Setting Bait to Track Data Thieves

Germans use unguarded PCs as honeypots

Seven computers hum through the Rhineland night at the University of Mannheim’s Laboratory for Dependable Distributed Systems. All they do is collect bad news and nasty infections from the open Internet.

This is the lab’s honeypot network, says Thorsten Holz, a doctoral student at the lab. The honeypots are machines that are walled off from the German university’s network but connected to the Internet. By leaving themselves unguarded and pretending to be operated by naive humans, they tirelessly troll for the latest in spam, worms, viral infections, and malware. Then the honeypots execute the bad code and record what happens. Researchers hope that by studying the results they’ll get a better understanding of how data is stolen and what happens to it.

Holz’s team recently reported the results of a seven-month study that focused on two “families” of the seven or eight current varieties of “keyloggers”: malware that records keystrokes in order to pick up passwords and other sensitive data. The two families were Limbo/Nethell, which uses sham Web sites to infect visitors lured by spam or other social-engineering tricks, and its more sophisticated cousin ZeuS/Zbot, a keylogger that uncoils from an attachment and hides in the user’s browser to steal passwords and account information.

The team followed the Mannheim honeypot data to open “drop zones,” computers where cybercriminals compile and aggregate their ill-gotten gains before transferring them elsewhere.

In analyzing the drop zones, the team found that:

• The drop zones housed 33 gigabytes of account data from 177 000 compromised machines in 175 countries, including 10 775 unique bank-account credentials.

• Facebook is the most popular site for stolen social-network credentials, Windows Live for Web-mail user names and passwords, and eBay for online trading accounts.

• ZeuS can parse account information to read balances (the mean value was US $1700, the average $5225).

Worrisome as the results are, the honeypots themselves are a step forward in understanding black-market data.

Using honeypots to analyze malware came into its own about a decade ago through the work of security pros like Lance Spitzner, author of Honeypots: Tracking Hackers (Addison-Wesley, 2003); Marty Roesch, creator of the popular Snort intrusion-prevention and detection software; and Ron Gula (formerly of the National Security Agency), who started working with honeypots in order to defend the big communications networks run by BBN Technologies and GTE.

“What’s amazed me the most is the explosion in the different ways they’re used,” Spitzner says. “There’s client honeypots, [Voice over Internet Protocol] honeypots, Bluetooth honeypots. Ten years ago there were really only one or two choices.” Spitzner founded the Honeynet Project in 1999, and it now has worldwide presence.

Security firms use honeypots to identify new malware they must defend their clients against. But according to Roesch and Yuval Ben-Itzhak, chief technical officer of the Web security company Finjan, the kind of half-year-long, in-depth analysis the Mannheim group did takes too long to be done by most security firms.

The Mannheim lab’s next project is to further automate the honeypots. “We have automated collection, analysis, and monitoring. The next step is to do this on a larger scale,” Holz says.