Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.

1 Automated Web Patrol with Strider Honey Monkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski, Microsoft Research, Redmond
Justin Miller, February 27, 2007

2 Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis/Future Work

3 Internet Attacks
- Exploit a vulnerability in the user's web browser
- Install malicious code on the machine
- No user interaction required later
- VM-based honeypots are used to detect these attacks

4 HoneyMonkeys
- OSes of various patch levels
- Mimic human web browsing
- Use StriderTracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites

5 HoneyMonkeys (diagram: OS1, OS2, OS3, Malcode)

6 Browser vulnerabilities: Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings with encoded characters such as "%28" or "&#104"
- Decoded by a function in the script or by the browser
- Escapes anti-virus software

7 Browser vulnerabilities: URL Redirection
- Protocol redirection using an HTTP 302 temporary redirect
- HTML tags inside the page
- Script functions window.location.replace() or window.open()
- Redirection is common in non-malicious sites

8 Browser vulnerabilities: Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders: download other programs
- Trojan droppers: delete (drop) files
- Trojan proxies: redirect network traffic
- Spyware programs

9 HoneyMonkey System
- Attempts to automatically detect and analyze web sites that exploit web browsers
- 3-stage pipeline of virtual machines
  - Stage 1: scalable mode
  - Stage 2: recursive redirection analysis
  - Stage 3: scan with fully patched VMs

10 HoneyMonkey: Stage 1
- Visit N URLs simultaneously
- If an exploit is detected, re-visit each one individually until the exploit URL is found
(diagram: VM, U1 U2 U3 U4 U5 U6 -> U2 U3)

11 HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
(diagram: VM, U2 U3 -> U2 U3 U9 U10)

12 HoneyMonkey: Stage 3
- Re-scan exploit URLs
- Scan using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
(diagram: VM, U2 U3 U9 U10 -> U2 U9)
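A small offline simulation of the pipeline's first two stages, added here as an illustration (it is not the paper's or Microsoft's code): Stage 1 visits N URLs per VM and drills down only into batches that trigger an exploit, and Stage 2 follows redirections recursively from each exploit URL. The redirect map and the exploit page are constructed sample data.

```python
"""Added example (not the paper's or Microsoft's code): a small offline
simulation of HoneyMonkey Stage 1 (scalable mode) and Stage 2 (recursive
redirection analysis) over a constructed URL set."""
from itertools import islice

# Constructed sample data: which pages redirect where, and which single page
# actually drops the .exe / registry entries (the exploit page).
REDIRECTS = {
    "U2": ["U9"],            # landing page chaining to the exploit provider
    "U3": ["U10", "U9"],
    "U10": ["U9"],
}
EXPLOIT_PAGES = {"U9"}


def reachable(urls):
    """Every page loaded when the given URLs are visited, following redirects."""
    loaded, stack = [], list(urls)
    while stack:
        u = stack.pop()
        if u not in loaded:
            loaded.append(u)
            stack.extend(REDIRECTS.get(u, []))
    return loaded


def visit(urls):
    """One monkey visit in one VM: True if a persistent-state change was seen.
    In the simulation that means some loaded page is an exploit page."""
    return bool(set(reachable(urls)) & EXPLOIT_PAGES)


def stage1(url_list, n):
    """Visit N URLs per VM; only a batch that triggers an exploit is re-visited
    one URL at a time, so clean batches cost a single visit.
    Returns (exploit URLs in list order, number of VM visits used)."""
    exploit_urls, visits, it = [], 0, iter(url_list)
    while batch := list(islice(it, n)):
        visits += 1
        if visit(batch):
            for u in batch:
                visits += 1
                if visit([u]):
                    exploit_urls.append(u)
    return exploit_urls, visits


def stage2(exploit_url):
    """Recursive redirection analysis: all pages involved in the exploit."""
    return reachable([exploit_url])
```

With eight URLs and N=4, the clean second batch costs one visit instead of four, which is the saving the scalable mode is designed for.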

13 HoneyMonkey Flowchart (figure)
- Scan up to URLs per day

14 Web Site Visits
- Monkey program launches the URL
- Waits 2 minutes to allow all malicious code to download
- Detects persistent-state changes: new registry entries and .exe files
- Allows uniform detection of:
  - Known vulnerability attacks
  - Zero-day exploits

15 HoneyMonkey Report
- Generates an XML report at the end of each visit:
  - .exe files created or modified
  - Processes created
  - Registry entries created or modified
  - Vulnerability exploited
  - Redirect-URLs visited
(diagram: Monkey Controller; cleanup of the infected state machine)
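The detection step of slides 14 and 15, as an added example that is not StriderTracer or HoneyMonkey code: two constructed VM snapshots (registry values and .exe files) are diffed, any created or modified entry marks the visit as an exploit, and the result is emitted as a per-visit XML report. The snapshot contents, hash strings and URLs are all made up; the report covers redirects, registry entries and .exe files only.

```python
"""Added example (not StriderTracer or HoneyMonkey code): persistent-state
change detection between two constructed VM snapshots, and the per-visit
XML report built from the result."""
import xml.etree.ElementTree as ET

# Constructed snapshots: registry value -> data, and .exe path -> content hash.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {
    "registry": {RUN + r"\ctfmon": "ctfmon.exe"},
    "exe": {r"C:\Windows\explorer.exe": "hash-1"},   # hash values are constructed
}
AFTER = {
    "registry": {RUN + r"\ctfmon": "ctfmon.exe",
                 RUN + r"\svhost": r"C:\Windows\Temp\svhost.exe"},
    "exe": {r"C:\Windows\explorer.exe": "hash-1",
            r"C:\Windows\Temp\svhost.exe": "hash-2"},
}


def state_changes(before, after):
    """Registry entries and .exe files created or modified during the visit.
    No browser or exploit knowledge is needed, which is why known and
    zero-day exploits are detected uniformly."""
    return {kind: sorted(k for k, v in after[kind].items()
                         if before[kind].get(k) != v)
            for kind in ("registry", "exe")}


def is_exploit(changes):
    """A visit with no user interaction should change nothing persistent."""
    return any(changes.values())


def report(url, redirect_urls, changes):
    """Build the XML report the monkey controller emits after each visit."""
    root = ET.Element("visit", url=url, exploit=str(is_exploit(changes)).lower())
    for r in redirect_urls:
        ET.SubElement(root, "redirect", url=r)
    for key in changes["registry"]:
        ET.SubElement(root, "registry", key=key)
    for path in changes["exe"]:
        ET.SubElement(root, "exe", path=path)
    return ET.tostring(root, encoding="unicode")
```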

16 Web Site Redirection (diagram: URL1 redirects to URL2, which redirects to URL3; data is collected at each step)

17 Input URL Lists
- Suspicious URLs
  - Known to host spyware or malware
  - Links appearing in phishing or spam messages
- Most popular web sites
  - Top 100,000 by browser traffic ranking
- Local URLs
  - Organizations want to verify that their web pages have not been compromised

18 Output URL Data
- Exploit URLs
  - Measure the risk of visiting similar web sites
- Topology graphs
  - Several URLs shut down
  - Provide leads for anti-spyware research
- Zero-day exploits
  - Monitors URL "upgrades"

19 Experimental Results
- Collected 16,000+ URLs
  - Web search of "known-bad" web sites
  - Web search for Windows "hosts" files
  - Depth-2 crawling of previous URLs
- 207/16,190 = 1.28% of web sites

20 Experimental Results
- All tests done using IE v6

21 Topology Graphs
- 17 exploit URLs for SP2-PP
- Most powerful exploit pages

22 Site Ranking
- Key role in the anti-exploit process
- Determines how to allocate resources:
  - Monitoring URLs
  - Investigation of URLs
  - Blocking URLs
  - Legal actions against host sites

23 Site Ranking
- 2 types of site ranking, based on:
  - Connection counts: links URLs to other malicious URLs
  - Number of hosted exploit-URLs: web sites with an important internal page hierarchy; includes transient URLs with random strings
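The two rankings above, computed over a small constructed topology graph as an added example (not the paper's data or code): one counts cross-site connections per site, the other counts the exploit URLs each site hosts. The hostnames and paths are made up, and every node in the graph is treated as a URL involved in an exploit chain, which is the assumption under which the second ranking makes sense.

```python
"""Added example (not the paper's code): the two site rankings of slide 23
computed over a constructed exploit topology graph. Nodes are URLs observed
in exploit chains, edges are redirections; all hostnames are made up."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample graph (source URL -> redirect target).
EDGES = [
    ("http://lyrics-a.example/index.htm", "http://exploit-x.example/load.php"),
    ("http://cheats-b.example/cheat.html", "http://exploit-x.example/load.php"),
    ("http://cheats-b.example/cheat.html", "http://exploit-y.example/r3f9k.htm"),
    ("http://exploit-x.example/load.php", "http://exploit-y.example/a8z2q.htm"),
    ("http://exploit-y.example/r3f9k.htm", "http://exploit-y.example/a8z2q.htm"),
]


def site(url):
    """Site = hostname; the ranking is per site, not per URL."""
    return urlsplit(url).hostname


def rank_by_connections(edges):
    """Connection count: distinct URLs on *other* sites that a site's pages
    redirect to or receive redirects from. Highlights hubs of the exploit
    network regardless of how many pages they host."""
    neighbours = defaultdict(set)
    for src, dst in edges:
        if site(src) != site(dst):         # internal links do not count
            neighbours[site(src)].add(dst)
            neighbours[site(dst)].add(src)
    return sorted(((len(n), s) for s, n in neighbours.items()), reverse=True)


def rank_by_hosted_exploit_urls(edges):
    """Number of hosted exploit-URLs per site. Sites with a deep internal page
    hierarchy rank high here, but so do sites that churn transient URLs with
    random strings, which is why both rankings are kept."""
    hosted = defaultdict(set)
    for edge in edges:
        for url in edge:
            hosted[site(url)].add(url)
    return sorted(((len(u), s) for s, u in hosted.items()), reverse=True)
```

On this sample the two rankings disagree at the top: exploit-x.example is the best-connected site, while exploit-y.example hosts the most exploit URLs because of its random-string pages.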

24 Site Ranking Based on connection counts

25 Site Ranking Based on number of exploit-URLs hosted

26 Effective Monitoring
- Easy-to-find exploit URLs: useful for detecting zero-day exploits
- Content providers with well-known URLs: must maintain these URLs to keep high traffic
- Highly ranked URLs: more likely to upgrade exploits

27 Scanning Popular URLs

28 HoneyMonkey Evasion
- Target IP addresses: blacklist the IP addresses of HoneyMonkey machines
- Determine if a human is present: create a cookie to suppress future visits; a one-time dialog pop-up box disables the cookie
- Detect VM or HoneyMonkey code: test for a fully virtualizable machine; becomes less effective as VMs increase

29 Bad Web Site Rankings
- Celebrity info
- Song lyrics
- Wallpapers
- Video game cheats
- Wrestling

30 Related Work
- Quarantine: intercepts every incoming message
- Shadow honeypots: divert suspicious traffic to a shadow version; detect potential attacks and filter out false positives
- Honeyclient: tries to identify browser-based attacks

31 Strengths
- HoneyMonkey will detect most:
  - Trojan viruses
  - Backdoor functions
  - Spyware programs
- Uniform detection of exploits:
  - Known vulnerability attacks
  - Zero-day exploits
- Generates an XML report for each visit

32 Weaknesses
- Takes time to clean the infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey only waits 2 minutes per URL: web pages can delay the exploit

33 Improvements
- Run HoneyMonkey with random wait times: combats delayed exploits on web sites
- Randomize the HoneyMonkey attack
- Vulnerability-specific exploit detector (VSED): insert break points within bad code; stops execution before potentially malicious code

34 Questions?