Abstract

Webcams are commonly used by advanced malware to spy on computer users. Victims are silently filmed without their knowledge for extended periods of time. Recent attack trends show that webcam video covertly recorded by malware is used beyond the boundaries of the cyber domain, and is thus combined with human factors. The Delilah malware, for example, lurks on a compromised machine while using the webcam to capture details about family, work, social connections, and any other element involved in the life of a target user. The attackers then blackmail the target user with the goal of turning him/her into an insider threat to his/her employer. The attackers ask the victim to give them industrial secrets in return for not disclosing video that is highly sensitive to him/her. In this paper we discuss an approach that enables the defender to sustain prolonged interaction with attackers for defensive and forensic purposes. The approach uses a decoy webcam on machines in production. It relies on a decoy video traffic injector module, as well as on learning the operational dynamics of real webcams. A webcam shadowing mechanism alternates between the real webcam and the decoy webcam. That mechanism causes malware to target the decoy webcam, while the user sees, and hence uses, only the real webcam. The approach can feed decoy webcam traffic into the data stream that malware intercepts and sends to attackers. The decoy webcam is robust to probes, and is able to coexist with production functions.
