Attackers Now Using Honeypots to Trap Researchers

Attackers are constantly changing their tactics and adapting to what the security community and researchers are doing, and it’s not unusual for the bad guys to adopt techniques used by their adversaries. The latest example of this is a malware gang that has deployed what amounts to a honeypot designed to monitor the activity of researchers or other attackers who try to access a command-and-control server.

While researching a piece of malware related to the Zeus botnet, a group of researchers at The Last Line of Defense gained access to a remote server used to help control the attack. This particular attack was sending out huge amounts of spam throughout October, specifically targeting business owners who file quarterly taxes. Known as the EFTPS malware, the spam included a link that sent victims to a site that loaded the Zeus Trojan on their machines and then forwarded them to the actual site at the Treasury Department that handles these payments.

But the interesting part is what the researchers found when they accessed the back-end server: a fake administrative console. Many, if not most, large-scale malware campaigns now have some kind of admin interface on a remote server that enables the attackers to log in and access statistics on infections, geographic distribution of compromised PCs and other measurements. And researchers have been able to access these consoles on a number of occasions, mining them for key intelligence on the attackers behind the malware and how the attack works.

But in this case, the attack crew apparently anticipated this and set up a phony login interface, complete with weak username and password and a simple SQL-injection vulnerability. The console clearly is meant to attract researchers, and perhaps other attackers, to poke around and allow the crew behind EFTPS to observe their movements and methods.

“This admin interface acts as a ‘hacker honeypot’ that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings. After the researcher/hacker is ‘authenticated’, they are shown random exploit statistics,” the Last Line of Defense researchers said in a blog post.

The admin console also has a feature that allows remote users to upload new “bots,” a tactic evidently designed to entice other attackers to try and compromise the server so the EFTPS crew can get a read on what they’re up to.

Legitimate security researchers have been using honeypot systems for years now and they have become a key tool for gathering information on new exploits, attack techniques and botnet research. The most prominent example is The Honeynet Project, a network of volunteers around the world who maintain complex honeypots and publish a lot of research based on what they collect and observe.
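The login logic described above is the same one defenders use in their own decoy consoles. As an added example (not code from the researchers' blog post or from the malware), this shows a decoy login that records each attempt and "authenticates" only default credentials or SQL-injection-style input; the credential list, the pattern, the function names and the sample traffic are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed bait lists (assumptions, not taken from the article).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
SQLI_PATTERN = re.compile(
    r"""['"]\s*(or|and)\s+.+=|--|/\*|\bunion\s+select\b""", re.IGNORECASE)

def classify_attempt(username, password):
    """Label one login attempt against the decoy console."""
    if SQLI_PATTERN.search(username) or SQLI_PATTERN.search(password):
        return "sql_injection"
    if (username.lower(), password) in DEFAULT_CREDS:
        return "default_credentials"
    return "other"

def handle_login(log, src_ip, user_agent, username, password):
    """Record who tried what; return True if the fake dashboard is shown."""
    # No real account store is consulted: the decoy accepts exactly the
    # inputs a genuine console should reject.
    label = classify_attempt(username, password)
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip, "user_agent": user_agent,
        "username": username, "password": password, "label": label,
    })
    return label != "other"

def summarize(log):
    """Count attempts per (source IP, label) for analyst review."""
    counts = {}
    for event in log:
        key = (event["src_ip"], event["label"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample traffic; IPs are from documentation ranges.
SAMPLES = [
    ("192.0.2.10", "curl/8.0", "admin", "admin"),
    ("192.0.2.10", "curl/8.0", "admin", "' OR '1'='1"),
    ("198.51.100.7", "Mozilla/5.0", "alice", "correct horse"),
]

def run_samples():
    log = []
    shown = [handle_login(log, *s) for s in SAMPLES]
    return shown, summarize(log)

if __name__ == "__main__":
    print(run_samples())
```
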

Discussion

  • PaulM on

    I suspect this fake web console may have had a different target in mind. There has been a history of crews hijacking each other's botnets, which for Zeus, SpyEye, and other fraudware bot kits means a direct loss of revenue. The fake upload function in particular makes me think this is designed to catch and identify rival crews trying to take over their botnet.

  • Alan8 on

    Why are these pests allowed to continue?  There should be international laws against Internet crimes, and when a criminal operation like this is detected, Interpol should be breaking down their doors!

  • Anonymous on

    If you want doors broken down all you have to do is send the bad guys a prototype Apple iPhone ;-)

  • Anonymous on

    "If you want doors broken down all you have to do is send the bad guys a prototype Apple iPhone"

    OH PLLLLLEEEEEEASE. send them a WP7 instead!!!

    Microsoft…what a crock of sh*t!

  • Anonymous on

    Good. I'm happy to see that we're finally using their tactics against them. The next step is to integrate enterprise exposure processes into malware campaigns and create a paradigm shift in our operations. Constantly reducing malware costs and increasing the amount of infections is key to a successful revenue stream.

  • T800 on

    Like Alan8 said, where the hell is Interpol in all this? We have all seen how Stuxnet was made to specifically attack industrial machines, which means there are whole organizations behind all this.

  • balaji b on

    If there are no hackers, what would the security researchers do? Lose jobs and start with programming web apps?

    Without hackers, new versions and security patches would not be required. So developers too will lose their value and maybe jobs.

    Internet is for everybody. Just like in nature, internet is balanced because of the good as well as the bad people.

    So praise the security researchers and thank the hackers ...

  • Anonymous on

    The Internet IS a natural phenomenon. The bot-nets and the law-makers, security researchers and pirates all must do their utmost to survive and thrive, just like in nature. And just like in nature, God help us all if anybody actually succeeds in coming out on top.
