Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,


Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King PUBLISHED IN: Microsoft Research, Redmond

PROPOSED PROBLEM

- Emerging attack: Internet attacks by malicious websites
- Exploit browser vulnerabilities
- Install malicious contents
- Use of HoneyMonkeys for a solution

BROWSER-BASED VULNERABILITY

- Code obfuscation
- URL redirection
- Vulnerability exploitation
- Malware installation

CODE OBFUSCATION

- To escape from signature-based scanning
- Custom decoding routine included inside the script
- Unreadable long strings that are encoded and decoded later by the script or by the browser

ENCODED MALICIOUS CODE

DECODED MALICIOUS CODE

URL REDIRECTION

- Primary URL to secondary URL
- Protocol redirection using HTTP 302 Temporary Redirect
- HTML tags
- Script functions including window.location.replace()

URL REDIRECTION (diagram: USER → PRIMARY [address] → SECONDARY [address]/[8 chars]/test2/iejp.htm)
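The redirection mechanisms listed above (an HTTP 302 response, an HTML tag such as a meta refresh, and a script call like window.location.replace()) are exactly what a honeymonkey's recursive redirection analysis has to follow from a primary URL to the secondary URLs. The Python script below is an added example, not code from the presentation or from the HoneyMonkey project: it traces a redirect chain across constructed, canned HTTP responses (the hosts primary.example, hop1.example and exploit.example and their paths are placeholders) and records which mechanism produced each hop, so that every URL in the chain can be attributed to the page that redirected to it.

```python
import re
from urllib.parse import urljoin

# Constructed canned responses keyed by URL (placeholder hosts, not real sites).
# Each value is a raw HTTP response: status line, headers, blank line, body.
SAMPLE_RESPONSES = {
    "http://primary.example/landing.htm":
        "HTTP/1.1 302 Found\r\nLocation: http://hop1.example/r/\r\n\r\n",
    "http://hop1.example/r/":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><head><meta http-equiv="refresh" content="0; url=/test2/iejp.htm"></head></html>',
    "http://hop1.example/test2/iejp.htm":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><script>window.location.replace('http://exploit.example/x.htm');</script></body></html>",
    "http://exploit.example/x.htm":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>landing page</body></html>",
}

# HTML-tag redirection: <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.I)
# Script redirection: location = '...', location.href = '...', location.replace('...'), location.assign('...')
JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*["\']([^"\']+)["\']',
    re.I)


def split_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body


def next_hop(url, raw):
    """Return (mechanism, absolute target URL) if the response redirects, else None."""
    status, headers, body = split_response(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "http-302", urljoin(url, headers["location"])
    match = META_REFRESH.search(body)
    if match:
        return "meta-refresh", urljoin(url, match.group(1))
    match = JS_LOCATION.search(body)
    if match:
        return "script", urljoin(url, match.group(1))
    return None


def trace_redirects(start, responses, max_hops=10):
    """Follow redirects from `start`; return a list of (source, mechanism, target) edges.

    A hop limit and a visited set stop infinite redirect loops.
    """
    chain, url, seen = [], start, {start}
    for _ in range(max_hops):
        raw = responses.get(url)
        if raw is None:
            break
        hop = next_hop(url, raw)
        if hop is None:
            break
        mechanism, target = hop
        chain.append((url, mechanism, target))
        if target in seen:
            break
        seen.add(target)
        url = target
    return chain


if __name__ == "__main__":
    for src, mechanism, dst in trace_redirects("http://primary.example/landing.htm", SAMPLE_RESPONSES):
        print(f"{src} --[{mechanism}]--> {dst}")
```

In a real patrol the `responses` lookup would be replaced by an instrumented browser or proxy log, since obfuscated scripts can compute the target at run time; the regular expressions only catch the literal forms shown on the slide.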

VULNERABILITY EXPLOITATION

- Malicious websites attempt to exploit multiple vulnerabilities
- HTML fragments: multiple files from different URLs
- Dynamic code injection using document.write
- Trojan downloader runs after the exploits
- Most attacked browser is IE

EXAMPLE FOR VULNERABILITY (Exploit 1, Exploit 2, Exploit 3)

    * {CURSOR: url("

    try{
      document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101://C:\fo'+'o.mht!'+' rg'+'et.htm` type=`text/x-scriptlet`>');
    }catch(e){}
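The code obfuscation slide and the example above show the two tricks an analyst has to undo before a signature or a URL filter can see what a page really loads: numeric character references without the trailing semicolon (which browsers still decode), and string literals spliced together with `'+'` so that no keyword appears whole. The Python script below is an added example, not code from the presentation or the HoneyMonkey project: it decodes both forms and then lists the URL schemes and protocol handlers that appear in the decoded text, which is the information an exploit-detection report would want. The sample script is constructed after the slide's example, with the file name replaced by the placeholder `page.htm`.

```python
import re

# Numeric character references, decimal or hex, with or without the ';'
# that browsers tolerate (the slide's &#109&#115... form has none).
CHAR_REF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?", re.I)
# A closing quote, '+', and a reopening quote of the same kind: 'fo'+'o'
CONCAT = re.compile(r"(['\"])\s*\+\s*\1")
# Anything that looks like a URL scheme or protocol-handler prefix (2+ chars,
# so a drive letter such as C: is not reported).
SCHEME = re.compile(r"\b([a-z][a-z0-9+.-]+):", re.I)


def decode_char_refs(text):
    """Expand &#NNN, &#NNN;, &#xHH and &#xHH; into the characters they encode."""
    def replace(match):
        ref = match.group(1)
        code_point = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code_point)
    return CHAR_REF.sub(replace, text)


def join_concats(text):
    """Collapse 'abc'+'def' style splits so the spliced string reads whole."""
    return CONCAT.sub("", text)


def deobfuscate(text):
    return join_concats(decode_char_refs(text))


def protocol_handlers(text, allowed=("http", "https")):
    """Return the distinct non-web schemes/handlers referenced, in order of appearance."""
    found = []
    for scheme in SCHEME.findall(text):
        scheme = scheme.lower()
        if scheme not in allowed and scheme not in found:
            found.append(scheme)
    return found


# Constructed sample modelled on the slide's document.write() fragment; the
# object's file name is a placeholder, not the slide's.
SAMPLE_SCRIPT = (
    "try{ document.write('<object data=`"
    "&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101"
    "://C:\\fo'+'o.mht!'+'pa'+'ge.htm` type=`text/x-scriptlet`>'); }catch(e){}"
)

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_SCRIPT)
    print(decoded)
    print("handlers referenced:", protocol_handlers(decoded))
```

Running it on the sample prints the `ms-its:mhtml:file://` prefix in clear, which is what the encoded `data=` attribute hides; a detector that only matched the raw page text would never see those schemes. Real obfuscators also use custom decoding routines (the slide's second bullet), which this static pass cannot unwrap; those are the cases where the honeymonkey's black-box approach of simply running the page in a VM pays off.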

Honey Monkey Exploit Detection System

- Active client-side virtual machines, called honeypots
- Large-scale, systematic and automated web patrol
- Mimics human browsing
- Different patches and different levels of vulnerability

HONEYMONKEY SYSTEM

- Stage 1: scalable mode, visiting N URLs.
- Stage 2: perform recursive redirection analysis.
- Stage 3: scan exploit URLs using fully patched VMs.

HONEY MONKEY SYSTEM

TOPOLOGY GRAPH AND NODE RANKING

- Rectangular nodes represent exploit URLs
- Arrows represent traffic redirection
- Circles represent nodes that act as an aggregation point for hosted exploit pages
- R is the most likely exploit provider

TOPOLOGY GRAPH AND NODE RANKING
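The ranking the slide describes follows directly from the graph: a site that many exploit URLs redirect into, directly or through intermediate hops, is the aggregation point and the likely exploit provider, while the pages at the edges are only lures. The Python script below is an added example, not code from the presentation or the HoneyMonkey project: it takes the (primary, secondary) redirect edges that a recursive redirection analysis produces, collapses URLs to sites by host name (an assumption about the granularity), and ranks each site by how many distinct sites can reach it. The edge list is constructed; every host in it is a placeholder.

```python
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed (primary URL -> secondary URL) redirect edges; placeholder hosts.
# Three lure sites funnel through two aggregation hosts into provider-r, and a
# fourth lure redirects to provider-r directly.
SAMPLE_EDGES = [
    ("http://lure1.example/p.htm", "http://agg-a.example/in.htm"),
    ("http://lure2.example/q.htm", "http://agg-a.example/in.htm"),
    ("http://lure3.example/r.htm", "http://agg-b.example/in.htm"),
    ("http://agg-a.example/in.htm", "http://provider-r.example/exploit.htm"),
    ("http://agg-b.example/in.htm", "http://provider-r.example/exploit.htm"),
    ("http://lure4.example/s.htm", "http://provider-r.example/exploit.htm"),
]


def site_of(url):
    """Collapse a URL to its host; the site is the node in the topology graph."""
    return urlparse(url).hostname


def build_site_graph(edges):
    """Return successor and predecessor maps between sites (self-loops dropped)."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        s, d = site_of(src), site_of(dst)
        if s == d:
            continue
        succ[s].add(d)
        pred[d].add(s)
    return succ, pred


def upstream_sites(site, pred):
    """All sites from which traffic reaches `site`, following arrows backwards."""
    seen, queue = set(), deque([site])
    while queue:
        node = queue.popleft()
        for p in pred.get(node, ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def rank_sites(edges):
    """Rank sites as (site, direct in-degree, total upstream sites), best first.

    The top entry is the strongest aggregation point and therefore the most
    likely exploit provider (the slide's node R).
    """
    succ, pred = build_site_graph(edges)
    sites = set(succ) | set(pred)
    scored = [(site, len(pred.get(site, ())), len(upstream_sites(site, pred)))
              for site in sites]
    scored.sort(key=lambda row: (-row[2], -row[1], row[0]))
    return scored


if __name__ == "__main__":
    for site, in_degree, upstream in rank_sites(SAMPLE_EDGES):
        print(f"{site:22} direct={in_degree} upstream={upstream}")
```

Counting upstream sites rather than only direct predecessors is what makes the ranking robust to an extra layer of redirectors: inserting more intermediate hops in front of the provider raises its score instead of hiding it.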

GENERATING URL LISTS

- Suspicious URLs
- Popular websites: if attacked, they potentially attack a larger population
- Localized space websites

Exploit Detection Report

- Executable files created or modified outside the browser sandbox folders
- Processes created
- Windows registry entries created or modified
- Vulnerability exploited
- Redirect URLs visited

Patch level statistics
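The detection report and the patch-level statistics rest on one black-box rule: a visit counts as an exploit if, after the browser has finished loading the page, something appeared that ordinary browsing cannot produce, namely an executable outside the browser's sandbox folders, a new process, or a changed registry entry. Running the same URL through VMs at different patch levels (stage 1 on unpatched machines, stage 3 on fully patched ones) then tells which patch stops the exploit, and a URL that still succeeds on a fully patched VM is a zero-day. The Python script below is an added example, not code from the presentation or the Strider/HoneyMonkey tooling: it diffs constructed before/after snapshots of files, processes and registry entries, applies that rule, and classifies one URL across four patch levels. The sandbox folder paths and the patch-level names are assumptions.

```python
from dataclasses import dataclass

# Folders where the browser legitimately writes during a visit (cache, temp).
# Assumed placeholder paths, not the paper's configuration.
BROWSER_SANDBOX_FOLDERS = (
    r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files",
    r"C:\Documents and Settings\monkey\Local Settings\Temp",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".bat")
# Assumed ordering of the VM images, least to most patched.
PATCH_LEVELS = ["unpatched", "sp1", "sp2", "fully-patched"]


@dataclass(frozen=True)
class Snapshot:
    files: frozenset      # file paths present on the VM
    processes: frozenset  # running process image names
    registry: frozenset   # registry value paths present


@dataclass
class ExploitReport:
    url: str
    patch_level: str
    files_created: list
    processes_created: list
    registry_changed: list

    def exploited(self):
        """Any change outside what browsing itself produces marks the visit as an exploit."""
        return bool(self.files_created or self.processes_created or self.registry_changed)


def in_sandbox(path):
    lowered = path.lower()
    return any(lowered.startswith(folder.lower()) for folder in BROWSER_SANDBOX_FOLDERS)


def diff_snapshots(url, patch_level, before, after):
    """Build the exploit detection report for one visit from two VM snapshots."""
    files = sorted(p for p in after.files - before.files
                   if p.lower().endswith(EXECUTABLE_SUFFIXES) and not in_sandbox(p))
    procs = sorted(after.processes - before.processes)
    reg = sorted(after.registry - before.registry)
    return ExploitReport(url, patch_level, files, procs, reg)


def highest_exploited_level(reports):
    """Most patched VM on which the URL still succeeded, or None if it never did."""
    exploited = {r.patch_level for r in reports if r.exploited()}
    highest = None
    for level in PATCH_LEVELS:
        if level in exploited:
            highest = level
    return highest


def is_zero_day(reports):
    return highest_exploited_level(reports) == "fully-patched"


# Constructed snapshots for one URL visited on four VMs. On the two patched
# machines only a cached download appears inside the sandbox folder, which is
# not an exploit; on the two unpatched ones a dropper lands in system32,
# runs, and registers itself in the Run key.
BASELINE = Snapshot(
    files=frozenset({r"C:\WINDOWS\system32\kernel32.dll"}),
    processes=frozenset({"explorer.exe", "iexplore.exe"}),
    registry=frozenset({r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"}),
)
CACHE_ONLY = Snapshot(
    files=BASELINE.files | {r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\setup[1].exe"},
    processes=BASELINE.processes,
    registry=BASELINE.registry,
)
DROPPER = Snapshot(
    files=CACHE_ONLY.files | {r"C:\WINDOWS\system32\dropped.exe"},
    processes=BASELINE.processes | {"dropped.exe"},
    registry=BASELINE.registry | {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dropped"},
)
SAMPLE_URL = "http://lure.example/page.htm"  # placeholder
SAMPLE_REPORTS = [
    diff_snapshots(SAMPLE_URL, "unpatched", BASELINE, DROPPER),
    diff_snapshots(SAMPLE_URL, "sp1", BASELINE, DROPPER),
    diff_snapshots(SAMPLE_URL, "sp2", BASELINE, CACHE_ONLY),
    diff_snapshots(SAMPLE_URL, "fully-patched", BASELINE, CACHE_ONLY),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(f"{r.patch_level:14} exploited={r.exploited()} files={r.files_created} procs={r.processes_created}")
    print("highest exploited level:", highest_exploited_level(SAMPLE_REPORTS),
          "zero-day:", is_zero_day(SAMPLE_REPORTS))
```

The sandbox exclusion is the part that keeps the rule non-signature-based yet precise: a downloaded installer sitting in the browser cache is just a file the user could have clicked, whereas the same binary appearing in system32 without any click is the definition of a drive-by install. Because the rule keys on side effects rather than on how the page looked, the randomized-attack and obfuscation tricks from the earlier slides do not affect it.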

RESULTS

ADVANTAGES

- Automatic
- Scalable
- Non-signature-based approach
- Stage-wise detection

DISADVANTAGES

- Exploiters may randomize the attack, confusing the honey monkeys
- Exploiters were able to detect honey monkeys by sending a dialog box
- They didn't explain the topology graphs very clearly

IMPROVEMENTS

- They need to work on accuracy
- They need more classification according to contents
- They should improve on avoiding detection by the honey monkeys