Posts Tagged ‘drones
One way a cybersleuth might try to identify a spammer is by building a honeypot drone for a bot-network. A honeypot drone is a computer on the Internet that pretends to be part of a bot-network, but is actually under the control of a cybersleuth. By allowing the honeypot to become a part of the bot-network,the cybersleuth could obtain a copy of the bot-network software and could then discover the mechanism by which the spammer issues new instructions to drones. Once the mechanism is known, one could potentially wait for the spammer to issue new instructions and then catch the spammer.
However, sophisticated spammers have already developed ways to evade honeypot detection.First, such spammers realize that they are putting themselves and their bot-networks at risk by connecting directly to a site that provides instructions to drones. To counter this risk, sophisticated spammers no longer connect directly to such sites. Instead, they now post new instructions to drones by using a path through multiple computers, often including computers located outside the United States. In such instances, the information obtained from the honeypot drone is of little use in identifying the spammers’ true network addresses.
A second, and more powerful, spammer technique to evade honeypot detection has arisen more recently. Spammers often now design bot-networks so that the sites with which individual drones communicate are not fixed. For example, drones in the Phatbot network receive instructions using a peer-to-peer network of drones. Because the honeypot drone in such a network only communicates with a few other drones, its view of the bot-network is local and limited, and it would not have access to the network address of the bot-network administrator. Thus, as these two spammer techniques to evade detection illustrate, we can expect this “cat and mouse” pattern to play out repeatedly as sophisticated spammers increasingly use and evolve new such methods to evade honeypot detection.