Rapid7 has announced today that the Ghost USB honeypot will be one of the projects sponsored in their Magnificent7 program. In this blog post, I'm going to give an overview of what Ghost is all about, and I'll motivate our plans for the next year.
Our goal is to protect you from the threats of using USB devices. Despite being indisputably useful, USB devices in general and storage devices in particular bear a great risk: Malware can use them as a transport medium to get from one machine to the other, even if there's no network connection between the two. We've seen a particularly spectacular example of such behavior in 2010, when Stuxnet leveraged USB flash drives in addition to the usual propagation through networks to break into highly critical infrastructure for sabotage.
Ghost provides you with a way to detect if your machines are infected with such USB malware. How is that? Well, assume you did indeed fall prey to some USB malware. Then your machine will most likely copy malicious files to every USB storage device that you attach - after all, the malware was made to spread this way. So in theory, all it takes to identify the USB malware on your machine is to plug in a flash drive and examine its contents on another computer. You might be able and willing to do so once in a while, but will you check regularly? And what if you have a hundred or a thousand machines to take care of?
This is where Ghost comes into play. Basically, it just executes the procedure that we've discussed above. The only difference is that it doesn't use a physical USB flash drive, but instead it emulates a virtual "Ghost drive", thus being able to act completely automatically. From the malware's perspective, there is no difference between the real and the emulated device, so it will have to either infect none or both. (The former would be great, but the latter will be the case.)
We use the mere fact that data is written to the Ghost drive to infer that the machine is infected with USB malware. Legitimate processes don't usually write to removable devices without permission, after all. And since Ghost works in the operating system kernel, it doesn't only detect the infection - it's also able to collect information about the supposedly malicious process that's trying to write data to the emulated flash drive.
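As an added illustration of the detection rule described above (this is not Ghost's own code, which is a Windows kernel driver), here is a user-mode simulation in Python that applies the rule to a constructed stream of file-system events; the event format, the process names and the drive letter G: are assumptions:

```python
from dataclasses import dataclass, field

# Constructed assumption: the emulated Ghost drive was mounted as G:.
GHOST_DRIVES = {"G:"}

@dataclass(frozen=True)
class FsEvent:
    """One file-system request as a kernel driver would see it (hypothetical format)."""
    pid: int
    image: str  # executable of the requesting process
    op: str     # "read", "write" or "create"
    path: str   # full path, drive letter first, e.g. "G:\\autorun.inf"

@dataclass
class Detection:
    pid: int
    image: str
    files: list = field(default_factory=list)

def drive_of(path: str) -> str:
    return path[:2].upper()

def analyze(events, ghost_drives=GHOST_DRIVES):
    """Ghost's rule: any write to the emulated drive is evidence of infection.
    Returns one Detection per writing process with the files it touched."""
    found = {}
    for ev in events:
        if ev.op not in ("write", "create"):
            continue  # merely reading the bait drive is not evidence
        if drive_of(ev.path) not in ghost_drives:
            continue  # writes to real volumes are ordinary activity
        det = found.setdefault(ev.pid, Detection(ev.pid, ev.image))
        if ev.path not in det.files:
            det.files.append(ev.path)
    return list(found.values())

# Constructed sample: benign activity on C:, a harmless read of the bait
# drive, and one process dropping two files onto the Ghost drive.
SAMPLE_EVENTS = [
    FsEvent(1200, "C:\\Windows\\explorer.exe", "write", "C:\\Users\\me\\notes.txt"),
    FsEvent(1200, "C:\\Windows\\explorer.exe", "read", "G:\\"),
    FsEvent(4242, "C:\\Users\\me\\AppData\\svchost.exe", "create", "G:\\autorun.inf"),
    FsEvent(4242, "C:\\Users\\me\\AppData\\svchost.exe", "write", "G:\\autorun.inf"),
    FsEvent(4242, "C:\\Users\\me\\AppData\\svchost.exe", "create", "G:\\update.exe"),
]

if __name__ == "__main__":
    for d in analyze(SAMPLE_EVENTS):
        print(f"infection suspected: pid={d.pid} image={d.image} files={d.files}")
```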
That's where we currently are: We can detect infections with USB malware and provide some useful information related to the detection. For a home user wanting to protect their personal computer this might be totally sufficient, but in a corporate environment with many networked, centrally administered machines, there is much more potential. We can use the network, e.g. to warn others if an infection is detected somewhere or to collect the reports from all machines in a central place. Also, we'd like to prevent infections rather than "just" detect them - if we know that there's USB malware on a neighboring machine, why not restrict access to (potentially infected) USB flash drives until the threat is removed? And isn't a process originating on a removable storage device a little suspicious?
Finally, there are other attacks via USB than those using storage devices. When executing hardware attacks, one uses devices that look innocuous (e.g. mice) and modifies them in such a way that they behave like an entirely different type of device. A keyboard, for example, has the power to execute any command in the current user's context, just by reporting a series of keystrokes to the operating system. While it is very difficult to detect such attacks, we'll at least mitigate them by implementing a filter for USB devices that only accepts new devices if they match certain criteria.
So during the next year we'll be working on extending Ghost to a system that you can use to protect your company's network from the various threats that are implied by the use of USB devices. If you'd like to give the current version a try, have a look at the downloads section of our website - we have binaries as well as source code available (and here you'll find related documentation). As you can imagine, there are plenty of things to do, and input from the community is always welcome. So if you have suggestions or feedback or if you're interested in working on a cool open source project, don't hesitate to contact me! (There's no need to be an expert if you'd like to contribute - curiosity and enthusiasm are all we need.)
Let's look forward to an interesting year!