Ghost 0.3 released

27 Mar 2013 Sebastian Poeplau ghost

Today I’ve released version 0.3 of the Ghost USB honeypot, which introduces a lot of new features, including a completely rewritten core for better malware detection. The new version is available on the project page. This post outlines the major changes.

In a previous blog post I already described the wide-ranging changes to Ghost's core: we switched to a new emulation technique in order to make it harder for malware to recognize Ghost's fake USB device. The new core is now considered stable and is therefore included in version 0.3.

Two roads diverged in Ghost development

18 Dec 2012 Sebastian Poeplau ghost

Over the last few weeks I've largely rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: it only works on Windows Vista and later. As a consequence, there are now two flavors of Ghost: one supports Windows XP but won't receive much further development, whereas the interesting new features will be implemented for the other, which is dedicated to Vista and later. In this post I explain the reasoning behind the decision, describe the recent technical advances and outline some of our plans for the future.

Ghost version 0.2 released

04 Sep 2012 Sebastian Poeplau ghost

We’ve just released version 0.2 of the Ghost USB honeypot for Windows XP and Windows 7 with a lot of great new features. You can download the new version from the project page. In this post, I’m going to give an overview of the changes.

Let’s start with what you usually do first: install Ghost. Installing the honeypot has been tedious in the past, so we’ve built an installer that handles most of the work for you. Just run it and enjoy.

Want to Use Ghost in Your Own Setup?

07 Aug 2012 Sebastian Poeplau ghost

This is a short introduction to one of the features that the upcoming Ghost 0.2 will offer. I expect to release the new version in late August or early September.

There is already a command-line frontend for Ghost that controls the honeypot's operation, but its capabilities are limited. In particular, the only way to get feedback from Ghost is to read the command-line output. That is only slightly inconvenient if you run the tool manually, but it is not at all suitable for automation, and it makes integrating Ghost into individual analysis setups unnecessarily complicated.

Current Status of Ghost

14 Jul 2012 Sebastian Poeplau ghost

Now that the first half of the HP summer of code has passed, I'd like to give a short update on the current status of the Ghost USB honeypot.

Ghost has previously been able to report possible infections with USB malware by means of an emulated USB flash drive; it is now also able to collect information about the process that writes data to the bait device. This information includes the process ID and a list of all modules (i.e. executables, such as EXE and DLL files) currently loaded into the process. We extract the data directly from the kernel's internal structures, so it will be hard for malware to hide it from the honeypot. Knowing which process the malware resides in is interesting for analysis, and the list of modules the process uses can hint at where the malicious code is stored on disk.

Synchronous Communication between Kernel and User Space

10 Jul 2012 Sebastian Poeplau ghost

In this post I’d like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot. More specifically, I’ll focus on how to realize blocking communication with the Windows Driver Frameworks (WDF).

Ghost consists of a kernel-mode component that does the main work of emulating a USB flash drive and listening for attempts to write data to the device, and a user-mode component that allows the user to control the honeypot and view the results. We want the (kernel-mode) driver to communicate any results to the (user-mode) frontend as soon as they're available. Unfortunately, there is no convenient way to call user-mode code from kernel space, so the frontend has to ask for the information, and its request should block until the driver actually has something to report.
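The following is an added example and not code from the Ghost project: a portable, user-mode model of the request/response pattern the post describes. Because the driver cannot call into the frontend, the frontend issues a request that blocks until a result exists; the "driver" here is a producer thread that records writes to the bait device, the "frontend" is the thread waiting on it. The queue size, the function names and the sample detections are hypothetical.

```c
/* Added example (not Ghost code): blocking "frontend asks, driver answers"
 * exchange modelled with POSIX threads. All names and sample data are
 * hypothetical and constructed for this illustration. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 8            /* results buffered while nobody is waiting */

typedef struct {
    unsigned long pid;           /* process that wrote to the emulated drive */
    char image[64];              /* its main module (constructed sample data) */
} ghost_result_t;

typedef struct {
    ghost_result_t items[MAX_PENDING];
    int head, tail, count;
    int shutdown;                /* driver unloading: wake any waiter */
    pthread_mutex_t lock;
    pthread_cond_t not_empty;
} result_queue_t;

void queue_init(result_queue_t *q)
{
    memset(q, 0, sizeof *q);
    pthread_mutex_init(&q->lock, NULL);
    pthread_cond_init(&q->not_empty, NULL);
}

/* "Driver side": record a detection. Returns 0, or -1 when the queue is
 * full (the frontend is not keeping up; the event is dropped, never blocked on). */
int queue_report(result_queue_t *q, unsigned long pid, const char *image)
{
    int rc = -1;
    pthread_mutex_lock(&q->lock);
    if (q->count < MAX_PENDING) {
        ghost_result_t *r = &q->items[q->tail];
        r->pid = pid;
        snprintf(r->image, sizeof r->image, "%s", image);
        q->tail = (q->tail + 1) % MAX_PENDING;
        q->count++;
        pthread_cond_signal(&q->not_empty);   /* completes a pending request */
        rc = 0;
    }
    pthread_mutex_unlock(&q->lock);
    return rc;
}

/* "Frontend side": the blocking request. Returns 1 with *out filled, or 0
 * once the driver has shut down and nothing is left to deliver. */
int queue_wait(result_queue_t *q, ghost_result_t *out)
{
    int got = 0;
    pthread_mutex_lock(&q->lock);
    while (q->count == 0 && !q->shutdown)
        pthread_cond_wait(&q->not_empty, &q->lock);   /* sleep, no polling */
    if (q->count > 0) {
        *out = q->items[q->head];
        q->head = (q->head + 1) % MAX_PENDING;
        q->count--;
        got = 1;
    }
    pthread_mutex_unlock(&q->lock);
    return got;
}

void queue_shutdown(result_queue_t *q)
{
    pthread_mutex_lock(&q->lock);
    q->shutdown = 1;
    pthread_cond_broadcast(&q->not_empty);
    pthread_mutex_unlock(&q->lock);
}

/* Thread standing in for the driver: three constructed detections, then unload. */
static void *fake_driver(void *arg)
{
    result_queue_t *q = arg;
    queue_report(q, 1337, "autorun.exe");
    queue_report(q, 2048, "svchost.exe");
    queue_report(q, 4096, "rundll32.exe");
    queue_shutdown(q);
    return NULL;
}

/* Runs the exchange end to end; returns how many results the frontend got. */
int run_demo(void)
{
    result_queue_t q;
    ghost_result_t r;
    pthread_t t;
    int received = 0;
    queue_init(&q);
    pthread_create(&t, NULL, fake_driver, &q);
    while (queue_wait(&q, &r)) {            /* blocks until the next result */
        printf("pid %lu wrote to the bait device (%s)\n", r.pid, r.image);
        received++;
    }
    pthread_join(t, NULL);
    return received;
}

/* Returns the status of the ninth report into an eight-slot queue (-1). */
int demo_overflow(void)
{
    result_queue_t q;
    int i, rc = 0;
    queue_init(&q);
    for (i = 0; i <= MAX_PENDING; i++)
        rc = queue_report(&q, (unsigned long)i, "x");
    return rc;
}

int main(void)
{
    printf("received %d results\n", run_demo());
    return 0;
}
```

In a real WDF driver the same shape is achieved by parking the frontend's I/O request in a manually dispatched queue and completing it from the driver when a result arrives, so that the user-mode call returns exactly when there is something to read; the bounded buffer and the shutdown wake-up above are the two details that are easy to forget in either setting. Build with `cc -pthread`.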

Open Source Licensing Madness

25 Jun 2012 Sebastian Poeplau ghost

Before we released the Ghost USB honeypot as open source software, we had quite some trouble applying the GPL to our case. Since there wasn't much information available for the very particular case of using the GPL for a Windows driver, I'll discuss our issues and solutions in this article. This may not be directly applicable to other software, but it should give the reader some general insights and will hopefully help people sort out similar problems in the future.

Ghost USB honeypot released

14 Jun 2012 Sebastian Poeplau ghost usb

I’m very pleased to announce that we have released the first public version of the Ghost USB honeypot.

Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any prior knowledge of it; in particular, it doesn't need signatures or the like to accomplish its task.

Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device.