Detecting Honeypots and other Suspicious Environments

When running a honeypot, the operator should also know the constraints of current honeypot-based techniques. Back in 2004, we showed as part of the NoSEBrEaK project how an attacker can detect, disable and circumvent Sebek, the primary Data Capture tool used by honeynet researchers to record the attacker's activities on a honeypot. Since then, Sebek has been improved and most of the attacks do not work anymore.

Last year, Frederic Raynal and I published a paper about the detection of honeypots and other suspicious environments, e.g., whether a program runs under a debugger. We give examples of how to detect the presence of UML, VMWare, Softice, and OllyDbg. For example, Agobot uses the following piece of code to detect software breakpoints (an INT3 opcode, 0xCC, patched over the first byte of a function):

    mov esi, address     ; load function address
    mov al, [esi]        ; load the first opcode byte
    cmp al, 0xCC         ; check if the opcode is 0xCC (INT3)
    je BPXed             ; yes, there is a breakpoint: jump to return true
    xor eax, eax         ; false, no breakpoint
    jmp NOBPX
BPXed:
    mov eax, 1           ; breakpoint found
NOBPX:
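To make the behaviour of that check concrete for an analyst who wants to know whether their own instrumentation would trip it, here is an added C example (not code from the paper or from Agobot). It reproduces the entry-byte test on constructed byte buffers, adds a scan over a whole code range, and shows the two caveats a practitioner cares about: the check only sees an INT3 that is present at the moment it runs, and a raw 0xCC byte can legitimately occur inside another instruction's encoding (here, as the immediate of `mov al, 0xCC`), so scanning for the byte alone produces false positives. The sample byte sequences are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3_OPCODE 0xCC

/* Agobot-style test: is there a software breakpoint at the entry point? */
int entry_has_int3(const uint8_t *code)
{
    return code[0] == INT3_OPCODE;
}

/* Naive extension: count every raw 0xCC byte in a code range.
 * This over-reports, because 0xCC may be an immediate or padding byte. */
size_t count_int3_bytes(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == INT3_OPCODE)
            n++;
    return n;
}

/* Simulate what a debugger does when it sets a software breakpoint:
 * save the original byte and overwrite it with INT3. */
void place_breakpoint(uint8_t *code, uint8_t *saved)
{
    *saved = code[0];
    code[0] = INT3_OPCODE;
}

/* ...and what it does before resuming: restore the original byte.
 * Once restored, the entry-byte check no longer sees anything. */
void remove_breakpoint(uint8_t *code, uint8_t saved)
{
    code[0] = saved;
}

/* Constructed sample: a clean prologue, push rbp; mov rbp, rsp; ret */
static const uint8_t clean_prologue[] = {0x55, 0x48, 0x89, 0xE5, 0xC3};

/* Constructed sample: no breakpoint, but 0xCC appears as the immediate of
 * mov al, 0xCC (encoded B0 CC), followed by ret */
static const uint8_t immediate_cc[] = {0xB0, 0xCC, 0xC3};

/* Returns 1 if the entry check flags the buffer after a breakpoint is placed
 * and 0 again after it is removed, i.e. the check is a point-in-time snapshot. */
int breakpoint_round_trip(void)
{
    uint8_t buf[sizeof clean_prologue];
    uint8_t saved;
    memcpy(buf, clean_prologue, sizeof buf);

    place_breakpoint(buf, &saved);
    int seen_while_set = entry_has_int3(buf);
    remove_breakpoint(buf, saved);
    int seen_after_restore = entry_has_int3(buf);

    return seen_while_set && !seen_after_restore;
}

int main(void)
{
    printf("clean prologue, entry INT3: %d\n", entry_has_int3(clean_prologue));
    printf("mov al,0xCC sample, entry INT3: %d, raw 0xCC bytes: %zu\n",
           entry_has_int3(immediate_cc),
           count_int3_bytes(immediate_cc, sizeof immediate_cc));
    printf("breakpoint visible only while set: %d\n", breakpoint_round_trip());
    return 0;
}
```

The round trip is the practical point for anyone instrumenting a honeypot or sandbox: a tool that patches INT3 into function entries and leaves it there is trivially visible to this check, whereas hardware breakpoints or single-stepping leave the code bytes untouched. The `immediate_cc` sample shows why a detector cannot simply grep code for 0xCC without decoding instructions.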

@InProceedings{Holz:2005:DHO,
author = {Thorsten Holz and Frederic Raynal},
title = {Detecting Honeypots and Other Suspicious Environments},
year = {2005},
address = {West Point},
institution = {United States Military Academy},
publisher = {IEEE},
booktitle = {Proceedings of the 6th IEEE Information Assurance Workshop},
}


Download the paper
