Ghost USB Honeypot Protects your USB drives from Malware
Remember when you only got viruses from visiting spammy websites? Well not anymore unfortunately.
With the development and success of USB flash drives came a whole new wave of malware infections. Nowadays, you shouldn’t plug your flash drive into a library computer, or even a friend’s laptop without having some sort protection in place. Criminals will often use seemingly undetectable malware to compromise closed networks (such as flash drives) that are not accessible through the Internet.
Malware is spread from computer to computer through the USB drives themselves, a method made popular by the very dangerous “Flame” cyber-espionage malware. Discovered in 2013 by the digital security company Kaspersky, The super Trojan malware, Flame, is believed to be one of the most sophisticated viruses to date.
In the case of Flame, the malware created a folder that could not be seen by a Windows PC, hiding the application and its payload of stolen documents from the user. This opened up the possibility that people unknowingly carried Flame on their USB drives from computer to computer.
To detect malware and other malicious software present on your computer, it emulates a flash drive on Windows and observes the emulated device. In other words, it is saying “hey look over here” and offering itself as bait (like a honeypot for bears) while your real device slips through undetected.
Normally, any malware present will then attempt to copy itself onto the emulated flash drive. This protects your real usb drive and ultimately the files present on the device.
The honeypot was first developed as a graduate thesis by Sebastian Poeplau, a student at Bonn University's Institute of Computer Science in Germany, and presented to the public at the Honeynet Project's 2012 workshop in the San Francisco Bay Area.
“We know, without having any knowledge about the actual malware that if we plug in the USB flash drive, and wait for a sufficient time, the malware will eventually copy itself to the flash drive,” he said in the presentation.
Poeplau’s ghost software simply emulates the USB drive in an image file, so that any attempt by the machine under test to write to the device can be trapped. The software loads virtual device drivers, letting Windows notify the system (including any malware that might be present) that a removable device has been plugged in. The trapped copy of the malware can then be unloaded when the emulator is unplugged.
Currently, ghost supports Windows XP 32 bit and Windows 7 32 bit. To install the software, just follow the install guide. The good news is, as of now Ghost features an installer that will do most of the work for you. In a nutshell, all you have to do is get the two dependencies and run Setup.exe with administrative privileges. The install guide will take you through the rest of the process.
This is a great, open source option for installing on bulk orders of flash drives, or working with exceptionally large computer networks. Be sure to protect yourself and your clients from digital attacks!