I just spent some time talking to Claudio Guarnieri, European security researcher for Rapid7, about some interesting new open source security developments. Guarnieri is responsible for Cuckoo Sandbox, a malware analysis system. His website reckons that “you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.”
But he was also talking about a USB threat detection software which appears to be unique. Ghost USB Honeypot is a honeypot for malware which spreads via USB storage devices. The aim is to fool malware into infecting a fake device, from which point you can trap and/or analyse the malware.
It works by emulating a USB device so that, if a computer is infected by malware which propagates using USB flash drives, as so much of it does, the honeypot will trick the malware into infecting the emulated device, where it can be detected without compromising the host system. This kind of attack can particularly difficult to detect because it can attack high security machines that aren’t network-connected. Stuxnet was one such.
To anyone looking at it from user space or from higher levels in the kernel-mode storage architecture, the Ghost drive appears to be a real removable storage device, that strives to behave exactly like disk.sys, the operating system’s disk class driver. The key to its operation is that malware should not be able to detect that it’s not a real USB device.
You can drive it from a GUI or from the command line, and the aim is for companies to be able to deploy the software on standard client machines without the user having to get involved.
In fact, ideally, according to Ghost’s developer, Bonn University student Sebastian Poeplau, the best way to get this to work successfully is to hide it from the user so they don’t try to write to it. In this way, any write access can be assumed to be malware, and the data written is copied into an image file and can be copied off for later analysis. There’s a video of a recent presentation Poeplau gave about the project, its rationale and how it works, here.