Automated Web Patrol with Strider HoneyMonkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski
Microsoft Research, Redmond
Justin Miller, February 27, 2007
(PowerPoint presentation transcript)
2
Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis/Future Work
3
Internet Attacks
- Exploit a vulnerability of the user's web browser
- Install malicious code on the machine
- No user interaction required
- Later, VM-based honeypots are used to detect these attacks
4
HoneyMonkeys
- OSs of various patch levels
- Mimic human web browsing
- Use StriderTracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites
5
HoneyMonkeys
[Diagram: HoneyMonkey virtual machines running OS1, OS2 and OS3, each exposed to malcode]
6
Browser vulnerabilities: Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings with encoded chars, e.g. "%28" or "h"
- Decoded by a script function or by the browser
- Escapes anti-virus software
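The obfuscation pattern on this slide (a long percent-encoded string literal, a runtime decoder such as unescape(), and document.write() injecting the result) is what a scanner has to recognise. The following detector is an added example, not code from the paper or from the HoneyMonkey system; the sample script, the thresholds and the indicator names are constructed here:

```python
import re
from urllib.parse import unquote

# Constructed sample (not from a real page): markup hidden in a percent-encoded
# string literal, decoded at runtime and injected with document.write().
SAMPLE_SCRIPT = (
    "var s='%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx%22%3E%3C%2Fiframe%3E';"
    "document.write(unescape(s));"
)

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}")   # "%28"-style and "\x28"-style escapes
STRING_LIT = re.compile(r"""(['"])(.*?)\1""")                # quoted JavaScript string literals
DECODER = re.compile(r"\b(?:unescape|decodeURIComponent|eval|String\.fromCharCode)\s*\(")
WRITE_CALL = re.compile(r"document\.write\s*\(")

def encoded_literals(script, min_len=40, min_density=0.3):
    """String literals long enough and dense enough in escapes to be unreadable (assumed thresholds)."""
    found = []
    for m in STRING_LIT.finditer(script):
        lit = m.group(2)
        if len(lit) < min_len:
            continue
        if len(ESCAPE.findall(lit)) * 3 / len(lit) >= min_density:
            found.append(lit)
    return found

def decode_layer(text):
    """Undo one layer of %xx and \\xNN encoding so the injected markup becomes readable."""
    text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)

def analyze(script):
    """Score the slide's indicators and return the decoded payload for an analyst to read."""
    literals = encoded_literals(script)
    decoded = [decode_layer(lit) for lit in literals]
    indicators = {
        "document_write": bool(WRITE_CALL.search(script)),
        "runtime_decoder": bool(DECODER.search(script)),
        "encoded_literal": bool(literals),
        # markup that only appears after decoding is the tell-tale of dynamic injection
        "injects_markup": any(re.search(r"<(?:iframe|script|object|embed)\b", d, re.I) for d in decoded),
    }
    return {"score": sum(indicators.values()), "indicators": indicators, "decoded": decoded}

if __name__ == "__main__":
    print(analyze(SAMPLE_SCRIPT))
```

A signature scanner sees only the encoded literal; decoding one layer first is what lets the injected iframe be inspected.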
7
Browser vulnerabilities: URL Redirection
- Protocol redirection using an HTTP 302 temporary redirect
- HTML tags inside <frameset>
- Script functions: window.location.replace() or window.open()
- Redirection is common in non-malicious sites
8
Browser vulnerabilities: Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders: download other programs
- Trojan droppers: delete (drop) files
- Trojan proxies: redirect network traffic
- Spyware programs
9
HoneyMonkey System
- Attempts to automatically detect and analyze web sites that exploit web browsers
- 3-stage pipeline of virtual machines:
  - Stage 1: scalable mode
  - Stage 2: recursive redirection analysis
  - Stage 3: scan fully patched VMs
10
HoneyMonkey: Stage 1
- Visit N URLs simultaneously
- If an exploit is detected, re-visit each one individually until the exploit URL is found
[Diagram: one VM visits U1-U6 together; a second VM re-visits U2 and U3 individually]
11
HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
[Diagram: U2 and U3 re-scanned; following their redirections reaches U9 and U10]
12
HoneyMonkey: Stage 3
- Re-scan exploit URLs
- Scan using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
[Diagram: U2, U3, U9 and U10 scanned on a fully patched VM; output U2 and U9]
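The three stages above, with the redirection chains from slide 7, form one procedure: batch scanning, one-by-one re-visits of a batch that fired, recursive following of redirects, and a re-scan on a fully patched VM. This simulation is an added example, not the paper's code; the VM visit is a stub driven by constructed URL names (U1-U10), exploit sets and redirect tables, so the control flow can be run without any virtual machines:

```python
from collections import deque

# Constructed data, not the paper's: which URLs exploit an unpatched browser, which
# still exploit a fully patched one (a zero-day), and where each URL redirects.
UNPATCHED_EXPLOITS = {"U2", "U3", "U9"}
PATCHED_EXPLOITS = {"U9"}
REDIRECTS = {"U2": ["U9"], "U3": ["U10"]}

def visit(urls, exploits):
    """Stand-in for one VM visit (browser plus StriderTracer in the real system).
    Returns (exploit detected on this VM, redirect targets seen per URL)."""
    seen = {u: REDIRECTS.get(u, []) for u in urls}
    return any(u in exploits for u in urls), seen

def stage1(urls, n, exploits=UNPATCHED_EXPLOITS):
    """Scalable mode: N URLs per VM; a hit triggers one-by-one re-visits of that batch only."""
    exploit_urls, visits = [], 0
    for i in range(0, len(urls), n):
        batch = urls[i:i + n]
        visits += 1
        if visit(batch, exploits)[0]:
            for u in batch:
                visits += 1
                if visit([u], exploits)[0]:
                    exploit_urls.append(u)
    return exploit_urls, visits

def stage2(exploit_urls, exploits=UNPATCHED_EXPLOITS):
    """Recursive redirection analysis: visit each page alone and follow every redirect,
    so every URL involved (including the final exploit provider) ends up in the graph."""
    topology, queue = {}, deque(exploit_urls)
    while queue:
        u = queue.popleft()
        if u in topology:
            continue
        hit, seen = visit([u], exploits)
        topology[u] = {"exploit": hit, "redirects_to": seen[u]}
        queue.extend(seen[u])
    return topology

def stage3(topology, exploits=PATCHED_EXPLOITS):
    """Re-scan on a fully patched VM: anything that still exploits is a zero-day lead."""
    return sorted(u for u in topology if visit([u], exploits)[0])

if __name__ == "__main__":
    hits, cost = stage1(["U1", "U2", "U3", "U4", "U5", "U6"], n=3)
    graph = stage2(hits)
    print(hits, cost, graph, stage3(graph))
```

With six URLs in batches of three, the clean batch costs one visit and the dirty batch four, which is the saving scalable mode buys when most URLs are benign.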
13
HoneyMonkey Flowchart
- Scans up to 500-700 URLs per day
14
Web Site Visits
- Monkey program launches the URL
- Waits 2 minutes to allow all malicious code to download
- Detects persistent-state changes: new registry entries and .exe files
- Allows uniform detection of known-vulnerability attacks and zero-day exploits
15
HoneyMonkey Report
- Generates an XML report at the end of each visit:
  - .exe files created or modified
  - Processes created
  - Registry entries created or modified
  - Vulnerability exploited
  - Redirect-URLs visited
- Monkey Controller cleans up the infected machine state
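Slides 14 and 15 describe the detection rule (persistent-state changes after a visit that only asked the browser to render a page) and the per-visit XML report. The snapshot diff and report builder below are an added example, not the paper's or StriderTracer's code; the before/after snapshots, file hashes and registry values are constructed, and the detection rule is an assumed simplification:

```python
import xml.etree.ElementTree as ET

# Constructed snapshots (not real tracer output) of the persistent state compared
# before and after a visit: executables (path -> content hash), registry values, processes.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
BEFORE = {
    "exe": {"C:\\Windows\\notepad.exe": "h1"},
    "registry": {RUN_KEY + "Sidebar": "sidebar.exe"},
    "processes": {"iexplore.exe"},
}
AFTER = {
    "exe": {"C:\\Windows\\notepad.exe": "h1", "C:\\Windows\\Temp\\svc.exe": "h2"},
    "registry": {RUN_KEY + "Sidebar": "sidebar.exe", RUN_KEY + "svc": "C:\\Windows\\Temp\\svc.exe"},
    "processes": {"iexplore.exe", "svc.exe"},
}

def diff_state(before, after):
    """Persistent-state changes made during the visit: exe files and registry entries
    created or modified, plus processes that appeared."""
    def created_or_modified(old, new):
        return {k: v for k, v in new.items() if old.get(k) != v}
    return {
        "exe": created_or_modified(before["exe"], after["exe"]),
        "registry": created_or_modified(before["registry"], after["registry"]),
        "processes": sorted(after["processes"] - before["processes"]),
    }

def is_exploit(diff):
    """Detection rule: rendering a page should not create or change executables or registry
    entries, so any such change counts as unauthorised. Assumed simplification: a real tracer
    would allow-list the browser's own cache and history writes."""
    return bool(diff["exe"] or diff["registry"])

def build_report(url, diff, redirects=()):
    """Per-visit XML report with the fields a state diff can supply (the exploited
    vulnerability itself needs a separate detector and is not included here)."""
    root = ET.Element("visit", url=url, exploit=str(is_exploit(diff)).lower())
    for path, digest in diff["exe"].items():
        ET.SubElement(root, "exe", path=path, hash=digest)
    for name in diff["processes"]:
        ET.SubElement(root, "process", name=name)
    for key, value in diff["registry"].items():
        ET.SubElement(root, "registry", key=key, value=value)
    for target in redirects:
        ET.SubElement(root, "redirect", url=target)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_report("http://example.invalid/page", diff_state(BEFORE, AFTER)))
```

Because the rule looks at state, not at the exploit code, a zero-day that drops an executable produces the same report as a known attack, which is the uniform detection slide 14 claims.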
16
Web Site Redirection
[Diagram: URL1 redirects to URL2, which redirects to URL3; data is collected at each URL]
17
Input URL Lists
- Suspicious URLs: known to host spyware or malware; links appearing in phishing or spam messages
- Most popular web sites: top 100,000 by browser traffic ranking
- Local URLs: organizations want to verify their web pages have not been compromised
18
Output URL Data
- Exploit URLs: measure the risk of visiting similar web sites
- Topology graphs: several URLs shut down; provide leads for anti-spyware research
- Zero-day exploits: monitor URL "upgrades"
19
Experimental Results
- Collected 16,000+ URLs:
  - Web search of "known-bad" web sites
  - Web search for Windows "hosts" files
  - Depth-2 crawling of previous URLs
- 207/16,190 = 1.28% of web sites
20
Experimental Results
- All tests done using IE v6
21
Topology Graphs
- 17 exploit URLs for SP2-PP
- Most powerful exploit pages
22
Site Ranking
- Key role in the anti-exploit process
- Determines how to allocate resources:
  - Monitoring URLs
  - Investigation of URLs
  - Blocking URLs
  - Legal actions against host sites
23
Site Ranking
- 2 types of site ranking, based on:
  - Connection counts: links URLs to other malicious URLs
  - Number of hosted exploit URLs: web sites with an important internal page hierarchy; includes transient URLs with random strings
24
Site Ranking
- Based on connection counts
25
Site Ranking
- Based on number of exploit URLs hosted
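Slides 23 to 25 rank sites two ways from the topology graph Stage 2 produces: by how many other malicious sites a site is connected to, and by how many exploit URLs it hosts. The ranking code below is an added example, not the paper's; the redirect edges, hostnames (all under .example) and exploit URLs are constructed, and grouping by hostname is the assumed definition of a "site":

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed topology (not the paper's data): redirect edges between pages that took
# part in an exploit chain, and the pages on which an exploit actually fired.
EDGES = [
    ("http://lyrics.example/a.html", "http://ads.example/r?id=7f3a"),
    ("http://lyrics.example/b.html", "http://ads.example/r?id=9c1d"),
    ("http://cheats.example/x.htm", "http://ads.example/r?id=0b2e"),
    ("http://ads.example/r?id=7f3a", "http://exploit.example/p1.htm"),
    ("http://ads.example/r?id=9c1d", "http://exploit.example/p1.htm"),
    ("http://ads.example/r?id=0b2e", "http://exploit.example/p2.htm"),
]
EXPLOIT_URLS = {
    "http://exploit.example/p1.htm",
    "http://exploit.example/p2.htm",
    "http://ads.example/r?id=0b2e",   # transient URL with a random-looking string
}

def site(url):
    """A site is identified by hostname, so transient per-visit URLs collapse onto it."""
    return urlsplit(url).hostname

def rank_by_connections(edges):
    """Connection count: number of distinct other sites a site links to or is linked from.
    A site that many content providers redirect into, and that feeds the exploit
    providers, sits at the top and is the natural monitoring and blocking target."""
    neighbours = defaultdict(set)
    for src, dst in edges:
        if site(src) != site(dst):          # internal links do not count as connections
            neighbours[site(src)].add(site(dst))
            neighbours[site(dst)].add(site(src))
    return sorted(((len(n), s) for s, n in neighbours.items()), reverse=True)

def rank_by_hosted_exploits(exploit_urls):
    """Hosted exploit-URL count: every exploit URL counts, transient ones included."""
    counts = defaultdict(int)
    for u in exploit_urls:
        counts[site(u)] += 1
    return sorted(((c, s) for s, c in counts.items()), reverse=True)

if __name__ == "__main__":
    print(rank_by_connections(EDGES))
    print(rank_by_hosted_exploits(EXPLOIT_URLS))
```

The two rankings disagree on purpose: the redirector hub wins on connections while the exploit provider wins on hosted exploit URLs, which is why the slides keep both.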
26
Effective Monitoring
- Easy-to-find exploit URLs: useful for detecting zero-day exploits
- Content providers with well-known URLs must maintain these URLs to keep high traffic
- Highly ranked URLs are more likely to upgrade exploits
27
Scanning Popular URLs
28
HoneyMonkey Evasion
- Target IP addresses: blacklist the IP addresses of HoneyMonkey machines
- Determine if a human is present:
  - Create a cookie to suppress future visits
  - A one-time dialog pop-up box disables the cookie
- Detect VM or HoneyMonkey code:
  - Test for a fully virtualizable machine
  - Becomes less effective as VMs increase
29
Bad Web Site Rankings
- Celebrity info
- Song lyrics
- Wallpapers
- Video game cheats
- Wrestling
30
Related Work
- Email quarantine: intercepts every incoming message
- Shadow honeypots: divert suspicious traffic to a shadow version; detect potential attacks and filter out false positives
- Honeyclient: tries to identify browser-based attacks
31
Strengths
- HoneyMonkey will detect most Trojan viruses, backdoor functions and spyware programs
- Uniform detection of exploits: known-vulnerability attacks and zero-day exploits
- Generates an XML report for each visit
32
Weaknesses
- Takes time to clean the infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey only waits 2 minutes per URL; web pages can delay the exploit
33
Improvements
- Run HoneyMonkey with random wait times to combat delayed exploits on web sites
- Randomize the HoneyMonkey attack
- Vulnerability-specific exploit detector (VSED): insert break points within bad code; stops execution before potentially malicious code
34
Questions?