A honeypot for arbitrary malware on USB storage devices

Poeplau, Sebastian; Gassen, Jan

doi:10.1109/crisis.2012.6378948

Cited by 13 publications

(8 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Poeplau et al [22] present a honeypot that is able to emulate removable USB-devices. Therefore, they target malware that spreads via removable media.…”

Section: Related Workmentioning

confidence: 99%

Bee Master: Detecting Host-Based Code Injection Attacks

Barabosch

Eschweiler

Gerhards-Padilla

2014

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract.A technique commonly used by malware for hiding on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space enabling it to operate covertly and access critical information of other processes. Since there exists a plethora of different ways for injecting and executing code in a foreign process space, a generic approach spanning all these possibilities is needed. Approaches just focussing on low-level operating system details (e.g. API hooking) do not suffice since the suspicious API set is constantly extended. Thus, approaches focussing on low level operating system details are prone to miss novel attacks. Furthermore, such approaches are restricted to intimate knowledge of exactly one operating system.In this paper, we present Bee Master, a novel approach for detecting host-based code injection attacks. Bee Master applies the honeypot paradigm to OS processes and by that it does not rely on low-level OS details. The basic idea is to expose regular OS processes as a decoy to malware. Our approach focuses on concepts -such as threads or memory pages -present in every modern operating system. Therefore, Bee Master does not suffer from the drawbacks of low-level OS-based approaches. Furthermore, it allows OS independent detection of host-based code injection attacks. To test the capabilities of our approach, we evaluated Bee Master qualitatively and quantitatively on Microsoft Windows and Linux. The results show that it reaches reliable and robust detection for various current malware families.

show abstract

“…Poeplau et al [22] present a honeypot that is able to emulate removable USB-devices. Therefore, they target malware that spreads via removable media.…”

Section: Related Workmentioning

confidence: 99%

Bee Master: Detecting Host-Based Code Injection Attacks

Barabosch

Eschweiler

Gerhards-Padilla

2014

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…However, according to [13], one of the major weaknesses of the USB protocol is its flexibility, and potential threats increase if the device is connected to other devices, networks or the Internet [14]. An infected computer might uncover confidential information or personal data, participate in distributed attacks against other computer systems [15], or it might sabotage computer-controlled industrial processes. As explained in [16,17], a regular user may plug a USB flash drive found on the ground into a corporate computer without knowing that it may be an infected device, ready to start an attack.…”

Section: Related Workmentioning

confidence: 99%

Distributed Architecture to Enhance Systems Protection against Unauthorized Activity via USB Devices

Oliveira

Pinto

Santos

2021

JSAN

View full text Add to dashboard Cite

Cyberattacks exploiting Universal Serial Bus (USB) interfaces may have a high impact on individual and corporate systems. The BadUSB is an attack where a USB device’s firmware is spoofed and, once mounted, allows attackers to execute a set of malicious actions in a target system. The countermeasures against this type of attack can be grouped into two strategies: phyiscal blocking of USB ports and software blocking. This paper proposes a distributed architecture that uses software blocking to enhance system protection against BadUSB attacks. This architecture is composed of multiple agents and external databases, and it is designed for personal or corporate computers using Microsoft Windows Operating System. When a USB device is connected, the agent inspects the device, provides filtered information about its functionality and presents a threat assessment to the user, based on all previous user choices stored in external databases. By providing valuable information to the user, and also threat assessments from multiple users, the proposed distributed architecture improves system protection.

show abstract

“…The SCADA honeypot proposals discussed so far focused on the assumption that attacks are network borne. In 2012 students at Bonn University in Germany, led by Sebastian Poeplau, created Ghost USB, a honeypot which emulates USB devices to counter the threat of malware that propagated by removable media [56]. Currently, Ghost USB supports 32bit Windows XP/7 and is supported by the Honeynet Project.…”

Section: Attribution Of Cyber Attacks On Industrial Control Systemsmentioning

confidence: 99%

Attribution of Cyber Attacks on Industrial Control Systems

Cook¹,

Nicholson²,

Janicke³

et al. 2016

EAI Endorsed Transactions on Industrial Networks and Intelligen

View full text Add to dashboard Cite

In order to deter or prosecute for cyber attacks on industrial control systems it is necessary to assign attribution to the attacker and define the type of attack so that international law enforcement agencies or national governments can decide on appropriate recourse. In this paper we identify the current state of the art of attribution in industrial control systems. We highlight the critical differences between attribution in enterprise networks and attribution in industrial networks. In doing so we provide a roadmap for future research.

show abstract

A honeypot for arbitrary malware on USB storage devices

Cited by 13 publications

References 2 publications

Bee Master: Detecting Host-Based Code Injection Attacks

Bee Master: Detecting Host-Based Code Injection Attacks

Distributed Architecture to Enhance Systems Protection against Unauthorized Activity via USB Devices

Attribution of Cyber Attacks on Industrial Control Systems

Contact Info

Product

Resources

About