390 likes | 634 Views
Using Honeyclients for Detection and Response Against New Attacks. Kathy Wang MITRE Corporation knwang@mitre.org. Problem. We lack a proactive detection technology for client-side attacks. Client-side exploits are a growing threat Lots of client-side vulnerabilities
E N D
Using Honeyclients for Detection and Response Against New Attacks Kathy Wang MITRE Corporation knwang@mitre.org
Problem We lack a proactive detection technology for client-side attacks • Client-side exploits are a growing threat • Lots of client-side vulnerabilities • Microsoft Internet Explorer has more than 50 serious vulnerabilities in last 6 months (SecurityFocus database) • Lots of client-side exploits • 90% of all PCs harbor spyware (Webroot, 2006) • We need to be able to proactively detect and characterize client-side attacks before we get hit
Example of an Emerging Threat • Contagion worm-like attacks • Paxson, et al, How to 0wn the Internet in Your Spare Time • Wheel-and-spoke client-server infection model • Requires two exploits, one for client, one for server Infected Contagion Worm Loaded Server Vulnerable Client Vulnerable Server Vulnerable Server Vulnerable Server Infected Infected Infected
Contagion Worm Model Assumptions • Assume: • 1M vulnerable clients in the world • 1M vulnerable web servers in the world • Out of 10M web servers • 1K popular servers • Clients surf one server per minute • Clients have 90% chance of visiting popular server, 10% chance of visiting unpopular server • Contagion worm begins on one unpopular server
Possible Contagion Worm Propagation Popular Web Servers Vulnerable Web Clients Unpopular Web Servers
Current Situation • Current coverage of client-side exploits is inadequate • Over 50% of recent vulnerabilities are client-based (SecurityFocus) • Only 1.5% of Snort Intrusion Detection System signatures are based on client-side attacks (www.snort.org) • Honeypots • Detect server-side attacks • Passive devices • Current methods of client-side exploit detection are reactive • Anti-virus • Anti-spyware • Clueful users
Background - Honeyclients • Honeyclients provide capability to proactively detect client-side exploits • A honeyclient is a system that drives a client application to potentially malicious servers • Any changes made on honeyclient system are unauthorized – no false positives! • We detect exploits even without prior signatures
Basic Honeyclient Package Internet • Prototype Capabilities • Baseline integrity • Drive IE • Extract URLs • Recurse (Internal) • Integrity checks • Recurse (External) • Virtual host • Protective firewall • Exploit DB • Image rotation • Modular clients • Traffic history • Secure logging • Memory checks Malicious Server Request Response Dedicated DSL Traffic logs Honeyclient Client-side Exploit Database Windows VM Linux Host
Current Situation • Attackers are starting to include honeyclient avoidance technologies on malicious servers • Repeated visits from identical IPs result in blocked access to some malicious sites (SANS Internet Storm Center) • Detection of spidering from honeyclients led to redirection to benign sites (Robert Danford)
Technical Approach: Add Advanced Capabilities to Counter Attackers • Honeyclients should be able to: • Detect kernel modifying rootkits • Improve our integrity checks further • Analyze virtual hard drives outside of VM environment • Thwart exploits that detect virtual machine environments • Add honeyclient capability for physical sandbox environment • PXE boot image may allow us to network boot images quickly on real hardware • Handle active content sites • Be able to access and download content from these sites • Automated mouse clicking technology is available • Be difficult to distinguish from human activity • Attackers now recognize, and will actively counter honeyclients • Develop human-like web crawling algorithms
Human-like Honeyclient Prototype • Link scoring (good vs bad words, link location) • Browsing order for links (breadth vs depth) • Bandwidth footprint (humans do not access links at the same speeds)
Current Situation • Each honeyclient can only cover so many sites • Need to coordinate efforts to improve coverage • No capability exists for distributed scanning • Individual honeyclients can scan redundant servers • There is no central reporting mechanism • The above restrictions limit the depth and breadth that we can effectively cover the Internet
Technical Approach: Increase Our Coverage of Servers • Design and deploy distributed honeyclients • Sponsors are asking for this in order to coordinate efforts • Berkeley Open Infrastructure for Network Computing (BOINC) Project has framework for distributed computing • This will result in much better coverage of the servers on the Internet
Distributed Honeyclient Prototype = Bad server Internet = Good server Honeyclient Honeyclient Virtual Host Virtual Host Report Report Central Repository Report Report Honeyclient Honeyclient Virtual Host Virtual Host
Technical Approach: Gather and Correlate Honeyclient Data • Trend spotting of collected data and statistical correlation • What percentage of all servers are malicious? • How do exploits spread from one server to another? • Are there clusters of servers that become malicious around the same time? (i.e., can we infer the control structure of the malicious server community?) • Expand existing exploit database • Share results of correlation with community
Future Application for Honeyclients Using Honeyclients to Detect Malicious Emails = Non-malicious email = Malicious email Honeyclient Virtual Host Email server sends email URLs and attachments to honeyclient for processing Honeyclient runs checks and notifies email server of bad URLs and/or attachments 2 1 Email Server Only emails that pass checks are forwarded to recipient 3
Impact and Technology Transition • We plan to pilot honeyclient technology for several sponsors • Industry plans to run honeyclients • Verizon • Google • Symantec • Products and standards • Contact vendors about new vulnerabilities in client applications
Why Should You Run Honeyclients? • Operational benefits • Increase your visibility of emerging client-side threats • Malware collection and analysis • Share your results, and obtain other organizations’ results • Networking benefits • Group forum meetings • Government, industry, academic participation • Discussion on latest trends in client-side exploits
Why Should You Run Honeyclients? • Cost benefits • HoneyClient package and Linux OSes are open-sourced • VMWare Server is free • Your costs: hardware, Internet connection, Windows license, analysts • Other factors to consider • Your private data will not be leaked • Opportunity to provide public service through data sharing
Some Honeyclient Case Examples <Disclaimer> Please DO NOT go to any of the sites on the following slides unless you REALLY know what you’re doing!!!) </Disclaimer>
www.world0fwarcraft.net (Changes) Suspiciousfile
www.world0fwarcraft.net (Changes) Definitely suspicious Where’s /etc/hosts file???
www.sharky.in (Changes) Suspicious behavior, let’s check it out further!
www.sharky.in (Changes) This definitely doesn’t look good…
www.sharky.in (Scan) Poor results on scans…
www.exploitoff.net (Changes) OK. Let’s check this out.
www.exploitoff.net (Changes) Definitely not normal…
www.exploitoff.net (Changes) More badness…
www.exploitoff.net (Scans) Note that this binary is very poorly identified…
www.haaretz.com (Changes) So many bad sites, so little time…
www.haaretz.com (Changes) What is this ’46W9GLCI.htm’ file anyway??? Trying to add a printer???
www.haaretz.com (Changes) Here it is again…
www.haaretz.com Clearly, a hacker with a political agenda!
ns1.hosting101.biz Yikes! Very, very bad sign…
Additional Project Information • Our project website http://honeyclient.mitre.org • Send us email, and we will add you to the mailing list honeyclient@mitre.org • We need beta testers! http://www.honeyclient.org/trac/wiki/download • Developers are welcome too! SVN repository is available, let us know if you’d like access