sebastian.poeplau's blog

Ghost 0.3 released

Today I've released version 0.3 of the Ghost USB honeypot, which introduces a lot of new features, including a completely rewritten core for better malware detection. The new version is available on the project page. This post outlines the major changes.

Two roads diverged in Ghost development

Over the last few weeks I've basically rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: It only works for Windows Vista and later systems. As a consequence, there are now two flavors of Ghost in existence: One supports Windows XP but won't receive much further development, whereas a lot of interesting new features will be implemented for the other one, which is dedicated to Vista and later. In this post, I'm going to explain the reasoning behind the decision, describe the recent technical advances and outline some of our plans for the future.

Two more of our projects selected for Magnificent7

Rapid7 have announced the selected projects for the second round of their Magnificent7 program. The program sponsors open source efforts in the area of IT security over the course of a year and provides them with Rapid7's technological and marketing expertise.

In March, Cuckoo and Androguard - both developed by members of the Honeynet Project - were chosen, and today's press release revealed two more of our members' projects to be supported under the Magnificent7 program.

Buttinsky, led by Patrik Lantz and Lukas Rist, will be a framework for botnet monitoring built from scratch. Ghost, led by Sebastian Poeplau, protects against malware that spreads on USB storage. We also congratulate the developers of John the Ripper, which is the third project to be selected today.

Ghost version 0.2 released

We've just released version 0.2 of the Ghost USB honeypot for Windows XP and Windows 7 with a lot of great new features. You can download the new version from the project page. In this post, I'm going to give an overview of the changes.

Let's start with what you usually do first: install Ghost. Installing the honeypot has been tedious in the past, so we've built an installer that handles most of the work for you. Just run it and enjoy.

Want to Use Ghost in Your Own Setup?

This is a short introduction to one of the features that the upcoming Ghost 0.2 will offer. I expect to release the new version in late August or early September.

There is a command-line frontend for Ghost already that controls the honeypot's operation, but its capabilities are limited. In particular, the only way to get feedback from Ghost is to read the command-line output. That's only slightly inconvenient if you run the tool manually, but it's not at all suitable for automation, and it makes integrating Ghost into individual analysis setups unnecessarily complicated.

Current Status of Ghost

As the first half of the HP summer of code has passed, I'd like to give a short update on the current status of the Ghost USB honeypot.

Synchronous Communication between Kernel and User Space

In this post I'd like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot. More specifically, I'll focus on how to realize blocking communication with the Windows Driver Frameworks (WDF).

Open Source Licensing Madness

Before we released the Ghost USB honeypot as open source software, we had quite some trouble to apply the GPL to our case. Since there wasn't much information available for the very particular case of using the GPL for a Windows driver, I'll discuss our issues and solutions in this article. This might not directly be applicable to other software, but it should provide the reader with general insights and will hopefully help people to sort out similar problems in the future.

Ghost USB honeypot released

I'm very pleased to announce that we have released the first public version of the Ghost USB honeypot.

Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge - especially, it doesn't need signatures or the like to accomplish its task.

Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device.

Syndicate content