Agenda - PowerPoint PPT Presentation

About this presentation
Title: Agenda
Slides: 29
Provided by: scm88
Tags: agenda | honeypot

Transcript and Presenter's Notes

Slide 1
(No Transcript)

Slide 2: Agenda
  1. Honeypot
  2. Honeypot types
  3. Client honeypot
  4. Related work
  5. Challenges of low interaction client honeypots
  6. Honeyware
  7. Honeyware overcoming client honeypot challenges
  8. Honeyware architecture
  9. Honeyware experiment
  10. Hybrid system

Slide 3: Honeypot
What is a honeypot?
A security resource whose value lies in being probed, attacked or compromised (Spitzner 2003).
Main difference between a honeypot and other security techniques (firewall, IDS): the honeypot's log files reveal the attacker's traffic without the false positives that a firewall or an IDS could log.

Slide 4: Honeypot types
  • Passive honeypot: use of a very vulnerable system or services, or possibly a simulation of them, then waiting to detect any attacker trying to crack the system.
  • Active honeypot (client honeypot): the client honeypot acts as a client and interacts with the server to study it and determine whether an attack has happened.

Slide 5: Honeypot types
  A. High interaction honeypot
  B. Low interaction honeypot

Slide 6: Related work
HoneyC
  • Developed by Christian Seifert.
  • Examines the web page code via Snort.

SpyBye
  • Developed by Niels Provos.
  • Uses the ClamAV anti-virus engine to check web pages.

Monkey-Spider
  • Developed by Ali Ikinci.

Slide 7: Honeyware
Honeyware is a new low interaction client honeypot tool which aims to combine the benefits of web-based technology running on local or remote servers. It gives the user the ability to scan the target server with a choice of web browsers and with five different scan engines.

Slide 8: Honeyware challenges
  1. Detect drive-by download exploits.
  2. Study and analyse malicious code.
  3. Detect more malicious web pages by using a hybrid system with a high interaction client honeypot.
  4. Detect modern web-based malicious exploit tools such as Mpack and IcePack.
  5. IP tracking.
  6. Geolocation dependence.

Slide 9: Challenges of low interaction client honeypots
Web-based malicious frameworks:
  • Mpack
  • IcePack

Slide 10: Challenges of low interaction client honeypots
Web-based malicious framework

Slide 11: Challenges of low interaction client honeypots
IP tracking
  • Tracks the IP address of visitors.
  • If a client honeypot tries to visit a malicious website running the Mpack tool with the IP tracking feature enabled, it will not detect any malicious behaviour and may assume the site is clean.

Slide 12: Challenges of low interaction client honeypots
Geolocation dependence
  • This feature, provided by a number of malware tools, causes the malware to affect only visitors from certain countries, while behaving normally with visitors from other countries.

Slide 13: Honeyware
Honeyware components:
  1. Web browsers
  2. Scan engine
  3. Honeyware client
  4. Crawling

Slide 14: Honeyware overcoming client honeypot challenges
Honeyware client

Slide 15: Honeyware overcoming client honeypot challenges
Honeyware client
  A. Geolocation-dependent

Slide 16: Honeyware overcoming client honeypot challenges
Honeyware client
  B. IP tracking (Mpack web-based exploit tool)

Slide 17: Honeyware overcoming client honeypot challenges
Honeyware client
  B. IP tracking: Mpack's attack method uses the visitor's browser product and version (Mpack web-based exploit tool).

Slide 18: Honeyware overcoming client honeypot challenges
Honeyware client
  B. IP tracking: how Honeyware detects it
  1. First request between Honeyware and the target.
  2. The send/receive between Honeyware and its client.
  3. Send multiple requests to the target, to simulate the usual human visitor behaviour.
  4. Second request, to get the target web page after the multiple requests.
  5. Compare both responses to detect any changes.
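The five-step check on the slide, written out as an added example rather than Honeyware's own code: a Python function runs the first request, the simulated visitor requests and the second request through a `fetch` callable, then diffs the two responses. The `fetch(client_ip, user_agent)` interface, the `TrackingToy` target and the page bodies are constructed here for the demonstration.

```python
"""Honeyware-style IP-tracking check (slide 18): fetch, simulate a visitor, fetch again, compare.
Added example; the fetch interface and the toy target are constructed, not Honeyware's code."""
import difflib
from typing import Callable, Dict, List

# User agent taken from the Honeyware user-agent table (Firefox 3 entry).
FIREFOX_3_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.6) "
                "Gecko/2009011913 Firefox/3.0.6")

# Constructed page bodies: the same page with and without an injected script tag.
CLEAN_PAGE = "<html>\n<body>\n<p>Welcome</p>\n</body>\n</html>"
FIRST_VISIT_PAGE = CLEAN_PAGE.replace("</body>", "<script src='loader.js'></script>\n</body>")


class TrackingToy:
    """Constructed stand-in for an IP-tracking target: it remembers visitor IPs and
    serves the extra script tag only on the first visit from an IP. It is just a
    content switch used to exercise the detector, not an exploit kit."""

    def __init__(self) -> None:
        self.seen: set = set()

    def fetch(self, client_ip: str, user_agent: str) -> str:
        first_visit = client_ip not in self.seen
        self.seen.add(client_ip)
        return FIRST_VISIT_PAGE if first_visit else CLEAN_PAGE


def static_fetch(client_ip: str, user_agent: str) -> str:
    """Constructed benign target: the same body for every request."""
    return CLEAN_PAGE


def check_ip_tracking(fetch: Callable[[str, str], str], client_ip: str,
                      user_agent: str = FIREFOX_3_UA, simulated_visits: int = 5) -> Dict:
    """Run the slide's five steps. Step 2 (handing the request to a Honeyware client
    elsewhere) is represented by client_ip (an assumption of this example): the check
    can be repeated from clients at different addresses and the results compared."""
    first = fetch(client_ip, user_agent)                   # 1. first request
    for _ in range(simulated_visits):                      # 3. human-like repeat visits
        fetch(client_ip, user_agent)
    second = fetch(client_ip, user_agent)                  # 4. second request
    diff: List[str] = [                                    # 5. compare both responses
        line for line in difflib.unified_diff(
            first.splitlines(), second.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    return {"changed": first != second, "diff": diff}


if __name__ == "__main__":
    print(check_ip_tracking(TrackingToy().fetch, "203.0.113.7"))   # changed: True
    print(check_ip_tracking(static_fetch, "198.51.100.2"))         # changed: False
```

A content change between the first and second response is the signal the slide describes; the diff lines show which page elements disappeared after the simulated visits.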

Slide 19: Honeyware architecture

Slide 20: Honeyware architecture
Honeyware user agents

Browser | User agent
Internet Explorer 5 | Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)
Internet Explorer 5 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Internet Explorer 6 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Internet Explorer 7 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Firefox 2 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Firefox 3 | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
Safari | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16
Google Chrome | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
Opera | Opera/9.00 (Windows NT 5.1; U; en)
Konqueror | Mozilla/5.0 (compatible; Konqueror/4.1; Linux) KHTML/4.1.2 (like Gecko)

Slide 21: Honeyware architecture
Honeyware screenshot

Slide 22: Honeyware experiment
The experiment scenario involved 94 URLs collected from a search engine, of which 84 were malicious and 10 benign.
Capture-HPC (high interaction client honeypot) vs Honeyware (low interaction client honeypot)

Slide 23: Honeyware experiment

Slide 24: Honeyware experiment

Slide 25: Honeyware limitations
  1. Slow
    • Approximately 1 minute to scan a target.
    • Reduce the time by:
      • selecting few scan engines;
      • separating the scan engine interaction from PHP (use Perl or shell and then pass the result to Honeyware).
  2. Not able to detect 0-day exploits.

Slide 26: Hybrid system
The hybrid system starts by scanning all URLs with Capture-HPC and then forwards all URLs that Capture-HPC reports as benign to Honeyware to scan.

Slide 27: Honeyware future work
  1. Plug-in simulation
  2. Intrusion detection system (IDS)
  3. Honeyware crawling
  4. Improve the Honeyware client

Honeyware project: http://www.sourceforge.net/projects/honeyware

Slide 28
(No Transcript)