Automated Web Patrol with Strider Honey Monkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski (Microsoft Research, Redmond)
Justin Miller, February 27, 2007


Page 1: Automated Web Patrol with Strider Honey Monkeys

Automated Web Patrol with Strider Honey Monkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski
Microsoft Research, Redmond
Justin Miller, February 27, 2007

Page 2: Automated Web Patrol with Strider Honey Monkeys

Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis/Future Work

Page 3: Automated Web Patrol with Strider Honey Monkeys

Internet Attacks
- Exploit vulnerability of user web browser
- Install malicious code on machine
- No user interaction required later
- VM-based honeypots are used to detect these attacks

Page 4: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkeys
- OS's of various patch levels
- Mimic human web browsing
- Uses StriderTracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites

Page 5: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkeys
[Figure: HoneyMonkeys running on OS1, OS2 and OS3 virtual machines; Malcode]

Page 6: Automated Web Patrol with Strider Honey Monkeys

Browser vulnerabilities: Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings with encoded chars, e.g. "%28" or "&#104"
- Decoded by function script or browser
- Escapes anti-virus software
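To show how a scanner can peel back the encodings this slide describes, here is an added Python example (it is not part of the presentation or of the HoneyMonkey system). It repeatedly percent-decodes and HTML-entity-decodes a script fragment until nothing changes, then records simple signature-free indicators such as whether document.write() is used and how many encoded characters appear. The sample script is constructed for the example and writes only the text "hi"; the indicator names are this example's own.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of an obfuscated fragment (not taken from any real site).
# The literal markup is hidden behind percent-encoding and HTML numeric entities;
# the browser or a helper function decodes it just before document.write() runs.
SAMPLE_SCRIPT = (
    'document.write(unescape("%3Cscript%3E" + "&#104;&#105;" + "%3C/script%3E"));'
)

PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")      # "%28"-style encoded characters
ENTITY_RE = re.compile(r"&#x?[0-9A-Fa-f]+;?")    # "&#104"-style numeric entities


def decode_layers(text, max_rounds=5):
    """Peel off percent-encoding and HTML entities repeatedly, since obfuscated
    code often nests one encoding inside another ("%2528" -> "%28" -> "(").
    Returns (decoded_text, rounds_needed); stops when a round changes nothing."""
    rounds = 0
    while rounds < max_rounds:
        step = html.unescape(unquote(text))
        if step == text:
            break
        text = step
        rounds += 1
    return text, rounds


def obfuscation_indicators(script):
    """Cheap indicators a scanner can record for a page's script. None of them
    proves maliciousness, but together they flag script that is hidden from
    plain-text inspection (and from string-matching anti-virus)."""
    decoded, rounds = decode_layers(script)
    literals = re.findall(r'"([^"]*)"', script)
    return {
        "uses_document_write": "document.write" in script,
        "encoded_char_count": len(PERCENT_RE.findall(script)) + len(ENTITY_RE.findall(script)),
        "decode_rounds": rounds,
        "longest_string_literal": max((len(s) for s in literals), default=0),
        # injected markup only becomes visible after decoding
        "decoded_contains_script_tag": "<script" in decoded.lower(),
    }


if __name__ == "__main__":
    decoded, rounds = decode_layers(SAMPLE_SCRIPT)
    print(decoded)
    print(obfuscation_indicators(SAMPLE_SCRIPT))
```

The point of the example is the gap the slide names: a string signature applied to the encoded form never matches, which is why HoneyMonkey judges a page by the persistent-state changes it causes rather than by its content.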

Page 7: Automated Web Patrol with Strider Honey Monkeys

Browser vulnerabilities: URL Redirection
- Protocol redirection using HTTP 302 temporary redirect
- HTML tags inside <frameset>
- Script functions: window.location.replace() or window.open()
- Redirection is common in non-malicious sites

Page 8: Automated Web Patrol with Strider Honey Monkeys

Browser vulnerabilities: Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders: DL other programs
- Trojan droppers: delete (drop) files
- Trojan proxies: redirect network traffic
- Spyware programs

Page 9: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey System
- Attempts to automatically detect and analyze web sites that exploit web browsers
- 3-stage pipeline of virtual machines
  - Stage 1: scalable mode
  - Stage 2: recursive redirection analysis
  - Stage 3: scan fully patched VMs

Page 10: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey: Stage 1
- Visit N URLs simultaneously
- If exploit detected, re-visit each one individually until exploit URL is found
[Figure: two VMs visit U1 to U6 in batches; U2 and U3 are re-visited individually]

Page 11: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
[Figure: U2 and U3 re-scanned; redirection analysis adds U9 and U10]

Page 12: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey: Stage 3
- Re-scan exploit URLs
- Scan using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
[Figure: U2, U3, U9 and U10 scanned on fully patched VMs; U2 and U9 still exploit]
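The three stages on slides 10 to 12 fit together as one small simulation, added here as an example (it is not code from the presentation or from the HoneyMonkey system). Which URLs exploit which patch level, and where each page redirects, are constructed data chosen to match the U2/U3/U9/U10 figures; the `visit` function stands in for a real monkey visit, answering only whether a batch caused a persistent-state change. Stage 1 follows the slide literally: a batch that fires is re-visited one URL at a time.

```python
# Constructed data for the example (not measurements from the paper).
# EXPLOIT_URLS: the VM patch levels each URL exploits, as a monkey would learn
# from a persistent-state change after visiting it.
# REDIRECTS: where each page sends the browser, as redirection analysis records it.
EXPLOIT_URLS = {
    "U2": {"unpatched", "fully_patched"},   # still works against the latest patches
    "U3": {"unpatched"},
    "U9": {"unpatched", "fully_patched"},
}
REDIRECTS = {"U2": ["U9"], "U3": ["U10"], "U9": [], "U10": []}


def visit(urls, patch_level="unpatched"):
    """Simulated monkey visit of a batch of URLs on one VM: True if any of them
    would leave a persistent-state change on a VM at this patch level. A batch
    result says nothing about which URL was responsible."""
    return any(patch_level in EXPLOIT_URLS.get(u, set()) for u in urls)


def stage1(urls, batch_size):
    """Scalable mode: N URLs per VM in one go. A clean batch clears all N URLs
    with a single visit; a batch that fires is re-visited one URL at a time."""
    found = []
    for i in range(0, len(urls), batch_size):
        batch = urls[i:i + batch_size]
        if visit(batch):
            found.extend(u for u in batch if visit([u]))
    return found


def stage2(exploit_urls):
    """Recursive redirection analysis: follow every redirect from the exploit
    URLs and return all pages involved, in breadth-first discovery order."""
    seen, queue = [], list(exploit_urls)
    while queue:
        u = queue.pop(0)
        if u not in seen:
            seen.append(u)
            queue.extend(REDIRECTS.get(u, []))
    return seen


def stage3(urls):
    """Re-scan each page on a fully patched VM; whatever still exploits is
    attacking the latest vulnerabilities, or is a zero-day."""
    return [u for u in urls if visit([u], "fully_patched")]


def pipeline(urls, batch_size):
    s1 = stage1(urls, batch_size)
    s2 = stage2(s1)
    return {"stage1": s1, "stage2": s2, "stage3": stage3(s2)}


if __name__ == "__main__":
    print(pipeline(["U1", "U2", "U3", "U4", "U5", "U6"], batch_size=3))
```

The cost model is what makes stage 1 scalable: a clean batch of N URLs costs one visit plus one VM cleanup, and only a batch that fires pays for N further individual visits, which is why the pipeline front-loads the unpatched VMs and reserves the fully patched ones for the few URLs that survive stage 2.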

Page 13: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey Flowchart
- Scan up to 500-700 URLs per day

Page 14: Automated Web Patrol with Strider Honey Monkeys

Web Site Visits
- Monkey program launches URL
- Wait 2 minutes: allow all malicious code to DL
- Detect persistent-state changes: new registry entries and .exe files
- Allows uniform detection of:
  - Known vulnerability attack
  - Zero-day exploits

Page 15: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey Report
- Generates XML report at end of each visit:
  - .exe files created or modified
  - Processes created
  - Registry entries created or modified
  - Vulnerability exploited
  - Redirect-URLs visited
- Cleanup infected state machine: Monkey Controller
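The detection rule on slide 14 and the report fields on slide 15 can be shown together. The following Python is an added example, not code from the presentation or from StriderTracer: it diffs two constructed state snapshots (file hashes, registry values and process names, none of them real traces), applies the slide's uniform rule that any new or modified .exe or registry entry after an unattended visit counts as an exploit, and renders the per-visit XML report. The snapshot layout, the element names and the "unknown" vulnerability placeholder are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed before/after snapshots of the persistent state one VM would show
# (not real traces): file path -> content hash, registry value -> data, and the
# set of running process names.
BEFORE = {
    "files": {r"C:\Windows\explorer.exe": "hash-a", r"C:\Windows\notepad.exe": "hash-b"},
    "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar": "sidebar.exe"},
    "processes": {"explorer.exe", "iexplore.exe"},
}
AFTER = {
    "files": {
        r"C:\Windows\explorer.exe": "hash-a",
        r"C:\Windows\notepad.exe": "hash-b",
        r"C:\Windows\Temp\dl1.exe": "hash-z",           # written during the visit
    },
    "registry": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar": "sidebar.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dl1": r"C:\Windows\Temp\dl1.exe",
    },
    "processes": {"explorer.exe", "iexplore.exe", "dl1.exe"},
}


def diff_state(before, after):
    """Persistent-state changes between two snapshots: .exe files created or
    modified (by hash), registry values created or modified, processes created."""
    exe = sorted(p for p, h in after["files"].items()
                 if p.lower().endswith(".exe") and before["files"].get(p) != h)
    reg = sorted(k for k, v in after["registry"].items() if before["registry"].get(k) != v)
    procs = sorted(after["processes"] - before["processes"])
    return {"exe": exe, "registry": reg, "processes": procs}


def is_exploit(diff):
    """The uniform rule from the slides: the monkey never clicks anything, so any
    new or modified .exe or registry entry after the 2-minute wait is an exploit,
    whether the vulnerability is known or a zero-day."""
    return bool(diff["exe"] or diff["registry"])


def build_report(url, diff, redirect_urls):
    """Render the per-visit XML report with the fields listed on the slide."""
    root = ET.Element("visit", url=url, exploit=str(is_exploit(diff)).lower())
    sections = (("exe_files", diff["exe"]), ("registry", diff["registry"]),
                ("processes", diff["processes"]), ("redirect_urls", redirect_urls))
    for tag, items in sections:
        parent = ET.SubElement(root, tag)
        for item in items:
            ET.SubElement(parent, "item").text = item
    # The real system names the vulnerability exploited; this example has no way
    # to attribute it, so the field is left as a placeholder.
    ET.SubElement(root, "vulnerability").text = "unknown"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    d = diff_state(BEFORE, AFTER)
    print(build_report("http://example.invalid/page", d, ["http://example.invalid/r1"]))
```

Note what the rule does and does not catch: a process that is created but writes nothing persistent (the `processes` list alone) does not trip `is_exploit`, which is the "only detects persistent-state changes" weakness listed later in the deck.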

Page 16: Automated Web Patrol with Strider Honey Monkeys

Web Site Redirection
[Figure: URL1 redirects to URL2, which redirects to URL3; data is collected at each step]

Page 17: Automated Web Patrol with Strider Honey Monkeys

Input URL Lists
- Suspicious URLs
  - Known to host spyware or malware
  - Links appearing in phishing or spam messages
- Most popular web sites: top 100,000 by browser traffic ranking
- Local URLs: organization wants to verify its web pages have not been compromised

Page 18: Automated Web Patrol with Strider Honey Monkeys

Output URL Data
- Exploit URLs: measures risk of visiting similar web sites
- Topology Graphs
  - Several URLs shut down
  - Provide leads for anti-spyware research
- Zero-day exploits: monitors URL "upgrades"

Page 19: Automated Web Patrol with Strider Honey Monkeys

Experimental Results
- Collected 16,000+ URLs
  - Web search of "known-bad" web sites
  - Web search for Windows "hosts" files
  - Depth-2 crawling of previous URLs
- 207/16,190 = 1.28% of web sites

Page 20: Automated Web Patrol with Strider Honey Monkeys

Experimental Results
- All tests done using IEv6

Page 21: Automated Web Patrol with Strider Honey Monkeys

Topology Graphs
- 17 exploit URLs for SP2-PP
- Most powerful exploit pages

Page 22: Automated Web Patrol with Strider Honey Monkeys

Site Ranking
- Key role in anti-exploit process
- Determines how to allocate resources:
  - Monitoring URLs
  - Investigation of URLs
  - Blocking URLs
  - Legal actions against host sites

Page 23: Automated Web Patrol with Strider Honey Monkeys

Site Ranking
- 2 types of site ranking, based on:
  - Connection counts: links URLs to other malicious URLs
  - Number of hosted exploit-URLs: web sites with important internal page hierarchy; includes transient URLs with random strings

Page 24: Automated Web Patrol with Strider Honey Monkeys

Site Ranking
- Based on connection counts

Page 25: Automated Web Patrol with Strider Honey Monkeys

Site Ranking
- Based on number of exploit-URLs hosted
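The two rankings on slides 23 to 25 are computed from the redirection topology that stage 2 produces. The Python below is an added example, not the presentation's or the project's code: it collapses constructed URL-level redirect chains (invented hostnames under .example, not data from the paper) into a site-level graph, then ranks sites once by how many other sites they are connected to and once by how many distinct exploit-chain URLs they host. The site e.example is there to show the second ranking's caveat: a site that hands out transient random-string URLs scores high on hosted URLs while having no connections at all.

```python
from urllib.parse import urlsplit

# Constructed redirection chains (not data from the paper): each list is the
# sequence of URLs one monkey visit passed through before the exploit fired.
VISITS = [
    ["http://a.example/page1", "http://b.example/r?x=1", "http://c.example/exploit.htm"],
    ["http://d.example/page", "http://c.example/exploit.htm"],
    ["http://b.example/r?x=2", "http://c.example/exploit.htm"],
    ["http://e.example/zz/ab12cd", "http://e.example/zz/ef34gh"],   # random-string URLs, one site
]


def site_of(url):
    return urlsplit(url).hostname


def build_topology(visits):
    """Collapse URL-level redirect chains into a site-level graph: a set of
    directed (from_site, to_site) edges plus the distinct URLs seen per site."""
    edges, urls_by_site = set(), {}
    for chain in visits:
        for url in chain:
            urls_by_site.setdefault(site_of(url), set()).add(url)
        for src, dst in zip(chain, chain[1:]):
            if site_of(src) != site_of(dst):          # ignore redirects within one site
                edges.add((site_of(src), site_of(dst)))
    return edges, urls_by_site


def rank_by_connections(visits):
    """Ranking 1: number of other sites each site links to or is linked from.
    High scorers are the hubs whose removal breaks many redirect chains."""
    edges, urls_by_site = build_topology(visits)
    neighbours = {site: set() for site in urls_by_site}
    for src, dst in edges:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    counts = {site: len(n) for site, n in neighbours.items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_by_hosted_urls(visits):
    """Ranking 2: number of distinct exploit-chain URLs each site hosts.
    Sites with a deep internal page hierarchy, including transient
    random-string URLs, score high here even with few connections."""
    _, urls_by_site = build_topology(visits)
    counts = {site: len(urls) for site, urls in urls_by_site.items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(rank_by_connections(VISITS))
    print(rank_by_hosted_urls(VISITS))
```

Because the two rankings disagree on e.example, a team deciding where to spend monitoring, investigation or blocking effort (slide 22) would read them side by side rather than picking one.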

Page 26: Automated Web Patrol with Strider Honey Monkeys

Effective Monitoring
- Easy-to-find exploit URLs: useful for detecting zero-day exploits
- Content providers with well-known URLs: must maintain these URLs to keep high traffic
- Highly ranked URLs: more likely to upgrade exploits

Page 27: Automated Web Patrol with Strider Honey Monkeys

Scanning Popular URLs

Page 28: Automated Web Patrol with Strider Honey Monkeys

HoneyMonkey Evasion
- Target IP addresses: blacklist IP addresses of HoneyMonkey machines
- Determine if a human is present
  - Create cookie to suppress future visits
  - One-time dialog pop-up box disables cookie
- Detect VM or HoneyMonkey code
  - Test for fully virtualizable machine
  - Becomes less effective as VMs increase

Page 29: Automated Web Patrol with Strider Honey Monkeys

Bad Web Site Rankings
- Celebrity info
- Song lyrics
- Wallpapers
- Video game cheats
- Wrestling

Page 30: Automated Web Patrol with Strider Honey Monkeys

Related Work
- Email quarantine: intercepts every incoming message
- Shadow honeypots
  - Diverts suspicious traffic to a shadow version
  - Detects potential attacks, filters out false positives
- Honeyclient: tries to identify browser-based attacks

Page 31: Automated Web Patrol with Strider Honey Monkeys

Strengths
- HoneyMonkey will detect most:
  - Trojan viruses
  - Backdoor functions
  - Spyware programs
- Uniform detection of exploits
  - Known vulnerability attack
  - Zero-day exploits
- Generates XML report for each visit

Page 32: Automated Web Patrol with Strider Honey Monkeys

Weaknesses
- Takes time to clean infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey only waits 2 minutes per URL: delayed exploits on web pages are missed

Page 33: Automated Web Patrol with Strider Honey Monkeys

Improvements
- Run HoneyMonkey with random wait times
  - Combat delayed exploits on web sites
  - Randomize HoneyMonkey attack
- Vulnerability-specific exploit detector (VSED)
  - Insert break points within bad code
  - Stops execution before potentially malicious code

Page 34: Automated Web Patrol with Strider Honey Monkeys

Questions?