Capricorn: the header update

Malware is always changing and evolving, and so should anti-malware solutions. By their nature, anti-malware solutions are always ‘defending’ a system: only after the user downloads or executes something does the solution interact with the newly created file or process. Based on sample analysis, new mitigation techniques are created and deployed. Ideally, one would know (or predict) what the malware authors will implement in the coming versions and updates. However, this is rather difficult to do.

Mitigating a possible future weakness
The same applies to Capricorn: it is always reactive, acting on changes in the honeypot folders. Therefore I used the same approach I used during the concept phase of Capricorn: I took the perspective of a malicious programmer to find weaknesses in my own application. During beta development and testing I already mitigated a lot of weaknesses that programs similar to Capricorn have. One example is the use of the most used English words instead of a fixed text. A fixed text would be a dead giveaway that the file is a honeypot rather than someone’s personal file. By using the most used words in the English language in a random order, this possible workaround is mitigated.
This new update, amongst other changes, mitigates another problem. Each file type has its own corresponding header. Currently, there are around 700 unique extensions in the extension list in Capricorn. The problem is that each file written to the honeypot folder is filled only with ASCII characters (the most used English words). If the header of a file is compared against what its extension implies, only a few will match (such as “.txt”), because those formats are ASCII-only by default. I’ve included functionality that uses a hardcoded list of extension and header key-value pairs. This way, each extension gets the correct header, and the possibility for ransomware to identify a honeypot by comparing a file’s actual header with the header its extension implies is therefore mitigated. I’ve not yet seen ransomware use this technique, but I do expect future versions of ransomware to implement it, especially if more people use anti-ransomware tools with hardcoded text messages in the honeypot files.
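To illustrate the mechanism described above, here is an added example (not Capricorn’s own code) that writes decoy files whose leading bytes are the header matching their extension, followed by common English words in random order, and then runs the header-versus-extension check a honeypot-aware ransomware might perform. The extension-to-header table and the word list are constructed subsets; Capricorn’s real list covers around 700 extensions.

```python
import os
import random
import tempfile

# Constructed subset of an extension-to-header mapping; Capricorn's own list has
# around 700 entries. The magic values here are the standard ones for each format.
MAGIC = {
    ".pdf": b"%PDF-1.4\n",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".txt": b"",  # plain text has no header, which is why .txt already "matched"
}
# Constructed sample of frequently used English words; the real list is longer.
COMMON_WORDS = ["the", "of", "and", "to", "in", "is", "you", "that", "it", "he",
                "was", "for", "on", "are", "as", "with", "his", "they", "at", "be"]

def build_decoy(ext, n_words=200):
    """Bytes for a decoy file: the extension's header, then shuffled common words."""
    return MAGIC[ext] + " ".join(random.choices(COMMON_WORDS, k=n_words)).encode("ascii")

def header_matches(path):
    """True if the file's leading bytes equal the expected magic for its extension."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False
    with open(path, "rb") as f:
        return f.read(len(expected)) == expected

def write_honeypot(folder, name):
    """Write one decoy file into the honeypot folder and return its path."""
    path = os.path.join(folder, name)
    with open(path, "wb") as f:
        f.write(build_decoy(os.path.splitext(name)[1].lower()))
    return path

def demo():
    # Create header-correct decoys plus one words-only "old style" file and
    # report, per file, whether its header matches its extension.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.pdf", "photo.png", "archive.zip", "notes.txt"):
            results[name] = header_matches(write_honeypot(d, name))
        old = os.path.join(d, "old_style.pdf")  # ASCII words only, no header
        with open(old, "wb") as f:
            f.write(" ".join(COMMON_WORDS).encode("ascii"))
        results["old_style.pdf"] = header_matches(old)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'header ok' if ok else 'header MISMATCH'}")
```

Only the words-only file fails the check, which is exactly the giveaway the header update removes.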

Improved usability
Additionally, improvements have been made to usability. The verbosity of the output shown to the user has been improved: the user can now see the progress while the honeypot files are being installed, and the removal of the honeypot files and folders is likewise shown to the user while it happens.