
GHOST USB HONEYPOT

MASTER

VINAMRA MITTAL
ADNAN JAWED
RUCHI CHAUHAN
SHIVAM KUMAWAT FACULTY NAME- MS. HARPREET KAUR
<INTRODUCTION TO MALWARE>

• Malware is a serious threat to modern information technology. It is therefore vital to be able to detect and analyze such malicious software in order to develop countermeasures. Honeypots are a tool supporting that task: they collect malware samples for analysis. Unfortunately, existing honeypots concentrate on malware that spreads over networks, thus missing any malware that does not use a network for propagation.
<CHALLENGE>

• MALWARE SPREADS VIA REMOVABLE STORAGE DEVICES.
• EXISTING HONEYPOTS: RESTRICTED TO NETWORK BASED MALWARE
• IDEA: A USB HONEYPOT
a) Specialised on malware that spreads via USB storage
b) To be deployed on production systems
<OTHER SOLUTION>

• There are several solutions that provide storage device emulation, but none of them are
able to emulate removable storage devices:
a) Daemon Tools: a well-known emulator of CD and DVD drives, but it cannot emulate
other types of storage devices and therefore does not meet the requirements for
our concept.
b) FileDisk
c) Windows Driver Kit
<TECHNIQUE TO SOLVE>

• A popular network-independent technique for malware to spread is copying itself to USB flash drives. In this article we present Ghost, a new kind of honeypot for such USB malware. It detects malware by simulating a removable device in software, thereby tricking malware into copying itself to the virtual device. We explain the concept in detail and evaluate it using samples of widespread malware. We conclude that this new approach works reliably even for sophisticated malware, thus rendering the concept a promising new idea.
<INFECTION PROCESS FOR USB MALWARE>
<GOALS OF THIS TECHNIQUE>

• The goal of any honeypot is to collect information like insights into the malware itself,
information about its author or about infections with that particular malware. In our case,
the effort is targeted at learning about an infection of the honeypot machine in the first
place and at obtaining a sample of the malicious software.
1) It provides a means of host-based intrusion detection with very low false-positive rate.
2) If malware infects the virtual device, we are likely to be provided with all executables
of the malware.
<COMPONENTS OF THE HONEYPOT>

1. GHOST: A VIRTUAL USB FLASH DRIVE
• EMULATES A USB STORAGE DEVICE
• GOAL: MALWARE UNABLE TO DISTINGUISH BETWEEN A REAL USB DEVICE AND THE GHOST DRIVE
• DETECTS INFECTIONS OF THE HOST AND COLLECTS MALWARE
2. SCANNER FOR USB STORAGE
• ANALYZES REMOVABLE DEVICES THAT ARE PLUGGED IN
• CONCENTRATES ON KNOWN EXPLOITS.
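The scanner component above is only described in two bullets. As an added example, not the Ghost project's own scanner, here is a plug-in check written over a constructed drive listing: it looks for two well-known USB propagation patterns, an autorun.inf that launches a program and hidden executables in the root directory. Which "known exploits" the real scanner covers is not stated on the slides; picking these two, and the `Entry` input format, is this example's own assumption.

```python
"""Added example, not the Ghost project's scanner: a check run over the
contents of a removable drive at plug-in time. It flags an autorun.inf whose
[autorun] section launches a program (open= / shellexecute=) and executables
that sit hidden in the drive root. The Entry input format is an assumption of
this example; a real deployment would build it from the mounted volume."""
import re
from typing import NamedTuple

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")
LAUNCH_KEYS = ("open", "shellexecute")


class Entry(NamedTuple):
    path: str              # relative to the drive root, forward slashes
    hidden: bool           # hidden attribute set
    content: bytes = b""   # file content, only needed for autorun.inf


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased.
    Other sections and ';' comment lines are ignored."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def scan(entries):
    """Return a list of human-readable findings for a drive listing."""
    findings = []
    for e in entries:
        name = e.path.rsplit("/", 1)[-1].lower()
        in_root = "/" not in e.path
        if in_root and name == "autorun.inf":
            keys = parse_autorun(e.content.decode("latin-1", "replace"))
            for k in LAUNCH_KEYS:
                if k in keys:
                    findings.append(f"autorun.inf launches '{keys[k]}' via {k}=")
        if in_root and e.hidden and name.endswith(EXECUTABLE_EXT):
            findings.append(f"hidden executable in root: {e.path}")
    return findings


if __name__ == "__main__":
    # Constructed listing of a freshly plugged-in drive.
    listing = [
        Entry("autorun.inf", True, b"[autorun]\r\nopen=recycler\\setup.exe\r\nicon=drive.ico\r\n"),
        Entry("setup.exe", True),
        Entry("docs/report.pdf", False),
    ]
    for finding in scan(listing):
        print("FINDING:", finding)
```

The scan is deliberately limited to what can be decided from names, attributes and the autorun.inf text, so it runs before anything on the drive is opened or executed.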
<IMPLEMENTATION>

• First, we would like to have virtual storage, i.e. an emulated storage device that is backed by
an image file. Applications must be able to write data to and read from the device, while we
route all those I/O operations to an image file that comprises our storage. Secondly, the
device has to look exactly like a removable storage device to any
application that queries information about it.
• We chose Windows 7 as the target system for our implementation because, despite its age, it is
still widely used and targeted by many pieces of malware [17]. However, the code can be
extended to work on other versions of Windows with little effort.
<DEVICE DETECTION>
<COMPONENTS OF GHOST HONEYPOT>
<HOW DOES IT WORK??>
Basically, the honeypot emulates a USB storage device. If your machine is infected by malware
that uses such devices for propagation, the honeypot will trick it into infecting the emulated
device.
Ghost supports Windows XP 32-bit and Windows 7 32-bit. You can either download a binary
distribution from the old website or compile the code yourself. If you choose to build the code,
you will need the Windows Driver Kit.
<OBJECTIVE OF THIS TECHNIQUE>

1) To detect the files infected by malware that copies itself to removable devices, especially
USB drives.
2) To make data transfer using USB drives more secure.
3) To alert the OS that the connected virtual device is removable and that malware will affect it.
<CONCLUSION>

• MODERN MALWARE UNABLE TO DISTINGUISH REAL FROM VIRTUAL
• EXCELLENT FOR HOST BASED INTRUSION DETECTION
• REQUIRES NO PRIOR KNOWLEDGE ABOUT THE MALWARE
THANK YOU MAM…..
