Attackers Now Using Honeypots to Trap Researchers - mfukar
http://threatpost.com/en_us/blogs/attackers-now-using-honeypots-trap-researchers-110410

======
mahmud
[Edit: this is unrelated to botmasters trapping researchers, and is more of
detecting botnets. My bad.]

This has been going on since the late 80s to early 90s; at that time, viruses
scanned the disks for signs of "abnormality". For example, a sophisticated
virus would check to see how many directories were on the disk, how many of
them were non-system, it checked timestamps to see if everything was pristine.
If it found files containing number constants, it checked to see if $number--
and $number++ existed. And as soon as it was confident the system was a
research box and not a user box, the virus would exhibit extremely benign
behavior, or do without stealthiness and go full on violent, trying to destroy
hardware equipment (i.e. spinning the floppy at max speed, asserting and
holding controller lines for expensive hard-disks).

This probing behavior is not the default, but it's triggered if the virus had
some slight suspicion about the machine (checking performance: too fast or too
slow?; checking to see if a debugger was resident; scanning the heap for
anti-virus tool signatures; seeing if a few interrupts were hooked, etc.)

IIRC, I read about this first in one of the Phalcon/Skism philes, though it
could have been NuKe.

The heuristics sound complex, especially when you think about it as a HLL
programmer working in a protected environment. But they were very
straightforward in DOS, where one had direct access to system data structures,
and entire structure-traversal strategies could be as simple as bit
manipulation.

/me just got the sudden urge to find that article. brb ..

P.S. And this really bugs me: why do black-hats consistently out-class
"normal" programmers when it comes to systems programming? Pound for pound,
the average underground "file" has more information density, sometimes an
order of magnitude (bear with me here) than the normal "app dev" articles you
see elsewhere. If I am hacking on a new platform the first thing I do is get
the official manuals and specs, then I look for its underground text files.
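As an added example (not code from this thread, nor from the Phalcon/Skism or NuKe texts the comment mentions), here is the same set of tells turned around for the defender: a sandbox operator can run it over a snapshot of an analysis image to see which giveaways a DOS-era virus of the kind described above would have keyed on (few non-system files, few directories, pristine timestamps, a resident debugger, hooked interrupts). The `FileEntry` type, the thresholds and the two sample images are constructed assumptions for the example.

```python
"""Sandbox-realism audit, written from the sandbox operator's side.

Turns the tells described in the comment (directory count, non-system share,
timestamp spread, resident debugger, hooked interrupts) into a score so an
analyst can check an analysis image for give-aways before detonating anything
on it. Thresholds and sample data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEntry:
    path: str          # DOS-style full path
    mtime: datetime    # last-modified timestamp
    is_system: bool    # part of the OS install rather than user data


# Assumed thresholds, not values from the comment.
MIN_USER_FILES = 10                       # fewer non-system files looks "too clean"
MIN_DIRECTORIES = 4                       # a real box accumulates directories
MIN_TIMESTAMP_SPREAD = timedelta(days=7)  # real files span weeks or years
TELLS_FOR_VERDICT = 2                     # tells needed to call the image suspicious


def analyse_image(entries, debugger_resident=False, hooked_interrupts=()):
    """Return (tells, looks_like_analysis_box) for a snapshot of an image.

    entries           -- iterable of FileEntry describing the disk contents
    debugger_resident -- True if a debugger/monitor TSR is loaded
    hooked_interrupts -- interrupt vectors found pointing outside ROM/DOS
    """
    entries = list(entries)
    tells = []

    user_files = [e for e in entries if not e.is_system]
    if len(user_files) < MIN_USER_FILES:
        tells.append("few_user_files")

    if entries:
        stamps = [e.mtime for e in entries]
        if max(stamps) - min(stamps) < MIN_TIMESTAMP_SPREAD:
            tells.append("pristine_timestamps")

    # parent directory of each entry; a fresh image has only a handful
    directories = {e.path.rsplit("\\", 1)[0] for e in entries}
    if len(directories) < MIN_DIRECTORIES:
        tells.append("few_directories")

    if debugger_resident:
        tells.append("debugger_resident")
    if hooked_interrupts:
        tells.append("interrupts_hooked")

    return tells, len(tells) >= TELLS_FOR_VERDICT


# Constructed snapshots: a freshly built sandbox and a lived-in user image.
_BASE = datetime(1992, 1, 10)

BARE_SANDBOX = [
    FileEntry("C:\\DOS\\COMMAND.COM", _BASE, True),
    FileEntry("C:\\DOS\\IO.SYS", _BASE, True),
    FileEntry("C:\\SAMPLES\\SUSPECT.EXE", _BASE + timedelta(hours=2), False),
    FileEntry("C:\\SAMPLES\\NOTES.TXT", _BASE + timedelta(hours=3), False),
]

_USER_DIRS = ["DOCS", "GAMES", "WORK", "LETTERS"]
REALISTIC_IMAGE = [
    FileEntry("C:\\DOS\\COMMAND.COM", _BASE, True),
    FileEntry("C:\\DOS\\IO.SYS", _BASE, True),
] + [
    FileEntry(f"C:\\{_USER_DIRS[i % 4]}\\FILE{i:02d}.DAT",
              _BASE + timedelta(days=15 * i), False)
    for i in range(12)
]


if __name__ == "__main__":
    for name, image, dbg, hooks in [
        ("bare sandbox", BARE_SANDBOX, True, (0x21,)),
        ("realistic image", REALISTIC_IMAGE, False, ()),
    ]:
        tells, suspicious = analyse_image(image, dbg, hooks)
        print(f"{name:<16} suspicious={suspicious} tells={tells}")
```

The bare sandbox trips every tell while the lived-in image trips none; the point for the operator is that each tell on the list is something the image can be made to stop exhibiting (populate user directories, age the timestamps, keep the debugger out of the guest) before a sample gets to run its own version of this check.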

~~~
barrkel
People with their head buried in low-level details are frequently - in my
experience - worse at higher-level code organization and abstraction.

There are two things at work. Some people's aptitude for handling complexity
lulls them into relying on it to get themselves out of tight spots, rather
than learning to architect their code better; and they wind themselves up
tighter and tighter. And on the other side, "app dev" people are pulling
together a lot more constraints than the bit-twiddling level, combining user
stories, business strategy, long-term supportability and team development, UX,
and a bunch of other things which, while more nebulous and less concrete, are
usually more important, economically speaking.

~~~
mahmud
You can pay us app-devs all the lip service in the world, but the fact remains
that _YOU_ get to hack on the Delphi compiler, while we A/B test sign up
forms.

;-)

I said the exact same thing, a few days ago:

<http://news.ycombinator.com/item?id=1832024>

P.S. Get in touch in the twitters, please. I am _very_ interested in what you
do, and where it's going.

------
kfarzaneh
New forms of an old art:
[http://www.foreignpolicy.com/articles/2010/03/12/the_history...](http://www.foreignpolicy.com/articles/2010/03/12/the_history_of_the_honey_trap?page=full)

------
ohashi
This is a game of cat and mouse that frustrates and intrigues me.