See No Evil: Evasions in Honeymonkey Systems

Brendan Dolan-Gavitt & Yacin Nadji

May 7, 2010

Abstract tacks can no longer be found by using honeypots that host vulnerable network services and moni- Client-side attacks have emerged in recent years tor for signs of compromise. Instead, researchers to become the most popular means of propagat- have proposed using honeyclients, which actively ing malware. In order to keep up with this new seek out malicious content on the web, to find wave of web-based malware, companies such as previously unknown client-side attacks. Google routinely crawl the web, feeding suspi- We note in passing that, like detection of mali- cious pages into virtual machines that emulate cious software, detection of malicious web pages client systems (known as honeymonkeys or hon- is theoretically undecidable. We provide a proof eyclients). In this paper, we will demonstrate of this fact, in the spirit of Fred Cohen [1], in that although this approach has been successful Appendix A. However, such theoretical impos- to date, it is vulnerable to evasion by attackers: sibility need not deter us; just as a large indus- by guarding exploit code with client-side checks try has grown up around virus detection, hon- to determine whether a visitor is a human or eyclients are in widespread use today, and it is an automated system, attackers can ensure that both useful and necessary to consider practical only human users are exploited, causing the page evasions against them. to look benign when viewed by a honeyclient. Just as honeypots can be classified as high- or Our 13 evasions, which include both observa- low- interaction, so too can honeyclients be cat- tional and interactive proofs of humanity, are egorized based on the extent to which they em- able to easily distinguish between honeyclients ulate a full end user system. HoneyMonkey [14] and human victims. We evaluate the strengths and the MITRE Honeyclient [8], which are both and weaknesses of these evasions, and speculate high-interaction honeyclients, use a full virtual on even more powerful attacks and defenses. machine with a web browser to visit potentially malicious sites; if the visit results in a persis- 1 Introduction tent change to the state of the VM outside the browser, one can conclude that a successful at- Attacks against end users have undergone a dra- tack has occurred. By contrast, low-interaction matic shift in the past several years, moving from honeyclients such as honeyc [13] merely emulate attacks against listening network services to at- a full browser, and use heuristics to detect at- tacks on client software such as browsers and tacks rather than monitoring for changes in the document viewers. These changes have created state of the OS. a need for new defensive tactics. Many new at- Honeyclients have recently gained wide use in

1 the Google Safe Browsing API [3]. As Google on the attacker, or run the risk of alerting the crawls the web, it uses heuristics to detect poten- user. By contrast, many of the evasions we de- tially malicious web sites. These sites are then scribe are transparent to the user and do not fed to a custom honeyclient to verify that they harm the attacker’s chances of success. are, in fact, malicious [11]. If a web page is found to host attack code, users who attempt to visit the page from Google’s search results are pre- 3 Methodology sented with the warning shown in Figure 1. The Honeyclients and honeypots are two similar so- user must ignore this warning to view the poten- lutions to fundamentally different problems. A tially malicious page. honeypot attempts to capture push-based infec- Due to the prevalence of client-side attacks tion, malware that is forced onto unsuspecting and the increasing use of honeyclients to de- servers. Once a server becomes infected, it fur- tect them, a likely next step for attackers is thers the campaign by pushing its infection on to to consider honeyclient evasions — techniques other hosts. A honeyclient, however, attempts to that cause a web page to exhibit benign behavior capture pull-based infection, which requires some when visited by a honeyclient while still exploit- human involvement. ing real users. In this project, we will present a By detecting whether a client is a human or number of such evasions, assess their utility to a honeyclient we can mount attacks on humans attackers, and consider possible defenses honey- only, nullifying honeyclients as a tool for analy- clients can use to counter our attacks. sis. To demonstrate these attacks, we have de- signed and implemented a reverse Turing test 2 Related Work that looks for a variety of features that would most likely be present in a true human client. In Honeypots have long been used to detect and the interest of a conservative analysis, we have analyze novel attacks. Efforts such as the Hon- limited ourselves to ourselves to legal constructs eynet Project [12] and numerous academic pa- in common languages seen on the web, such as pers [10, 6] have described the use of both real HTML, JavaScript, Flash and Java. Our ap- and virtual machines to pick up on network- proach precludes, for example, the use of a secu- based attacks on vulnerable services. As the rity flaw in Flash to implement our reverse Tur- use of honeypots became more common, evasion ing test. This conservative approach also means techniques were developed [5, 7] that used tech- that our evasions cannot be countered by patch- niques such as virtual machine detection to pre- ing known client-side flaws. If our features deter- vent executing in a honeypot environment. As mine a client is a human, the exploit is launched. attacks shifted to the client side, honeyclients Otherwise, the site executes only benign code. were proposed as a means of detecting attacks. We have ranked our features by considering Systems such as Strider HoneyMonkey [14] use the following categories: virtual machines running a vulnerable version In- 1. How difficult is the feature to counter? ternet Explorer to detect malicious sites. Despite the widespread use of honeyclients, 2. How noticeable is the feature to a human honeyclient evasion has received little attention client? in academic literature. Although Wang et al. discusses evasions, the attacks they consider are 3. How costly is the feature’s implementation either easy to counter, impose a significant cost for an attacker?

2 Figure 1: Google Malicious Site Warning

– Does the attack incur false positives by 4 Attacks rejecting real humans? – Does it increase the time required to Our attacks fall into two different categories: execute the attack? state-based and behavior-based. State-based at- tacks query the client’s state to infer information This ranking can be used by an attacker to de- about the user. For example, if the browser has termine the features to be used, and the order recently visited sites like Facebook and Twitter, in which they should be executed to detect hon- it makes it more likely that the client is an actual eyclients. A subset of the features can be used human, rather than a browser instance spawned depending on the attacker’s needs. For example, from a VM snapshot. Behavior-based attacks if it is more important to prevent missed attacks interact with the user directly. CAPTCHA is on humans than defeating honeyclient analysis, a a well known technique for differentiating hu- feature that introduces some false positives may mans and computers. Here, we use it in a similar be left out. fashion; if the CAPTCHA is properly solved, we For each feature, we have created pages that know a human is in control of the browser and demonstrate the evasion. When loaded by a hu- we can deliver our exploit safely. These two at- man, client-side code on the page tests for some tack categories are shown in Figure 2. Both at- feature that indicates the presence of a human, tacks occasionally rely on a predefined timeout and then performs an XMLHttpRequest back to or threshold that must be crossed to determine if the server with the test result. In a real attack, an exploit should be launched or not. This values the server could then examine the result and, if are in no way static, and will change as further the test indicates that the client is human, send testing is done to determine the “best” possible the exploit code to the client. Thus, an attacker values. An overview of our attacks is presented can avoid leaking valuable exploit code to a hon- in Table 1, with explanations of the intuition be- eyclient, while remaining effective against human hind them presented in the subsequent sections. users. We can evaluate our approach by comparing It is important to note that all the attacks are page execution behavior between the MITRE written entirely in Javascript or Flash. All major Honeyclient and a human client. browsers support Javascript and 99% of Internet-

3 Behavior-based Stimulus User Interaction Launch Attack

Yes

Decide: user is human? Data collection History No example.com cnn.com twitter.com Do Nothing facebook.com goatse.cx ...

State-based

Figure 2: The two categories of evasions we describe. Behavior-based evasions use user interaction to distinguish between humans and honeyclients, while state-based evasions use only data gathered from the browser and operating system. enabled computers have Flash installed1, making user intervention. If a camera is connected, we these suitable languages to perform honeyclient launch the exploit. evasion. Connection Speed Large companies who 4.1 State-based Attacks would benefit from honeyclient testing e.g., google.com generally have high throughput In- State-based attacks infer if a client is a honey- ternet connections to deliver fast and reliable ser- client based on information harvested from the vices. As such, their honeyclient operations are browser and operating system state. likely to access the web with a very fast down- load rate. We determine the connection speed Camera Intuitively, large-scale honeyclient of the client by disabling the browser’s cache, web crawling will use virtualization for scala- downloading a one megabyte file, and recording bility and to make rollback after infection triv- the time it takes to complete the operation. If ial. Customized honeyclient VMs can quickly be the connection rate is below 1 MB/sec, we launch started from a snapshot, visit a malicious site, the exploit. determine the guest OS’s state was altered, and revert back to the original snapshot to scan the Browser History Honeyclients process po- next potentially malicious site. These machines tentially malicious URLs in a sequence in dis- are unlikely to have a connected camera, a com- tinct sessions. If two potentially malicious web- mon feature on home and work computers. sites were viewed in a row and the machine was Flash has built-in APIs to use an attached we- compromised, it is unclear which site was respon- bcam. To use the webcam, Flash must first ask sible for subverting the machine. Thus, most for the user’s permission. However, Flash can honeyclients process malicious URLs in isolation determine if a webcam exists without requiring from standard browser usage. Due to this behav- 1“in mature markets”—see http://www.adobe.com/ ior, it is unlikely honeyclients will have extensive products/player_census/flashplayer/ browser history.

4 Attack State-based Behavior-based Description Alert X An alert pop-up is displayed when the page renders. The exploit is delivered only if the alert box is closed. Camera X We query the flash plugin to check for the presence of a web camera. If one exists, we deliver the exploit. CAPTCHA X We deliver the exploit after successful completion of a CAPTCHA. Connection Speed X We determine the connection speed of the connected client and deliver the exploit if its below a predefined threshold. Browser History X We view the number of sites the client has visited from a set of popular websites. If the number of visited sites is above a certain threshold, we deliver the exploit. Date X We compare the day of the week of the client to the current day of the week in the United States (EST). If the days of the week match, we deliver the exploit Immediate History X We check the back button history for previous sites. If above a certain threshold exist, we deliver the exploit. This differs from the previous history attack in that it looks at an indi- vidual page or tab history, not the browser’s history in its entirety. Message Box X We ask the client a randomly generated question with two possible answers using a dialog box. Based on the question, if the “correct” answer is chosen, we deliver the exploit. Microphone X Same as Camera, but checks for the presence of a microphone instead. onMouseMove X If the mouse is moved within the browser before a preset time- out, we deliver the exploit. onBeforeUnload X An offensive image is displayed. If the window is closed within a preset timeout, we deliver the exploit. Plugins X We query the browser for the existence of common browser plugins. If the number of usable plugins is above a predefined threshold, we deliver the exploit. Referrer X If the current client has a non-empty referrer string, we deliver the exploit.

Table 1: Attack Overview

Using a well-known method of accessing the the correct date by querying a remote time server browser’s history[4], we check the client’s his- from Javascript. tory against a list of commonly visited URLs. If over 10% of the websites have been visited by Immediate History A human user is likely to the client, we launch the exploit. stumble upon links to drive-by downloads by way of other websites. A honeyclient, however, gen- Date Honeyclients that use virtualization will erally has a list of URLs of potentially malicious likely spawn fresh VM instances for each po- websites that it visits directly. In the human tentially malicious site view. If the VM is al- case, we will see a clear series of visited websites, ways spawned from the same snapshot, its cur- while in the honeyclient no such series will exist. rent date will be when the snapshot was created This differs from Browser History as Immediate and will not accurately reflect the true current History only looks the back button history of date. We compare the current date (current year the browser, while Browser History considers all and day of the year) of the client with the cur- stored history information. rent date in the eastern timezone of the United In the event the client has three or more web- States. If the client is within 3 days of the actual sites in its back button history, that is the client EST US date, we launch the exploit. We obtain viewed the attack page through a path of direct

5 hyperlinks containing three or more websites, we CAPTCHA As we discussed earlier, launch the exploit. CAPTCHAs are commonly used on the In- ternet today as a way of differentiating a human Microphone This attack is identical to Cam- from an automated bot. We assume the honey- era, except we query for the presence of a micro- client lacks the capability to solve a complicated phone. If one is found, we launch the exploit. CAPTCHA and only launch the exploit in the event the CAPTCHA is correctly solved. It is interesting to note that at the time of the Plugins Browsers often extend functionality HoneyMonkey paper’s writing[14], CAPTCHAs by way of plugins, like Flash. Plugins are com- were uncommon on non-malicious sites and monly used for user digestible material, such as would likely raise suspicion in human users. movies and online games. A honeyclient is un- The web today, however, makes liberal use of likely to have multiple plugins installed. We CAPTCHAs, nullifying the earlier assumption. check for the existence of the following plugins:

• RealNetworks RealPlayer onMouseMove The Javascript event onMouseMove is bound to the page’s docu- • Adobe Director ment prototype in the DOM. This will capture any mouse movement that occurs within the • Apple QuickTime context of the browser’s window that displays the current page. If any mouse movement is • Windows Media detected, we flag the client as a human and launch the exploit. More sophisticated mouse • Adobe Flash movement tracking could be implemented to If the client has made querying specific plugins differentiate between smooth, human-assisted impossible, we consider the client to be a honey- mouse paths and discrete, computer-assisted client and do not launch the exploit. If the client mouse paths. We discuss future enhancements has at least three of the five plugins installed, we in Section 7. launch the exploit. onBeforeUnload The Javascript event han- Referrer As discussed in Immediate History, dler onBeforeUnload fires immediately before a a human user is more likely to visit a mali- browser window is closed. This attack has two cious page through direct hyperlinks rather than key components: through a compiled list of URLs. We check for • A negative stimulus to the client browser. the existence of a referring website. If one exists, In the current implementation, this is an of- we launch the exploit. fensive image.

4.2 Behavior-based Attacks • A function bound to the onBeforeUnload event handler to deliver the exploit. Alert A Javascript alert() window is shown to the user. A completely passive honeyclient The intuition behind this attack is a human user, will not interact with the loaded page, never when presented with an offensive image, will launching the exploit. A curious user, however, quickly close the window in a short period of will close the alert, triggering the exploit. time. A honeyclient, however, will not process

6 and understand the offensive nature of the im- Attack HIP Suspicious age, and will simply wait. We bind the event Alert X X handler to a function responsible for loading at- Camera tack code and present the user with the pere- CAPTCHA X Connection Speed nially popular Goatse image2. If the window is X Browser History closed within 15 seconds, the exploit is launched. Date Otherwise, the event handler is unloaded to pre- Immediate History vent accidentally exploiting a honeyclient. Message Box X Microphone Message Box A Javascript confirm() mes- onMouseMove X sage box is presented to the client with a ran- onBeforeUnload X X domly generated question and two possible an- Plugins Referrer swers. One button launches the attack, while the other executes only benign code. To a hu- Table 2: Summary of Obtrusiveness Evaluation man, the answer is readily apparent based on the random question. For example, the question “Do you want to do this awesome thing?” is answered attacks to use. We rate each attack based on “correctly” with the user responding “Yes”. This two factors: does the attack require human in- reduces the likelihood of infecting a honeyclient teraction, as in a human interactive proof (HIP), to a coinflip but, in general, guarantees human and does the attack have potential to rouse sus- infection. picion. We present a summary of our evaluation in Table 5.1. 5 Evaluation

Our evaluation is divided into two parts: attack Transparent Attacks Some of our attacks obtrusiveness, and evasion effectiveness. In at- operate transparently to the user, using only tack obtrusiveness, we discuss individual attacks state information that can be gathered from that introduces a deviation from expected user client-side languages. These attacks include: experience. For example, an attack that uses a camera, browser history, date, immediate his- CAPTCHA is more likely to raise suspicion with tory, microphone, plugins, and referrer. Cam- the user than an attack which executes its test era and microphone both use an information leak invisibly. In evasion effectiveness, we discuss how that allows a malicious Flash executable to query well our attack discerns a honeyclient from a de- the presence of devices without explicit user per- sired human user. We address some limitations mission. Browser history uses an information in our evaluation and ways to improve the anal- leak in the bridge between Javascript and CSS ysis of our approach. that allows browser history to be inferred. Some attacks, like immediate history, plugins, date, 5.1 Attack Obtrusiveness and referrer use only standard DOM object ac- cesses that are seen in many common web appli- Understanding how obtrusive our attacks will be cations to mount successful honeyclient detec- on a human client’s browsing experience is an im- tion. The remaining attacks all introduce some portant metric to consider when choosing which kind of HIP or may make human viewers suspi- 2http://en.wikipedia.org/wiki/Goatse.cx cious of the webpage’s trustworthiness.

7 Connection Speed The connection speed at- Message Box The message box attack re- tack requires no HIP, but does introduce some quires direct user intervention to answer a ques- overhead to download an additional large image. tion correctly to launch the exploit. As described This overhead may be substantial on very low before, the question will be simple enough for a bandwidth systems, making the attack notice- human to solve, but difficult for a computer to able in low throughput situations. without sufficient language processing capabili- The following attacks all use some kind of hu- ties. If the honeyclient resorts to chance, we still man interaction, whether direct or indirect, to increase evasion to 50% from 0%. determine the type of client.

Alert The alert attack requires direct user 5.2 Evasion Effectiveness intervention to close a popup alert window. Javascript popups are considered irritating, but To test our attacks, we set up the Honeynet the propensity of humans to simply close the Project’s honeyclient, HoneyC [13]. HoneyC popup window will likely overcome any user sus- consists of a number of Ruby scripts that ac- picion. cess web pages and use predefined signatures to indicate successful attacks. Thus, it is a low- interaction honeyclient, as it does not attempt CAPTCHA The CAPTCHA requires direct to simulate a full OS. user intervention to interpret an image as text and submit a correct solution. CAPTCHAs have We ran HoneyC in the default configuration, become very common on the web, and most users using the ListQueuer module to visit our test would not think twice before submitting the an- pages. We then used the default Visitor mod- swer to a CAPTCHA to access web content. ule to visit each page, and passed the results to a Snort-based analysis module. To determine if the attack had been successfully launched, onMouseMove onMouseMove requires indi- we configured the AJAX server to reply with a rect user intervention to determine if the attack unique phrase (“wibble”) when the attack code should be deployed or not. We observe the stan- had been sent. In order to use HoneyC to detect dard user behavior of mouse movement to iden- successful attacks, then, we simply set up a Snort tify a client as human. The current honeyclient rule that searched for “wibble” in the incoming implementations do not simulate user input of traffic. any kind. As we expected, HoneyC was unable to detect any of our test pages as malicious. This is likely onBeforeUnload onBeforeUnload requires because of its poor support for JavaScript – as direct user interaction of closing the browser HoneyC was unable to execute any scripts on the window to launch the attack. The user is shown page, it was unable to download the attack code an offensive image hoping she will quickly close (which was delivered via AJAX). the browser window in disgust. Since current We ran the attacks on our personal machines (and future) honeyclients are unlikely to include to determine reasonable initial threshold values complex image processing to determine the and to confirm our assumptions implicit in each perceived offensiveness of an image, we use this attack. All the attacks successfully ran on our to differentiate them from humans. machines.

8 6 Defenses time syncrhonization, moving the mouse, visit- ing other pages, and using a low-bandwidth con- Many of the evasions proposed in this paper can nection will increase the amount of time required be countered by more careful emulation of a hu- to test each page, and installing additional plug- man attacker on the client side. Many of the ins in the virtual machine increases the amount state-based evasions we describe can be coun- of space required. tered by taking care to prepare the honeyclient The behavior-based attacks are more difficult virtual machine in a way that mimics a real to counter. In particular, the interactive attacks user’s system. We describe mitigations that can (i.e., requiring that the user confirm a message be used to counter many of the attacks we have box or solve a CAPTCHA) are likely to be im- presented below. possible to detect automatically, as they require a human to read and understand the message Camera/Microphone presented. On the other hand, these attacks are Modify the virtual machine to report that a extremely obtrusive, and run the risk of alerting camera and microphone are attached. users that something amiss. Likewise, attacks Referrer Check that involve unpleasant stimuli will easily evade Either spoof a legitimate referrer, or simply honeyclients, but will quickly be detected if they have the honeyclient navigate to the attack are used on a high-profile web site. page from another site. History 7 Discussion and Future Work Visit other pages before going to the attack site. There are a number of attacks we considered that did not turn out to reliably distinguish be- Plugins tween humans and malware, or that were simply Install a number of commonly used plugins technically infeasible to test for. For example, in the honeyclient. we considered using Flash Local Shared Objects Date/Time (better known as Flash cookies), which provide Before visiting the attack site, synchronize similar functionality to that of HTTP cookies, the date and time with a centralized time but can be accessed across domains. By check- server. ing for the presence of Flash cookies from pop- ular web sites, we might be able to detect hon- Mouse Movement eyclients by their lack of cookies. However, we Instrument the VM to move the mouse over discovered that while Flash does permit cross- the attack page. domain cookie access, permission to access the Connection Speed cookie must be granted explicitly by the site that Throttle bandwidth to the honeyclient VM, set the cookie, making enumeration of stored or simply run the honeyclient from a slower Flash cookies impossible. connection. Similarly, we had hoped that by loading pop- ular sites that require authentication (such as Although the defenses to these attacks are Gmail) inside an iframe, we could determine relatively easy to implement, they may ad- whether a user was already logged into one of versely affect the scalability and performance of these sites. Because persistent login sessions are a honeyclient system. For example, performing common among human users and unlikely to be

9 found in honeyclients, this would have provided 8 Conclusion a simple test to distinguish the two. Unfortu- nately, it appears that many sites, and Gmail We have presented a new attack that aids in in particular, can detect when they have been evading honeyclient/HoneyMonkey detection of loaded in an iframe and instead redirect the web pages with malicious downloadable content. browser to the full site (with no iframe), which This will serve two purposes, to delay both causes the browser to navigate away from the at- drive-by download website takedowns and ma- tack page. Worse, it appears that Javascript is licious binary analysis. By determining whether forbidden from accessing the contents of iframes a client is human or not, we can selectively tar- in other domains, so any determinations must be get only humans to prevent early detection and made on the basis of side channel features such prevention of compromising websites. We de- as timing. Although we hope to explore this at- scribed and implemented 13 different attacks to tack vector in future work, we were unable to detect a honeyclient and show they launch at- find a way to use this in our current effort. tacks against human users. We will supplement additional experimental information in the near Looking forward, we can envision other types future. of attacks that may be both unobtrusive and ex- tremely difficult to counter. Rather than simply A Undecidability of Malicious checking for mouse movement, client-side code Web Page Detection could track and analyze the path of the user’s mouse cursor on the page to determine whether Proof. Suppose that detection of malicious web the movement corresponds to a human. This pages is possible. Then there exists a detector H approach, which is known as a Human Observa- that can distinguish between malicious and non- tional Proof, has been proposed to detect bots in malicious pages (for some non-trivial definition online games [2], and it may serve equally well to of “malicious”). Now, we can design a new page detect honeyclients. We hope to explore this at- P that does the following: tack, as well as possible defenses, in future work. 1. Simulate running H on P . This can be done Finally, in addition to specific defenses, it using Javascript, as Javascript is Turing- is worth considering whether there are general complete, and so it can be used to emulate techniques that could be used to expose the ma- H. For example, supposing H is a VM- licious functionality of web pages. With tradi- based Windows system, one could imple- tional malware analysis, a similar problem ap- ment a Javascript-based x86 emulator pears: given a malware sample, how can an au- tomated system ensure that it has exercised all 2. If H decides that P is malicious, do nothing. of the malicious functionality present in the exe- 3. If H decides that P is benign, launch the cutable? By applying techniques such as multi- attack. path exploration [9], it may be possible to ex- plore code paths within web page content, allow- By construction, P is malicious if and only ing an automated system to trigger the malicious if H says it is not malicious. This contradicts payload. However, the highly dynamic nature of the assumption that H can distinguish between common web languages such as Javascript and malicious and non-malicious pages, and hence H Flash may make the number of paths to be ex- cannot exist. plored too high to be feasible.

10 References in the browser: Analysis of web-based mal- ware. In Proceedings of the Workshop on [1] F. Cohen. Computer viruses: theory and ex- Hot Topics in Understanding Botnets (Hot- periments. Computer Security, 6(1), 1987. Bots), 2007.

[2] S. Gianvecchio, Z. Wu, M. Xie, and [12] The Honeynet Project. http://www. H. Wang. Battle of botcraft: fighting bots honeynet.org/. in online games with human observational proofs. Jan 2009. [13] The Honeynet Project. Honeyc. https:// projects.honeynet.org/honeyc/. [3] Google, Inc. Google safe browsing [14] Y.-M. Wang, D. Beck, X. Jiang, and API. http://code.google.com/apis/ R. Roussev. Automated web patrol with safebrowsing/. Strider HoneyMonkeys: Finding web sites [4] J. Grossman. CSS history hack. that exploit browser vulnerabilities. In Pro- http://ha.ckers.org/weird/ ceedings of the Network and Distributed Sys- CSS-history-hack.html. tem Security Symposium (NDSS), 2006.

[5] T. Holz and F. Raynal. Detecting honey- pots and other suspicious environments. In Proceedings of the IEEE Workshop on In- formation Assurance and Security, 2005.

[6] X. Jiang and D. Xu. Collapsar: a VM- based architecture for network attack deten- tion center. In Proceedings of the USENIX Security Symposium, 2004.

[7] N. Krawetz. Anti-honeypot technology. IEEE Security and Privacy, 2(1):76–79, 2004.

[8] MITRE Corp. Honeyclient project. http: //www.honeyclient.org/trac.

[9] A. Moser, C. Kruegel, and E. Kirda. Ex- ploring multiple execution paths for mal- ware analysis. In Proceedings of the IEEE Symposium on Security and Privacy (Oak- land), 2007.

[10] N. Provos. A virtual honeypot frame- work. In Proceedings of the USENIX Se- curity Symposium, 2004.

[11] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost

11