Skip to content
Go to file

Ghost USB honeypot

Ghost is a honeypot for malware that spreads via USB storage devices. It detects infections with such malware without the need of any further information. If you would like to see a video introduction to the project, have a look at this Youtube video.

The honeypot was first developed for a bachelor thesis at Bonn University in Germany. Now development is continued by the same developer within the Honeynet Project.

Ghost was one of the projects supported by Rapid7's Magnificent7 program (see the press release).

How does it work?

Basically, the honeypot emulates a USB storage device. If your machine is infected by malware that uses such devices for propagation, the honeypot will trick it into infecting the emulated device. See the wiki for details.

What do I need to run it?

Ghost supports Windows XP 32 bit and Windows 7 32 bit. You can either download a binary distribution from the old website or compile the code yourself. If you choose to build the code, you will need the Windows Driver Kit. For detailed instructions on how to do so, refer to the build and install guides in the wiki.


The project's logo was created by Mark Eibes. The project is supported by Rapid7 as a member of their Magnificent7 program.

You can’t perform that action at this time.