26

Do techniques exist to know if a machine is a honeypot (or to spot suspicious indicators)?

What techniques can be used for a software inside the honeypot or outside it?

What techniques does malware use to avoid infecting honeypots?

OrangeDog
wjaphqoz

  • There may be ways for detecting some specialized honeypot software, but someone could simply use a regular computer as a honeypot that is being monitored by an outside source. It would be impossible to detect such a situation. – Gray Jun 01 '15 at 20:08
  • There are all kinds of tests - but it depends on the honeypot. Do you have a certain honeypot in mind? – schroeder Jun 01 '15 at 20:29

4 Answers

31

Ideally, no. A honeypot is a word used to define the purpose of a machine, but has no bearing on the machine itself, how it's configured or any particular software running on it.

That said, someone creating a honeypot typically has the goal of luring targets into expending resources or breaking OpSec. To do this, they would present a goal that appears to offer a significant reward and/or minimal effort required to exploit. Provided the owner of the honey pot is not a very good poker player (knowing how much to offer without making the trap obvious), one could potentially measure the "too good to be true" value of a machine.

Sadly, though, if one were to compare this measure with the majority of internet connected hosts, a deliberately weak and valuable goal will be largely indistinguishable from one that is accidentally so.

Smiling Dragon
  • "a deliberately weak and valuable goal will be largely indistinguishable from one that is accidentally so" -- Indeed. There are a *lot* of hilariously insecure setups connected to the internet. – Kevin Jun 01 '15 at 22:57
  • There are many pre-packaged honeypots designed to run as software or as specialized VMs. https://www.honeynet.org/project – schroeder Jun 01 '15 at 23:43
19

Hmmm, how to tell if you have walked into a honeypot, let's see...

  • The machine looks like it was just set up yesterday and the only thing it has on it besides default directories is a folder called "Sensitive" filled with page scans of old copies of 2600 and lists of misspelled names and addresses purporting to be employees of HB Gary.

  • The mouse driver has the manufacturer labeled as "Microsoft SMS Solutions"

  • You try to talk to the drive controller or any other DMA device and the computer begins responding like it had a lobotomy.

  • The CPUID op code places value 0x02 in EAX

  • You do an RDTSC timing on an instruction sequence and the resulting value is some insane number.

  • You try to make an HTTP connection to cnn.com and get the error "cannot connect"

  • The only printers installed on the machine have the word "generic" in their name.

  • You give the command "net view" and get back the response "The list of servers for this workgroup is not currently available."

  • Your radio scanner suddenly has a lot of weird activity on Motorola trunking lines by guys with Texan accents saying things like "Code 10" and "in position".

In all seriousness, the only people who fall for honeypots are adolescents or amateurs using Blackhole or something. Normally, hackers who present any serious threat will never enter a honeypot because they target specific IPs which they know ahead of time to be valid machines. If the hacker wants to identify any honeypots sitting on, say, a corporate network, it is easy to do because the machine will either have no outbound traffic or the traffic will be contrived and not follow a normal usage pattern. Also, a supposed machine sitting alone outside the DMZ is a dead giveaway.

Rory Alsop
Tyler Durden
  • Your last line is VERY incorrect. I run honeypots on my own and I get a variety of skills of people connecting. The rest is gold, though. – schroeder Jun 02 '15 at 04:24
  • Your answer could be improved a lot by explaining *why* these are signs you are in a honeypot. – Philipp Jun 02 '15 at 08:24
  • Well of course it doesn't matter how you walked into that honeypot, it all boils down to one thing... how do you walk out of there, Tyler?! – SPRBRN Jun 02 '15 at 10:05
  • Tyler - I have made a minor tweak. It doesn't change the meaning, but removes the piece that was garnering offensive flags – Rory Alsop Jun 03 '15 at 08:18
  • @SPRBRN There are methods to "walk out of a honeypot": Typical malware does not arrive in full armour but downloads additional modules later. It will not do so when detecting a honeypot. Also, malware may delete itself on recognising a honeypot (but this is too late, because it was already logged and copied) – jk - Reinstate Monica Jun 19 '15 at 08:42
1

While, as Smiling Dragon stated, honeypots are ideally undetectable, they can be detected. An attacker can use context and known implementation details to detect a honeypot.

Context can be very important. That is, if a machine is too obviously insecure (as stated above) or too insecure relative to its environment, this can be an indicator to tread softly.

With regard to implementation details, this works like it does for other software, especially operating system software (consider OS fingerprinting). If a stimulus induces a response known to be (or thought to be) from a honeypot, this can alert or caution an attacker.

These papers might be worth a read for you: http://old.honeynet.org/papers/individual/DefeatingHPs-IAW05.pdf and http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1027&context=adf

user3730788
-2

Yes.

The honeypot is not just there to attract an attacker, but also to gain information about them. So, a honeypot wants to log all actions of the attacker.

An attacker may now cause a log overflow (a technique seen in the wild is writing and deleting some file very often) and change their behaviour based on the information gained this way.

Malware may also try other methods to detect whether the machine it has infected is raw iron or a virtual machine.

jk - Reinstate Monica
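The log-overflow probe described in this answer (writing and deleting a file very often to see whether the system keeps up with logging) is itself a pattern the honeypot operator can watch for. The following is an added example, not code from the original post or from any honeypot project: a sliding-window detector that flags a session whose create/delete churn on a single path exceeds a threshold. The log line format, the session names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of honeypot file-activity log lines (not real captures):
# "<ISO timestamp> <session> <op> <path>"
SAMPLE_LOG = """\
2015-06-01T20:08:00 sess1 create /home/admin/notes.txt
2015-06-01T20:08:05 sess1 read /home/admin/notes.txt
2015-06-01T20:08:10 sess2 create /tmp/.x
2015-06-01T20:08:10 sess2 delete /tmp/.x
2015-06-01T20:08:10 sess2 create /tmp/.x
2015-06-01T20:08:11 sess2 delete /tmp/.x
2015-06-01T20:08:11 sess2 create /tmp/.x
2015-06-01T20:08:11 sess2 delete /tmp/.x
2015-06-01T20:08:12 sess2 create /tmp/.x
2015-06-01T20:08:12 sess2 delete /tmp/.x
2015-06-01T20:09:30 sess1 delete /home/admin/notes.txt
"""

# Assumed log line layout; adjust the pattern to the honeypot's real format.
LINE_RE = re.compile(r"^(\S+) (\S+) (create|delete|read|write) (\S+)$")


def parse(log_text):
    """Yield (timestamp, session, op, path) for each well-formed line; skip junk."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_log_churn(log_text, window=timedelta(seconds=10), threshold=6):
    """Return {session: peak create/delete events on one path within `window`}
    for sessions whose peak reaches `threshold`. One sliding window per (session, path)."""
    windows = defaultdict(deque)   # (session, path) -> recent create/delete timestamps
    peak = defaultdict(int)        # session -> highest in-window count seen
    for ts, sess, op, path in parse(log_text):
        if op not in ("create", "delete"):
            continue
        q = windows[(sess, path)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        peak[sess] = max(peak[sess], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_log_churn(SAMPLE_LOG))   # {'sess2': 8}
```

A session flagged this way is a candidate for the "is this a honeypot?" probe rather than ordinary use, so the operator can tag it for review; the unrelated slow edits in sess1 stay below the threshold.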