An innovative malware honeypot project backed by a leading consortium of IT security experts is preparing to re-launch its global sensor network early this year in an effort to dupe more cyber-criminals into handing over information about their latest attack methods.
The Web Application Security Consortium’s Distributed Open Proxy Honeypot Project, which was initially turned on in Jan. 2007, will relight its set of attack monitoring sensors on or about the first of the year after significantly scaling back its operations during the month of December.
After its initial 11 months of data collection, the project undertook the month-long hiatus to give project researchers more time to examine results and plan for the year ahead.
In addition to tweaking their tactics for tracking and luring malware distributors in 2008, WASC project leaders said they are also planning to add new honeypots to their existing network, which already spans locations in Europe, Russia, South America, and the United States.
Unlike more traditional OS-level or SMTP-based honeypot applications — systems designed to collect individual malware samples for subsequent examination by anti-virus researchers — the WASC project utilizes a network of 14 specially-configured open proxy servers (or proxypots) to monitor traffic for nefarious activities carried out by everyone from botnet herders to adware purveyors.
Traditional honeypots have proven useful for tracking widespread computer viruses and allowing AV companies to produce the signature files needed to protect machines against infection, but those targets are ill-suited to provide the level of real-time intelligence needed to protect against today’s fast-moving customized threats, said Ryan Barnett, the WASC project’s leader.
By serving up an unprotected open proxy server to the larger Internet, and thereby advertising itself as exactly the type of anonymous conduit that attackers seek out to distribute their work — rather than merely an undefended computer, the effort is already garnering new insight into cyber-criminals’ methods, he said.
Barnett, who is also director of application security training at Breach Security and an instructor for the SANS Institute, said that despite being pleased with the project’s initial ability to identify attacks and test ways to thwart malware campaigns further upstream, he is hoping that 2008 will provide even greater rewards.
Among the improvements the group is aiming to make to its system — built around the ModSecurity open-source Web application firewall, for which Barnett also serves as development community manager — are more effective ways for categorizing attacks, correlating anomalies, and applying forensics to trends that it charts over time.
The security expert is hoping that the same open-source movement that has allowed ModSecurity to mature, with the firewall recently adding a range of new features in its late-December version 2.5 release, will also take hold with the honeypot effort and encourage more people to launch sensors or help research its data findings.
“Getting different versions of data analysis will be key, but we will need to get a lot more people onboard,” Barnett said. “We feel that there’s a whole symbiotic approach with the project and the open-source community already. We need to export more of the raw data into that community to help analyze the results — there’s simply too much data for us to churn through alone.”
The future of the proxypots
What the use of the proxypot model allows the project to observe are the source IP addresses being used by attackers running over its sensors, along with the nature of their threats and their targets.
For instance, out of the 8.9 million questionable transactions carried out over the group’s servers in October, when the sensor network was last running at full bore, 2.6 million of the requests were related to advertising click fraud, the leading type of threat observed in the firewalls’ logs.
Further investigation of the results would allow WASC to figure exactly which sites were being pumped-up by those automated traffic hoarders and inform any companies involved of the illegal activity, Barnett said.
For the record, more than three quarters of the traffic moving over the proxypots fails to trigger any of the firewall rules, meaning that it is either benign or unidentifiable as malware.
While the WASC honeypot project could eventually be used to snuff out some malware sources or block the threats themselves, for now, the idea is to create an early warning system to help the security industry respond to emerging attacks.
Along with finding more bodies to throw at analysis of its findings, the project is also considering how it will continue to move forward in relation to the matter of allowing its proxypots to be used to carry out actual attacks.
Thus far, participants in the program have been sending spoofed information back to the attackers channeling traffic over their proxies to fool them into thinking that their campaigns are working and prevent detection of the honeypots.
However, some researchers involved with the program have been asking to allow traffic to pass over their systems unrestricted under the belief that it would be the best way to screen for the newest and smartest threats.
In most cases, project participants will need to defer to local laws governing their level of liability for allowing nefarious traffic flow over their servers if they decide to run wide open, said Barnett. Figuring out exactly how to tackle the issue is one of the WASC honeypot’s other major goals in advancing its status during 2008.
“We’re trying to regroup and figure out how to best address everything in the next twelve months, enough people are asking about the alternative of not blocking malicious traffic that it has become a question we seriously need to consider,” said Barnett. “There are legal issues to study if we want to let real attack run through us, it could still happen anyways — people can always get around rules, so, there is definitely still some risk involved.”
