A honeypot for arbitrary malware on USB storage devices

Authors: Pöplau, S.; Gassen, J.; Gerhards-Padilla, E.
Type: conference paper
Dates: 2022-03-12, 2022-03-12, 2012
URL: https://publica.fraunhofer.de/handle/publica/378329
DOI: 10.1109/CRISIS.2012.6378948
Scopus: 2-s2.0-84872086966
Language: en
Subject class: 004

Abstract: Malware is a serious threat for modern information technology. It is therefore vital to be able to detect and analyze such malicious software in order to develop countermeasures. Honeypots are a tool supporting that task: they collect malware samples for analysis. Unfortunately, existing honeypots concentrate on malware that spreads over networks, thus missing any malware that does not use a network for propagation. A popular network-independent technique for malware to spread is copying itself to USB flash drives. In this article we present Ghost, a new kind of honeypot for such USB malware. It detects malware by simulating a removable device in software, thereby tricking malware into copying itself to the virtual device. We explain the concept in detail and evaluate it using samples of widespread malware. We conclude that this new approach works reliably even for sophisticated malware, thus rendering the concept a promising new idea.