About HoneySigger

How HoneySigger Helps

HoneySigger is designed to sit on a honeypot/spamtrap server and process all emails arriving at that honeypot. The honeypot will typically consist of junk addresses or of invalid addresses that are known to be on spammers lists (iamjustsendingthisleter@... being a good example). Inbound messages are directed at HoneySigger which automatically unpacks the mime parts of each message. Upon finding a suspicious attachment type (.exe, .zip, .rar etc) the system will automatically save this to disk and create a ClamAV signature (MD5) of the attachment. This is then pushed out to your front line scanners - providing near instant protection.

Provided you have enough spamtrap email addresses (widely distributed throughout the alphabet to account for spammers sending spam to a..., b..., c... etc), there is every chance that your honeypot sees a particular piece of malware before your users do. Once that piece of malware has hit HoneySigger a signature has been automatically generated, and your users are automatically, instantly protected.

By virtue of the system being hosted on a honeypot means that we only see unsoliciated mail - no human is ever going to send emails to these addresses. As soon as we see some .zip or .rar file (not to mention .exe and the rest) we know that it's unwanted - and we aren't going to break anything by block further instances of it. There is a 0% chance of false positives (and so what if you accidentally hit some .zip file by accident - it arrived at a honeypot!), 100% hit rate and provided you get the generated signatures out to your front line servers quick enough then you're instantly protected!

How HoneySigger Works

HoneySigger is designed to be deployed on your honeypot mail server(s). Inbound mail is then routed to the executable by means of a pipe. HoneySigger will automatically read a message piped in via stdin and unpack the various mime parts. Upon finding a suspect file or mime type, HoneySigger will save this part to disk, check whether ClamAV already knows about the file, and if not will generate an MD5 hash of the file. This MD5 hash is then posted off to a server via HTTP POST where a PHP script creates a catalogue of the various hashes. This can then be deployed out to your spam / AV scanners processing legitimate mail. In addition to checking with ClamAV (via the clamav-daemon interface) that the file isn't already in their signature repository, HoneySigger also maintains its own local cache of generated signatures in order that the system doesn't re-generate the same signature multiple times before the ClamAV update is rolled out.

But not all spam is malware!

No. But any spammed attachment that is a zip file, exe file or similar is likely to contain malware of some description. HoneySigger will only generate signatures for file / mime types that you have told it are suspicious - and only when these files arrive at your honeypot. The list of mime types is completely configurable - if you want to avoid generating signatures for a particular filetype then simply change the configuration.

But what about malware that is periodically re-generated to avoid signatures?

This is becoming a common technique amongst malware authors. The malware executable is automatically repacked every 1/2 hour or so, with the new version of the executable file having a completely different signature (the non-discoverability property of the MD5 algorithm). In some cases, malware authors have built up collections of varients of malware and released these all at once in order to overload the signature people - the storm worm for example.

But HoneySigger doesn't care about any of this! As soon as the first copy of that new varient hits HoneySigger, a signature is instantly generated. If the malware is repacked then that version will automatically get a signature too - and so on. In short, it doesn't matter what the malware authors do to the malware they are spamming out. Provided that your honeypot sees the malware before the users do then they will be protected. The more spamtrap addresses you have assembled, the more chance there is of HoneySigger seeing the malware before you do.

HoneySigger Copyright © Richard Bishop 2008 - 2009