An introduction to honeyclient technologies
Christian Seifert
Angelo Dell'Aera
Speakers
Christian Seifert
• Full Member of the Honeynet Project since 2007
• PhD from Victoria University of Wellington, NZ
• Research Software Engineer @ Microsoft Bing
Angelo Dell'Aera
• Full Member of the Honeynet Project since 2009
• Senior Threat Analyst @ Security Reply (7 years)
• Information Security Independent Researcher @ Antifork Research (13 years)
Agenda
• Introduction
• Honeyclient technologies
  • Low-Interaction (PhoneyC)
  • High-Interaction (Capture-HPC)
• Malware Distribution Networks
• Challenges and Future Work
New trends, new tools
• In recent years, more and more attacks have targeted client systems
• The end user is the weakest link of the security chain
• New tools are required to learn more about such client-side attacks
New trends, new tools
• The browser is the most widespread client application, deployed on every user system
• Many vulnerabilities in the most used browsers are identified daily and (almost always) reported
• The browser is currently the preferred way to own a host
Honeyclients
What we need is something that looks like a real browser, in the same way a classical honeypot looks like a real vulnerable server.
A real system (high-interaction) or an emulated one (low-interaction)?

[Diagram: the three components of a honeyclient. Queuer (builds the list of URLs to visit), Visitor (drives the client to each URL), Analysis Engine (decides whether the visit was malicious)]
Low-interaction strengths and weaknesses
+ Different browser versions ("personalities")
+ Different ActiveX and plugin modules (even different versions)
+ Much safer
+ More scalable
- Easy to detect
PhoneyC - Brief History
• A pure Python low-interaction honeyclient
• First version developed by Jose Nazario
• Great improvements during GSoC 2009
• And the history continues...
PhoneyC – DOM Emulation
“The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page.” (W3C definition)
• Huge improvements during GSoC 2009
• Built on the Python object __getattr__ and __setattr__ methods
PhoneyC - Browser Personalities
Currently supported personalities:
• Internet Explorer 6.0 (Windows XP)
• Internet Explorer 6.1 (Windows XP)
• Internet Explorer 7.0 (Windows XP)
• Internet Explorer 8.0 (Windows XP)
• Internet Explorer 6.0 (Windows 2000)
• Internet Explorer 8.0 (Windows 2000)
Easy to add new personalities
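As an added example (not PhoneyC's own code), the Python sketch below shows how the __getattr__/__setattr__ hooks from the DOM emulation slide and the personality table from the slide above fit together: each emulated DOM object answers property reads from a per-personality table and records every access for the analysis engine. The personality names, the user-agent strings, and the `fingerprint_demo` stand-in for a page's script are assumptions made for illustration.

```python
"""DOM emulation via __getattr__/__setattr__ for a low-interaction honeyclient.

Added example in the spirit of PhoneyC, not PhoneyC's code. Personality
names and property values are assumptions chosen for illustration."""
import re

# Assumed personality table: navigator properties the emulated browser reports.
PERSONALITIES = {
    "winxpie60": {
        "userAgent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "appVersion": "4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "platform": "Win32",
    },
    "winxpie80": {
        "userAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "appVersion": "4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "platform": "Win32",
    },
    "win2kie60": {
        "userAgent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
        "appVersion": "4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
        "platform": "Win32",
    },
}


class EmulatedObject:
    """A DOM host object whose property reads and writes are all recorded.

    __getattr__ only runs when normal lookup fails, so the real instance fields
    (prefixed with '_') are stored with object.__setattr__ and never reach the
    emulation layer."""

    def __init__(self, name, props=None, log=None):
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_props", dict(props or {}))
        object.__setattr__(self, "_log", log if log is not None else [])

    def __getattr__(self, item):
        if item.startswith("_"):
            raise AttributeError(item)
        if item in self._props:
            self._log.append(("get", self._name, item))
            return self._props[item]
        # Property the emulation does not know: record it rather than raise, so
        # the script keeps running (a real browser would return undefined).
        self._log.append(("unknown", self._name, item))
        return None

    def __setattr__(self, key, value):
        self._log.append(("set", self._name, key, value))
        self._props[key] = value


class DOMEmulator:
    """window/document/navigator for one personality, sharing one access log."""

    def __init__(self, personality):
        if personality not in PERSONALITIES:
            raise ValueError("unknown personality: %s" % personality)
        self.log = []
        navigator = EmulatedObject("navigator", PERSONALITIES[personality], self.log)
        document = EmulatedObject("document", {"cookie": "", "referrer": ""}, self.log)
        self.window = EmulatedObject(
            "window", {"navigator": navigator, "document": document}, self.log
        )

    def probed_properties(self):
        """Emulated properties the script read: its fingerprinting behaviour."""
        return sorted({(o, p) for kind, o, p, *_ in self.log if kind == "get"})

    def emulation_gaps(self):
        """Properties the script touched that the emulation lacks. Each one is a
        point where a real browser and the honeyclient diverge, i.e. a way for
        the attacker to detect the emulation."""
        return sorted({(o, p) for kind, o, p, *_ in self.log if kind == "unknown"})


def fingerprint_demo(personality="winxpie80"):
    """Stand-in for a fingerprinting script run by the JS engine: reads
    navigator.userAgent, branches on the IE version, and on IE 8 probes a
    property this emulation does not implement."""
    dom = DOMEmulator(personality)
    win = dom.window
    m = re.search(r"MSIE (\d+)\.", win.navigator.userAgent)
    major = int(m.group(1)) if m else None
    if major == 8:
        win.navigator.vendor  # not emulated here, so logged as a gap
    win.document.cookie = "tracker=1"
    return major, dom.probed_properties(), dom.emulation_gaps()
```

Two things fall out of the log: the properties a page probed (its fingerprinting behaviour) and the properties the emulation did not know, which are exactly the gaps that make low-interaction honeyclients "easy to detect"; every such gap is a candidate for the next emulation improvement.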
PhoneyC - Javascript Engine
• Based on SpiderMonkey, the Mozilla implementation of the Javascript engine
• HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs
• HoneyJS is based on python-spidermonkey
PhoneyC - Vulnerability Modules
• Python-based vulnerability modules
• Core browser functionalities
• Browser plugins
• (Mock) ActiveX controls
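An added example, not a PhoneyC module, of what a Python vulnerability module for a mock ActiveX control can look like. The control ProgIDs, method names and buffer limits below are hypothetical, and `SAMPLE_CALLS` is constructed input standing in for what the JavaScript engine would hand over when a page executes `new ActiveXObject(...)` and calls a method on the result.

```python
"""Mock ActiveX vulnerability modules for a low-interaction honeyclient.

Added example, not PhoneyC code. Each module impersonates one control and
checks the arguments a script passes to it: exploits for such controls are
mostly overlong strings or out-of-range numbers handed to one method.
ProgIDs, method names and limits are hypothetical."""

REGISTRY = {}  # lower-cased ProgID -> module class


class Session:
    """Per-URL analysis state shared by all modules during one visit."""

    def __init__(self):
        self.alerts = []  # findings for the analysis engine
        self.probes = []  # (progid, present) for every instantiation attempt


class VulnModule:
    progid = None

    def __init__(self, session):
        self.session = session

    def alert(self, method, reason, **details):
        self.session.alerts.append(
            {"control": self.progid, "method": method, "reason": reason, **details}
        )


def activex(progid):
    """Register a class as the emulation of the given ProgID."""
    def register(cls):
        cls.progid = progid
        REGISTRY[progid.lower()] = cls
        return cls
    return register


@activex("Example.MediaPlayer.1")  # hypothetical ProgID
class MockMediaPlayer(VulnModule):
    MAX_URL_LEN = 256  # assumed size of the fixed buffer the real control would use

    def OpenURL(self, url):
        # A stack overflow attempt shows up as an argument far beyond any
        # legitimate URL length; the mock never copies it anywhere.
        if not isinstance(url, str):
            self.alert("OpenURL", "non-string argument", type=type(url).__name__)
        elif len(url) > self.MAX_URL_LEN:
            self.alert("OpenURL", "overlong argument", length=len(url))
        return 0


@activex("Example.Gallery.1")  # hypothetical ProgID
class MockGallery(VulnModule):
    MAX_ITEMS = 16  # assumed capacity of the control's item array

    def SetItem(self, index, value):
        # Models an unchecked array write in the real control.
        if not isinstance(index, int) or not 0 <= index < self.MAX_ITEMS:
            self.alert("SetItem", "out-of-range index", index=index)
        return 0


def ActiveXObject(session, progid):
    """Emulates `new ActiveXObject(progid)`: returns a mock or None.

    Attempts to instantiate controls we do not emulate are recorded too,
    because exploit kits probe for installed controls before firing."""
    cls = REGISTRY.get(progid.lower())
    session.probes.append((progid, cls is not None))
    return cls(session) if cls else None


def analyze_calls(calls):
    """Replay (progid, method, args) tuples as the JS engine would deliver them."""
    session = Session()
    for progid, method, args in calls:
        obj = ActiveXObject(session, progid)
        if obj is None:
            continue
        fn = getattr(obj, method, None)
        if fn is None:
            obj.alert(method, "call to unknown method")
            continue
        fn(*args)
    return session


# Constructed input: one benign use, two exploit attempts, one probe for an
# absent control.
SAMPLE_CALLS = [
    ("Example.MediaPlayer.1", "OpenURL", ("http://example.invalid/clip.wmv",)),
    ("Example.MediaPlayer.1", "OpenURL", ("A" * 4096,)),
    ("Example.Gallery.1", "SetItem", (0x7FFFFFFF, "x")),
    ("Missing.Control.1", "Play", ()),
]
```

The probe list matters as much as the alerts: a page that tries to instantiate a dozen different controls in sequence is enumerating the victim's software, which is itself a strong signal even when no emulated method fires.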
PhoneyC - Shellcode detection and emulation
HoneyJS: "The shellcode manipulation and the spraying of the fillblock involve assignments. The shellcode will be detected immediately on its assignment if we are able to interrupt SpiderMonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes."
• Libemu integration (shellcode detection, execution and profiling)
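To make the assignment-time check concrete, here is an added Python example (not HoneyJS or PhoneyC code) of the hook such an engine would call for every assignment: the assigned string is viewed as the UTF-16LE bytes it occupies in the browser's heap and scanned for a NOP sled, and repeated hits across many variables reveal a heap spray. The thresholds are assumptions, `js_unescape` mirrors JavaScript's `unescape()`, and `heap_spray_demo` is a constructed stand-in for a spraying script whose payload bytes are placeholders, not real shellcode. Handing the payload to libemu is mentioned but not implemented.

```python
"""Shellcode detection at assignment time for an emulated JS engine.

Added example, not HoneyJS/PhoneyC code. `AssignmentMonitor.on_assign` is the
hook an engine would call whenever a variable or property receives a value.
Thresholds are assumptions."""

SLED_MIN_BYTES = 32  # assumed: shortest run of one repeated byte we call a sled


def js_unescape(s):
    """JavaScript's unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one
    byte-sized code unit; malformed escapes are left as-is, as in browsers."""
    hexdigits = "0123456789abcdefABCDEF"
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if s[i + 1:i + 2] == "u":
                part = s[i + 2:i + 6]
                if len(part) == 4 and all(c in hexdigits for c in part):
                    out.append(chr(int(part, 16)))
                    i += 6
                    continue
            else:
                part = s[i + 1:i + 3]
                if len(part) == 2 and all(c in hexdigits for c in part):
                    out.append(chr(int(part, 16)))
                    i += 3
                    continue
        out.append(s[i])
        i += 1
    return "".join(out)


def longest_run(data):
    """Return (byte, length, start) of the longest run of one repeated byte."""
    best = (None, 0, 0)
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def inspect_string(value, sled_min=SLED_MIN_BYTES):
    """Look at a JS string the way it sits in IE's heap (UTF-16LE bytes) and
    report a sled plus whatever follows it (the payload candidate), or None.
    Plain ASCII padding ("AAAA...") alternates with 0x00 bytes and is not a run."""
    raw = value.encode("utf-16-le", "surrogatepass")
    byte, run, start = longest_run(raw)
    if run < sled_min:
        return None
    return {"sled_byte": byte, "sled_len": run, "payload": raw[start + run:], "total_len": len(raw)}


class AssignmentMonitor:
    """Collects findings across all assignments of one page visit; a heap
    spray shows up as the same sled+payload assigned many times."""

    def __init__(self):
        self.assignments = 0
        self.findings = []

    def on_assign(self, name, value):
        self.assignments += 1
        if isinstance(value, str):
            hit = inspect_string(value)
            if hit:
                hit["var"] = name
                self.findings.append(hit)
                # A real honeyclient would now hand hit["payload"] to libemu for
                # execution and profiling; that step is not shown here.
        return self.findings

    def summary(self):
        return {
            "assignments": self.assignments,
            "flagged": len(self.findings),
            "distinct_payloads": len({f["payload"] for f in self.findings}),
            "sprayed_bytes": sum(f["total_len"] for f in self.findings),
            "sled_bytes": sorted({f["sled_byte"] for f in self.findings}),
        }


def heap_spray_demo(blocks=50):
    """Constructed stand-in for a heap-spray script: a 0x90 sled followed by
    placeholder bytes (not real shellcode), copied into `blocks` variables."""
    mon = AssignmentMonitor()
    shellcode = js_unescape("%u9090" * 64 + "%u4141%u4242%u4343%u4444")
    mon.on_assign("shellcode", shellcode)
    mon.on_assign("document.title", "Welcome to the page")  # benign, not flagged
    for i in range(blocks):
        mon.on_assign("mem[%d]" % i, shellcode)
    return mon.summary(), mon.findings
```

Checking the value at the moment of assignment, rather than scanning the page source, is what defeats the usual obfuscation: however the string was built (string concatenation, `unescape`, `String.fromCharCode`, decryption routines), the bytes must exist in the clear when they are stored, and that is where the hook runs.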
PhoneyC - Future Improvements
• A new and more reliable DOM (Document Object Model) emulation
• Replacing SpiderMonkey with Google V8
• Mixed static/dynamic analysis for detecting potential attacks
High-interaction Client Honeypot
• Real system
• Observe effects of attack

[Diagram (Client Honeypots): the client honeypot sends a request to a benign server and gets a normal response: no state changes detected. It sends a request to a malicious server and gets an attack in response: a new file appeared in the start-up folder.]
High-interaction strengths and weaknesses
+ No emulation necessary
+ Accurate classification (extremely low false positive rate)
+ Ability to detect zero-day attacks
+ More difficult to evade
- Misses attacks (only exploits that fire against the one installed configuration can be observed)
- "Dangerous"
- More computationally expensive
Capture-HPC (v2.5) - Functionality
• Platform Independence *
• Flexibility around client application
• Forensically ready
  • Records information at kernel level
  • Collects modified files (e.g. malware)
  • Collects network traffic (pcap)
• Maintained by the New Zealand Honeynet Project Chapter
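The high-interaction diagram a few slides up and the Capture-HPC functionality list both come down to the same mechanism: observe what changed on a real client after the visit and keep the artefacts. The added Python example below (not Capture-HPC code) shows the minimal form of that idea: snapshot a directory tree before and after a visit, diff the snapshots, discard the paths a normal browsing session is allowed to touch, and copy anything else out as evidence. The folder names, the noise list, the file `update.exe` and the `benign`/`drive_by` visit functions are all constructed for the demo.

```python
"""State-change detection for a high-interaction client honeypot.

Added example, not Capture-HPC code. Snapshots a directory tree before and
after a visit, diffs it, discards expected browser noise, and collects new or
modified files as evidence. Folder names and the noise list are assumptions."""
import hashlib
import os
import shutil
import tempfile

# Assumed: paths a normal browsing session is allowed to change.
NOISE_PREFIXES = ("Temporary Internet Files/", "Cookies/", "History/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            state[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return state


def diff_snapshots(before, after):
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def classify(changes, noise_prefixes=NOISE_PREFIXES):
    """Benign visits only touch the noise paths; anything else is a state
    change the page should not have been able to cause."""
    suspicious = {
        kind: [p for p in paths if not p.startswith(noise_prefixes)]
        for kind, paths in changes.items()
    }
    return ("malicious" if any(suspicious.values()) else "benign"), suspicious


def collect_evidence(root, rel_paths, evidence_dir):
    """Copy new/modified files out of the client before it is reverted, named
    by hash so the same dropper served from many URLs is stored once."""
    collected = []
    for rel in rel_paths:
        src = os.path.join(root, *rel.split("/"))
        if os.path.isfile(src):
            digest = sha256_file(src)
            shutil.copy2(src, os.path.join(evidence_dir, digest))
            collected.append((rel, digest))
    return collected


def visit_and_classify(root, visit, evidence_dir):
    """visit(root) stands in for driving the real browser to one URL."""
    before = snapshot(root)
    visit(root)
    verdict, suspicious = classify(diff_snapshots(before, snapshot(root)))
    evidence = collect_evidence(root, suspicious["created"] + suspicious["modified"], evidence_dir)
    return verdict, suspicious, evidence


def demo():
    """Constructed client profile: one benign visit, then a drive-by that
    drops a file into the Startup folder (the case from the slide)."""
    root, evidence_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "Temporary Internet Files"))
        os.makedirs(os.path.join(root, "Startup"))

        def benign(r):
            with open(os.path.join(r, "Temporary Internet Files", "index.htm"), "wb") as fh:
                fh.write(b"<html>hello</html>")

        def drive_by(r):
            with open(os.path.join(r, "Temporary Internet Files", "ad.js"), "wb") as fh:
                fh.write(b"// cached script, expected noise")
            with open(os.path.join(r, "Startup", "update.exe"), "wb") as fh:
                fh.write(b"MZ placeholder, not a real binary")  # constructed

        return visit_and_classify(root, benign, evidence_dir), visit_and_classify(root, drive_by, evidence_dir)
    finally:
        shutil.rmtree(root)
        shutil.rmtree(evidence_dir)
```

Capture-HPC records file, registry and process events in real time at kernel level, so it also sees transient changes a before/after snapshot misses, such as a dropper that runs and deletes itself; the snapshot above is the minimal version of the same idea. Whatever the mechanism, the exclusion list is the crux: too narrow and benign pages look malicious, too broad and a dropper written to a "noise" path goes unnoticed.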
Malware Distribution Networks
Malware Distribution Networks: Overview
• Set of web servers (network) controlled by a group of cyber criminals to distribute malware efficiently
• Specialized structures that support the specialized roles of the cyber criminals
• Malware distribution networks allow for campaigns and for temporarily renting out components of the distribution network
Malware Distribution Networks
Source: Microsoft Security Intelligence Report (http://www.microsoft.com/sir)
Malware Distribution Network
Exploit Servers
12.8% of exploit servers are responsible for 84.1% of drive-by-download pages
Source: Microsoft Security Intelligence Report (http://www.microsoft.com/sir)
Challenges and Future Work
Malware Distribution Network
Malware Distribution Networks: Fast-Flux

[Diagram: landing pages LP1 and LP2 point to redirectors R1 and R2, which in turn point to exploit servers ES1 and ES2]

• LP infected with a script that contacts twitter.com to obtain popular topics (e.g. japan)
• From a popular query of the last week, the script constructs a host name (e.g. "j" + date)
• The next day, the same LP contacts twitter.com again to obtain the popular topics (e.g. Tunisia)
• Now it constructs a different host name (e.g. "t" + date)
• The attacker registers the host names a few days in advance

[Table: host names h1 to h10 against the dates 3/19/2011 to 3/29/2011; on each day two or three of the ten names are live, and the live set moves to newer names as the days advance]
Evasion Techniques
• Technology Differences (Browser vs Honeyclient)
• Human vs Machine Interaction
• Decrease visibility
The Threats

Threat classes seen by client honeypots, grouped in the original figure by the property they violate (Confidentiality, Integrity, Availability):
• Drive-by-downloads
• Cookie, history, file, and clipboard stealing
• Network scanners
• Phishing
• Crashes
• Popup floods
• Network floods / puppetnets
• Web spam / junk pages
• Cross-X attacks
• Hosting of malware
• Drive-by-pharming
• Social engineering
References
• Jose Nazario, "PhoneyC: A Virtual Client Honeypot", LEET 2009
• The Honeynet Project, "Know Your Enemy: Malicious Web Servers", http://www.honeynet.org/papers
• Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, "ARROW: Generating Signatures to Detect Drive-By Downloads", Proceedings of the WWW Conference, Hyderabad, India, 2011
• Microsoft, Security Intelligence Report, http://www.microsoft.com/sir
Thanks for the attention
Questions?
Christian Seifert <[email protected]>
Angelo Dell'Aera <[email protected]>
http://code.google.com/p/phoneyc/
https://projects.honeynet.org/capture-hpc