Impersonating a Host as a Honeypot to Detract Malware

Matthew Johnson

Honeypots are unique and effective tools. A honeypot's main purpose is to aid the reverse engineering of malware by attracting and collecting it. A honeypot is meant to have little to no security in place, which makes it easy for attackers to exploit the system and deploy malware on it. The administrator of the honeypot then does a couple of tasks: he or she tries to reverse engineer the malware and figure out how it works, as well as how it was deployed to the system. This is exactly what the attacker does not want, so attackers began adding a script to their malware that tries to determine whether the target system is a honeypot or a regular system. This is the aspect that the research utilizes.


This paper is about research conducted to figure out what attackers look for on a machine to determine whether it is a honeypot. Once these aspects have been discovered, the next question is whether it is possible to change or simulate these parameters on a machine that is not a honeypot, in order to disguise the host machine as one. If it is possible to change or simulate these features, this can be used as an additional security measure for a machine: if the machine happens to receive a piece of malware and the malware checks whether the machine is a honeypot, it will uninstall itself.


Honeypots that are hosted on the VMware virtual platform have a couple of aspects that are detectable and that differ from "real" machines. One aspect an attacker can look at is the MAC address. The first three octets of a MAC (Media Access Control) address on a machine hosted on VMware will always be one of three options: 00-05-69, 00-0C-29, or 00-50-56. Malware can check the MAC address; if it starts with any of these options, the malware knows the targeted machine could potentially be a honeypot. With MAC address spoofing, a MAC address that starts with 00-05-69, 00-0C-29, or 00-50-56 can be simulated on the target machine so that it is disguised as a potential honeypot. The MAC address is a hard-coded ID associated with the NIC (Network Interface Controller) of a device. MAC address spoofing is the technique of changing the MAC address associated with the NIC to a specified MAC address.
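As an added example (not part of the original post), the following Python shows the OUI test described above from a defender's side: it normalizes a MAC in any common notation, reports whether it carries one of the three VMware prefixes, and builds the iproute2 command that would apply a VMware-prefixed address to a physical NIC. The interface name `eth0` and the sample addresses are constructed assumptions.

```python
import random
import re

# The three VMware OUIs (first three octets) named in the text
VMWARE_OUIS = ("00:05:69", "00:0c:29", "00:50:56")


def normalize_mac(mac):
    """Accept 00-0C-29-..., 00:0c:29:... or 000c29... and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def looks_like_vmware(mac):
    """The OUI test the text attributes to malware: does the MAC carry a VMware prefix?"""
    return normalize_mac(mac)[:8] in VMWARE_OUIS


def disguise_mac(rng=None):
    """Pick a VMware OUI plus random NIC-specific bytes to spoof onto a physical NIC."""
    if rng is None:
        rng = random.Random()
    oui = rng.choice(VMWARE_OUIS)
    tail = ":".join("%02x" % rng.randrange(256) for _ in range(3))
    return oui + ":" + tail


def spoof_command(iface, mac):
    """iproute2 command that applies the spoofed MAC (some drivers need the link down first)."""
    return "ip link set dev %s address %s" % (iface, normalize_mac(mac))


if __name__ == "__main__":
    # Constructed sample addresses: one VMware-style, one locally administered
    for sample in ("00-0C-29-AB-CD-EF", "02:11:22:33:44:55"):
        print(sample, "->", "VMware OUI" if looks_like_vmware(sample) else "other")
    # Hypothetical interface name; the command is only printed, not executed
    print("disguise with:", spoof_command("eth0", disguise_mac()))
```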


A second weakness of honeypots hosted on VMware comes from a backdoor left by the developers. This backdoor deals with I/O and was left open so that developers could make changes to the machine while it was still running. The backdoor consists of assembly code that is run; when it is executed, there is a list of commands that can be executed. An attacker can exploit this backdoor and attempt to execute these commands. If the commands succeed, the attacker knows that the machine is a virtual machine and potentially a honeypot. This feature would be more difficult to emulate on a physical host than the MAC address spoofing described above.


An aspect of honeypots mentioned previously is that they have little to no security implemented. This makes it exceptionally easy for malware to be injected into the machine. There is the concept of "too good to be true", which deals with no security being implemented: if it takes little to no effort for malware to be injected and executed on a machine, then it might be too good to be true. This is not a technical aspect of honeypots, but it is one that could be used to potentially identify a honeypot. As well, if a machine has little to no security implemented, it most likely does not have any information or data that would be useful to an attacker.


Another type of honeypot is UML (User-Mode Linux). UML is a Linux module that runs inside another pre-existing Linux module. The module that UML runs in is the host operating system, and UML is the guest. One flaw with UML is the hard drive: UML uses /dev/ubd for its hard drive, which is a fake IDE device, so it is possible to detect a UML honeypot by utilizing this information. Another way to detect a UML honeypot is to inspect the /proc tree. When running the command `cat /proc/cpuinfo`, the output will show the vendor_id as "User Mode Linux" and the model name as "UML". As well, running the command `egrep 'uml|honeypot' /proc/ksyms` will show that the machine is a UML honeypot, since the output shows kernel symbols belonging to UML.
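The UML tells listed above (vendor_id, model name, and the ubd block device) as an added self-audit script, not part of the original post: it parses the `key : value` layout of /proc/cpuinfo and checks the block device names, and can run the same checks against the machine it is executed on. The cpuinfo samples embedded below are constructed, not captured from a real UML guest.

```python
import os
import re

# Constructed sample of the /proc/cpuinfo output the text describes for a UML guest
SAMPLE_UML_CPUINFO = """\
processor\t: 0
vendor_id\t: User Mode Linux
model name\t: UML
mode\t\t: skas
bogomips\t: 1234.56
"""

# Constructed sample for a physical host (model string is made up)
SAMPLE_PHYSICAL_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
"""


def parse_cpuinfo(text):
    """Map the 'key : value' lines of the first processor block to a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info.setdefault(key.strip(), value.strip())
    return info


def uml_indicators(cpuinfo_text, block_devices):
    """Return the UML tells from the text that are present in the given data."""
    info = parse_cpuinfo(cpuinfo_text)
    found = []
    if info.get("vendor_id") == "User Mode Linux":
        found.append("vendor_id=User Mode Linux")
    if info.get("model name") == "UML":
        found.append("model name=UML")
    # UML exposes its disks as ubd* block devices instead of real IDE/SATA ones
    if any(re.fullmatch(r"ubd[a-z]\d*", dev) for dev in block_devices):
        found.append("ubd block device")
    return found


def audit_this_host():
    """Run the same checks against the machine the script runs on (Linux only)."""
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = ""
    devices = os.listdir("/sys/block") if os.path.isdir("/sys/block") else []
    return uml_indicators(text, devices)


if __name__ == "__main__":
    print("sample UML guest:", uml_indicators(SAMPLE_UML_CPUINFO, ["ubda", "ubdb"]))
    print("this host       :", audit_this_host() or "no UML indicators")
```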


The next step for taking this further is live testing. This includes obtaining a piece of malware that is designed to inspect the machine to see whether it recognizes a honeypot. Once the malware is obtained, it will be injected into a honeypot to test whether it can detect that it has been uploaded to one. Then, a hardware-based host machine will be set up to look like it has the same features as a honeypot. The obtained malware will then be injected on the hardware-based machine and tested. If the malware detects the machine as a honeypot and uninstalls itself, the test was a success. If it does not recognize the machine as a honeypot and executes, the test did not pass and further research and testing is necessary.


Defense in depth is a term used to describe multiple layers of security. The use of this potential security measure adds another layer of defense. However, it is different from other defenses: it does not stop malware from being injected onto the machine, it deters malware from staying on the machine. Since attackers do not want their malware to reside on a honeypot, making a machine look like a honeypot will deter malware from staying on it.


