Catching worms with ghost flash drives
Development of Sebastian Pöplau's Ghost USB Honeypot, originally developed at the University of Bonn, will now be taken up by the Honeynet Project. The software emulates a USB flash drive inserted into a USB port on a Windows system, and functions as malware bait. If a system is infected with a worm such as Conficker, Stuxnet or Flame, the worm will copy itself to the fake flash drive. It will then land in an image file, used by Ghost to spoof a USB flash drive, from where it can be analysed.
The idea is to run the honeypot software in the background on production systems at regular intervals, perhaps when the user is inactive and the screensaver is displayed. If something copies itself to the flash drive within a set time frame, say 30 seconds, it can be assumed that it has caught some malware.
Ghost USB currently runs under Windows XP only, although the project plan includes adding support for Windows 7. The project page contains pre-compiled drivers suitable for conducting initial experiments. A Windows Driver Kit is required to compile the source code, which is open source; the software is licensed under the GPLv3.