Automated Web Patrol with Strider Honey Monkeys

1
Automated Web Patrolwith Strider Honey Monkeys

• Y.Wang, D.Beck, S.Chen, S.King,
• X.Jiang, R.Roussev, C.Verbowski
• Microsoft Research, Redmond
• Justin Miller
• February 27, 2007

2
Outline

• Internet Attacks
• Web Browser Vulnerabilities
• HoneyMonkey System
• Experiments
• Analysis/Future Work

3
Internet Attacks

• Exploit vulnerability of user web browser
• Install malicious code on machine
• No user interaction required later
• VM-based honeypots are used to detect these
  attacks

4
HoneyMonkeys

• OSs of various patch levels
• Mimic human web browsing
• Uses StriderTracer to catch unauthorized file
  creation and system configuration changes
• Discover malicious web sites

5
HoneyMonkeys

• OS3
• OS2
• OS1
• Malcode

6
Browser vulnerabilities

• Code Obfuscation
• Dynamic code injection using document.write()
• Unreadable, long strings with encoded chars
• 28 or 104
• Decoded by function script or browser
• Escapes anti-virus software

7
Browser vulnerabilities

• URL Redirection
• Protocol redirection using HTTP 302 temp redir
• HTML tags inside ltframesetgt
• Script functions
• window.location.replace() or window.open()
• Redirection is common in non-malicious sites

8
Browser vulnerabilities

• Malware Installation
• Viruses
• Backdoor functions
• Bot programs
• Trojan downloaders DL other programs
• Trojan droppers delete (drop) files
• Trojan proxies redirect network traffic
• Spyware programs

9
HoneyMonkey System

• Attempts to automatically detect and analyze web
  sites that exploit web browsers
• 3-stage pipeline of virtual machines
• Stage 1 scalable mode
• Stage 2 recursive redirection analysis
• Stage 3 scan fully patched VMs

10
HoneyMonkey Stage 1

• Visit N URLs simultaneously
• If exploit detected, re-visit each one
  individually until exploit URL is found
• VM VM
• U1 U2 U3
• U4 U5 U6 U2 U3

11
HoneyMonkey Stage 2

• Re-scan exploit URLs
• Perform recursive redirection analysis
• Identify all web pages involved
• VM VM
• U2 U3 U2 U3
• U2 U3 U9 U10

12
HoneyMonkey Stage 3

• Re-scan exploit URLs
• Scan using fully patched VMs
• Identify attacks exploiting the latest
  vulnerabilities
• VM VM
• U2 U3
• U9 U10 U2 U9

13
HoneyMonkey Flowchart

• Scan up to 500-700 URLs per day

14
Web Site Visits

• Monkey program launches URL
• Wait 2 minutes
• Allow all malicious code to DL
• Detect persistent-state changes
• New registry entries and .exe files
• Allows uniform detection of
• Known vulnerability attack
• Zero-day exploits

15
HoneyMonkey Report

• Generates XML report at end of each visit
• .exe files created or modified
• Processes created
• Registry entries created or modified
• Vulnerability exploited
• Redirect-URLs visited
• Cleanup infected state machine
• Monkey Controller

16
Web Site Redirection

• URL1 URL2 URL3
• Redirect Redirect
• Data collected data data

17
Input URL Lists

• Suspicious URLs
• Known to host spyware or malware
• Links appearing in phishing or spam messages
• Most popular web sites
• Top 100,000 by browser traffic ranking
• Local URLs
• Organization want to verify web pages have not
  been compromised

18
Output URL Data

• Exploit URLs
• Measures risk of visiting similar web sites
• Topology Graphs
• Several URLs shut down
• Provide leads for anti-spyware research
• Zero-day exploits
• Monitors URL upgrades

19
Experimental Results

• Collected 16,000 URLs
• Web search of known-bad web sites
• Web search for Windows hosts files
• Depth-2 crawling of previous URLs
• 207/16,190 1.28 of web sites

20
Experimental Results

• All tests done using IEv6

21
Topology Graphs

• 17 exploit URLs for SP2-PP
• Most powerful exploit pages

22
Site Ranking

• Key role in anti-exploit process
• Determines how to allocate resources
• Monitoring URLs
• Investigation of URLs
• Blocking URLs
• Legal actions against host sites

23
Site Ranking

• 2 types of site ranking, based on
• Connection counts
• Links URLs to other malicious URLs
• Number of hosted exploit-URLs
• Web sites with important internal page hierarchy
• Includes transient URLs with random strings

24
Site Ranking

• Based on connection counts

25
Site Ranking

• Based on number of exploit-URLs hosted

26
Effective Monitoring

• Easy-to-find exploit URLs
• Useful for detecting zero day exploits
• Content providers with well-known URLs
• Must maintain these URLs to keep high traffic
• Highly ranked URLs
• More likely to upgrade exploits

27
Scanning Popular URLs
28
HoneyMonkey Evasion

• Target IP addresses
• Blacklist IP addresses of HoneyMonkey machines
• Determine if a human is present
• Create cookie to suppress future visits
• One-time dialog pop up box disables cookie
• Detect VM or HoneyMonkey code
• Test for fully virtualizable machine
• Becomes less effective as VMs increase

29
Bad Web Site Rankings

• Celebrity info
• Song lyrics
• Wallpapers
• Video game cheats
• Wrestling

30
Related Work

• Email quarantine
• Intercepts every incoming message
• Shadow honeypots
• Diverts suspicious traffic to a shadow version
• Detects potential attacks, filters out false
  positives
• Honeyclient
• Tries to identify browser-based attacks

31
Strengths

• HoneyMonkey will detect most
• Trojan viruses
• Backdoor functions
• Spyware programs
• Uniform detection of exploits
• Known vulnerability attack
• Zero-day exploits
• Generates XML report for each visit

32
Weaknesses

• Takes time to clean infected machine after each
  web site visit
• Code obfuscation escapes anti-virus software
• Only detects persistent-state changes
• HoneyMonkey only waits 2 minutes per URL
• Delay exploit on web pages

33
Improvements

• Run HoneyMonkey with random wait times
• Combat delayed exploits on web sites
• Randomize HoneyMonkey attack
• Vulnerability-specific exploit detector (VSED)
• Insert break points within bad code
• Stops execution before potentially malicious code

34
Questions?

• ? ? ? ? ? ? ?
• ? ? ? ? ? ? ? ? ?
• ? ? ? ? ?
• ? ? ? ? ? ? ? ?
• ? ? ? ? ? ? ?
• ? ? ? ? ? ? ? ? ?
• ? ? ? ? ?
• ? ? ? ? ? ? ? ?