Learn about the browser-based vulnerabilities and the HoneyMonkey system proposed as a solution to detect and analyze websites exploiting browsers, using active VM-based honeypots. Evaluation of the system, exploit detection stages, and statistics are also discussed.
Automated Web Patrol with Strider HoneyMonkeys (paper by Yi-Min Wang et al., Microsoft Research) Presented by Zhichun Li
Overview… • Problem @ hand. • Proposed solution. • Browser based vulnerabilities. • The HoneyMonkey system. • Evaluation. • Questions & Discussion.
Problem @ hand… • Many attacks exploit browser vulnerabilities to install malware without any user action beyond visiting a page. • E.g. • Download.Ject • Bofra • Xpire.info • Current state – manual analysis • Does not scale. • Does not give a comprehensive picture of who is exploiting whom.
Proposed solution… • Active, client-side, VM-based honeypots called Strider HoneyMonkeys. • Perform large-scale, systematic and automated web patrol. • Use monkey programs, running on VMs at different OS/browser patch levels, to mimic a human browsing the web. • Adopt a state-management methodology: an exploit is recognised by the persistent-state changes a visit leaves behind, not by a signature. • Use Strider Tracer to record file, process and registry changes during each visit.
Browser based vulnerability exploits… Typical sequence of an exploit page: • Code obfuscation • URL redirection • Vulnerability exploitation • Malware installation
Code obfuscation… • Dynamic code injection – document.write() called from inside a script. • Unreadable (percent-encoded) code – decoded at run time with unescape(). • Custom decoding routines. • Substring replacement with replace() to assemble the real strings at run time.
URL redirection… • The primary URL (the page visited) redirects to one or more secondary URLs, which often host the actual exploit. • Protocol-level redirection using an HTTP 302 temporary redirect. • HTML tags (e.g. iframe, meta refresh). • Script functions such as window.location.replace().
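The two slides above describe what an exploit page does before it fires; the following added example (not code from the paper or the HoneyMonkey project) shows how an analyst can peel those layers statically. It folds unescape() literals, constant-string .replace() calls and document.write() wrappers until nothing changes, then lists every secondary URL reachable through an iframe, a meta refresh or a location change. The sample page and its hostnames are constructed; HTTP 302 redirects cannot be seen this way because they live in response headers.

```javascript
// Regex fragments: a JS string literal (either quote style) and a regex literal.
const LIT = String.raw`(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')`;
const RX = String.raw`/((?:[^/\\]|\\.)+)/([gimsuy]*)`;

const UNESCAPE_CALL = new RegExp(String.raw`unescape\(\s*(${LIT})\s*\)`, 'g');
// "subject".replace(/pattern/flags, "rep")  or  "subject".replace("pattern", "rep")
const REPLACE_CALL = new RegExp(
  String.raw`(${LIT})\.replace\(\s*(?:${RX}|(${LIT}))\s*,\s*(${LIT})\s*\)`, 'g');
const DOC_WRITE = new RegExp(String.raw`document\.write\(\s*(${LIT})\s*\)\s*;?`, 'g');

// Strip the quotes and undo the simple backslash escapes (\" \' \\); other
// escape forms are left alone, which is enough for the constructs handled here.
function unquote(lit) {
  return lit.slice(1, -1).replace(/\\(["'\\])/g, '$1');
}

// JavaScript's legacy unescape(): %uXXXX and %XX sequences become characters.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, b) => String.fromCharCode(parseInt(u ?? b, 16)));
}

// One pass over the source, folding each recognised construct into a literal.
function unpackOnce(src) {
  return src
    .replace(UNESCAPE_CALL, (m, lit) => JSON.stringify(decodeUnescape(unquote(lit))))
    .replace(REPLACE_CALL, (m, subj, rxBody, rxFlags, patLit, repLit) => {
      const s = unquote(subj), rep = unquote(repLit);
      const out = rxBody !== undefined
        ? s.replace(new RegExp(rxBody, rxFlags), rep)
        : s.replace(unquote(patLit), rep);   // string form replaces the first match, as in JS
      return JSON.stringify(out);
    })
    .replace(DOC_WRITE, (m, lit) => unquote(lit)); // expose the injected HTML
}

// Iterate to a fixed point; the cap guards against pathological input.
function unpack(src, maxRounds = 10) {
  let cur = src;
  for (let i = 0; i < maxRounds; i++) {
    const next = unpackOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Secondary-URL extractors for the redirection mechanisms visible in page source.
const REDIRECT_PATTERNS = [
  /<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi,                                       // <iframe>/<frame>
  /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*url\s*=\s*([^"'\s>]+)/gi,
  /(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']/gi, // script redirects
];

function extractRedirects(src) {
  const found = new Set();
  for (const rx of REDIRECT_PATTERNS) for (const m of src.matchAll(rx)) found.add(m[1]);
  return [...found];
}

function analyze(page) {
  const unpacked = unpack(page);
  return { unpacked, redirects: extractRedirects(unpacked) };
}

// Constructed sample landing page (placeholder hostnames, not a real exploit kit).
const SAMPLE_PAGE = [
  '<html><body><script>',
  // hidden iframe, percent-encoded
  'document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fredirector.example%2Fgo.html%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));',
  // meta refresh with a %uXXXX-encoded tag name
  'document.write(unescape("%u003C%u006D%u0065%u0074%u0061 http-equiv=%22refresh%22 content=%220;url=http://exploit.example/ie.htm%22%3E"));',
  // script redirect whose scheme is repaired by replace() at run time
  'window.location.replace("hxxp://final.example/load.php".replace(/hxxp/, "http"));',
  '</script></body></html>',
].join('\n');

console.log(analyze(SAMPLE_PAGE).redirects);
```

The unpacker is deliberately conservative: it only folds constructs whose operands are constant literals, so anything that depends on variables or a custom decoding routine stays opaque and is a signal that the page needs the dynamic analysis the HoneyMonkey performs.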
Vulnerability exploitation… • A single page often tries several browser vulnerabilities in turn. • Owing to its popularity, IE is the main target. Malware installation… • Drop and run arbitrary code on the victim machine in service of a larger attack goal.
HoneyMonkey system… • Automatically detects and analyzes the network of websites that exploit browsers, rather than individual pages in isolation.
Exploit detection system… • Stage 1 – scalable mode: each unpatched VM visits N URLs at a time; when an exploit is detected, the group is re-visited one URL per VM to pin down the culprits. • Stage 2 – recursive redirection analysis of the confirmed exploit URLs, one URL per VM. • Stage 3 – re-scan the exploit URLs with fully patched VMs; anything that still exploits is a zero-day.
Exploit detection - XML report… • Executable files created or modified outside the browser sandbox folders (e.g. the Temporary Internet Files folder) – the primary detection condition. • Processes created. • Windows registry entries created or modified. • Vulnerability exploited (where it can be identified). • Redirect-URLs visited.
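The report above is derived from the persistent-state trace a monkey's VM records. The added example below (not the project's own code) applies the slide's rule to a constructed Strider-Tracer-style event trace: an executable created or modified outside the sandbox folders marks the visit as an exploit, while process, registry and redirect events are recorded as supporting evidence. Which folders count as the browser sandbox, which extensions count as executable, the XML layout and the trace itself are all assumptions for the sake of the example.

```javascript
// Folders the browser may legitimately write to without an exploit (assumed list).
const SANDBOX_DIRS = [
  'C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\',
  'C:\\Documents and Settings\\monkey\\Cookies\\',
  'C:\\Documents and Settings\\monkey\\Local Settings\\History\\',
];
const EXECUTABLE_EXT = /\.(exe|dll|sys|scr|com)$/i;   // assumed set of executable extensions

// Windows paths are case-insensitive; normalise before comparing prefixes.
const normalize = (p) => p.replace(/\//g, '\\').toLowerCase();
const isExecutable = (p) => EXECUTABLE_EXT.test(p);
const inSandbox = (p, dirs) => dirs.some((d) => normalize(p).startsWith(normalize(d)));

// Turn one visit's trace into the report fields listed on the slide.
function buildReport(url, trace, sandboxDirs = SANDBOX_DIRS) {
  const report = { url, exploited: false, executables: [], processes: [], registry: [], redirects: [] };
  for (const ev of trace) {
    switch (ev.type) {
      case 'file':   // only executables landing outside the sandbox count as exploit evidence
        if (isExecutable(ev.path) && !inSandbox(ev.path, sandboxDirs)) {
          report.executables.push(`${ev.op} ${ev.path}`);
        }
        break;
      case 'process':  report.processes.push(`${ev.parent} -> ${ev.image}`); break;
      case 'registry': report.registry.push(`${ev.op} ${ev.key}`); break;
      case 'redirect': report.redirects.push(ev.url); break;
    }
  }
  report.exploited = report.executables.length > 0;
  return report;
}

// Serialise as a per-URL XML report (element names are this example's choice).
const xmlEscape = (s) => String(s).replace(/[&<>"]/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[c]);
function toXml(r) {
  const rows = [];
  const emit = (tag, items) => items.forEach((i) => rows.push(`  <${tag}>${xmlEscape(i)}</${tag}>`));
  emit('executable', r.executables); emit('process', r.processes);
  emit('registry', r.registry);      emit('redirect', r.redirects);
  return [`<exploit-report url="${xmlEscape(r.url)}" exploited="${r.exploited}">`, ...rows, '</exploit-report>'].join('\n');
}

// Constructed trace for one visit (placeholder paths, not a real sample).
const TRACE = [
  { type: 'file', op: 'create', path: 'C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\Content.IE5\\K1QZ\\banner[1].gif' },
  { type: 'file', op: 'create', path: 'C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\Content.IE5\\K1QZ\\loader[1].exe' },
  { type: 'file', op: 'create', path: 'C:\\WINDOWS\\system32\\wincfg32.exe' },
  { type: 'file', op: 'modify', path: 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts' },
  { type: 'process', op: 'create', parent: 'iexplore.exe', image: 'C:\\WINDOWS\\system32\\wincfg32.exe' },
  { type: 'registry', op: 'set', key: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\wincfg' },
  { type: 'redirect', url: 'http://redirector.example/go.html' },
];

console.log(toXml(buildReport('http://landing.example/index.html', TRACE)));
```

Note what the rule does not catch: the loader[1].exe that was downloaded into the Temporary Internet Files cache is ignored, because the cache is inside the sandbox. That is exactly the evasion the Discussions slide calls "code within browser sandbox", and it is why the file-location rule is complemented by process and registry evidence and by vulnerability-specific detectors.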
Redirection analysis… • Many Stage-1 exploit URLs are only front-end content providers that redirect to the real exploit providers. • Traffic redirection is tracked with a BHO (Browser Helper Object) inside the browser. • The redirect URLs are scanned recursively. • Topology graphs are constructed from the observed traffic redirection. • To identify the pages that actually perform the exploit, URLs are re-visited with redirection blocked; a page that still exploits is an exploit provider.
Anti-Exploit Process… • Generating input URL lists – sources: • Suspicious URLs submitted for analysis. • Popular websites – if compromised they can infect a large population (popularity as measured by search engines). • URLs of more localized scope – within an organization, from browsing history, etc. • Acting on the output exploit-URL data: • Stage 1 – output exploit URLs. • Stage 2 – output traffic-redirection topology graph. • Stage 3 – output zero-day exploit URLs and their topology graphs.
Node ranking… • By number of exploit URLs hosted on the site. • By connection counts (number of distinct sites redirecting traffic to it).
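The redirection-analysis and node-ranking slides above describe turning per-URL redirect chains into a site-level topology graph and ranking its nodes. The added example below (this editor's code, not the paper's) builds that graph from constructed Stage-2 chains, ranks sites by connection count and by exploit URLs hosted, and emits Graphviz DOT for the topology. The role labels come from a simple in/out-degree heuristic that stands in for the paper's redirection-blocked re-scan; the hostnames and chains are constructed.

```javascript
const site = (url) => new URL(url).hostname;

// Constructed Stage-2 output: one redirection chain per exploit URL, from the
// page the monkey visited to the page that finally exploited the browser.
const CHAINS = [
  ['http://freewallpapers.example/index.html', 'http://ads.redirector.example/r.php', 'http://provider-a.example/ie.htm'],
  ['http://lyrics.example/top.html',           'http://ads.redirector.example/r.php', 'http://provider-a.example/ie.htm'],
  ['http://cracks.example/dl.html',            'http://provider-a.example/x1.htm'],
  ['http://cracks.example/serial.html',        'http://provider-b.example/load.htm'],
  ['http://provider-b.example/direct.htm'],
];

// Site-level graph: each node keeps its exploit URLs and its distinct neighbours.
function buildGraph(chains) {
  const nodes = new Map();
  const node = (s) => {
    if (!nodes.has(s)) nodes.set(s, { exploitUrls: new Set(), inbound: new Set(), outbound: new Set() });
    return nodes.get(s);
  };
  for (const chain of chains) {
    for (const u of chain) node(site(u)).exploitUrls.add(u);
    for (let i = 0; i + 1 < chain.length; i++) {
      const from = site(chain[i]), to = site(chain[i + 1]);
      if (from === to) continue;           // same-site hops add no connection
      node(from).outbound.add(to);
      node(to).inbound.add(from);
    }
  }
  return nodes;
}

// Degree heuristic (this example's, not the paper's confirmation method):
// chains end at exploit providers and start at front-end content providers.
function role(n) {
  if (n.inbound.size > 0 && n.outbound.size === 0) return 'exploit provider';
  if (n.inbound.size === 0 && n.outbound.size > 0) return 'front-end';
  if (n.inbound.size > 0) return 'redirector';
  return 'standalone';
}

// Rank by connection count (distinct sites redirecting in), then by exploit URLs hosted.
function rankSites(nodes) {
  return [...nodes]
    .map(([s, n]) => ({ site: s, exploitUrls: n.exploitUrls.size,
                        inbound: n.inbound.size, outbound: n.outbound.size, role: role(n) }))
    .sort((a, b) => b.inbound - a.inbound || b.exploitUrls - a.exploitUrls || a.site.localeCompare(b.site));
}

// Graphviz rendering of the topology graph (dot -Tpng).
function toDot(nodes) {
  const lines = ['digraph redirection {'];
  for (const [s, n] of nodes) {
    lines.push(`  "${s}" [label="${s}\\n${n.exploitUrls.size} exploit URL(s)"];`);
    for (const t of n.outbound) lines.push(`  "${s}" -> "${t}";`);
  }
  lines.push('}');
  return lines.join('\n');
}

const graph = buildGraph(CHAINS);
console.table(rankSites(graph));
console.log(toDot(graph));
```

With this data the two rankings disagree in an instructive way: cracks.example hosts as many exploit URLs as provider-a.example, but only provider-a.example and the ad redirector have a high connection count, which is what makes them the nodes worth taking down or blocking first.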
Zero day exploit detection… • Two zero-day exploits discovered: • Early July 2005 – the javaprxy.dll exploit. • A second one within the next hour. • Important observations: • Monitoring easy-to-find exploit URLs is effective. • Monitoring content providers with well-known URLs is effective. • Monitoring highly ranked and advanced exploit URLs is effective.
Scanning Popular URLs • Summary Statistics
Discussions… Ways an attacker could evade the system: • Identifying HoneyMonkeys • Targeting the HoneyMonkey IP addresses. • Testing whether a human is present (e.g. requiring a click). • Detecting the VM or the HoneyMonkey code. • Exploiting without triggering detection – keep all dropped code within the browser sandbox folders. • Randomizing the attacks so a single visit may see no exploit. Countermeasure noted: VSED – Vulnerability-Specific Exploit Detector, which checks for the exploit of a known vulnerability directly rather than for its side effects.
Pros… • Automatic. • Scalable. • Non-signature-based (detects by state change, so unknown exploits are caught). • Stage-wise design. • Finds zero-day exploits.