Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller February 27, 2007


Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis/Future Work

Internet Attacks
- Exploit a vulnerability in the user's web browser
- Install malicious code on the machine
- No user interaction required
- VM-based honeypots are used to detect these attacks

HoneyMonkeys
- VMs running OSes at various patch levels
- Mimic human web browsing
- Use Strider Tracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites

HoneyMonkeys
[Figure: HoneyMonkey VMs OS1, OS2 and OS3, at different patch levels, visiting a site that serves malcode]

Browser vulnerabilities
Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings of encoded characters such as "%28" or "&#104;"
- Decoded at run time by a script function or by the browser itself
- Escapes signature-based anti-virus scanning of the page

Browser vulnerabilities
URL Redirection
- Protocol redirection using an HTTP 302 temporary redirect
- HTML tags inside <frameset>
- Script functions: window.location.replace() or window.open()
- Redirection is common on non-malicious sites as well
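The two slides above describe what a scanner sees on an exploit page: encoded strings that only turn into markup once a script function or the browser decodes them, plus several redirect mechanisms. The following added example (written for this page; it is not code from the HoneyMonkey project) shows a static pass a practitioner would run before or alongside a honeypot visit: it decodes layered unescape()/percent-encoding and HTML character references until a fixed point, treats document.write() output as page content, and then lists the redirect targets. The sample page, the host names (redirector.example and friends) and the quoting rule for decoded literals are constructed assumptions for the example; an HTTP 302 hop is read from the response headers rather than the body, so it is handled by a separate function.

```python
import html
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample page (not a real site) exercising the techniques on the
# slides: a document.write() whose argument is a percent-encoded string decoded
# by unescape(), a <frameset> whose frame src uses &#NNN; character references,
# and a script redirect via window.location.replace().
SAMPLE_PAGE = """<html><body>
<script>
document.write(unescape("%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%27http://redirector.example/hop%27%29%3C%2F%73%63%72%69%70%74%3E"));
</script>
<frameset rows="100%,*">
  <frame src="&#104;&#116;&#116;&#112;://frame.example/x.html">
</frameset>
<script>window.location.replace("http://final.example/exploit.html");</script>
</body></html>"""

PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")        # long runs of %xx
CHARREF_RUN = re.compile(r"(?:&#x?[0-9A-Fa-f]+;){4,}")   # runs of &#NNN; refs
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
DOC_WRITE = re.compile(r"""document\.write\(\s*(["'])(.*?)\1\s*\)""", re.S)

# Client-side redirect forms named on the slide; the target URL is group 2.
REDIRECT_PATTERNS = [
    ("location.replace", re.compile(r"""(?:window\.)?location\.replace\(\s*(["'])(.*?)\1""")),
    ("window.open", re.compile(r"""window\.open\(\s*(["'])(.*?)\1""")),
    ("frame src", re.compile(r"""<i?frame\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1""", re.I)),
]


def looks_obfuscated(page: str) -> bool:
    """Cheap triage for the 'unreadable, long strings' symptom on the slide."""
    return bool(PCT_RUN.search(page) or CHARREF_RUN.search(page))


def decode_layer(text: str) -> str:
    """One decoding pass: each unescape("...") call is replaced by its decoded
    literal (re-quoted with the original quote character; this assumes the
    decoded text does not contain that character), then HTML character
    references are resolved the way the browser would."""
    text = UNESCAPE_CALL.sub(lambda m: m.group(1) + unquote(m.group(2)) + m.group(1), text)
    return html.unescape(text)


def deobfuscate(page: str, max_rounds: int = 8) -> str:
    """Decode repeatedly until nothing changes, since encodings are often layered."""
    for _ in range(max_rounds):
        decoded = decode_layer(page)
        if decoded == page:
            break
        page = decoded
    return page


def inline_document_write(text: str) -> str:
    """Treat markup injected via document.write("...") as part of the page."""
    return DOC_WRITE.sub(lambda m: m.group(2), text)


def extract_redirects(page: str) -> List[Tuple[str, str]]:
    """Return (mechanism, target URL) pairs for every client-side redirect found."""
    found: List[Tuple[str, str]] = []
    for label, pattern in REDIRECT_PATTERNS:
        for m in pattern.finditer(page):
            found.append((label, m.group(2)))
    return found


def http_redirect_target(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Server-side hop (HTTP 301/302/303/307/308): the target lives in the
    response headers, not in the body, so it is recorded from the response."""
    if status in (301, 302, 303, 307, 308):
        for name, value in headers.items():
            if name.lower() == "location":
                return value
    return None


def analyze_page(page: str) -> List[Tuple[str, str]]:
    """Full pass: decode, inline injected markup, then list redirect targets."""
    decoded = inline_document_write(deobfuscate(page))
    return extract_redirects(decoded)


if __name__ == "__main__":
    print("obfuscated:", looks_obfuscated(SAMPLE_PAGE))
    for mechanism, url in analyze_page(SAMPLE_PAGE):
        print(f"{mechanism:18} -> {url}")
    print("302 hop ->", http_redirect_target(302, {"Location": "http://hop.example/next"}))
```

Run against the raw page, extract_redirects() sees only the location.replace() call and the still-encoded frame target; the window.open() hop is invisible until the unescape() argument is decoded and the document.write() content is inlined, which is exactly why a scanner that matches signatures on the raw page misses it.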

Browser vulnerabilities
Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders: download other programs
- Trojan droppers: install (drop) other malware files they carry
- Trojan proxies: redirect network traffic
- Spyware programs

HoneyMonkey System
- Attempts to automatically detect and analyze web sites that exploit web browsers
- 3-stage pipeline of virtual machines
  Stage 1: scalable mode
  Stage 2: recursive redirection analysis
  Stage 3: scan with fully patched VMs

HoneyMonkey: Stage 1
- Visit N URLs simultaneously in one VM
- If an exploit is detected, re-visit each URL individually until the exploit URL is found
[Figure: one VM visits U1-U6 together; a second VM re-visits U2 and U3 individually]

HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
[Figure: VMs re-scan U2 and U3 and follow their redirections to U9 and U10]

HoneyMonkey: Stage 3
- Re-scan exploit URLs using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
[Figure: fully patched VMs re-scan U2, U3, U9 and U10]

HoneyMonkey Flowchart
- Scans up to 500-700 URLs per day
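The three stages above are a pipeline whose cost is dominated by VM visits, and the point of stage 1 is group testing: N URLs share one VM and only a batch that trips detection is re-visited one URL at a time. The following added example (written for this page; not the HoneyMonkey project's code) simulates the pipeline on the U1-U10 labels from the figures. The redirect map and the per-patch-level "which pages exploit" table are constructed stand-ins for the web and for the persistent-state detector; visit_in_vm() follows redirects and reports detection exactly as a VM visit would, and the three stage functions are built only on that call.

```python
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the web (no network): each URL maps to the URLs it
# redirects to. U2 and U3 are redirectors; U9 and U10 are the pages that do
# the exploiting. Labels mirror the slide figures and are not real sites.
REDIRECTS: Dict[str, List[str]] = {
    "U1": [], "U2": ["U9"], "U3": ["U10"], "U4": [], "U5": [], "U6": [],
    "U9": [], "U10": [],
}

# Constructed ground truth for the simulated browser: which pages change
# persistent state on a VM at a given patch level. U9 is the one that still
# fires on a fully patched VM, i.e. what stage 3 is looking for.
EXPLOITS_BY_PATCH: Dict[str, Set[str]] = {
    "unpatched": {"U9", "U10"},
    "fully-patched": {"U9"},
}


def visit_in_vm(urls: List[str], patch_level: str) -> Tuple[bool, Set[str]]:
    """Open all of `urls` in one VM, following every redirect, and report
    (exploit detected?, every page reached). Detection is simply whether any
    reached page changes persistent state at this patch level."""
    reached: Set[str] = set()
    stack = list(urls)
    while stack:
        url = stack.pop()
        if url in reached:
            continue
        reached.add(url)
        stack.extend(REDIRECTS.get(url, []))
    return bool(reached & EXPLOITS_BY_PATCH[patch_level]), reached


def stage1(urls: List[str], batch_size: int, patch_level: str = "unpatched") -> Tuple[List[str], int]:
    """Scalable mode: N URLs per VM; only a batch that trips detection is
    re-visited URL by URL. Returns (exploit URLs, number of VM visits used)."""
    exploit_urls: List[str] = []
    vm_visits = 0
    for i in range(0, len(urls), batch_size):
        batch = urls[i:i + batch_size]
        vm_visits += 1
        exploited, _ = visit_in_vm(batch, patch_level)
        if not exploited:
            continue
        for url in batch:                      # pin down the culprit(s)
            vm_visits += 1
            if visit_in_vm([url], patch_level)[0]:
                exploit_urls.append(url)
    return exploit_urls, vm_visits


def stage2(exploit_urls: List[str], patch_level: str = "unpatched") -> Tuple[Set[Tuple[str, str]], Set[str]]:
    """Recursive redirection analysis: re-scan each exploit URL, record every
    redirect edge (the topology graph), and re-visit each reached page alone to
    find the exploit providers, i.e. pages that exploit without redirecting."""
    edges: Set[Tuple[str, str]] = set()
    providers: Set[str] = set()
    for url in exploit_urls:
        _, reached = visit_in_vm([url], patch_level)
        for page in reached:
            for target in REDIRECTS.get(page, []):
                edges.add((page, target))
            exploited, _ = visit_in_vm([page], patch_level)
            if exploited and not REDIRECTS.get(page):
                providers.add(page)
    return edges, providers


def stage3(exploit_urls: List[str]) -> List[str]:
    """Re-scan on fully patched VMs: whatever still exploits is hitting a
    vulnerability the latest patches do not close."""
    return [url for url in exploit_urls if visit_in_vm([url], "fully-patched")[0]]


if __name__ == "__main__":
    found, visits = stage1(["U1", "U2", "U3", "U4", "U5", "U6"], batch_size=3)
    edges, providers = stage2(found)
    print("stage 1:", found, "in", visits, "VM visits")
    print("stage 2 edges:", sorted(edges), "providers:", sorted(providers))
    print("stage 3 still exploiting fully patched:", stage3(found))
```

With a batch size of 3 the six URLs cost five VM visits (two batches plus three individual re-visits of the dirty batch); with a batch size of 1 they cost eight. The saving grows with the fraction of clean URLs, which is the normal case for a large input list.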

Web Site Visits
- Monkey program launches the URL
- Waits 2 minutes to allow all malicious code to download
- Detects persistent-state changes: new registry entries and .exe files
- Allows uniform detection of known-vulnerability attacks and zero-day exploits

HoneyMonkey Report
- Generates an XML report at the end of each visit:
  .exe files created or modified
  Processes created
  Registry entries created or modified
  Vulnerability exploited
  Redirect-URLs visited
- Monkey Controller cleans up the infected machine state
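The detection rule on the two slides above is deliberately simple: a visit is an exploit if the browser session leaves behind executables or registry entries it had no business creating, regardless of which vulnerability was used. The following added example (written for this page; not the HoneyMonkey or Strider Tracer code) diffs a before/after snapshot of the VM and serializes the fields the report slide lists. The snapshots, the path and key names, the "monkey" user, and the rule that writes under the browser's own cache folder do not count are all constructed assumptions; identifying which vulnerability was exploited is outside what a state diff can tell and is not simulated.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Where the browser itself is expected to write; changes under it are cache,
# not an installation. Assumed XP-era path layout for the example.
BROWSER_CACHE_PREFIX = "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\"

# Constructed snapshots standing in for the Strider Tracer record.
# files: path -> content hash; registry: value name -> data; processes: set.
BEFORE = {
    "files": {
        "C:\\WINDOWS\\explorer.exe": "h-explorer-1",
        "C:\\WINDOWS\\notepad.exe": "h-notepad-1",
    },
    "registry": {
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon": "ctfmon.exe",
        "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page": "about:blank",
    },
    "processes": {"explorer.exe", "iexplore.exe"},
}

AFTER_INFECTED = {
    "files": {
        "C:\\WINDOWS\\explorer.exe": "h-explorer-1",
        "C:\\WINDOWS\\notepad.exe": "h-notepad-2",                # modified
        "C:\\WINDOWS\\Temp\\dropper.exe": "h-dropper",            # created
        BROWSER_CACHE_PREFIX + "page[1].htm": "h-cache",          # browser's own
    },
    "registry": {
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon": "ctfmon.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\dropper": "C:\\WINDOWS\\Temp\\dropper.exe",
        "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page": "http://hijack.example/",
    },
    "processes": {"explorer.exe", "iexplore.exe", "dropper.exe"},
}

# A clean visit only adds a cached page.
AFTER_CLEAN = {
    "files": dict(BEFORE["files"], **{BROWSER_CACHE_PREFIX + "page[1].htm": "h-cache"}),
    "registry": dict(BEFORE["registry"]),
    "processes": set(BEFORE["processes"]),
}


def _changed(before: Dict[str, str], after: Dict[str, str]) -> Tuple[List[str], List[str]]:
    created = sorted(k for k in after if k not in before)
    modified = sorted(k for k in after if k in before and after[k] != before[k])
    return created, modified


def diff_state(before: dict, after: dict) -> Dict[str, List[str]]:
    """Persistent-state diff of one visit: executables created or modified
    outside the browser cache, registry values created or modified, and new
    processes. Everything is sorted so reports are stable across runs."""
    f_created, f_modified = _changed(before["files"], after["files"])
    r_created, r_modified = _changed(before["registry"], after["registry"])

    def exes(paths: List[str]) -> List[str]:
        return [p for p in paths
                if p.lower().endswith(".exe") and not p.startswith(BROWSER_CACHE_PREFIX)]

    return {
        "exe_created": exes(f_created),
        "exe_modified": exes(f_modified),
        "registry_created": r_created,
        "registry_modified": r_modified,
        "processes_created": sorted(after["processes"] - before["processes"]),
    }


def is_exploit(diff: Dict[str, List[str]]) -> bool:
    """An exploit is any executable or registry change left behind by the visit;
    a new process is reported but is not sufficient on its own."""
    return any(diff[k] for k in ("exe_created", "exe_modified", "registry_created", "registry_modified"))


def build_report(url: str, redirect_urls: List[str], diff: Dict[str, List[str]]) -> str:
    """Serialize the per-visit XML report (element names are this example's own)."""
    root = ET.Element("HoneyMonkeyReport", url=url, exploit=str(is_exploit(diff)).lower())
    for section, items in diff.items():
        node = ET.SubElement(root, section)
        for item in items:
            ET.SubElement(node, "item").text = item
    redirects = ET.SubElement(root, "redirect_urls")
    for target in redirect_urls:
        ET.SubElement(redirects, "url").text = target
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    diff = diff_state(BEFORE, AFTER_INFECTED)
    print(build_report("http://lyrics.example/a.html", ["http://exploit.example/x1.html"], diff))
    print("clean visit flagged:", is_exploit(diff_state(BEFORE, AFTER_CLEAN)))
```

Because the rule looks only at what persisted, it is the same for a known vulnerability and for one nobody has a signature for yet, which is the "uniform detection" property the visit slide claims; the flip side, also noted later under weaknesses, is that an exploit that changes nothing persistent within the wait window is invisible to it.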

Web Site Redirection
[Figure: URL1 redirects to URL2, which redirects to URL3; data is collected at each hop]

Input URL Lists
- Suspicious URLs: known to host spyware or malware, or links appearing in phishing or spam messages
- Most popular web sites: top 100,000 by browser traffic ranking
- Local URLs: organizations that want to verify their own web pages have not been compromised

Output URL Data
- Exploit URLs: measure the risk of visiting similar web sites
- Topology graphs: several URLs were shut down; provide leads for anti-spyware research
- Zero-day exploits: monitor URL "upgrades" (a known exploit URL switching to a newer exploit)

Experimental Results
- Collected 16,000+ URLs from:
  Web searches for "known-bad" web sites
  Web searches for Windows "hosts" files
  Depth-2 crawling of the previous URLs
- 207/16,190 = 1.28% of the scanned URLs were exploit URLs

Experimental Results
- All tests were done using Internet Explorer 6 (IEv6)

Topology Graphs
- 17 exploit URLs for SP2-PP (Windows XP SP2, partially patched)
- Most powerful exploit pages

Site Ranking
- Key role in the anti-exploit process: determines how to allocate resources for
  Monitoring URLs
  Investigating URLs
  Blocking URLs
  Legal action against hosting sites

Site Ranking
- Two types of site ranking, based on:
  Connection counts: links from URLs to other malicious URLs
  Number of hosted exploit-URLs: web sites with a large internal page hierarchy, including transient URLs with random strings

Site Ranking
[Figure: ranking based on connection counts]

Site Ranking
[Figure: ranking based on number of exploit-URLs hosted]
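The two rankings shown in the figures above are both computed from the stage-2 topology graph. The following added example (written for this page; not the HoneyMonkey project's code) implements them over a constructed graph: ranking by connection counts scores a site by how many distinct other sites it redirects into or receives from, and ranking by hosted exploit URLs counts distinct exploit pages per site. The host names and edges are invented; the query-string collapsing used to deal with the slide's "transient URLs with random strings" is an assumption that the random token carries no routing, which a practitioner should confirm per site before relying on it.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stage-2 topology: (source URL, URL it redirects to). Hosts are
# invented. The redirector and one exploit site use per-visit random tokens.
EDGES: List[Tuple[str, str]] = [
    ("http://lyrics.example/a.html", "http://redir.example/r?id=a91f"),
    ("http://lyrics.example/b.html", "http://redir.example/r?id=7c20"),
    ("http://cheats.example/page1.htm", "http://redir.example/r?id=a91f"),
    ("http://wallpaper.example/w.htm", "http://exploit.example/x1.html"),
    ("http://redir.example/r?id=a91f", "http://exploit.example/x1.html"),
    ("http://redir.example/r?id=7c20", "http://exploit.example/x2.html"),
    ("http://redir.example/r?id=7c20", "http://exploit2.example/e.html?s=3f9a"),
]

# Exploit-provider URLs identified in stage 2 (pages that exploit without
# redirecting). exploit2.example serves one page under two transient URLs.
EXPLOIT_URLS: Set[str] = {
    "http://exploit.example/x1.html",
    "http://exploit.example/x2.html",
    "http://exploit2.example/e.html?s=3f9a",
    "http://exploit2.example/e.html?s=b7c1",
}


def site_of(url: str) -> str:
    return urlsplit(url).netloc.lower()


def canonical(url: str) -> str:
    """Drop the query string so transient URLs that differ only in a random
    token count as one page (assumption: the token does not select content)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def rank_by_connections(edges: List[Tuple[str, str]], direction: str = "in") -> List[Tuple[str, int]]:
    """Site ranking 1: number of distinct other sites a site is connected to.
    'in' counts sites redirecting into it (exploit providers and redirectors
    score high); 'out' counts sites it redirects to (content providers, hubs).
    Intra-site hops are ignored so a deep page hierarchy does not inflate it."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in edges:
        s, d = site_of(src), site_of(dst)
        if s == d:
            continue
        if direction == "in":
            peers[d].add(s)
        else:
            peers[s].add(d)
    return sorted(((site, len(p)) for site, p in peers.items()), key=lambda x: (-x[1], x[0]))


def rank_by_hosted_exploit_urls(exploit_urls: Set[str], collapse_transient: bool = True) -> List[Tuple[str, int]]:
    """Site ranking 2: how many distinct exploit URLs each site hosts."""
    hosted: Dict[str, Set[str]] = defaultdict(set)
    for url in exploit_urls:
        hosted[site_of(url)].add(canonical(url) if collapse_transient else url)
    return sorted(((site, len(u)) for site, u in hosted.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print("in-connections :", rank_by_connections(EDGES, "in"))
    print("out-connections:", rank_by_connections(EDGES, "out"))
    print("hosted exploits:", rank_by_hosted_exploit_urls(EXPLOIT_URLS))
    print("  (raw URLs)   :", rank_by_hosted_exploit_urls(EXPLOIT_URLS, collapse_transient=False))
```

On this graph the redirector and the main exploit site tie on in-connections, which is the pattern the slides describe: a redirector with many inbound content providers is as valuable a blocking target as the page that actually carries the exploit. Without collapsing, exploit2.example is credited with two exploit URLs for what is one page, which is how random-token URLs distort the second ranking.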

Effective Monitoring
- Easy-to-find exploit URLs are useful for detecting zero-day exploits
- Content providers with well-known URLs must maintain those URLs to keep their traffic high
- Highly ranked URLs are more likely to upgrade their exploits


Scanning Popular URLs

HoneyMonkey Evasion
- Target IP addresses: blacklist the IP addresses of HoneyMonkey machines
- Determine whether a human is present: create a cookie to suppress future visits, or use a one-time dialog pop-up box as a human-presence test
- Detect the VM or the HoneyMonkey code: test for a fully virtualizable machine; becomes less effective as VM use becomes more common

Bad Web Site Rankings
Categories of sites most often found hosting exploits:
- Celebrity info
- Song lyrics
- Wallpapers
- Video game cheats
- Wrestling

Related Work
- Email quarantine: intercepts every incoming message
- Shadow honeypots: divert suspicious traffic to a shadow version of the service; detect potential attacks and filter out false positives
- Honeyclient: tries to identify browser-based attacks

Strengths
- HoneyMonkey detects most trojans, backdoor functions and spyware programs
- Uniform detection of exploits: known-vulnerability attacks and zero-day exploits
- Generates an XML report for each visit

Weaknesses
- Takes time to clean the infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey waits only 2 minutes per URL, so a web page can delay its exploit past the window

Improvements
- Run HoneyMonkey with random wait times to combat delayed exploits
- Randomize the HoneyMonkey's browsing behaviour
- Vulnerability-Specific Exploit Detector (VSED): insert breakpoints in the vulnerable code and stop execution before potentially malicious code runs


Questions?
