Automated Web Patrol with Strider Honey Monkeys

Transcript and Presenter's Notes


1
Automated Web Patrol with Strider Honey Monkeys
  • Y.Wang, D.Beck, S.Chen, S.King,
  • X.Jiang, R.Roussev, C.Verbowski
  • Microsoft Research, Redmond
  • Justin Miller
  • February 27, 2007

2
Outline
  • Internet Attacks
  • Web Browser Vulnerabilities
  • HoneyMonkey System
  • Experiments
  • Analysis/Future Work

3
Internet Attacks
  • Exploit a vulnerability in the user's web browser
  • Install malicious code on the machine
  • No further user interaction required
  • VM-based honeypots are used to detect these attacks

4
HoneyMonkeys
  • Operating systems at various patch levels
  • Mimic human web browsing
  • Use StriderTracer to catch unauthorized file creation and system configuration changes
  • Discover malicious web sites

5
HoneyMonkeys
(Diagram: HoneyMonkeys on OS1, OS2 and OS3 visiting web sites that serve malcode)

6
Browser vulnerabilities
  • Code obfuscation
  • Dynamic code injection using document.write()
  • Unreadable, long strings with encoded characters (e.g. "%28" or "&#104;")
  • Decoded by a function in the script or by the browser
  • Escapes anti-virus software

7
Browser vulnerabilities
  • URL redirection
  • Protocol redirection using an HTTP 302 temporary redirect
  • HTML tags inside <frameset>
  • Script functions
  • window.location.replace() or window.open()
  • Redirection is also common on non-malicious sites

8
Browser vulnerabilities
  • Malware installation
  • Viruses
  • Backdoor functions
  • Bot programs
  • Trojan downloaders download other programs
  • Trojan droppers delete (drop) files
  • Trojan proxies redirect network traffic
  • Spyware programs

9
HoneyMonkey System
  • Attempts to automatically detect and analyze web sites that exploit web browsers
  • 3-stage pipeline of virtual machines
  • Stage 1: scalable mode
  • Stage 2: recursive redirection analysis
  • Stage 3: scan with fully patched VMs

10
HoneyMonkey Stage 1
  • Visit N URLs simultaneously
  • If an exploit is detected, re-visit each one individually until the exploit URL is found
(Diagram: two VMs; U1 U2 U3 and U4 U5 U6 visited in groups, then U2 and U3 re-visited individually)

11
HoneyMonkey Stage 2
  • Re-scan exploit URLs
  • Perform recursive redirection analysis
  • Identify all web pages involved
(Diagram: two VMs re-scanning U2 and U3; redirection analysis adds U9 and U10)

12
HoneyMonkey Stage 3
  • Re-scan exploit URLs
  • Scan using fully patched VMs
  • Identify attacks exploiting the latest vulnerabilities
(Diagram: two fully patched VMs re-scanning U2, U3, U9 and U10; U2 and U9 still exploit)

13
HoneyMonkey Flowchart
  • Scan up to 500-700 URLs per day

14
Web Site Visits
  • Monkey program launches the URL
  • Wait 2 minutes
  • Allow all malicious code to download
  • Detect persistent-state changes
  • New registry entries and .exe files
  • Allows uniform detection of
  • Known-vulnerability attacks
  • Zero-day exploits
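As an added example (not the paper's or Microsoft's code), the following Python simulates Stage 1 scalable-mode scanning on top of the persistent-state check described above: a batch of URLs is visited in one VM, and only when the visit leaves new .exe files or registry entries behind is each URL of the batch re-visited alone. The VM, its clean snapshot, the URLs and what they drop are all constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Persistent state of a VM: file paths and registry values (constructed model)."""
    files: frozenset
    registry: frozenset

def detect_changes(before, after):
    """Diff two snapshots: the new .exe files and registry entries a visit left behind."""
    new_exes = sorted(p for p in after.files - before.files if p.lower().endswith(".exe"))
    new_reg = sorted(after.registry - before.registry)
    return {"exe_created": new_exes, "registry_created": new_reg}

def is_exploited(before, after):
    """Any persistent-state change after a hands-off visit counts as an exploit."""
    changes = detect_changes(before, after)
    return bool(changes["exe_created"] or changes["registry_created"])

def scan_stage1(urls, visit, batch_size=3):
    """Stage 1: visit batch_size URLs at once; on infection, re-visit each one alone."""
    exploit_urls = []
    for i in range(0, len(urls), batch_size):
        batch = urls[i:i + batch_size]
        if is_exploited(*visit(batch)):
            exploit_urls += [u for u in batch if is_exploited(*visit([u]))]
    return exploit_urls

# Constructed stand-in for a VM: a clean image plus what each known-bad URL drops.
CLEAN = Snapshot(frozenset({r"C:\Windows\explorer.exe"}),
                 frozenset({r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon"}))
DROPS = {  # url -> (exe dropped, registry entry created); constructed sample data
    "http://u2.example/index.htm": (r"C:\Windows\Temp\dl.exe",
                                    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dl"),
    "http://u3.example/lyrics.htm": (r"C:\Windows\System32\bot.exe", None),
}
URLS = ["http://u1.example/index.htm", "http://u2.example/index.htm",
        "http://u3.example/lyrics.htm", "http://u4.example/", "http://u5.example/",
        "http://u6.example/"]

def simulated_visit(batch):
    """Visit a batch on a fresh VM (the controller restores a clean image each time)."""
    files, reg = set(CLEAN.files), set(CLEAN.registry)
    for url in batch:
        exe, key = DROPS.get(url, (None, None))
        if exe:
            files.add(exe)
        if key:
            reg.add(key)
    return CLEAN, Snapshot(frozenset(files), frozenset(reg))

if __name__ == "__main__":
    print(scan_stage1(URLS, simulated_visit))  # the two exploit URLs, U2 and U3
```

Because only persistent-state changes are diffed, a page that delays its download past the visit window or touches nothing on disk or in the registry is not flagged, which is the limitation the later Weaknesses slide points out.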

15
HoneyMonkey Report
  • Generates an XML report at the end of each visit
  • .exe files created or modified
  • Processes created
  • Registry entries created or modified
  • Vulnerability exploited
  • Redirect URLs visited
  • Clean up the infected machine state (Monkey Controller)

16
Web Site Redirection
(Diagram: URL1 redirects to URL2, which redirects to URL3; data is collected at each hop)

17
Input URL Lists
  • Suspicious URLs
  • Known to host spyware or malware
  • Links appearing in phishing or spam messages
  • Most popular web sites
  • Top 100,000 by browser traffic ranking
  • Local URLs
  • Organizations want to verify that their web pages have not been compromised

18
Output URL Data
  • Exploit URLs
  • Measures risk of visiting similar web sites
  • Topology Graphs
  • Several URLs shut down
  • Provide leads for anti-spyware research
  • Zero-day exploits
  • Monitors URL upgrades

19
Experimental Results
  • Collected 16,000 URLs
  • Web search for known-bad web sites
  • Web search for Windows hosts files
  • Depth-2 crawling of the previous URLs
  • 207/16,190 = 1.28% of web sites

20
Experimental Results
  • All tests done using IE 6

21
Topology Graphs
  • 17 exploit URLs for SP2-PP (SP2, partially patched)
  • Most powerful exploit pages

22
Site Ranking
  • Key role in anti-exploit process
  • Determines how to allocate resources
  • Monitoring URLs
  • Investigation of URLs
  • Blocking URLs
  • Legal actions against host sites

23
Site Ranking
  • 2 types of site ranking, based on
  • Connection counts
  • Links URLs to other malicious URLs
  • Number of hosted exploit-URLs
  • Web sites with important internal page hierarchy
  • Includes transient URLs with random strings

24
Site Ranking
  • Based on connection counts

25
Site Ranking
  • Based on number of exploit-URLs hosted
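An added example, not from the paper: both site rankings from the preceding slides computed over a small constructed redirection topology in Python. Connection count is taken here as the number of distinct other sites a site has a redirect edge to or from, and the hosted exploit-URL count keeps transient random-string URLs as separate URLs, as the slides note; both definitions are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_of(url):
    """Site = host name of the URL (assumption: ranking is per host)."""
    return urlsplit(url).hostname

def rank_by_connections(edges):
    """Rank sites by the number of distinct other sites they redirect to or from."""
    neighbours = defaultdict(set)
    for src, dst in edges:
        a, b = site_of(src), site_of(dst)
        if a != b:  # internal redirects within one site are not connections
            neighbours[a].add(b)
            neighbours[b].add(a)
    return sorted(((len(n), s) for s, n in neighbours.items()), reverse=True)

def rank_by_hosted_exploit_urls(exploit_urls):
    """Rank sites by how many exploit URLs they host (transient URLs count separately)."""
    hosted = defaultdict(set)
    for url in exploit_urls:
        hosted[site_of(url)].add(url)
    return sorted(((len(u), s) for s, u in hosted.items()), reverse=True)

# Constructed topology: three content sites funnel visitors to one exploit provider
# that serves transient random-string URLs; a second provider has a single page.
EDGES = [
    ("http://lyrics.example/a.htm", "http://ads.example/r?x=1"),
    ("http://ads.example/r?x=1", "http://provider.example/x/9f3a2c.htm"),
    ("http://wallpaper.example/", "http://provider.example/x/7b1d0e.htm"),
    ("http://cheats.example/", "http://provider.example/x/c4e881.htm"),
    ("http://cheats.example/", "http://second.example/exp.htm"),
    ("http://provider.example/x/9f3a2c.htm", "http://provider.example/payload/"),
]
EXPLOIT_URLS = [  # pages whose visit produced persistent-state changes (constructed)
    "http://provider.example/x/9f3a2c.htm", "http://provider.example/x/7b1d0e.htm",
    "http://provider.example/x/c4e881.htm", "http://provider.example/payload/",
    "http://second.example/exp.htm",
]

if __name__ == "__main__":
    print(rank_by_connections(EDGES))              # provider.example ranks first with 3
    print(rank_by_hosted_exploit_urls(EXPLOIT_URLS))  # provider.example ranks first with 4
```

The exploit provider tops both lists even though no content site links to it directly more than once, which is why the slides treat the provider, not the individual content sites, as the monitoring and take-down priority.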

26
Effective Monitoring
  • Easy-to-find exploit URLs
  • Useful for detecting zero day exploits
  • Content providers with well-known URLs
  • Must maintain these URLs to keep high traffic
  • Highly ranked URLs
  • More likely to upgrade exploits

27
Scanning Popular URLs
28
HoneyMonkey Evasion
  • Target IP addresses
  • Blacklist IP addresses of HoneyMonkey machines
  • Determine if a human is present
  • Create cookie to suppress future visits
  • One-time dialog pop up box disables cookie
  • Detect VM or HoneyMonkey code
  • Test for fully virtualizable machine
  • Becomes less effective as VMs increase

29
Bad Web Site Rankings
  • Celebrity info
  • Song lyrics
  • Wallpapers
  • Video game cheats
  • Wrestling

30
Related Work
  • Email quarantine
  • Intercepts every incoming message
  • Shadow honeypots
  • Diverts suspicious traffic to a shadow version
  • Detects potential attacks, filters out false
    positives
  • Honeyclient
  • Tries to identify browser-based attacks

31
Strengths
  • HoneyMonkey will detect most
  • Trojan viruses
  • Backdoor functions
  • Spyware programs
  • Uniform detection of exploits
  • Known vulnerability attack
  • Zero-day exploits
  • Generates XML report for each visit

32
Weaknesses
  • Takes time to clean the infected machine after each web site visit
  • Code obfuscation escapes anti-virus software
  • Only detects persistent-state changes
  • HoneyMonkey only waits 2 minutes per URL
  • Delay exploit on web pages

33
Improvements
  • Run HoneyMonkey with random wait times
  • Combat delayed exploits on web sites
  • Randomize HoneyMonkey attack
  • Vulnerability-specific exploit detector (VSED)
  • Insert break points within bad code
  • Stops execution before potentially malicious code

34
Questions?