HoneySigger attempts to bridge the gap between current 'reactive' antivirus systems (which are very slow at catching up with newly released
malware) and full blown proactive heuristics analysis systems - which are notoriously complex (and generally commercial only).
HoneySigger is intended to be deployed as part of a spamtrap / honeypot solution. Signatures of newly released malware are automatically generated, which can then be deployed to your spam filter/AV systems on the front line.
When a new piece of malware is released into the wild a race begins between the malware authors (who are trying to get as many people infected as
possible), and the signature writers (who want to get the signature out to the end users as fast as possible in order to protect their customers
from becoming a victim of the new malware.
Whilst AV companies are getting better at shipping out signatures in a timely fashion, there is still the so-called 'window of opportunity' during which time the signatures haven't been deployed to the end users computer or gateway - and hence no protection exists yet. Even the best commercial AV companies have these problems and until the signature has been deployed, you have no protection against that malware.
Graphs such as this aren't uncommon, showing the window of opportunity before the various AV companies get their signatures released to their customers. Whilst this is happening people are likely to get infected. As we can see from the (mockup) above, there is a period of 14 hours between the malware being released into the wild and all AV vendors releasing patches to their users.
How HoneySigger Helps
HoneySigger is designed to sit on a honeypot/spamtrap server and process all emails arriving at that honeypot. The honeypot will typically consist
of junk addresses or of invalid addresses that are known to be on spammers lists (iamjustsendingthisleter@... being a good example). Inbound
messages are directed at HoneySigger which automatically unpacks the mime parts of each message. Upon finding a suspicious attachment type
(.exe, .zip, .rar etc) the system will automatically save this to disk and create a ClamAV signature (MD5) of the attachment. This is then pushed
out to your front line scanners - providing near instant protection.
Assuming that you have sufficient honeypot addresses, there is every chance that your honeypot will get a copy of the malware before your users do, providing you get the necessary signature to the front line AV servers then your users are automatically, instantly protected.