Windows IT Pro
April 2004

Honeypots for Windows

Distract intruders away from your legitimate resources
Sidebar: A Small Consideration

SPECTER
SPECTER contains many unique features but doesn't have the detailed Windows emulation and flexibility of its competitors. SPECTER is among the easiest honeypots to install and configure, although perhaps this ease results from its lack of features and customization.

SPECTER's GUI is unique in that it attempts to display almost every possible configuration option on one screen, as Figure 3, page 37, shows. I found the GUI too busy, and during testing, the GUI edges were cut off when the screen was in 800 x 600 resolution. In addition, most of the configuration windows don't have the Close and Minimize control buttons typically found in Windows applications. Both the online Help file and the help available on SPECTER's Web site could be greatly improved.

SPECTER can emulate 14 OSs (Windows OSs include Windows XP, Win2K, NT, and Windows 98 but not Windows 2003) and many of the ports an intruder might expect to see. However, SPECTER emulates only 11 legitimate (i.e., nonmalicious) network services: DNS, Finger, FTP, POP3, IMAP4, HTTP, Secure Shell (SSH), SMTP, Sun RPC, Telnet, and a generic trap. Three of those services (i.e., Finger, SSH, and Sun RPC) aren't routinely found on Windows systems. SPECTER also emulates three potentially malicious Trojan horse ports: NetBus, SubSeven, and Back Orifice 2000 (BO2K).

You can only enable or disable the ports or services; you can't customize them, add ports or scripts, or extend the honeypot's response beyond what's already hard-coded. Furthermore, SPECTER won't display or log intruder attempts to any other ports on the host, which is a significant limitation for what could be a real honeypot contender. You would almost have to be lucky to notice an intruder with this honeypot.

On the plus side, the banner emulations of SMTP, FTP, HTTP, and POP return Windows-specific information, although not for updated versions. You can configure each emulated OS with a character. You can choose from five characters: Open (the OS acts like a badly secured system), Secure (the OS acts like a well-secured system), Failing (the OS acts like a machine with various hardware and software problems), Strange (the OS acts unpredictably), and Aggressive (the OS communicates as long as necessary to collect information about the intruder, then reveals its true identity to try to scare the intruder away). It would be better if you could customize the security setting for each emulated service on each OS.
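To make concrete what a low-interaction honeypot of this kind does, and what the review says SPECTER does not do (log hits on ports it doesn't emulate), here is an added illustration that is not SPECTER's code or the author's. It assumes constructed banner strings (placeholders, not real product fingerprints) and a hypothetical catch-all port 4444; every connection is logged as one JSON line whether or not the port has a banner.

```python
import json
import selectors
import socket
import time

# Constructed banners for the emulated services (placeholders, not real product
# fingerprints). Any port not listed gets no banner but is still logged, which
# closes the gap the review points out for non-emulated ports.
BANNERS = {
    21: b"220 mailsrv Microsoft FTP Service\r\n",
    25: b"220 mailsrv Microsoft ESMTP MAIL Service ready\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS\r\n\r\n",
    110: b"+OK Microsoft Exchange POP3 server ready\r\n",
}

def banner_for(port):
    """Emulated banner for a port, or None when the port is only a catch-all."""
    return BANNERS.get(port)

def log_record(port, peer, data, now=None):
    """One JSON log line per hit: source, destination port, and the first bytes seen."""
    rec = {"ts": time.time() if now is None else now,
           "src": peer[0], "sport": peer[1], "dport": port,
           "emulated": port in BANNERS, "data": data[:64].decode("latin-1")}
    return json.dumps(rec, sort_keys=True)

def serve(ports, host="127.0.0.1", log=print, max_events=None):
    """Listen on every port in `ports`, send a banner where one exists, log each hit."""
    sel = selectors.DefaultSelector()
    for p in ports:
        s = socket.socket()
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, p)); s.listen(); s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, p)   # key.data carries the port
    seen = 0
    while max_events is None or seen < max_events:
        for key, _ in sel.select(timeout=1.0):
            conn, peer = key.fileobj.accept()
            conn.settimeout(1.0)
            banner = banner_for(key.data)
            if banner:
                conn.sendall(banner)
            try:
                data = conn.recv(256)          # capture what the client sends first
            except (socket.timeout, OSError):
                data = b""
            log(log_record(key.data, peer, data))
            conn.close(); seen += 1
```

Calling `serve([21, 25, 80, 110, 4444])` on a test host records a hit on port 4444 exactly like a hit on port 25, with `"emulated": false` marking the difference.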

For every point of inflexibility or strangeness, SPECTER offers a unique feature that I would like to see included in the other contenders. One such feature is the ability to collect information about the intruder by using intelligence modules, such as finger, traceroute, and portscan. This feature can save you time in the forensic analysis after an attack, although using these options might alert the intruder. I wish other honeypots would offer this option.

SPECTER comes with decoy data that you can use to make the honeypot look more legitimate, thereby enticing intruders. For example, SPECTER comes with fake password files, with varying levels of difficulty. Or instead of sending the password file when the intruder requests it, the honeypot can send a warning text message. SPECTER also generates programs that the intruder can download. These programs leave hidden markers on the intruder's computer. Supposedly, law enforcement agencies can use these markers as evidence in court. The concept is intriguing. However, to date, no law enforcement agency has used them this way, so their validity and legality remain untested. (Another untested legality concerns administrators' liability when using any honeypot. For more information about this topic, see the sidebar "A Small Consideration.")

SPECTER offers other interesting features as well. For example, it has a remote administration client that's nearly as functional as the local client, an online update button to check for new releases, several methods of alerting and logging, and a log-analyzer engine to parse logs for notable events.

I've been following SPECTER for the past year. Although it has an opportunity to be a major player in the Windows honeypot market, it appears dated and a bit neglected by its developer. Its biggest drawback is the lack of port emulations and customization options. Pricing starts at $599 for a light version and $899 for the full version.


SPECTER 7.0
Network Security Software, (41) (31) 376-0534
http://www.specter.com
PRICE: $899 for full version (includes one license); $399 for each additional license; $99 for extension of upgrade and support period (1 year)

DECISION SUMMARY
PROS: Unique features not found elsewhere
CONS: Not very customizable; supports only 14 services or ports; not frequently updated


Reader Comments

Friendly Print Version would be NICE!
Hell, March 31, 2004

The honeypots that cost money should be cheaper/free for home users that want to research/learn about such things
browolf, April 30, 2004
Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.