Botnets Outwitting Honeypot Systems _ Dalin _ Sina Blog

Advances in botnet technology are challenging honeypots, one of the main ways of studying how bot herders control zombie hosts. Computer scientists led by Cliff Zou at the University of Central Florida, together with their colleagues, warn that bot herders can now bypass the honeypots set up by security firms (unprotected computers fitted with monitoring software). Honeypot operators generally abide by an ethical line: they do not let their systems be used to send spam or to launch attacks on other computers. By testing for that rule, cybercriminals can have their command-and-control servers cut off or bypass these machines, making it hard for security firms to obtain valuable intelligence on how botnets actually operate. Zou and his team are researching stealthier ways to mislead bot herders: "Honeypot research and deployment remain an important tool available to the security community; we hope this paper reminds honeypot researchers of the importance of studying covert honeypots, and of the limitations of deploying honeypots in security defence. If all honeypots remain as easy to detect as they are today, no amount of effort will be worthwhile."

Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs.

Computer scientists led by Cliff Zou and colleagues at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with monitoring software - set up by security firms.

Ethical concerns mean that security firms do not allow their infrastructure to be used to send spam or to run attacks against victims. By issuing exactly such instructions and checking whether they are actually carried out, cybercrooks can therefore program their command-and-control servers to disable, or simply ignore, any machine that fails to comply, depriving security firms of vital intelligence on how zombie botnets operate in the real world.

Zou and his team are working on techniques to make stealthier honeypot traps to trick bot herders. "Honeypot research and deployment still has significant value for the security community, but we hope this paper will remind honeypot researchers of the importance of studying ways to build covert honeypots, and the limitation in deploying honeypots in security defence," Zou said. "But all that effort will be for naught if honeypots remain as easily detectable as they are presently."

Preliminary findings from the Florida team's research were published in a recent edition of the International Journal of Information and Computer Security, as explained in a EurekAlert press release (http://www.eurekalert.org/pub_releases/2010-02/ip-hth022610.php).

Security and anti-virus firms say that the problem is already on their agenda.

Luis Corrons, PandaLabs technical director at Spanish anti-virus firm Panda Security, explained: "While you can and must filter the traffic generated by the bot inside a honeypot, you can also decide what goes out and what does not. For example, if the bot herder is telling the bot to send spam, you can let the bot receive all the information, and even let it send out the spam messages, but redirect them through a proxy to avoid them reaching any victims.

If the bot then contacts the Command and Control server to say the messages have been sent, you can let that info pass through, so the bot herder will think everything works fine.

There are some other ideas the bot herder could try, such as being one of the recipients to check that the spam is really being sent. In this case, there's little that can be done from our side, as we won't participate in letting threats spread."
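The proxying Corrons describes, and the recipient check he says defeats it, as an added example that is not PandaLabs' code. Everything is simulated in-process: the SMTP sink speaks just enough of the protocol for the bot to believe delivery succeeded, command-and-control traffic is passed through so the "sent" report arrives, and the herder then compares that report with a mailbox he controls. CANARY, CNC_HOST, the job contents and the bot id are constructed for the demo.

```python
"""Honeypot egress handling for a spam job, the way Corrons describes it.
Added example, not PandaLabs' code: the bot, the C&C exchange and the SMTP
sink are in-process stand-ins; CANARY, CNC_HOST, job and bot id are constructed."""

CANARY = "herder-check@example.net"  # constructed: a mailbox the bot herder reads
CNC_HOST = "cnc.example.org"         # constructed: the C&C hostname


class SmtpSink:
    """Minimal SMTP responder: accepts every message, delivers none."""
    def __init__(self):
        self.captured = []  # (sender, recipients, body) the bot believed it sent
        self._reset()
    def _reset(self):
        self._from, self._rcpt, self._body, self._in_data = None, [], [], False
    def handle(self, line):
        """Consume one client line; return the reply, or None while inside DATA."""
        if self._in_data:
            if line != ".":
                self._body.append(line)
                return None
            self.captured.append((self._from, list(self._rcpt), "\n".join(self._body)))
            self._reset()
            return "250 2.0.0 OK: queued"
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            self._from = line.split(":", 1)[1].strip().strip("<>")
            return "250 2.1.0 OK"
        if verb == "RCPT":
            self._rcpt.append(line.split(":", 1)[1].strip().strip("<>"))
            return "250 2.1.5 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


class CommandAndControl:
    """Herder side: hands out the spam job and records each bot's status report."""
    def __init__(self):
        self.reports = []
    def job(self):
        return {"from": "promo@example.com", "rcpts": ["alice@example.net", CANARY], "body": "Buy now"}
    def report(self, bot_id, status):
        self.reports.append((bot_id, status))


class HoneypotEgress:
    """Decides where each outbound connection from the honeypot really goes."""
    def __init__(self, cnc):
        self.cnc, self.sink, self.log = cnc, SmtpSink(), []
    def connect(self, host, port):
        if host == CNC_HOST:  # C&C traffic passes untouched so the status report arrives
            self.log.append(("pass", host, port))
            return self.cnc
        if port == 25:  # every SMTP session is proxied into the sink instead of a real MX
            self.log.append(("redirect-to-sink", host, port))
            return self.sink
        self.log.append(("drop", host, port))  # anything else never leaves
        return None


def run_bot(bot_id, egress):
    """The bot's view: fetch the job, deliver it over SMTP, report back to the herder."""
    cnc = egress.connect(CNC_HOST, 443)
    job = cnc.job()
    smtp = egress.connect("mx.example.net", 25)
    ok = smtp is not None
    if ok:
        ok = smtp.handle("EHLO bot").startswith("250")
        ok = ok and smtp.handle(f"MAIL FROM:<{job['from']}>").startswith("250")
        for rcpt in job["rcpts"]:
            ok = ok and smtp.handle(f"RCPT TO:<{rcpt}>").startswith("250")
        ok = ok and smtp.handle("DATA").startswith("354")
        for body_line in (job["body"].splitlines() if ok else []):
            smtp.handle(body_line)
        ok = ok and smtp.handle(".").startswith("250")
        smtp.handle("QUIT")
    cnc.report(bot_id, "sent" if ok else "failed")
    return ok


def herder_verifies(cnc, real_mailboxes):
    """Corrons' caveat: a herder who is also a recipient compares reports with reality."""
    return [bot_id for bot_id, status in cnc.reports
            if status == "sent" and not real_mailboxes.get(CANARY)]


def demo():
    cnc = CommandAndControl()
    egress = HoneypotEgress(cnc)
    real_mailboxes = {}  # nothing leaves the honeypot, so the canary mailbox stays empty
    ok = run_bot("bot-7", egress)
    return {"bot_believes_sent": ok, "cnc_reports": cnc.reports,
            "sink_captured": egress.sink.captured, "egress_log": egress.log,
            "suspected_honeypots": herder_verifies(cnc, real_mailboxes)}
```

Calling demo() shows both halves of Corrons' argument at once: the bot gets a 250 for every recipient, reports "sent", and the sink holds the message the victims never received; but because the canary address is among the recipients and that mailbox stays empty, herder_verifies() flags the bot anyway. Hiding the honeypot at that point would mean delivering real spam, which is the line Corrons says PandaLabs will not cross.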

Amichai Shulman, CTO at database security firm Imperva, suggested that rather than monitoring the behaviour of infected machines miscreants could instead attempt to identify virtual machines. "Most honeypot machines are based on a virtualisation platform (most often VMWare). By detecting this attribute of the infected platform, malware developers will probably be able to detect most honeypots out there,” he said.
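The detection Shulman describes, as an added example that is not code from the article or from Imperva: the checks a piece of malware (or a honeypot operator auditing its own images) can run to spot a VMware or other hypervisor guest. The CPUID vendor ids, DMI markers and MAC OUIs are the commonly known ones; the three sample artifact sets are constructed. Reading CPUID needs native code, so the live-host collector only gathers DMI strings and MAC addresses, and only on Linux.

```python
"""Hypervisor fingerprinting from host artifacts, as malware or a honeypot
operator would do it. Added example, not Imperva's code: artifact sources are
the usual ones (CPUID leaf 0x40000000 vendor id, DMI strings, virtual-NIC MAC
OUIs); the sample artifact sets below are constructed."""
import glob

HYPERVISOR_VENDOR_IDS = {   # CPUID leaf 0x40000000 vendor strings
    "VMwareVMware": "VMware", "KVMKVMKVM": "KVM", "Microsoft Hv": "Hyper-V",
    "XenVMMXenVMM": "Xen", "VBoxVBoxVBox": "VirtualBox",
}
DMI_MARKERS = {             # substrings of DMI sys_vendor / product_name
    "vmware": "VMware", "virtualbox": "VirtualBox", "qemu": "KVM/QEMU",
    "xen": "Xen", "virtual machine": "Hyper-V",
}
MAC_OUIS = {                # OUIs hypervisors assign to virtual NICs
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "KVM/QEMU", "00:16:3e": "Xen", "00:15:5d": "Hyper-V",
}


def fingerprint(artifacts):
    """Return (evidence, platform) pairs; artifacts = {cpuid_vendor, dmi, macs}."""
    hits = []
    vendor = artifacts.get("cpuid_vendor") or ""
    if vendor in HYPERVISOR_VENDOR_IDS:
        hits.append(("cpuid:" + vendor, HYPERVISOR_VENDOR_IDS[vendor]))
    for text in artifacts.get("dmi", []):
        for marker, platform in DMI_MARKERS.items():
            if marker in text.lower():
                hits.append(("dmi:" + text, platform))
    for mac in artifacts.get("macs", []):
        platform = MAC_OUIS.get(mac.lower()[:8])
        if platform:
            hits.append(("mac:" + mac, platform))
    return hits


def is_virtual(artifacts):
    return bool(fingerprint(artifacts))


def collect_linux_artifacts():
    """Read the same artifacts from a live Linux host (CPUID itself needs native code)."""
    dmi = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as fh:
                dmi.append(fh.read().strip())
        except OSError:
            pass
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as fh:
                mac = fh.read().strip()
        except OSError:
            continue
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return {"cpuid_vendor": None, "dmi": dmi, "macs": macs}


# Constructed artifact sets.
SAMPLE_VMWARE_GUEST = {
    "cpuid_vendor": "VMwareVMware",
    "dmi": ["VMware, Inc.", "VMware Virtual Platform"],
    "macs": ["00:0c:29:4f:8e:12"],
}
SAMPLE_HARDENED_GUEST = {   # CPUID vendor hidden, DMI rewritten, but the NIC OUI left alone
    "cpuid_vendor": None,
    "dmi": ["Dell Inc.", "OptiPlex 7010"],
    "macs": ["00:50:56:ab:cd:ef"],
}
SAMPLE_BARE_METAL = {
    "cpuid_vendor": None,
    "dmi": ["Dell Inc.", "OptiPlex 7010"],
    "macs": ["d4:be:d9:11:22:33"],
}

if __name__ == "__main__":
    for label, art in (("vmware", SAMPLE_VMWARE_GUEST), ("hardened", SAMPLE_HARDENED_GUEST),
                       ("bare-metal", SAMPLE_BARE_METAL), ("this host", collect_linux_artifacts())):
        print(f"{label:<10} virtual={is_virtual(art)} {fingerprint(art)}")
```

The hardened sample is the practical lesson for a honeypot operator: scrubbing one artifact class is not enough, because the bot only needs any single leak, here the virtual NIC's OUI, to classify the machine as a VM and go quiet.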

While conceding that building a honeypot is tricky, Shulman suggested a number of approaches designed to camouflage such systems from the eyes of cybercrooks:

Many honeypot researchers are contemplating the question of how to impersonate infected behaviour while not taking part in any evil, destructive activity.


I do think, however, that the problem described by the researchers is much exaggerated. There are many techniques that honeypot developers employ that would make it very difficult for the malware/botnet to detect honeypot behaviour. Some examples include unlimited outbound communications for a relatively short period of time, deflecting outbound communications to known attack targets, outbound bandwidth control and outbound signature detection.


Most often the time of infection and the time when a recruited zombie becomes maliciously active are far apart, thus there is no need to immediately shut down any outbound communications of the infected computer upon infection.
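The four controls Shulman lists above (a short unrestricted window after infection, deflection of traffic to known attack targets, outbound bandwidth control and outbound signature detection), combined with the infection-to-activity gap he mentions, as one added example that is not Imperva's code. It is a per-flow decision function that a honeypot's egress gateway could call; the grace window length, sinkhole address, target list, signatures and sample flows are all constructed.

```python
"""Egress policy combining the four controls Shulman lists.
Added example, not Imperva's code: GRACE_SECONDS, SINK, the target list,
the signatures and the sample flows are constructed for the demo."""
import re

GRACE_SECONDS = 120                      # unrestricted outbound right after infection
SINK = "10.0.0.250"                      # assumed local sinkhole for deflected flows
KNOWN_ATTACK_TARGETS = {"198.51.100.7"}  # constructed: hosts the herder is attacking
ATTACK_SIGNATURES = [                    # constructed: payload markers that never leave
    re.compile(rb"(?i)UNION\s+SELECT"),
    re.compile(rb"\x90{8,}"),
]


class TokenBucket:
    """Byte-based token bucket: `rate` bytes per second, at most `burst` unspent."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, now

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True


class EgressPolicy:
    def __init__(self, infected_at, rate=1_000, burst=24_000):
        self.infected_at = infected_at
        self.bucket = TokenBucket(rate, burst, infected_at)

    def decide(self, flow, now):
        """flow = {"dst": ip, "dport": port, "payload": bytes}; returns (verdict, reason)."""
        # 1. A recognised exploit never leaves, whatever the window or budget says.
        for sig in ATTACK_SIGNATURES:
            if sig.search(flow["payload"]):
                return "block", f"matched signature {sig.pattern!r}"
        # 2. Traffic to a known attack target is deflected to the local sinkhole.
        if flow["dst"] in KNOWN_ATTACK_TARGETS:
            return "deflect", SINK
        # 3. Shortly after infection the bot sees an unrestricted host.
        if now - self.infected_at <= GRACE_SECONDS:
            return "allow", "grace window"
        # 4. Afterwards outbound volume is capped by the bucket.
        if self.bucket.allow(len(flow["payload"]), now):
            return "allow", f"within budget, {int(self.bucket.tokens)} bytes left"
        return "delay", "bandwidth budget exhausted"


# Constructed flows: (seconds since infection, flow). The real jobs start well
# after the grace window, which is the gap between infection and activity.
SAMPLE_FLOWS = [
    (10,  {"dst": "203.0.113.5",  "dport": 443, "payload": b"beacon id=7"}),
    (30,  {"dst": "198.51.100.7", "dport": 80,  "payload": b"GET / HTTP/1.0\r\n" * 50}),
    (200, {"dst": "192.0.2.25",   "dport": 25,  "payload": b"X" * 20_000}),
    (201, {"dst": "192.0.2.25",   "dport": 25,  "payload": b"X" * 20_000}),
    (300, {"dst": "192.0.2.9",    "dport": 80,  "payload": b"GET /?id=1 UNION SELECT 1,2 HTTP/1.0"}),
]


def run_demo(flows=SAMPLE_FLOWS, infected_at=0):
    policy = EgressPolicy(infected_at)
    return [(t, *policy.decide(flow, infected_at + t)) for t, flow in flows]


if __name__ == "__main__":
    for t, verdict, reason in run_demo():
        print(f"t+{t:>3}s  {verdict:<7} {reason}")
```

The ordering is deliberate: signature blocking and deflection apply even inside the grace window, so the "unrestricted" period only relaxes volume, never the rule that no real victim is hit. The two 20 KB spam bursts show the bandwidth control doing its job: the first fits the budget and the second is delayed, which, to the bot, looks like an ordinary slow home connection rather than a filter.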

