Today I’ve released version 0.3 of the Ghost USB honeypot, which introduces a lot of new features, including a completely rewritten core for better malware detection. The new version is available on the project page. This post outlines the major changes.
In a previous blogpost I’ve already written about the wide-ranging changes to the core of Ghost. We basically switched to a new emulation technique in order to make it harder for malware to recognize Ghost’s fake USB device.
Over the last few weeks I’ve basically rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: It only works for Windows Vista and later systems. As a consequence, there are now two flavors of Ghost in existence: One supports Windows XP but won’t receive much further development, whereas a lot of interesting new features will be implemented for the other one, which is dedicated to Vista and later.
We’ve just released version 0.2 of the Ghost USB honeypot for Windows XP and Windows 7 with a lot of great new features. You can download the new version from the project page. In this post, I’m going to give an overview of the changes.
Let’s start with what you usually do first: install Ghost. Installing the honeypot has been tedious in the past, so we’ve built an installer that handles most of the work for you.
This is a short introduction to one of the features that the upcoming Ghost 0.2 will offer. I expect to release the new version in late August or early September.
There is a command-line frontend for Ghost already that controls the honeypot’s operation, but its capabilities are limited. In particular, the only way to get feedback from Ghost is to read the command-line output. That’s only slightly inconvenient if you run the tool manually, but it’s not at all suitable for automation, and it makes integrating Ghost into individual analysis setups unnecessarily complicated.
As the first half of the HP summer of code has passed, I’d like to give a short update on the current status of the Ghost USB honeypot.
While Ghost has been able to report possible infections with USB malware by means of an emulated USB flash drive before, it is now able to collect information about the process that writes data to the bait device. This information includes the process ID and a list of all modules (i.
In this post I’d like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot. More specifically, I’ll focus on how to realize blocking communication with the Windows Driver Frameworks (WDF).
Ghost consists of a kernel-mode component that does the main work of emulating a USB flash drive and listening for attempts to write data to the device, and there is a user-mode component that allows the user to control the honeypot and to view the results.
Before we released the Ghost USB honeypot as open source software, we had quite some trouble to apply the GPL to our case. Since there wasn’t much information available for the very particular case of using the GPL for a Windows driver, I’ll discuss our issues and solutions in this article. This might not directly be applicable to other software, but it should provide the reader with general insights and will hopefully help people to sort out similar problems in the future.
I’m very pleased to announce that we have released the first public version of the Ghost USB honeypot.
Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge - especially, it doesn’t need signatures or the like to accomplish its task.
Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device.