HoneySigger attempts to bridge the gap between current 'reactive' antivirus systems (which are very slow at catching up with newly released malware) and full blown proactive heuristics analysis systems - which are notoriously complex (and generally commercial only).

HoneySigger is intended to be deployed as part of a spamtrap / honeypot solution. Signatures of newly released malware are automatically generated, which can then be deployed to your spam filter/AV systems on the front line.

When a new piece of malware is released into the wild a race begins between the malware authors (who are trying to get as many people infected as possible) and the signature writers (who want to get the signature out to the end users as fast as possible in order to protect their customers from becoming victims of the new malware).

Whilst AV companies are getting better at shipping out signatures in a timely fashion, there is still the so-called 'window of opportunity' during which the signatures haven't been deployed to the end user's computer or gateway - and hence no protection exists yet. Even the best commercial AV companies have this problem, and until the signature has been deployed you have no protection against that malware.

(Graph: illustration of the window of opportunity/vulnerability)
Recent files flagged by HoneySigger

Time   Date        File                   Size
16.30  19/01/2009  19012009.zip           70464
14.54  19/01/2009  19012009.zip           70441
07.20  13/01/2009  NorthwestAirlines.zip  69926
06.19  13/01/2009  NorthwestAirlines.zip  63696
15.22  11/01/2009  UPSInv.zip             9654
21.51  10/01/2009  UPS_877621.zip         70556
16.48  19/12/2008  UPS_N022.zip           19316
02.56  18/12/2008  PDF8761231.zip         65956
21.23  12/12/2008  DOC651221.zip          58150

Graphs such as this aren't uncommon, showing the window of opportunity before the various AV companies get their signatures released to their customers. Whilst this is happening people are likely to get infected. As we can see from the (mockup) above, there is a period of 14 hours between the malware being released into the wild and all AV vendors releasing patches to their users.

How HoneySigger Helps

HoneySigger is designed to sit on a honeypot/spamtrap server and process all emails arriving at that honeypot. The honeypot will typically consist of junk addresses or of invalid addresses that are known to be on spammers' lists (iamjustsendingthisleter@... being a good example). Inbound messages are directed at HoneySigger, which automatically unpacks the MIME parts of each message. Upon finding a suspicious attachment type (.exe, .zip, .rar etc.) the system will automatically save it to disk and create a ClamAV signature (MD5) of the attachment. This is then pushed out to your front line scanners - providing near instant protection.
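The pipeline described above (unpack MIME parts, pick out suspicious attachment types, hash the attachment, emit a ClamAV hash signature) can be illustrated with a short Python script. This is an added example written for this page, not HoneySigger's own code: the sample message is constructed inline, the extension list is taken from the text, and the signature name prefix "HoneySigger" and the output file name are assumptions. The signature line uses ClamAV's .hdb hash-signature format, `MD5:FileSize:MalwareName`.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Attachment types the page names as suspicious.
SUSPICIOUS_EXTENSIONS = {".exe", ".zip", ".rar"}


def is_suspicious(filename):
    """True if the attachment filename ends in one of the listed extensions."""
    if not filename:
        return False
    name = filename.lower()
    return any(name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def clamav_hdb_line(data, malware_name):
    """Build a ClamAV .hdb hash signature: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{malware_name}"


def extract_signatures(raw_message, prefix="HoneySigger"):
    """Walk the MIME parts of one inbound message and return .hdb lines
    for every suspicious attachment found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    signatures = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not is_suspicious(filename):
            continue
        payload = part.get_payload(decode=True)  # decoded attachment bytes
        if not payload:
            continue
        # Signature names must be plain tokens; replace anything non-alphanumeric.
        safe_name = "".join(c if c.isalnum() else "_" for c in filename)
        signatures.append(clamav_hdb_line(payload, f"{prefix}.{safe_name}"))
    return signatures


def write_hdb(signatures, path):
    """Append signatures to a .hdb file that a front-line ClamAV can load."""
    with open(path, "a", encoding="ascii") as fh:
        for line in signatures:
            fh.write(line + "\n")


# Constructed sample: one suspicious .zip attachment and one harmless .txt.
SAMPLE_ATTACHMENT = b"MZ-not-a-real-binary-constructed-sample"


def build_sample_message():
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "spamtrap@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="zip", filename="UPSInv.zip")
    msg.add_attachment(b"plain text", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    sigs = extract_signatures(build_sample_message())
    for s in sigs:
        print(s)
    write_hdb(sigs, "honeysigger.hdb")  # assumed output file name
```

Because an MD5 signature matches only a byte-identical file, a repacked or re-encoded copy of the same malware (note the two different sizes listed for 19012009.zip and NorthwestAirlines.zip above) needs its own signature; the script therefore emits one line per attachment seen rather than trying to deduplicate by filename.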

Assuming that you have sufficient honeypot addresses, there is every chance that your honeypot will get a copy of the malware before your users do; provided you get the necessary signature to the front line AV servers, your users are automatically and instantly protected.

HoneySigger Copyright © Richard Bishop 2008 - 2009