An innovative malware honeypot project backed by a leading consortium of IT security experts is preparing to re-launch its global sensor network after Jan. 1 in an effort to dupe more cyber-criminals into handing over information about their latest attack methods.
The Web Application Security Consortium's Distributed Open Proxy Honeypot Project, which was initially turned on in Jan. 2007, will relight its set of attack monitoring sensors on or about the first of the year after significantly scaling back its operations during the month of December.
After its initial 11 months of data collection, the project undertook the month-long hiatus to give project researchers more time to examine results and plan for the year ahead.
In addition to tweaking their tactics for tracking and luring malware distributors in 2008, WASC project leaders said they are also planning to add new honeypots to their existing network, which already spans locations in Europe, Russia, South America, and the United States.
Unlike more traditional OS-level or SMTP-based honeypot applications -- systems designed to collect individual malware samples for subsequent examination by anti-virus researchers -- the WASC project uses a network of 14 specially configured open proxy servers (or "proxypots") to monitor traffic for nefarious activities carried out by everyone from botnet herders to adware purveyors.
Traditional honeypots have proven useful for tracking widespread computer viruses and allowing AV companies to produce the signature files needed to protect machines against infection, but those systems are ill-suited to providing the level of real-time intelligence needed to protect against today's fast-moving customized threats, said Ryan Barnett, the WASC project's leader.
By serving up an unprotected open proxy server to the larger Internet -- advertising itself as exactly the type of anonymous conduit that attackers seek out to distribute their work, rather than merely as an undefended computer -- the effort is already garnering new insight into cyber-criminals' methods, he said.
Barnett, who is also director of application security training at Breach Security and an instructor for the SANS Institute, said that despite being pleased with the project's initial ability to identify attacks and test ways to thwart malware campaigns further upstream, he is hoping that 2008 will provide even greater rewards.
Among the improvements the group is aiming to make to its system -- built around the ModSecurity open-source Web application firewall, for which Barnett also serves as development community manager -- are more effective ways for categorizing attacks, correlating anomalies, and applying forensics to trends that it charts over time.
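To make the three improvements named above concrete, here is an added example (not code from the WASC project or from ModSecurity) that takes a handful of constructed proxy access-log lines in Apache "combined" format, the format an Apache/ModSecurity-fronted proxypot would typically write, and does the three things the project describes: categorizes each request with a few simple signature rules, correlates the resulting anomalies per source address, and buckets them by hour so trends can be charted over time. The sample log lines, the `SAMPLE_LOG` constant, the signature patterns and the `analyze`/`flag_sources`/`trend_by_hour` function names are all assumptions made for this illustration; the regexes are deliberately crude stand-ins for real ModSecurity rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real project data) in Apache "combined"
# access-log format, as an open proxy honeypot might record them.
# Addresses come from the documentation ranges (TEST-NET-1/2/3).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2007:10:01:02 +0000] "GET http://shop.example/item.php?id=1' OR '1'='1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2007:10:01:03 +0000] "GET http://shop.example/item.php?id=1 UNION SELECT 1,2,3 HTTP/1.1" 200 498 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Dec/2007:10:02:10 +0000] "GET http://blog.example/index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.16"
198.51.100.9 - - [14/Dec/2007:10:02:11 +0000] "GET http://blog.example/?q=<script>alert(1)</script> HTTP/1.1" 200 1320 "-" "curl/7.16"
192.0.2.44 - - [14/Dec/2007:10:03:00 +0000] "CONNECT mail.example:25 HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [14/Dec/2007:10:03:01 +0000] "CONNECT mail2.example:25 HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [14/Dec/2007:10:03:02 +0000] "CONNECT mail3.example:25 HTTP/1.1" 200 0 "-" "-"
203.0.113.200 - - [14/Dec/2007:10:04:00 +0000] "GET http://news.example/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.200 - - [14/Dec/2007:11:00:00 +0000] "GET http://news.example/sports HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
# The request target is matched lazily up to " HTTP/" because a probe may contain spaces.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude, illustrative signatures (assumed here; real deployments would use
# a maintained rule set such as ModSecurity's). Order matters: first hit wins.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)")),
    ("traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)<script\b")),
]


def classify(rec):
    """Assign one category to a parsed request; 'benign' when nothing matches."""
    # A proxy being asked to CONNECT to port 25 is the classic open-relay spam probe.
    if rec["method"] == "CONNECT" and rec["target"].endswith(":25"):
        return "smtp_relay"
    for name, rx in SIGNATURES:
        if rx.search(rec["target"]):
            return name
    return "benign"


def analyze(log_text):
    """Parse and categorize every line; return records, totals per category, and per-source counters."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:                      # unparseable lines are skipped, not guessed at
            records.append(m.groupdict())
    by_category = Counter()
    by_source = defaultdict(Counter)
    for r in records:
        r["category"] = classify(r)
        by_category[r["category"]] += 1
        by_source[r["ip"]][r["category"]] += 1
    return records, by_category, by_source


def flag_sources(by_source, threshold=2):
    """Correlate anomalies per source: flag addresses with >= threshold non-benign requests."""
    flagged = {}
    for ip, cats in by_source.items():
        hostile = sum(n for cat, n in cats.items() if cat != "benign")
        if hostile >= threshold:
            flagged[ip] = dict(cats)
    return flagged


def trend_by_hour(records):
    """Bucket non-benign requests by hour (the 'DD/Mon/YYYY:HH' prefix of the timestamp)."""
    trend = Counter()
    for r in records:
        if r["category"] != "benign":
            trend[r["ts"][:14]] += 1
    return trend


if __name__ == "__main__":
    recs, cats, sources = analyze(SAMPLE_LOG)
    print("by category:", dict(cats))
    print("flagged sources:", flag_sources(sources))
    print("hostile requests per hour:", dict(trend_by_hour(recs)))
```

The per-source correlation is what turns isolated signature hits into something actionable: a single traversal attempt and a single script-tag probe from the same address together say more than either alone, and the hourly buckets are the raw material for the over-time charts the project leaders mention.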
The security expert is hoping that the same open-source movement that has allowed ModSecurity to mature, with the firewall recently adding a range of new features in its late-December version 2.5 release, will also take hold with the honeypot effort and encourage more people to launch sensors or help research its data findings.
"Getting different versions of data analysis will be key, but we will need to get a lot more people onboard," Barnett said. "We feel that there's a whole symbiotic approach with the project and the open-source community already. We need to export more of the raw data into that community to help analyze the results -- there's simply too much data for us to churn through alone."