A smart honeypot-deception or intrusion-detection software package

NETSEC, based in Switzerland, has released Specter 5.01 Intrusion Detection System software for Windows 2000 and Windows NT. Although NETSEC calls the software an intrusion-detection system, it's actually a honeypot-deception software package.

Features and Benefits
A honeypot is a system or piece of software that disguises itself as a potentially vulnerable system or a system entirely different from what you are running. Specter's first goal is to trick intruders into either giving up because they don’t know how to access the OS or to throw themselves at the system because they think it's more vulnerable than it is.

The software's second goal is to monitor scans against the system and act on them. Once Specter detects a scan, it logs the attack and fingers the attacking system, trying to glean information about the intruder's system. The fine line between Specter's activity and typical intrusion-detection software is that Specter won’t tell you if someone has broken through your system.

Specter's honeypot package presents many options: It can make your OS appear to be one of many OSs other than Win2K or NT (e.g., Unisys UNIX, Linux, and Mac OS). Specter also provides various options for specific vulnerabilities (e.g., mimicking NetBus, Back Orifice, and Sub-7 back doors) or system services (e.g., FTP, Telnet, and Web service). You can even set up Specter to provide fake password lists to intruders who request them, causing the intruders to think they're making progress. You can select these passwords from predefined lists (e.g., easy, hard, fun, and warning). Once intruders open these lists, the software lets the intruders know they've been detected. Specter also provides remote management; system scan logging; and notification of events by email, event logging, or logging to local files.

Installation and Use
NETSEC recommends that you install Specter on at least a 450MHz Pentium II system with 128MB of RAM. If you run NT 4.0, you must have Service Pack 6A (SP6A), although NETSEC recommends a 600MHz Pentium III system with 256MB of RAM and SP6A running NT 4.0. Personally, I recommend a minimum of a 400MHz Pentium II system with 128MB or more of RAM. I installed the software easily in less than a minute on my 450MHz Pentium II system with 128MB of RAM running Win2K Server.

After installation, I ran SpecterControl, which is a single screen with check boxes and radio buttons for setting Specter’s options. On this screen, I configured the type of OS I wanted Specter to appear to be—I simply selected the radio button next to one of the 12 options. I also selected one of the six attitudes or characters I wanted Specter to take (e.g., aggressive, open, secure). The differences in these modes of operation is how the system acts—if the system is set to "aggressive," it will give off signs of strong security, but if it is set to "open," it will give up as much information as the intruder requests. There aren't any custom options, but there's enough variety with the preset options to satisfy most users, as Figure 1 shows.

The Services section let me set up to six types of services that Specter shows an intruder as being active to system scans, such as FTP or NetBus. I could also use the Traps section to set up to seven traps which resemble trap doors, such as POP3 or Sub-7. In SpecterControl, I chose one of the preset fake password lists I described earlier using the Password Type settings. Also, at the far upper-right corner of the SpecterControl window is a list of simulated services that are running or have stopped. This list provides quick monitoring of Specter's status. For help with any of these settings, I simply clicked the box with a question mark next to the item for a brief explanation of that particular setting.

The next section of options I used was Intelligence, where a user can choose to have Specter attempt to connect to intruders and profile what type of systems they're running. Some Specter users might decide to provide the information to authorities while others choose to attack the intruder. Although a counterattack is a type of vigilantism, many systems administrators choose to use the Intelligence feature for this purpose by setting the notification options to receive an alert when the intruder has caused something to happen. However, users should always think twice before taking action against intruders and should act within their own legal boundaries, remembering that an attacker might be in another jurisdiction.

After I turned on almost every option, I set the OS to Mac OS and began a scan with eEye's Retina 3.0.2. Retina reported the false information about the ports, services, and back door options that I'd selected. When I tried to connect to Telnet, a Mac OS banner requested that I log on. When my logon attempt failed, I saw the exit message "Specter Enabled"—the message I had typed earlier in the custom warning message window at the lower bottom of the SpecterControl screen. To help deter further attacks, users can change this message to something that might actually scare an intruder. (Note: I tried to run NMAP against the Specter-enabled system with the "fingerprint OS" option turned on and was able to quickly discover the actual OS every time regardless of what OS I used to try to fake it out.)

Once intruders have attempted to scan the system, or continue trying to access the false vulnerability or service, the Intelligence component comes into play. Specter fingers the attacking system to find its source. In my test case, Specter ran into my firewall computer and one open service, FTP. Not a lot of information to go on, but it did provide two things: an IP address and that I was running a Microsoft FTP service on my system. Knowing that it was a Microsoft OS, and if I chose to, I could use this information to attack the intruder's system. However, one problem exists with this type of counterattack—an intruder might be using someone else's system to launch the attack, and a counterattack can run the risk of hurting an innocent computer user.

To view the information that Specter logged, you click Log Analyzer under the message window on SpecterControl. From the Log Analyzer screen, you can choose various options in Services/Traps, Source IP address, and Time Frame, and select the check boxes for Service/Trap Filter, Source IP Address Filter, and Time Frame Filter. Once you click Search, the information appears in the window, as Figure 2 shows. You can sort the logs by type of port activity, time of attack, or IP range. For more details, double-click the incident in the background window (where the attacks are listed) to get a variety of information that Specter might have gleaned from the intruding system (for instance, any banners outputted when you use Telnet to connect to an FTP or Telnet server). By selecting the different service tabs, I was able to view the information in the main SpecterControl screen. I experienced heavy, but brief, CPU usage spikes when I performed any search in this window. When I selected an IP range I wanted to view and clicked Search, the system would halt, sometimes for up to 20 seconds, with the CPU usage showing 100 percent. Although regular CPU usage returned to normal, these spikes can be very annoying if the system is performing other tasks. Hopefully, NETSEC will correct this problem in future versions. This kind of delay should not happen on a system with twice the minimum specifications.

Specter also provides a remote administration application, SpecterRemote. After installing SpecterRemote, you can connect and change any settings on the SpecterControl system remotely. The interface looks almost the same as SpecterControl, as Figure 3 shows, and it's just as easy to use. However, you cannot view the Specter logs remotely; instead, you must go directly to the system to view the logs, which might not always be convenient. I think this is the one major failure of Specter's intrusion-detection software; it makes the SpecterRemote administration a little less useful and inconvenient as most people would likely want to go to the SpecterControl system directly to administer settings.

The Bottom Line
Although Specter does its job of providing a honeypot-deception software package, it's important to remember that there's no real intrusion detection involved. Specter is easy to configure and use, and it does provide good honeypot features. I hope that NETSEC will fix Specter's resource-hungry nature. Remote administration is not as useful as it could be with no remote reporting functions. The counter-intelligence options are helpful, but they don’t provide more than what you can discover with a little manual probing. The benefits and use of honeypots is an often-argued topic. This type of intrusion-detection software isn’t as useful as other intrusion-detection packages; however, if you're looking for a decent honeypot software package, take a look at Specter.

Specter 5.01 Intrusion Detection System
Contact: NETSEC, Tel: ++41 31 376 0534 (Switzerland)
Web: http://www.specter.com
Price: First software license $899; $399 for each additional license.
Decision Summary:
Pros: Affordable pricing plan; easy-to-configure settings; quick-Help boxes; works as a honeypot-deception system.
Cons: High resource usage; not an intrusion-detection package in the truest sense; running NMAP reveals the actual OS; remote management utility doesn’t permit the user to view logs; counter intelligence is not very robust.