Honeynet Project Launches 'Ghost' To Snare USB Malware

Type threatpost
Reporter Paul Roberts
Modified 2018-07-02T19:22:51


The Honeynet Project launched a new project Thursday that is designed to snare malware that spreads by infecting removable USB (universal serial bus) storage drives, citing the increased reliance of malicious programs on portable drives to move from computer to computer.

The ghost-usb-honeypot uses software to emulate a portable USB flash drive on a Windows system that has been exposed to malicious software circulating on the Internet. Researchers hope to use the emulated drives to spot malware that copies itself to the virtual flash drive.

The Honeynet Project is a non-profit security research organization that collects and analyzes malware in the wild using a wide range of open source security tools. Honeypots are machines that are set up to attract malware and hackers for the purpose of studying their behavior.

The ghost-usb-honeypot project stems from research conducted by Sebastian Poeplau, a student at Bonn University in Germany. Poeplau first presented the results of work he and others conducted at the University of Bonn’s Institute of Computer Science at a Honeynet Project conference in San Francisco in March. Poeplau said that propagation via USB drives is increasingly common, as malware authors look for ways to breach machines or networks that are “air-gapped,” or not accessible from other networks.

Employees working on such air-gapped networks still need to transfer data back and forth, and typically use USB drives to do so. The Stuxnet worm famously spread via USB drive, as did the recently discovered Flame malware.

Most honeypot installations to date have focused on malware that spreads by exploiting vulnerable network services or client software. However, nobody has previously attempted to capture and study malware that spreads via USB drives, Poeplau said in a presentation on the project in March. Ghostdrive is a virtual USB drive implemented as a Windows kernel-mode driver that hooks Windows at the level of the disk class driver (disk.sys). A virtual bus driver registers the virtual disk driver, emulating the act of "plugging in" a removable device on the Windows instance. Any data written to the virtual device is copied into a binary image file, so the image can later be examined for whatever the malware wrote.

In a demonstration, Poeplau infected a virtual Windows instance with the Conficker malware, then loaded a virtual USB drive and observed Conficker infecting the drive. He says that companies could use the free Ghostdrive tool to help monitor USB infections across their organization. In addition, the Ghost project may end up detecting malware that spreads solely via USB drives, something that researchers have yet to identify.
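The two paragraphs above describe the mechanism and the demonstration: Ghost presents an emulated drive that nobody plugged in, so any write to it is suspect, and the written data ends up in an image file. The script below is an added example of the offline analysis step a practitioner would run on such an image; it is not code from ghost-usb-honeypot or from Poeplau's team. It compares a pristine image with the image after the virtual drive was unmounted, lists the modified 512-byte sectors, and flags the two artifacts USB worms such as Conficker leave behind: an autorun.inf and a dropped PE file. The two images, the autorun.inf text and the PE stub are constructed in memory for the example; with real Ghost output you would read both image files from disk.

```python
"""Offline analysis of a Ghost virtual-drive image (added example, not Ghost's own code).

Ghost copies every write to the emulated USB drive into a binary image file.
Because no user ever plugged the drive in, a modified sector is itself the
detection signal; the indicator checks only tell you what kind of payload
was written.
"""
import hashlib

SECTOR = 512  # sector size of the emulated disk (assumption for this example)


def changed_sectors(before: bytes, after: bytes) -> list[int]:
    """Return the indices of sectors whose content differs between the two images."""
    if len(before) != len(after):
        raise ValueError("images differ in size; compare two images of the same drive")
    n = (len(before) + SECTOR - 1) // SECTOR
    return [
        s for s in range(n)
        if before[s * SECTOR:(s + 1) * SECTOR] != after[s * SECTOR:(s + 1) * SECTOR]
    ]


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze(before: bytes, after: bytes) -> dict:
    """Diff the two images and summarise what was written to the honeypot drive."""
    sectors = changed_sectors(before, after)
    modified = b"".join(after[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
    return {
        "suspicious": bool(sectors),            # any write at all is a hit
        "modified_sectors": sectors,
        # file data on a FAT volume starts on a cluster boundary, so a payload's
        # first bytes land at the start of a sector; the PE check uses that.
        "autorun_inf": b"[autorun]" in modified.lower(),
        "pe_header": any(looks_like_pe(after[s * SECTOR:]) for s in sectors),
        "sha256_after": hashlib.sha256(after).hexdigest(),
    }


def build_images() -> tuple[bytes, bytes]:
    """Constructed sample: a blank 64 KiB 'drive' and a copy that an infection wrote to."""
    size = 64 * 1024
    before = bytes(size)
    after = bytearray(before)
    # constructed autorun.inf in the style of USB worms (not a real sample)
    autorun = b"[autorun]\r\nshellexecute=rundll32.exe payload.dll,InstallM\r\n"
    after[4 * SECTOR:4 * SECTOR + len(autorun)] = autorun
    # minimal PE stub: MZ header, e_lfanew = 0x40, then the PE signature
    pe_stub = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    after[16 * SECTOR:16 * SECTOR + len(pe_stub)] = pe_stub
    return before, bytes(after)


if __name__ == "__main__":
    pristine, infected = build_images()
    report = analyze(pristine, infected)
    for key, value in report.items():
        print(f"{key}: {value}")
```

One caveat when running this against a real image: Windows itself may write to a freshly mounted volume (for example a System Volume Information folder), so take a baseline by mounting the virtual drive once on a clean system and comparing against that image rather than against the unmodified file you shipped.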

Security researchers have long warned about the danger posed by portable USB drives. In 2010, then-Deputy Secretary of Defense William Lynn acknowledged that an infected USB drive was responsible for a compromise of the DOD's classified SIPRNet. Despite that, most companies do not closely manage or monitor the use of removable devices by employees, leaving a gaping hole for attackers.

Famously, IBM was embarrassed after USB keys it was distributing at the AusCERT conference were found to be infected with malware that infected Windows systems.