Automated Web Patrol with Strider HoneyMonkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski
Microsoft Research, Redmond
Justin Miller, February 27, 2007
2
Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis / Future Work
3
Internet Attacks
- Exploit a vulnerability in the user's web browser
- Install malicious code on the machine; no user interaction is required later
- VM-based honeypots are used to detect these attacks
4
HoneyMonkeys
- OSes at various patch levels
- Mimic human web browsing
- Use StriderTracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites
6
Browser vulnerabilities
Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings with encoded characters such as “%28” or “h”
- Decoded by a script function or by the browser
- Escapes anti-virus software
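The obfuscation pattern above (document.write() fed from long strings of encoded characters that only become readable once a script function or the browser decodes them) can be flagged statically from the defender's side. The following is an added example, not code from the paper or the presentation: a small heuristic scanner over page HTML. The regexes, the thresholds (64 characters, 30% encoded) and the sample page are all assumptions made here; the sample's encoded string decodes to harmless markup.

```python
"""Flag script blocks that build code from long encoded strings.

Added example, not from the HoneyMonkey paper or this presentation: a
defensive static heuristic over page HTML. Thresholds, regexes and the
sample page are assumptions; real pages need tuning and, since attackers
stack encodings, a loop that re-scans each decoded layer.
"""
import html
import re
from typing import Dict, List
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"""(['"])(.*?)\1""", re.S)
# One encoded character in any common notation: %28, &#104;, \x28, \u0028
ENCODED_RE = re.compile(
    r"%[0-9A-Fa-f]{2}|&#x?[0-9A-Fa-f]+;|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}"
)


def encoded_ratio(s: str) -> float:
    """Fraction of the string taken up by encoded-character sequences."""
    if not s:
        return 0.0
    return sum(len(m) for m in ENCODED_RE.findall(s)) / len(s)


def decode_one_layer(s: str) -> str:
    """Undo one layer of %XX and &#NNN; encoding, as unescape()/the browser would."""
    return html.unescape(unquote(s))


def scan_page(page: str, min_len: int = 64, min_ratio: float = 0.3) -> List[Dict]:
    """Return one finding per long, mostly-encoded string literal found inside
    a <script> block, noting whether that block also calls document.write."""
    findings: List[Dict] = []
    for block in SCRIPT_RE.finditer(page):
        body = block.group(1)
        writes = "document.write" in body
        for lit in STRING_RE.finditer(body):
            text = lit.group(2)
            ratio = encoded_ratio(text)
            if len(text) >= min_len and ratio >= min_ratio:
                findings.append({
                    "uses_document_write": writes,
                    "length": len(text),
                    "ratio": round(ratio, 2),
                    "decoded_preview": decode_one_layer(text)[:40],
                })
    return findings


# Constructed sample: one benign script and one that decodes a long
# percent-encoded string (harmless markup here) and writes it into the page.
ENCODED = "%3Cp%3EDecoded%20content%3C%2Fp%3E" * 2
SAMPLE_PAGE = f"""<html><body>
<script>var greeting = "hello"; document.getElementById("x").innerText = greeting;</script>
<script>document.write(unescape("{ENCODED}"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

The decoded preview is what lets an analyst see, without executing anything, that a string of "%3C" and "%3E" sequences is really markup being injected at load time.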
7
Browser vulnerabilities
URL Redirection
- Protocol redirection using an HTTP 302 temporary redirect
- HTML tags inside <frameset>
- Script functions such as window.location.replace() or window.open()
- Redirection is common in non-malicious sites
8
Browser vulnerabilities
Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders – download other programs
- Trojan droppers – delete (drop) files
- Trojan proxies – redirect network traffic
- Spyware programs
9
HoneyMonkey System
Attempts to automatically detect and analyze web sites that exploit web browsers
3-stage pipeline of virtual machines:
- Stage 1: scalable mode
- Stage 2: recursive redirection analysis
- Stage 3: scan with fully patched VMs
10
HoneyMonkey: Stage 1
- Visit N URLs simultaneously
- If an exploit is detected, re-visit each one individually until the exploit URL is found
[Diagram: VM 1 visits U1 U2 U3, VM 2 visits U4 U5 U6; U2 and U3 are re-visited individually]
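The Stage 1 scalable mode described above, as an added worked example that is not code from the paper or the presentation: N URLs are visited together, and only a batch that trips the detector is re-visited one URL at a time. The detector here is a constructed stand-in for a VM visit plus persistent-state check; the URL list and the set of "exploit" URLs are constructed to mirror the slide's diagram.

```python
"""Stage 1 batch scan: visit N URLs together, narrow down only on detection.

Added example, not the HoneyMonkey implementation. The detector is a
constructed function over constructed URLs; in the real system a visit
means loading the URLs in a VM and checking for persistent-state changes.
"""
from typing import Callable, List, Set

# A visit takes a batch of URLs and reports whether an exploit was observed.
Detector = Callable[[List[str]], bool]


def find_exploit_urls(urls: List[str], visit: Detector, batch_size: int = 3) -> List[str]:
    """Scan `urls` in batches of `batch_size`. A clean batch clears all of its
    URLs at once; a batch that trips the detector is re-visited one URL at a
    time so the responsible URL(s) are isolated."""
    found: List[str] = []
    for start in range(0, len(urls), batch_size):
        batch = urls[start:start + batch_size]
        if not visit(batch):
            continue  # whole batch clean: no per-URL work needed
        for url in batch:
            if visit([url]):
                found.append(url)
    return found


def make_simulated_visit(exploit_urls: Set[str], log: List[List[str]]) -> Detector:
    """Constructed stand-in for a VM visit: the batch 'exploits' the VM if any
    URL in it is in the constructed exploit set. Every visit is logged so the
    cost of the batching strategy can be counted."""
    def visit(batch: List[str]) -> bool:
        log.append(list(batch))
        return any(u in exploit_urls for u in batch)
    return visit


# Constructed inputs mirroring the slide: U1..U6, with U2 and U3 as exploit URLs.
SAMPLE_URLS = [f"http://example.invalid/u{i}" for i in range(1, 7)]
SAMPLE_BAD = {SAMPLE_URLS[1], SAMPLE_URLS[2]}


def demo():
    """Run the batch scan over the constructed inputs; returns (exploit URLs, visit count)."""
    log: List[List[str]] = []
    found = find_exploit_urls(SAMPLE_URLS, make_simulated_visit(SAMPLE_BAD, log), batch_size=3)
    return found, len(log)


if __name__ == "__main__":
    found, visits = demo()
    print("exploit URLs:", found)
    print("VM visits used:", visits, "instead of", len(SAMPLE_URLS))
```

With the constructed inputs the first batch trips the detector and costs three extra single-URL visits, while the second batch is cleared in one visit: five visits in total instead of six. The saving grows with the share of clean URLs, which is why the scalable mode is the first stage.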
11
HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
[Diagram: U2 and U3 are re-scanned; redirection analysis adds U9 and U10]
12
HoneyMonkey: Stage 3
- Re-scan exploit URLs
- Scan using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
[Diagram: fully patched VMs scan U2, U3, U9, U10; U2 and U9 are shown as the output]
14
Web Site Visits
- Monkey program launches the URL
- Wait 2 minutes to allow all malicious code to download
- Detect persistent-state changes: new registry entries and .exe files
- Allows uniform detection of:
  - Known vulnerability attacks
  - Zero-day exploits
15
HoneyMonkey Report
Generates an XML report at the end of each visit:
- .exe files created or modified
- Processes created
- Registry entries created or modified
- Vulnerability exploited
- Redirect-URLs visited
Monkey Controller cleans up the infected machine state
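The visit procedure and the report described in the two slides above, as an added worked example that is not the HoneyMonkey or StriderTracer implementation: two snapshots of persistent state (files, registry, processes) are compared, any change is treated as an exploit regardless of which vulnerability was used, and the differences are written out as an XML report. The snapshots, paths and registry values are constructed inline; in the real system they would be taken from the VM before and after the 2-minute visit.

```python
"""Persistent-state diff after a monkey visit, and the per-visit XML report.

Added example, not the HoneyMonkey/StriderTracer code. Snapshots are
constructed inline as plain dicts and sets standing in for the VM state
before and after the visit.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Snapshot:
    files: Dict[str, str]       # path -> content hash
    registry: Dict[str, str]    # "key\\value" -> data
    processes: Set[str]         # running process image names


@dataclass
class VisitReport:
    url: str
    redirects: List[str] = field(default_factory=list)
    exe_created: List[str] = field(default_factory=list)
    exe_modified: List[str] = field(default_factory=list)
    processes_created: List[str] = field(default_factory=list)
    registry_created: List[str] = field(default_factory=list)
    registry_modified: List[str] = field(default_factory=list)


def diff_state(url: str, redirects: List[str], before: Snapshot, after: Snapshot) -> VisitReport:
    """Record only the change classes the slide lists: .exe files, processes
    and registry entries that were created or modified during the visit."""
    r = VisitReport(url=url, redirects=list(redirects))
    for path, digest in after.files.items():
        if not path.lower().endswith(".exe"):
            continue
        if path not in before.files:
            r.exe_created.append(path)
        elif before.files[path] != digest:
            r.exe_modified.append(path)
    r.processes_created = sorted(after.processes - before.processes)
    for key, data in after.registry.items():
        if key not in before.registry:
            r.registry_created.append(key)
        elif before.registry[key] != data:
            r.registry_modified.append(key)
    return r


def is_exploit(r: VisitReport) -> bool:
    """Uniform detection: a browser visit should leave no persistent state
    behind, so any .exe or registry change is an exploit, known or zero-day."""
    return bool(r.exe_created or r.exe_modified or r.registry_created or r.registry_modified)


def report_xml(r: VisitReport) -> str:
    """Serialize the report as XML; element names are this example's own."""
    root = ET.Element("visit", url=r.url, exploit=str(is_exploit(r)).lower())
    for name, tag, items in (
        ("redirect_urls", "url", r.redirects),
        ("exe_created", "file", r.exe_created),
        ("exe_modified", "file", r.exe_modified),
        ("processes_created", "process", r.processes_created),
        ("registry_created", "entry", r.registry_created),
        ("registry_modified", "entry", r.registry_modified),
    ):
        section = ET.SubElement(root, name)
        for item in items:
            ET.SubElement(section, tag).text = item
    return ET.tostring(root, encoding="unicode")


# Constructed snapshots: the visit drops a new .exe, modifies one, starts a
# process and adds a Run-key entry (a real autostart key; the value is made up).
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_BEFORE = Snapshot(
    files={"C:\\Windows\\explorer.exe": "h1", "C:\\Windows\\notepad.exe": "h2"},
    registry={RUN_KEY + "\\Sound": "sndvol.exe"},
    processes={"explorer.exe", "iexplore.exe"},
)
SAMPLE_AFTER = Snapshot(
    files={"C:\\Windows\\explorer.exe": "h1", "C:\\Windows\\notepad.exe": "h2b",
           "C:\\Windows\\Temp\\dropper.exe": "h3"},
    registry={RUN_KEY + "\\Sound": "sndvol.exe",
              RUN_KEY + "\\Updater": "C:\\Windows\\Temp\\dropper.exe"},
    processes={"explorer.exe", "iexplore.exe", "dropper.exe"},
)


def demo_report() -> VisitReport:
    return diff_state("http://example.invalid/landing", ["http://example.invalid/r1"],
                      SAMPLE_BEFORE, SAMPLE_AFTER)


if __name__ == "__main__":
    print(report_xml(demo_report()))
```

Because the check is a state diff rather than a signature match, the same code flags a zero-day exploit and a known one alike; the weakness the later slides discuss follows directly from this design, since an exploit that leaves no persistent change inside the 2-minute window produces an empty diff.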
17
Input URL Lists
- Suspicious URLs: known to host spyware or malware; links appearing in phishing or spam messages
- Most popular web sites: top 100,000 by browser traffic ranking
- Local URLs: organizations want to verify that their web pages have not been compromised
18
Output URL Data
- Exploit URLs: measure the risk of visiting similar web sites
- Topology graphs: several URLs shut down; provide leads for anti-spyware research
- Zero-day exploits: monitors URL “upgrades”
19
Experimental Results
Collected 16,000+ URLs from:
- Web search of “known-bad” web sites
- Web search for Windows “hosts” files
- Depth-2 crawling of the previous URLs
207 / 16,190 = 1.28% of web sites
22
Site Ranking
Key role in the anti-exploit process: determines how to allocate resources for
- Monitoring URLs
- Investigation of URLs
- Blocking URLs
- Legal actions against host sites
23
Site Ranking
2 types of site ranking, based on:
- Connection counts: links from URLs to other malicious URLs
- Number of hosted exploit-URLs: web sites with an important internal page hierarchy; includes transient URLs with random strings
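The redirection topology from the browser-vulnerability slides and Stage 2 feeds both rankings on this slide. The following is an added worked example, not code from the paper: it builds the topology graph from recorded redirect edges, then ranks exploit-hosting sites by connection count (how many distinct other sites lead into them through redirect chains) and by the number of distinct exploit URLs each site hosts, transient random-string URLs counted separately. The edges, host names and exploit-URL set are constructed inline.

```python
"""Redirect topology graph and the two site rankings from the slides.

Added example, not the paper's code. The redirect edges and the exploit-URL
set are constructed, standing in for what Stage 2 recursive redirection
analysis would record for real visits.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

Edge = Tuple[str, str]  # (page that redirected, page it redirected to)


def site_of(url: str) -> str:
    return urlsplit(url).netloc.lower()


def build_reverse_graph(edges: Iterable[Edge]) -> Dict[str, Set[str]]:
    """Map each URL to the set of URLs that redirect directly to it."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in edges:
        rev[dst].add(src)
    return rev


def upstream_sites(rev: Dict[str, Set[str]], target: str) -> Set[str]:
    """All sites from which `target` is reachable through redirect chains
    (302, frames, scripts alike), excluding the target's own site so that
    internal hops within one site are not counted as connections."""
    seen: Set[str] = set()
    sites: Set[str] = set()
    stack = [target]
    while stack:
        node = stack.pop()
        for parent in rev.get(node, ()):
            if parent in seen:
                continue
            seen.add(parent)
            stack.append(parent)
            if site_of(parent) != site_of(target):
                sites.add(site_of(parent))
    return sites


def rank_by_connections(edges: Iterable[Edge], exploit_urls: Set[str]) -> List[Tuple[int, str]]:
    """Connection count per exploit-hosting site: distinct other sites that
    feed traffic into any exploit URL it hosts. Highest first."""
    rev = build_reverse_graph(edges)
    per_site: Dict[str, Set[str]] = defaultdict(set)
    for url in exploit_urls:
        per_site[site_of(url)] |= upstream_sites(rev, url)
    return sorted(((len(s), site) for site, s in per_site.items()), reverse=True)


def rank_by_hosted_exploits(exploit_urls: Set[str]) -> List[Tuple[int, str]]:
    """Number of distinct exploit URLs hosted per site (transient URLs with
    random strings count as separate URLs). Highest first."""
    per_site: Dict[str, Set[str]] = defaultdict(set)
    for url in exploit_urls:
        per_site[site_of(url)].add(url)
    return sorted(((len(s), site) for site, s in per_site.items()), reverse=True)


# Constructed redirect records: two content sites go through a shared
# tracker, one links directly, and one site leads to a second exploit host.
SAMPLE_EDGES: List[Edge] = [
    ("http://a.example/page1", "http://tracker.example/r1"),
    ("http://tracker.example/r1", "http://exploit1.example/x?id=abc123"),
    ("http://b.example/page2", "http://tracker.example/r2"),
    ("http://tracker.example/r2", "http://exploit1.example/x?id=zzz999"),
    ("http://c.example/page3", "http://exploit1.example/x?id=abc123"),
    ("http://d.example/page4", "http://exploit2.example/"),
]
SAMPLE_EXPLOITS = {
    "http://exploit1.example/x?id=abc123",  # same exploit page, transient ids
    "http://exploit1.example/x?id=zzz999",
    "http://exploit2.example/",
}

if __name__ == "__main__":
    print("by connections:", rank_by_connections(SAMPLE_EDGES, SAMPLE_EXPLOITS))
    print("by hosted exploit URLs:", rank_by_hosted_exploits(SAMPLE_EXPLOITS))
```

On the constructed data exploit1.example is reached from four distinct sites (a, b, c and the tracker) and hosts two exploit URLs, so it outranks exploit2.example under both measures; the tracker itself hosts nothing and does not appear, which is the distinction between an exploit provider and the content and redirector sites that feed it.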
26
Effective Monitoring
- Easy-to-find exploit URLs: useful for detecting zero-day exploits
- Content providers with well-known URLs: must maintain these URLs to keep high traffic
- Highly ranked URLs: more likely to upgrade exploits
28
HoneyMonkey Evasion
- Target IP addresses: blacklist IP addresses of HoneyMonkey machines
- Determine if a human is present: create a cookie to suppress future visits; a one-time dialog pop-up box disables the cookie
- Detect VM or HoneyMonkey code: test for a fully virtualizable machine; becomes less effective as VMs increase
30
Related Work
- Email quarantine: intercepts every incoming message
- Shadow honeypots: divert suspicious traffic to a shadow version; detect potential attacks, filter out false positives
- Honeyclient: tries to identify browser-based attacks
31
Strengths
- HoneyMonkey will detect most Trojan viruses, backdoor functions and spyware programs
- Uniform detection of exploits: known vulnerability attacks and zero-day exploits
- Generates an XML report for each visit
32
Weaknesses
- Takes time to clean the infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey only waits 2 minutes per URL, so a delayed exploit on a web page is missed
33
Improvements
- Run HoneyMonkey with random wait times to combat delayed exploits on web sites
- Randomize HoneyMonkey attack
- Vulnerability-specific exploit detector (VSED): insert break points within bad code; stops execution before potentially malicious code