Honeypot-powered Malware Reverse Engineering
Michele Bombardieri, Salvatore Castanò, Fabrizio Curcio, Angelo Furfaro, Helen D. Karatza
TL;DR
The paper tackles the challenge of in-depth malware analysis within open networks by enhancing high-interaction honeypots with integrated reverse-engineering instrumentation. It introduces HERESy, a modular system that provisions per-attacker containerized environments via a proxy, and collects rich telemetry across file systems, networks, and process execution using Git-based versioning, per-container network captures, and dynamic binary instrumentation with DynamoRIO and CRIU. Experiments in a campus network demonstrate HERESy’s ability to capture thousands of attacks across multiple protocols and to preserve detailed artifacts for reverse engineering. The work improves attacker isolation, data fidelity, and real-time monitoring, with potential for automatic signature generation and closer IDS integration to block future threats.
Abstract
Honeypots, i.e. networked computer systems specially designed and crafted to mimic the normal operations of other systems while capturing and storing information about the interactions with the world outside, are a crucial technology into the study of cyber threats and attacks that propagate and occur through networks. Among them, high interaction honeypots are considered the most efficient because the attacker (whether automated or not) perceives realistic interactions with the target machine. In the case of automated attacks, propagated by malwares, currently available honeypots alone are not specialized enough to allow the analysis of their behaviors and effects on the target system. The research presented in this paper shows how high interaction honeypots can be enhanced by powering them with specific features that improve the reverse engineering activities needed to effectively analyze captured malicious entities.