
Automated Web Patrol with Strider Honey Monkeys



  1. Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski, Microsoft Research, Redmond. Justin Miller, February 27, 2007

  2. Outline • Internet Attacks • Web Browser Vulnerabilities • HoneyMonkey System • Experiments • Analysis/Future Work

  3. Internet Attacks • Exploit a vulnerability in the user's web browser • Install malicious code on the machine • No user interaction is required beyond visiting the page (drive-by download) • VM-based honeypots are used to detect these attacks

  4. HoneyMonkeys • Windows VMs at various patch levels • Mimic human web browsing • Use StriderTracer to catch unauthorized file creation and system configuration changes • Discover malicious web sites

  5. HoneyMonkeys (figure: VMs running OS1, OS2 and OS3 at different patch levels, each pointed at the same malcode site)

  6. Browser vulnerabilities • Code Obfuscation • Dynamic code injection using document.write() • Unreadable, long strings of encoded characters • URL-encoded (“%28”) or HTML-entity-encoded (“&#104”) • Decoded by a script function or by the browser itself • Evades signature-based anti-virus scanning, which only sees the encoded text
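The obfuscation described on this slide only hides the payload from a scanner that reads the page as text; once the encoded strings are decoded the way the browser would decode them, the exploit page's URL becomes visible. The following is an added example, not code from the paper or the HoneyMonkey system: a small static deobfuscator that unwraps `document.write("...")` / `unescape("...")` string literals, repeatedly undoes %xx URL-encoding and `&#nnn;` HTML entities until the text stops changing, and reports which URLs were hidden. The sample page and the host names `exploit.example` and `drop.example` are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample page (not from the paper): the first script hides an
# invisible iframe behind URL-encoding inside unescape(); the second hides a
# remote script tag behind HTML numeric entities. Both hosts are made up.
SAMPLE_PAGE = (
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
    'exploit.example%2Fx.htm%22%20width%3D0%20height%3D0%3E"));</script>'
    '<script>document.write("&#60;script src=&#34;http://drop.example/a.js'
    '&#34;&#62;");</script>'
)

# A URL ends at whitespace, quotes, angle brackets, or an HTML entity such as
# &#34; (but a bare & inside a query string is still part of the URL).
URL_RE = re.compile(r"https?://(?:[^\s\"'<>&]|&(?!#x?[0-9A-Fa-f]+;|[A-Za-z]+;))+")

# document.write("..."), optionally wrapped in unescape("...")
DOCWRITE_RE = re.compile(
    r'document\.write\s*\(\s*(?:unescape\s*\()?\s*"([^"]*)"', re.I)


def decode_layer(s: str) -> str:
    """Undo one layer of %xx URL-encoding and &#nnn; / &name; HTML entities,
    which is what unescape() and the HTML parser do at run time."""
    return html.unescape(unquote(s))


def deobfuscate(page: str, max_rounds: int = 5) -> str:
    """Decode until a fixed point so nested encodings are peeled off too.
    Only string-literal obfuscation is handled; arithmetic or eval()-built
    code would still need a script engine."""
    text = page
    for _ in range(max_rounds):
        # Expose whatever document.write() would inject into the DOM.
        new = DOCWRITE_RE.sub(lambda m: decode_layer(m.group(1)), text)
        # Encoded characters may also sit outside document.write().
        new = decode_layer(new)
        if new == text:
            break
        text = new
    return text


def extract_urls(text: str) -> set:
    """All absolute http(s) URLs visible in the text as written."""
    return set(URL_RE.findall(text))


def hidden_urls(page: str) -> set:
    """URLs that appear only after decoding: the ones an AV signature scan of
    the raw page would never see."""
    return extract_urls(deobfuscate(page)) - extract_urls(page)


if __name__ == "__main__":
    print("visible as written:", extract_urls(SAMPLE_PAGE))
    print("revealed by decoding:", hidden_urls(SAMPLE_PAGE))
```

On the sample page the raw text exposes only `drop.example`; the iframe pointing at `exploit.example` appears only after decoding. This is exactly why HoneyMonkey judges a page by what it does to the machine rather than by what its HTML looks like.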

  7. Browser vulnerabilities • URL Redirection • Protocol-level redirection using an HTTP 302 temporary redirect • HTML tags, e.g. frames inside a <frameset> • Script functions such as window.location.replace() or window.open() • Redirection is also common on non-malicious sites, so it is not a signal by itself

  8. Browser vulnerabilities • Malware Installation • Viruses • Backdoor functions • Bot programs • Trojan downloaders – download and run other programs • Trojan droppers – write (drop) embedded malware files to disk • Trojan proxies – redirect network traffic through the victim • Spyware programs

  9. HoneyMonkey System • Attempts to automatically detect and analyze web sites that exploit web browsers • 3-stage pipeline of virtual machines • Stage 1: scalable mode (many URLs per VM) • Stage 2: recursive redirection analysis • Stage 3: re-scan with fully patched VMs

  10. HoneyMonkey: Stage 1 • Visit N URLs simultaneously in one VM • If an exploit is detected, re-visit each URL individually until the exploit URL is found (figure: one VM visits U1 to U6 together; a second VM then isolates U2 and U3)

  11. HoneyMonkey: Stage 2 • Re-scan exploit URLs • Perform recursive redirection analysis • Identify all web pages involved (figure: U2 and U3 are re-scanned and their redirection chains lead to U9 and U10)

  12. HoneyMonkey: Stage 3 • Re-scan exploit URLs • Scan using fully patched VMs • Identify attacks exploiting the latest vulnerabilities (figure: U2, U3, U9 and U10 are scanned on a fully patched VM; U2 and U9 still exploit it)

  13. HoneyMonkey Flowchart • Scans up to 500-700 URLs per day
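Slides 9 to 13 describe the three-stage pipeline as a procedure. The block below is an added example, not code from the paper: it simulates the pipeline end to end with the VM visit replaced by a stand-in function. Stage 1 loads a whole batch of URLs into one "VM" and only re-visits them one by one when the batch turns out dirty (this is what makes the first stage scalable); Stage 2 walks a redirection map recursively to collect every page involved; Stage 3 re-checks those pages against a "fully patched" set that stands in for the zero-day case. The URL lists, the redirection map and the `EXPLOIT_URLS` / `ZERO_DAY` sets are all constructed for the example.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed ground truth for the simulated VMs (host names are made up).
EXPLOIT_URLS = {"http://bad1.example/", "http://bad3.example/"}

# URL -> pages it pulls in via 302 redirects, frames or injected scripts.
REDIRECTS: Dict[str, List[str]] = {
    "http://bad1.example/": ["http://hop.example/r"],
    "http://hop.example/r": ["http://provider.example/e.htm"],
    "http://bad3.example/": ["http://provider.example/e.htm"],
}

# Pages whose exploit still works on a fully patched VM (a zero-day here).
ZERO_DAY = {"http://provider.example/e.htm"}

INPUT_URLS = [
    "http://ok1.example/", "http://bad1.example/", "http://ok2.example/",
    "http://bad3.example/", "http://ok3.example/", "http://ok4.example/",
]


def unpatched_vm_visit(urls: List[str]) -> bool:
    """Stand-in for one visit by an unpatched VM: True if a persistent-state
    change (new .exe, new registry entry) would have been observed."""
    return any(u in EXPLOIT_URLS for u in urls)


def stage1_scalable_scan(urls: List[str],
                         visit: Callable[[List[str]], bool],
                         batch_size: int = 6) -> Tuple[Set[str], int]:
    """Stage 1: load batch_size URLs into one VM at once. Only when that VM
    gets infected are the URLs re-visited one at a time to find the culprits.
    Returns (exploit_urls, number_of_vm_visits) so the cost is visible."""
    found: Set[str] = set()
    visits = 0
    for i in range(0, len(urls), batch_size):
        batch = urls[i:i + batch_size]
        visits += 1
        if not visit(batch):
            continue                      # whole batch clean: one visit, done
        for u in batch:                   # batch dirty: isolate individually
            visits += 1
            if visit([u]):
                found.add(u)
    return found, visits


def stage2_redirect_analysis(url: str, redirects: Dict[str, List[str]]) -> List[str]:
    """Stage 2: recursively follow redirections from an exploit URL so every
    page in the chain is recorded, in the order a browser would fetch them."""
    order: List[str] = []

    def walk(u: str) -> None:
        if u in order:                    # guard against redirect loops
            return
        order.append(u)
        for nxt in redirects.get(u, []):
            walk(nxt)

    walk(url)
    return order


def stage3_fully_patched(urls: Set[str], zero_day: Set[str]) -> Set[str]:
    """Stage 3: re-scan with a fully patched VM. Anything that still exploits
    is attacking a vulnerability with no patch available yet."""
    return {u for u in urls if u in zero_day}


def run_pipeline(urls: List[str], redirects=REDIRECTS, zero_day=ZERO_DAY) -> dict:
    stage1, visits = stage1_scalable_scan(urls, unpatched_vm_visit)
    chains = {u: stage2_redirect_analysis(u, redirects) for u in sorted(stage1)}
    involved = {p for chain in chains.values() for p in chain}
    return {"exploit_urls": stage1, "stage1_visits": visits,
            "chains": chains, "zero_day": stage3_fully_patched(involved, zero_day)}


if __name__ == "__main__":
    print(run_pipeline(INPUT_URLS))
```

With the six constructed URLs, Stage 1 costs one batch visit plus six individual re-visits; had the batch been clean it would have cost a single visit, which is the whole point of scanning in batches. Stage 2 then shows that both entry pages funnel into the same `provider.example` page, and Stage 3 is what separates an exploit that patches already stop from one that needs a new fix.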

  14. Web Site Visits • Monkey program launches the browser on a URL • Waits 2 minutes • Allows all malicious code to download • Detects persistent-state changes outside the browser sandbox • New registry entries and .exe files • Because no signatures are needed, this uniformly detects: • Known vulnerability attacks • Zero-day exploits

  15. HoneyMonkey Report • Generates an XML report at the end of each visit • .exe files created or modified • Processes created • Registry entries created or modified • Vulnerability exploited • Redirect-URLs visited • The Monkey Controller then restores the infected VM to a clean state
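Slides 14 and 15 together describe the detection rule (persistent-state changes after the two-minute wait) and the report it produces. The block below is an added example and not the StriderTracer or HoneyMonkey code: it diffs two snapshots of file hashes, registry values and process names, applies the "new executable or new registry entry outside the browser" rule, and emits the per-visit XML report with the fields the slide lists. The snapshots, paths, hashes and the `winsvc32.exe` name are all constructed; in a real deployment the snapshots would come from the tracer and the exploited-vulnerability field from Stage 3.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed snapshots of persistent state before and after one URL visit.
# Paths, hashes and names are made up for this example.
BEFORE = {
    "files": {
        "C:\\Windows\\explorer.exe": "sha256:aaaa",
        "C:\\Windows\\System32\\shell32.dll": "sha256:bbbb",
    },
    "registry": {
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon": "ctfmon.exe",
    },
    "processes": {"explorer.exe", "iexplore.exe"},
}
AFTER = {
    "files": {
        "C:\\Windows\\explorer.exe": "sha256:aaaa",
        "C:\\Windows\\System32\\shell32.dll": "sha256:bbbb",
        "C:\\Windows\\System32\\winsvc32.exe": "sha256:cccc",            # dropped
        "C:\\Documents and Settings\\user\\Local Settings\\Temp\\a.exe": "sha256:dddd",
    },
    "registry": {
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon": "ctfmon.exe",
        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\winsvc32": "winsvc32.exe",  # persistence
    },
    "processes": {"explorer.exe", "iexplore.exe", "winsvc32.exe"},
}


def diff_state(before: dict, after: dict) -> Dict[str, List[str]]:
    """What the visit created or modified. Only persistent state is compared,
    so a page that merely renders is never flagged, whatever its HTML says."""
    bf, af = before["files"], after["files"]
    br, ar = before["registry"], after["registry"]
    return {
        "files_created": sorted(p for p in af if p not in bf),
        "files_modified": sorted(p for p, h in af.items() if p in bf and bf[p] != h),
        "registry_created": sorted(k for k in ar if k not in br),
        "registry_modified": sorted(k for k, v in ar.items() if k in br and br[k] != v),
        "processes_created": sorted(after["processes"] - before["processes"]),
    }


def is_exploit(diff: Dict[str, List[str]]) -> bool:
    """Detection rule from the slide: an executable written, or a registry
    entry created or changed. Counting only .exe files is a simplification
    made for this example; a deployment would allow-list browser-owned paths."""
    exes = [p for p in diff["files_created"] + diff["files_modified"]
            if p.lower().endswith(".exe")]
    return bool(exes or diff["registry_created"] or diff["registry_modified"])


def build_report(url: str, diff: Dict[str, List[str]], redirect_urls: List[str],
                 vulnerability: str = None) -> str:
    """The per-visit XML report: files, processes, registry, vulnerability,
    redirect-URLs. Element names are this example's own choice."""
    root = ET.Element("honeymonkey-report", url=url,
                      exploit=str(is_exploit(diff)).lower())
    if vulnerability:
        ET.SubElement(root, "vulnerability").text = vulnerability
    files = ET.SubElement(root, "files")
    for p in diff["files_created"]:
        ET.SubElement(files, "file", action="created").text = p
    for p in diff["files_modified"]:
        ET.SubElement(files, "file", action="modified").text = p
    reg = ET.SubElement(root, "registry")
    for k in diff["registry_created"]:
        ET.SubElement(reg, "key", action="created").text = k
    for k in diff["registry_modified"]:
        ET.SubElement(reg, "key", action="modified").text = k
    procs = ET.SubElement(root, "processes")
    for n in diff["processes_created"]:
        ET.SubElement(procs, "process").text = n
    redirs = ET.SubElement(root, "redirects")
    for r in redirect_urls:
        ET.SubElement(redirs, "url").text = r
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    d = diff_state(BEFORE, AFTER)
    print(build_report("http://bad1.example/", d,
                       ["http://bad1.example/", "http://provider.example/e.htm"]))
```

The rule is deliberately blind to how the page looked: an obfuscated script that drops nothing is reported clean, and a page that drops `winsvc32.exe` and adds a Run key is reported as an exploit whether or not any signature exists for it. That is what gives the uniform treatment of known and zero-day attacks mentioned on slide 14.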

  16. Web Site Redirection (figure: URL1 redirects to URL2, which redirects to URL3; data is collected at every hop, not only at the first URL)

  17. Input URL Lists • Suspicious URLs • Known to host spyware or malware • Links appearing in phishing or spam messages • Most popular web sites • Top 100,000 by browser traffic ranking • Local URLs • Organizations wanting to verify that their own web pages have not been compromised

  18. Output URL Data • Exploit URLs • Measure the risk of visiting similar web sites • Topology graphs of redirections • Several URLs were shut down as a result • Provide leads for anti-spyware research • Zero-day exploits • Monitor URLs for “upgrades” to newer exploits

  19. Experimental Results • Collected 16,000+ URLs • Web search for “known-bad” web sites • Web search for Windows “hosts” files that block ad/spyware domains • Depth-2 crawling of the previous URLs • 207/16,190 = 1.28% of the scanned sites were found to exploit the browser

  20. Experimental Results • All tests were done using Internet Explorer 6 (results table not reproduced here)

  21. Topology Graphs • 17 exploit URLs for SP2-PP (Windows XP SP2, partially patched) • These are the most powerful exploit pages, since they work against a partially patched system

  22. Site Ranking • Plays a key role in the anti-exploit process • Determines how to allocate limited resources among: • Monitoring URLs • Investigating URLs • Blocking URLs • Legal action against host sites

  23. Site Ranking • 2 types of site ranking, based on: • Connection counts – how many other malicious URLs link or redirect to the site • Number of hosted exploit-URLs – web sites with a large internal page hierarchy, including transient URLs with random strings

  24. Site Ranking • Based on connection counts (graph not reproduced here)

  25. Site Ranking • Based on number of exploit-URLs hosted (graph not reproduced here)

  26. Effective Monitoring • Easy-to-find exploit URLs • Useful for detecting zero-day exploits • Content providers with well-known URLs • Must keep these URLs stable to retain their traffic • Highly ranked URLs • More likely to upgrade to new exploits, so worth re-scanning regularly
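Slides 22 to 26 describe how the Stage-2 redirection chains are turned into a site-level topology graph and two rankings. The block below is an added example, not the paper's tooling: it collapses URLs to their site so transient, randomly named pages on one host are counted together, builds the site-to-site edges, and computes both rankings (distinct sites sending traffic to a site, and distinct exploit-URLs a site hosts), then picks the sites that top either list as monitoring candidates. The traces, the host names and the random-looking path segments are constructed for the example.

```python
from collections import Counter, defaultdict
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Constructed Stage-2 traces (not from the paper): each list is the chain of
# pages one exploit visit pulled in, entry page first. Host names are made up;
# the random-looking segments under celeb.example imitate transient URLs.
TRACES: List[List[str]] = [
    ["http://lyrics.example/p1.htm", "http://redir.example/go?id=1", "http://provider.example/e.htm"],
    ["http://wallpapers.example/index.htm", "http://provider.example/e.htm"],
    ["http://cheats.example/x.htm", "http://provider.example/e2.htm"],
    ["http://wrestling.example/news.htm", "http://redir.example/go?id=2", "http://provider.example/e.htm"],
    ["http://celeb.example/a8f3k2q/", "http://celeb.example/zz91xp/", "http://provider.example/e.htm"],
    ["http://celeb.example/b7q2/"],
]


def site(url: str) -> str:
    """Collapse a URL to its host so every transient page on one site
    contributes to the same node of the topology graph."""
    return urlparse(url).hostname or url


def site_edges(traces: List[List[str]]) -> Set[Tuple[str, str]]:
    """Site-level topology: one directed edge per (source site, target site)
    seen in any chain. A hop between two pages of the same site is not an edge."""
    edges: Set[Tuple[str, str]] = set()
    for chain in traces:
        for src, dst in zip(chain, chain[1:]):
            if site(src) != site(dst):
                edges.add((site(src), site(dst)))
    return edges


def rank_by_connections(traces: List[List[str]]) -> List[Tuple[str, int]]:
    """Ranking 1: how many distinct sites send traffic to each site. The site
    that many others redirect into is the exploit provider worth taking down."""
    indeg = Counter(dst for _, dst in site_edges(traces))
    return sorted(indeg.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_by_hosted_urls(traces: List[List[str]]) -> List[Tuple[str, int]]:
    """Ranking 2: how many distinct exploit-URLs each site hosts. High counts
    come from large page hierarchies or transient random-string URLs."""
    hosted = defaultdict(set)
    for chain in traces:
        for u in chain:
            hosted[site(u)].add(u)
    return sorted(((s, len(us)) for s, us in hosted.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def monitoring_targets(traces: List[List[str]], top: int = 1) -> Set[str]:
    """Sites at the top of either ranking: the ones most likely to 'upgrade'
    to a new exploit and therefore worth re-scanning regularly."""
    return ({s for s, _ in rank_by_connections(traces)[:top]}
            | {s for s, _ in rank_by_hosted_urls(traces)[:top]})


if __name__ == "__main__":
    print("by connections:", rank_by_connections(TRACES))
    print("by hosted URLs:", rank_by_hosted_urls(TRACES))
    print("monitor:", monitoring_targets(TRACES))
```

The two rankings answer different questions: `provider.example` wins on connections because four other sites funnel traffic into it, while `celeb.example` wins on hosted URLs purely because of its transient random paths, which is the situation slide 23 warns about. Collapsing to the site before counting is what keeps those random paths from inflating the first ranking as well.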

  27. Scanning Popular URLs (results table not reproduced here)

  28. HoneyMonkey Evasion • Target by IP address • Blacklist the IP addresses of HoneyMonkey machines • Determine whether a human is present • Set a cookie to suppress repeat visits from the same machine • A one-time dialog pop-up defeats a monkey that never clicks, and serves as a human check • Detect the VM or the HoneyMonkey code • Test whether the machine is virtualized (x86 is not fully virtualizable, so some instructions behave differently under a VMM) • VM detection becomes less useful to attackers as VM use among real users increases

  29. Bad Web Site Rankings • Categories of popular sites found hosting exploits: • Celebrity info • Song lyrics • Wallpapers • Video game cheats • Wrestling

  30. Related Work • Email quarantine • Intercepts and inspects every incoming message • Shadow honeypots • Divert suspicious traffic to an instrumented shadow version of the service • Detect potential attacks and filter out false positives • Honeyclient • Also tries to identify browser-based attacks by visiting sites with a client

  31. Strengths • HoneyMonkey will detect most • Trojans and viruses • Backdoor functions • Spyware programs • Uniform detection of exploits, with no signatures required • Known vulnerability attacks • Zero-day exploits • Generates an XML report for each visit

  32. Weaknesses • Takes time to clean the infected VM after each exploiting web site visit • Code obfuscation escapes anti-virus software, so the page itself cannot be classified statically • Only detects persistent-state changes; an in-memory-only attack is missed • HoneyMonkey only waits 2 minutes per URL • A site can delay its exploit beyond that window

  33. Improvements • Run HoneyMonkey with random wait times • Combats sites that delay their exploit • Randomize HoneyMonkey behaviour so it cannot be fingerprinted • Vulnerability-Specific Exploit Detector (VSED) • Inserts breakpoints on the vulnerable code paths • Stops execution before the potentially malicious code runs

  34. Questions?
