Client-Side Attack Analysis Using Honeyclient Technology
TRANSCRIPT
-
Page 2
Outline
- Introduction to client-side attacks
- Shellcode analysis
- Malicious PDF analysis
- Honeyclient technology
  - High-interaction honeyclient: Capture-HPC
  - Low-interaction honeyclient: PhoneyC
- Conclusions
-
Page 3
Background: Web Service
-
Page 4
Background: Web Service (Cont.)
(diagram) Web Client --(URL; port 80 HTTP traffic)--> Firewall --> Web Server (Apache, IIS, ...) --> Application (JSP, PHP, HTML, ASP, JavaScript) --> Database Server
-
Page 5
How a page is served:
- The user's browser (IE, Firefox) requests a URL over the Internet from the web server.
- The web server handles the request and returns the page.
- The response is HTML (Hyper Text Markup Language), which may embed JavaScript.
-
Page 6
Background: JavaScript
A page is HTML; JavaScript adds behaviour to it, for example opening a new window from script:
window.open('6ex.html', 'Joseph', 'height=300,width=300')
-
Page 7
Malware (malicious programs), definition from Wikipedia (includes, among others, browser hijacking)
-
Page 9
Server-Side Attack vs. Client-Side Attack
Server-side attack: the attacker targets the server directly, sending a maliciously crafted HTTP request to a vulnerable web server. Examples: worms; planting malware on web pages.
-
Page 10
Server-Side Attack vs. Client-Side Attack
Client-side attack: a client application interacts with a malicious server, and the server's response exploits the client application. Any client/server pair qualifies: web browser, FTP, email, MSN, multimedia stream, PDF reader. Because the client initiates the connection, the traffic passes the firewall / IPS / proxy.
-
Page 11
Client-Side Attack (Cont.)
Stages of a web client-side attack:
1. Exploit code obfuscation: JavaScript encoding, content generated dynamically with JavaScript, wrapper functions
2. Redirect: window.open(), window.location.href
3. Exploit code runs against the client application
4. Drive-by download
-
Page 12
Drive-by-download (definition)
Two meanings: a download the user authorised without understanding the consequences (installing an unknown ActiveX component or Java applet), and a download of malware through exploitation of a web browser, e-mail client or operating system vulnerability, without any user intervention.
-
Page 13
Client-Side Attack (Cont.)
What a client-side attack installs: bots, proxies, spyware and keyloggers, Browser Helper Objects (BHOs).
How to defend? Keep the client application patched, and block known malicious servers with a blacklist.
-
Page 14
(diagram) 1. The attacker compromises a vulnerable web server. 2. Exploit code, or a phishing site, is planted on it.
-
Page 15
(diagram) Infection chain: Malicious Link -> Landing Site (obfuscated JavaScript) -> Hopping Site (exploit code) -> Download Site (malware). The landing sites carry the JavaScripts that start the chain.
-
Page 16
(Cont.)
Source of a landing page: JavaScript that pulls the exploit code from the malicious link, e.g. http://v.6t65r.cn/01/
-
Page 17
Exploit Code
(screenshot of the exploit code)
-
Page 18
Drive-by-Download
The drive-by download exploits an unpatched client: a vulnerability in IE itself, or in a browser plugin (Flash, PDF).
-
Page 19
Injection vectors on a compromised page: iframe, JS (external script), Flash, PDF, CSS
-
Page 20
(diagram, same as Page 15) Malicious Link -> Landing Site (obfuscated JavaScript) -> Hopping Site (exploit code) -> Download Site (malware)
-
Page 21
Case study (names redacted as xxx): PHP Bot
-
Page 22
Attacker infrastructure:
1. Dynamic DNS: xxx.8866.org / xxxx.3322.org
2. Setup of the hosting servers
3. Fast-Flux
4.
-
Page 23
(diagram) Malicious Web + RFI + Fast-Flux + Phishing
- 1. RFI: the attacker compromises web site A and hosts a proxy / bot there; malicious code is injected into its pages.
- 2. A malware file server and an SMTP server (spam) sit behind dynamic DNS (3322.org).
- Malicious web sites B1, B2, B3 and phishing web sites C1, C2 all resolve through 3322.org.
- Taken from victims: IP address, email, CPU, MSN accounts (collected via web and SMTP).
-
Page 24
Injected exploit code
- Injection method: iframe
- Observed rate: 200 of 1000 IPs (20%)
-
Page 25
Thinking from the User's Viewpoint
The client-side attack as the user experiences it: IE 6.0 vulnerability -> exploit code -> shellcode -> botnet C&C
-
Page 26
Thinking from the Website Administrator's Viewpoint
Exploit code injected into the site's own pages
-
Page 29
System architecture (diagram)
- Web Crawler: URL -> HTML content
- Content Analysis: decoder, interpreter (static analysis of the fetched content)
- Behavior Analysis: Capture-HPC (behavior log, mallink sequence, traffic, dropped malware)
- Sandboxing: mallink sequence
- Reporting
-
Page 30
Web Crawler
- Web Crawler (also called Web Spider): automatically fetches HTML pages and follows the links and forms in them.
- Two kinds used here:
  - Web crawler by search engine: builds the search engine's index.
  - Web crawler for targeted visiting (information agent): visits a given URL list.
-
Page 31
Web Crawler by Search Engine
http://www.webcrawler.com/
-
Page 32
Web Crawler for Targeted Visiting
Win Web Crawler: http://www.winwebcrawler.com/
HTTrack: http://www.httrack.com/
Websphinx: http://www.cs.cmu.edu/~rcm/websphinx/
-
Page 33
Win Web Crawler
Sources of URLs for the crawler: keywords on a search engine; targeted visiting; URLs from a file
-
Page 34
Websphinx
Features: visualize part of the Web as a graph; save pages to disk; concatenate pages for printing; extract images from a set of pages; pattern matching such as (?{logo})(?{caption})
Requirements: Java 1.2 or later. Run: java -jar websphinx.jar
-
Page 35
HoneyClient
- Definition: "Honeyclient is an active security device/application in search of malicious servers that attack clients."
- It drives a client to visit servers and classifies each server as benign or malicious.
- Client protocols: web browser, FTP, SSH, email, ...
- Comparisons: client honeypot vs. traditional honeypot; high-interaction vs. low-interaction
-
Page 36
HoneyClient (Cont.)
(diagram) The honeyclient drives a real client (browser) to visit the server under test.
-
Page 37
HoneyClient (Cont.)
Components of a client honeypot:
- Queuer: produces the URL list the client honeypot will visit
- Client application: visits the queued URLs on the server
- Analysis engine: decides whether the server is benign or malicious
- Safety strategy: keeps a malicious server from compromising the client honeypot (firewalls and virtual machine sandboxes)
-
Page 38
HoneyClient (Cont.)
The same components in this system:
- Queuer (crawling): builds the URL list for the client honeypot
- Client application: the browser driven by the honeypot
- Analysis engine: integrity checks on the client
- Security strategy: revert the client to a clean state after each visit
-
Page 39
HoneyClient classification
- High-interaction: the client is a real system. Capture-HPC, HoneyClient, HoneyMonkey, SHELIA, UW Spycrawler, Web Exploit Finder
- Low-interaction: the client application is emulated. HoneyC, PhoneyC
-
Page 40
HoneyClient (Cont.)
              High-Interaction                              Low-Interaction
Client        real client application                       emulated client application
Server        real server, real service                     real server, real service
Detection     unauthorized state change on the              analysis of the server's response
              client honeypot                               (signatures, emulated vulnerabilities)
Examples      Capture-HPC, HoneyClient, HoneyMonkey,        HoneyC, Monkey-Spider, SpyBye,
              SHELIA, UW Spycrawler, Web Exploit Finder     PhoneyC
-
Page 41
HoneyClient (Cont.)
Client honeypot vs. traditional honeypot:
- Client honeypot: actively visits servers with a client application; the client-side "service" is what gets attacked.
- Traditional honeypot: passively offers a service and waits for attackers to connect to it.
-
Page 43
Capture-HPC
- High-interaction client honeypot, open source tool
- Developed by Victoria University of Wellington and the NZ Honeynet Project
- Purpose: identify malicious web servers that mount client-side attacks
- The client runs in a virtual machine; client-server design with centralized logs
- Monitors the effect of the browser on the file system, registry and processes of the system
-
Page 44
Capture-HPC (Cont.)
Goal: monitor our client system for unauthorized modifications by client-side attack code. An unauthorized change (file create/write, registry, process) marks the server as malicious.
Project: https://projects.honeynet.org/capture-hpc/
Mailing list: https://public.honeynet.org/mailman/listinfo/capture-hpc
-
Page 45
Capture-HPC (Cont.)
(screenshot)
-
Page 46
Capture-HPC (Cont.)
(screenshot: report)
-
Page 47
Capture-HPC Architecture (diagram)
-
Page 48
Client Honeypot (cont.)
Where do URLs likely to carry malicious code come from?
- Search engine: queries for chosen keywords
- Blacklists: lists published by others, fed to the client honeypot
- Links from spam or phishing messages
- Links from newsgroups
- Links from chat tools
- Example sources: http://www.knownsec.com/indexzh.html, http://www.sacour.cn/
-
Page 49
Capture-HPC (Cont.)
Capture-BAT: Win32 OS API hooking; monitors registry, process and file events; exclusion lists filter known-benign events; the rest is written to a log.
-
Page 50
Capture-HPC (Cont.)
Capture-HPC = Capture-BAT on the client plus a remote server that drives the client application. Beyond Capture-BAT it:
- Drives the complete OS and application
- Is extended to control and monitor VMware instances
- Has a control server for client control and data collection
- Provides proxies to access the Internet
-
Page 51
Capture-HPC (screenshot)
-
Page 52
Step 1: Server host
Requirements: Java, Capture-HPC Server, VMware Server 1.0.6
- Step 1: install VMware Server on the host OS (VMware-server-installer-1.0.6-91891.exe); the host firewall must let port 902 through
- Step 2: VMware listens on port 902; the Capture Server controls the guest OS (WinXP SP2) over port 902
- Step 3: create the guest OS (Windows XP SP2) in VMware Server with a custom network, VMnet8 (NAT)
-
Page 53
Step 2: Guest OS (WinXP SP2)
Install the Capture-HPC client and the target applications in the guest OS:
- Step 1: VMware Tools
- Step 2: Microsoft Visual C++ 2008 Redistributable Libraries (SP0), vcredist_x86.exe
- Step 3: WinPcap 4.0.2 in the guest OS (WinXP SP2)
- Step 4: Capture-Client, CaptureClient-Setup.exe
- Step 5: target applications, e.g. Wireshark, Firefox, Adobe Reader 8.0 (old versions from http://oldapps.com)
- Step 6:
- Step 7: turn off Windows Update
- Step 8: settings
  - Adobe Flash Player
  - IE:
  - IE:
  - IE: cookies
  - cache
- Step 10: take a snapshot (!)
-
Page 54
Step 3: Capture-HPC Client
Installed under C:\Program Files\Capture:
- Application.conf: maps client application names to executables (e.g. iexplore -> C:\Program Files\Internet Explorer\iexplore.exe)
- CaptureClient.bat / CaptureClient.exe: the client program
- ProcessMonitor.exl, RegistryMonitor.exl, FileMonitor.exl: exclusion lists of regular expressions; "+" excludes a matching event from the report, "-" explicitly includes it
-
Page 55
Step 3: Capture-HPC Client (cont.)
The shipped exclusion lists cover known-benign noise:
1. Windows prefetch
2. Windows update
3. Adobe update
4. Internet Explorer activities
5. Capture-HPC client activities
-
Page 56
Step 4: Capture-HPC Server
Contents of the server package:
- CaptureServer.jar: the server program
- config.xml: configuration
- revert scripts: for Windows and Linux hosts, VMware Server 1.0.6 and 1.0.7
- input_urls_example.txt: example URL list
- logs: logs received from the Capture-Client
-
Page 57
Configuration: config.xml
Two parts: global options and the virtual machine server section. Global options, with the values used here:
<global collect-modified-files="true"
        client-default="iexplore"                     (changed from iexplorebulk, which visits a whole URL group in one browser instance)
        client-default-visit-time="300"               seconds the client stays on each URL
        capture-network-packets-malicious="true"      keep the packet capture for visits judged malicious
        capture-network-packets-benign="false"        discard it for benign visits
        send-exclusion-lists="false"                  do not push the server's exclusion lists to the client
        terminate="false"                             keep the server running when the URL list is exhausted
        group_size="10"                               URLs per visit group
-
Page 58
        vm_stalled_after_revert_timeout="300"         seconds the HPC Server waits (via the VIX API) for the HPC-Client to report in after a revert
        revert_timeout="300"                          seconds allowed for the HPC-Client revert itself
        client_inactivity_timeout="60"                seconds without a ping from the HPC-Client before it is considered stalled
        vm_stalled_during_operation_timeout="300"     seconds the HPC Server waits for the HPC-Client to finish its URLs
        same_vm_revert_delay="6"                      delay (seconds) before VMware reverts the same HPC-Client VM again
        different_vm_revert_delay="24"                delay (seconds) between VMware reverts of different HPC-Client VMs
/>
-
Page 59
Virtual Machine Server section of config.xml
-
Page 60
5. Start the server
java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s <server-ip>:<port> -f input_url.txt
(-s is the address and port the server listens on for the clients; -f is the URL list.)
-
Page 61
Log Information on Capture-Server
- Safe.log: the URLs deemed benign
- Process.log: visiting information for each URL
- Error.log: URLs that could not be visited
- States.log: performance of the Capture system
- Malicious.log: the URLs deemed malicious
- Server_timestamp.log: the state changes observed while visiting each URL
- Server_timestamp.zip: the files modified or deleted on the client machine during the interaction with a malicious server
-
Page 62
Documentation: Capture-Client README, Capture-Server README, Capture Communication Protocol, Capture FAQ (https://projects.honeynet.org/capture-hpc/wiki/FAQ), Preprocessor_README, TroubleshootingGuide
-
Page 63
Capture-HPC: summary
- Capture-HPC identifies malicious web servers among the URLs it is given.
- Experience with malicious websites: the CaptureClient collects the dropped malware; malicious websites should be re-visited, since their content changes.
- Capture-HPC can drive other client applications, e.g. a PDF reader.
-
Page 65
PhoneyC: Pure Python honeyclient implementation
- Low-interaction "virtual" honeyclient: http://code.google.com/p/phoneyc/
- Code license: GNU GPL v2
- Design concept: emulates the core functionality of a web client; emulates specific vulnerabilities to pinpoint the attack vector
-
Page 66
System Architecture (diagram)
-
Page 67
PhoneyC Installation
- libemu (svn): http://libemu.carnivore.it/
- python-pycurl (needs curl: http://curl.haxx.se/)
- Source code: svn checkout http://phoneyc.googlecode.com/svn/phoneyc/trunk/ phoneyc
- Build: cd phoneyc; make. On Ubuntu also: cd modules; make; make install
-
Page 68
PhoneyC running
Usage: python phoneyc.py [ options ] url
Options:
  -h, --help              Display this help information.
  -l, --logfile=          Output file name for logs.
  -v, --verbose           Explain what is being done (DEBUG mode).
  -d, --debug=            Debug level, 1-10.
  -r, --retrieval-all     Retrieve all inline linked data.
  -c, --cache-response    Cache the responses from the remote sites.
  -u, --user-agent=       Select a user agent (see below for values, default: 1)
  -n                      Replace all non-ASCII characters with spaces (0x20) in all HTML or JS content
  -m                      Enable Universal ActiveX object
User agents:
  [1] Internet Explorer 6.1 (Windows XP)
  [2] Internet Explorer 7.0 (Windows XP)
  [3] Internet Explorer 8.0 (Windows XP)
  [4] Internet Explorer 6.0 (Windows 2000)
-
Page 69
Examples:
python phoneyc.py -v http://...
python phoneyc.py -v file://test/xxx.html
python phoneyc.py -v anzuzettelndem.com/u7LsArUV_-p.php
-
Decoding obfuscated JavaScript: FreShow + Malzilla
-
Page 71
JavaScript functions used by obfuscated code
- eval(): executes a string as code
- escape() / unescape(): percent-encode / decode a string
- document.write(): writes HTML (including script) into the page
- String.fromCharCode(): turns Unicode code points into characters
Decoding trick: replace document.write( ) with alert( ), or eval( ) with document.write( ), so the decoded layer is displayed instead of executed.
-
Page 72
Obfuscation techniques
- Name obfuscation: meaningless JavaScript variable and function names
- String splitting: the exploit code is broken into fragments that are concatenated at run time
- Code encryption
-
Page 73
Online JavaScript obfuscators and packers
- OMARC MalwareGuru: http://malwareguru.com/JSPacker/JavaScriptPacker.php
- cha88.cn: http://www.cha88.cn/
- yellowpipe.com: http://www.yellowpipe.com/yis/tools/encrypter/index.php
- auditmypc: http://www.auditmypc.com/html-encoder.asp
- Dean Edwards' JavaScript packer: http://dean.edwards.name/packer/
- Monyer: http://monyer.cn/demo/monyerjs.html
- JavaScript online obfuscator and packer: http://packer.50x.eu/
-
Page 74
Tools for decoding obfuscated JavaScript (debugger / interpreter / decoder / sandbox)
- Rhino: http://www.mozilla.org/rhino/
- NJS: http://www.njs-javascript.org/
- SpiderMonkey: http://www.mozilla.org/js/spidermonkey/
- Malzilla: http://malzilla.sourceforge.net
- FreShow: http://www.jimmyleo.com/work/FreShowStart.htm
- Coder: http://www.bindshell.net/tools/coder
-
Page 75
Decode JavaScripts: example.htm
1. In example.htm, replace eval and document.write with alert, and save the result as example1.html
2. Open example1.html in IE; the decoded layer is shown in the alert box
-
Page 76
Decode JavaScripts: Malzilla (screenshot)
-
Page 77
Decode JavaScripts: 0614.txt
Replace eval with alert, or eval with document.write, and load the result in the browser.
-
Page 78
Decode JavaScripts: 0614.txt decoded by Malzilla (screenshot)
-
Page 79
FreShow
- Download: search Google for "Freshow"
- Features: URL extraction (iframe, script), a+b string concatenation, and ASCII, US-ASCII, Alpha2, Base64 and Winwebmail decoders
-
Page 80
FreShow interface (annotated screenshot; numbers are callouts)
2. Check
3. fetch the page from the Internet by URL
6. extract js / iframe / script URLs
8. Eye / Mal-link; Connect (a+b -> ab); Nuls; Replace; Reverse
10. rendering engine: IE 7.0
-
Page 81
FreShow (Cont.)
9. Decoders: Esc (%, %u, \x, enum XOR); ASCII (1,2,3 -> ASCII); US-ASCII; Alpha2 Replayer (\x); EnumXOR; Base64; Winwebmail
-
Page 82
FreShow (Cont.)
Callouts 12-14 and 16-20 (16: URL link)
-
Page 83
Malzilla
http://malzilla.sourceforge.net/
-
Page 84
Joint web-based malware fighting projects
- it-mate.co.uk: developed to allow you to verify a website's content before you visit it. http://www.it-mate.co.uk/
- Fiddler: web debugging proxy which logs all HTTP(S) traffic between your computer and the Internet. http://www.fiddlertool.com/fiddler/
-
Julia Cheng [email protected]