27 Mar 2013

Honeypot Counter-Attack Kneels Secret Agency

Security researcher and DefCon co-founder Russia Alexey Sintsov came up with an experimental honeypot capable of stealing sensitive data from an attacker, including the aggressor’s network adapter settings, trace routes and login names.

In the time the honeypot was up on the Russian DefCon website, the hostile honeypot managed to counterattack a desktop traced back to an intelligence agency of a former Soviet country. But further investigations made Sintsov and his team suspect that the agent’s system was compromised and used by another crook as cover.

"When you start a site about IT security, you should be ready, that [a] big part of people will try to hack you. Not because they are evil guys or black hats, just because they can," Alexey Sintsov writes in his research paper, Honeypot that can bite: Reverse penetration. "My thought was like, 'Okay, it will be fun to play with them in a new game they do not expect'" and to test the theory of "reverse-penetration." And it turns out attackers don’t expect to be themselves the victims, making his job pretty easy.

The honeypot ran a script checking for particular behavior patterns. When, for instance, a SQL injection attempt was detected, the script installed a backdoor via a Java applet on the attacker’s Windows-running system and started gathering intel, such as internal IP addresses, resources; scanning though his files; and making video and audio recordings directly from his device.

Sintsov’s script was designed to automatically snatch attackers' email addresses if they were registered on one of two Russian email services; mail.ru and yandex.ru, by exploiting then-unpatched vulnerabilities in those services.

The legal, moral and ethical implications of the reverse penetration are yet to be debated; fighting fire with fire may prove the most effective mechanism of counteracting the ever growing number of cyber-attackers.