers too will lose their value and maybe jobs.

Internet is for everybody. Just like in nature, internet is balanced because of the good as well as the bad people.

So praise the security researchers and thank the hackers ...


Finding out what door to break down is often non-trivial. The server this honeypot is running on, for instance, is probably some poor sap's machine that got cracked a couple of months ago. To crack it, these attackers probably ran some scans from some other machines, also not belonging to them. They might have gone through any number of steps to hide and obfuscate their real origin. To actually catch them, you probably need warrants in several different countries, a process that is hard for a good reason.

So, don't be too harsh on Interpol. I'm sure they're doing what they can (and they do roll up a botnet or two, now and then).

The Internet IS a natural phenomenon. The bot-nets and the law-makers, security researchers and pirates all must do their utmost to survive and thrive, just like in nature. And just like in nature, God help us all if anybody actually succeeds in coming out on top.


Copyright © 2012 threatpost.com