Honeypot role reversal
Security firm Tllod (The Last Line of Defense) reports in its blog that some botnet control servers are apparently equipped with functions to mislead and monitor inquisitive researchers, and to complicate their analyses. According to the researchers, such servers present a fake, basic web interface after pretending to accept easily guessed log-in credentials.
For instance, in one case the combination admin/admin was sufficient for an apparently successful log-in. The examined server was even prepared for attempted SQL injection attacks on the password field and pretended to fall for such strings as "' or 1=1--". After a successful log-in, the server recorded all activities. In Tllod's opinion, this deceptive mechanism could serve the purpose of analysing the methods of potential intruders. Previously, such honeypots were only known to be used by security researchers who wanted to investigate the methods of criminals.
When analysing the source code of a control server set up by criminals, Tllod also noted that the statistics presenting the number of infected PCs (bots) and successful exploits were simply random figures. Such figures are obviously useless – and botnet researchers should be sceptical when examining the statistics presented by the control servers of other botnets. In the past, security researchers often released the internal statistics of hacked control servers.
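The scepticism the paragraph above recommends can be made concrete. The following Python is an added example, not code from Tllod or from the article, and the poll samples in it are constructed: it takes a series of statistics read from a control panel and applies three plausibility checks that a genuine, database-backed counter would pass but a random-number generator would not. A cumulative "successful exploits" counter must never decrease; two requests issued within a couple of seconds of each other should return identical values; and the bot population should not swing by large fractions between polls a minute apart. The threshold names (max_swing, min_interval) are assumptions of this example.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Poll:
    """One read of the panel's statistics page: time offset in seconds and the two counters."""
    t: float
    bots: int
    exploits: int


def relative_changes(values):
    """Absolute fractional change between consecutive samples."""
    return [abs(b - a) / max(a, 1) for a, b in zip(values, values[1:])]


def assess_stats(polls, max_swing=0.10, min_interval=2.0):
    """Return a list of findings; an empty list means the series looks like a real counter.

    polls must be sorted by time. Thresholds are illustrative assumptions.
    """
    findings = []

    # 1. A cumulative exploit counter can only grow.
    if any(b.exploits < a.exploits for a, b in zip(polls, polls[1:])):
        findings.append("cumulative exploit counter decreased between polls")

    # 2. Back-to-back reads of a stored value must agree exactly.
    for a, b in zip(polls, polls[1:]):
        if b.t - a.t < min_interval and (a.bots, a.exploits) != (b.bots, b.exploits):
            findings.append(f"values changed within {b.t - a.t:.1f}s of each other")
            break

    # 3. A bot population does not typically jump by large fractions every poll.
    swings = relative_changes([p.bots for p in polls])
    if swings and statistics.median(swings) > max_swing:
        findings.append(f"median bot-count swing {statistics.median(swings):.0%} exceeds {max_swing:.0%}")

    return findings


# Constructed samples: a panel handing out random figures versus a plausible real counter.
FAKE_PANEL = [Poll(0.0, 4312, 9120), Poll(0.5, 1877, 3044), Poll(60.0, 7720, 15033), Poll(120.0, 355, 25000)]
REAL_PANEL = [Poll(0.0, 4312, 9120), Poll(0.5, 4312, 9120), Poll(60.0, 4315, 9127), Poll(120.0, 4319, 9140)]

if __name__ == "__main__":
    for name, series in (("fake", FAKE_PANEL), ("real", REAL_PANEL)):
        print(name, assess_stats(series) or ["no anomalies"])
```

Polling the same page twice within a second is the cheapest of the three checks and already separates a stored counter from a value generated per request; the other two need a few minutes of samples.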
The examined server's web interface also pretended to allow users to upload executable files to the bots. However, the files were only stored – probably for subsequent analysis.
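To show how the deceptive panel described above can be built on the defender's side, the following Python is an added example; it is not code from Tllod, from the article, or from the server that was analysed. It models the three behaviours the article reports: a log-in that "succeeds" for a short list of weak credential pairs (admin/admin is the one the article names; the others are constructed) or for classic injection strings such as ' or 1=1--, a record of every interaction, and an upload endpoint that only stores the submitted bytes under their SHA-256 hash and never executes them. Class and method names are this example's own assumptions.

```python
import re
import secrets
import hashlib
import time
from dataclasses import dataclass, field

# Credential pairs the decoy pretends to accept (constructed; admin/admin is from the article).
WEAK_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Tautology and comment shapes commonly tried against a login form; any match also "succeeds".
INJECTION_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*or\s+1\s*=\s*1",        # ' or 1=1
        r"'\s*or\s+'[^']*'\s*=\s*'",   # ' or 'a'='a
        r"--\s*$",                     # trailing SQL line comment
        r"union\s+select",
    )
]


@dataclass
class DecoyPanel:
    """A fake control-panel back end: every interaction is recorded, nothing is executed."""
    events: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)
    uploads: dict = field(default_factory=dict)

    def _log(self, kind: str, **details) -> None:
        self.events.append({"ts": time.time(), "event": kind, **details})

    @staticmethod
    def _classify(username: str, password: str):
        """Why the decoy lets this attempt through, or None to refuse it."""
        if (username, password) in WEAK_CREDENTIALS:
            return "weak-credentials"
        if any(p.search(value) for value in (username, password) for p in INJECTION_PATTERNS):
            return "sql-injection-attempt"
        return None

    def login(self, username: str, password: str, remote_addr: str):
        """Return a session token for 'accepted' attempts, None otherwise; log both."""
        reason = self._classify(username, password)
        if reason is None:
            self._log("login-failed", user=username, addr=remote_addr)
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": username, "addr": remote_addr}
        # The submitted strings are the interesting evidence, so they are kept verbatim.
        self._log("login-accepted", user=username, password=password,
                  addr=remote_addr, reason=reason)
        return token

    def upload(self, token: str, filename: str, data: bytes):
        """Quarantine an uploaded file: store bytes keyed by hash, return the hash."""
        session = self.sessions.get(token)
        if session is None:
            self._log("upload-rejected", filename=filename)
            return None
        digest = hashlib.sha256(data).hexdigest()
        self.uploads[digest] = {"filename": filename, "size": len(data),
                                "data": data, "addr": session["addr"]}
        self._log("upload-stored", addr=session["addr"], filename=filename, sha256=digest)
        return digest


if __name__ == "__main__":
    panel = DecoyPanel()
    tok = panel.login("admin", "' or 1=1--", "203.0.113.7")   # constructed client address
    panel.upload(tok, "update.exe", b"MZ\x90\x00")           # constructed sample bytes
    for event in panel.events:
        print(event)
```

The value of such a decoy is entirely in the event log: the credential strings, injection payloads and uploaded samples are what an analyst reviews afterwards, which is why the example keeps them verbatim and keys stored files by hash so that duplicates across sessions are easy to spot.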