An introduction to honeyclient technologies Christian Seifert Angelo Dell'Aera.

Speakers
- Christian Seifert: Full Member of the Honeynet Project since 2007; PhD from Victoria University of Wellington, NZ; Research Software, Microsoft Bing
- Angelo Dell'Aera: Full Member of the Honeynet Project since 2009; Senior Threat Security, Reply (7 years); Information Security Independent; Antifork Research (13 years)

Agenda
- Introduction
- Honeyclient technologies
  - Low-Interaction (PhoneyC)
  - High-Interaction (Capture-HPC)
- Malware Distribution Networks
- Challenges and Future Work

New trends, new tools
- In the last years, more and more attacks target client systems
- The end user is the weakest link of the security chain
- New tools are required to learn more about such client-side attacks

New trends, new tools
- The browser is the most popular client application, deployed on every user system
- Many vulnerabilities in the most used browsers are identified daily and (almost always) reported
- The browser is currently the preferred way to own a host

Honeyclients
- What we need is something that looks like a real browser, in the same way a classical honeypot looks like a real vulnerable server
- A real system (high-interaction)?
- Or an emulated one (low-interaction)?
(Diagram: Queuer -> Visitor -> Analysis Engine)

Low-interaction strengths and weaknesses
+ Different browser versions ("personalities")
+ Different ActiveX and plugin modules (even different versions)
+ Much safer
+ More scalable
- Easy to detect

PhoneyC - Brief History
- A pure Python low-interaction honeyclient
- First version developed by Jose Nazario
- Great improvements during GSoC 2009
- And the history continues...

PhoneyC - DOM Emulation
"The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page." (W3C definition)
- Huge improvements during GSoC 2009
- Python object __getattr__ and __setattr__ methods

PhoneyC - Browser Personalities
- Currently supported personalities:
  - Internet Explorer 6.0 (Windows XP)
  - Internet Explorer 6.1 (Windows XP)
  - Internet Explorer 7.0 (Windows XP)
  - Internet Explorer 8.0 (Windows XP)
  - Internet Explorer 6.0 (Windows 2000)
  - Internet Explorer 8.0 (Windows 2000)
- Easy to add new personalities

PhoneyC - Javascript Engine
- Based on SpiderMonkey, the Mozilla implementation of the Javascript engine
- HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs
- HoneyJS is based on python-spidermonkey

PhoneyC - Vulnerability Modules
- Python-based vulnerability modules
  - Core browser functionalities
  - Browser plugins
  - (Mock) ActiveX controls

PhoneyC - Shellcode detection and emulation
- HoneyJS: "The shellcode manipulation and the spraying of the fillblock involve assignments. The shellcode will be detected immediately on its assignment if we are able to interrupt SpiderMonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes"
- Libemu integration (shellcode detection, execution and profiling)
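The two PhoneyC ideas above (a DOM emulated through Python's __getattr__/__setattr__, and inspecting values at the moment a script assigns them) fit in one small model. The following is an added illustration, not PhoneyC or HoneyJS code: the class, the heuristic patterns and the sample assignments are all constructed, and a real honeyclient would hand the value to a shellcode detector such as libemu instead of the regex below.

```python
import re

# Added example: a minimal emulation of how a low-interaction honeyclient
# can model DOM objects with __getattr__/__setattr__ and inspect values at
# assignment time. Class name, patterns and threshold are constructed;
# the assignments in run_sample() stand in for a visited page's script.

# Constructed heuristics: runs of %u9090 (NOP sled) or %u0c0c padding are
# the classic heap-spray "fillblock" indicators; size is a second signal.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(%u9090){8,}"), "NOP sled (%u9090 run)"),
    (re.compile(r"(%u0c0c){8,}"), "0x0c0c padding (heap-spray fillblock)"),
]
MIN_SPRAY_LEN = 4096  # constructed threshold for one assigned string

class EmulatedDOMObject:
    """Records property access and checks every value on assignment."""
    def __init__(self, name):
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_children", {})
        object.__setattr__(self, "alerts", [])

    def __getattr__(self, attr):
        # Unknown property: create a child lazily so any script-style chain
        # (document.body.style.x) resolves, and share one alert log.
        children = object.__getattribute__(self, "_children")
        if attr not in children:
            child = EmulatedDOMObject(f"{self._name}.{attr}")
            object.__setattr__(child, "alerts", self.alerts)
            children[attr] = child
        return children[attr]

    def __setattr__(self, attr, value):
        # Assignment hook: inspect string values before storing them.
        if isinstance(value, str):
            for pattern, label in SUSPICIOUS_PATTERNS:
                if pattern.search(value):
                    self.alerts.append(f"{self._name}.{attr}: {label}")
            if len(value) >= MIN_SPRAY_LEN:
                self.alerts.append(f"{self._name}.{attr}: {len(value)}-byte string assigned")
        object.__getattribute__(self, "_children")[attr] = value

def run_sample():
    """Drive the emulated DOM with constructed assignments; return alerts."""
    document = EmulatedDOMObject("document")
    document.body.style.color = "red"   # benign property write
    document.spray = "%u9090" * 16      # constructed sled
    document.fill = "A" * 5000          # constructed oversized block
    return document.alerts
```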

PhoneyC - Future Improvements
- A new and more reliable DOM (Document Object Model) emulation
- Replacing SpiderMonkey with Google V8
- Mixed static/dynamic analysis for detecting potential attacks

High-interaction Client Honeypot
- Real system
- Observe effects of attack
(Diagram: the client honeypot sends a request to a benign server and to a malicious server; the benign server's response leaves "No state changes detected", the malicious server's response carries an attack and results in "New file appeared in start up folder")

High-interaction strengths and weaknesses
+ No emulation necessary
+ Accurate classification (extremely low false positive rate)
+ Ability to detect zero-day attacks
+ More difficult to evade
- Miss attacks
- "Dangerous"
- More computationally expensive

Capture-HPC (v2.5) - Functionality
- Platform independence *
- Flexibility around client application
- Forensically ready
- Records information at kernel level
- Collects modified files (e.g. malware)
- Collects network traffic (pcap)
- Maintained by the New Zealand Honeynet Project Chapter
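The classification rule behind a high-interaction honeyclient is the before/after comparison sketched on the previous slides: any unexpected state change after a visit marks the server malicious. The following is an added example, not Capture-HPC code; a temporary directory stands in for the monitored start-up folder, and the file names and contents are constructed.

```python
import hashlib
import os
import tempfile

# Added example (not Capture-HPC): snapshot a monitored tree before a visit,
# snapshot it again afterwards, and report new/modified/deleted files as
# state changes. The "visit" is simulated; all paths are constructed.

def snapshot(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = digest
    return state

def diff_snapshots(before, after):
    """Return (new, modified, deleted) as sorted lists of relative paths."""
    new = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    deleted = sorted(p for p in before if p not in after)
    return new, modified, deleted

def classify(before, after):
    """High-interaction rule: any state change means the visit was malicious."""
    new, modified, deleted = diff_snapshots(before, after)
    return "malicious" if (new or modified or deleted) else "benign"

def simulate_visit(malicious):
    """Constructed scenario: a benign visit leaves the start-up folder
    untouched; a malicious one drops a file and edits an existing one."""
    with tempfile.TemporaryDirectory() as startup:
        with open(os.path.join(startup, "desktop.ini"), "w") as fh:
            fh.write("[.ShellClassInfo]\n")
        before = snapshot(startup)
        if malicious:
            with open(os.path.join(startup, "update.exe"), "wb") as fh:
                fh.write(b"MZ" + b"\x00" * 14)   # constructed dropped binary
            with open(os.path.join(startup, "desktop.ini"), "a") as fh:
                fh.write("IconResource=update.exe,0\n")
        after = snapshot(startup)
        return classify(before, after), diff_snapshots(before, after)
```

A deployment that watches a live system needs an exclusion list for the background changes a browser makes on its own (cache, history, logs), or the low false positive rate claimed above is lost.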

Malware Distribution Networks

Malware Distribution Networks - Overview
- Set of web servers (network) controlled by a group of cyber criminals to distribute malware efficiently
- Specialized structures that support specialized roles of the cyber criminal
- Malware distribution networks allow for campaigns and for temporarily renting out components of the distribution network

Malware Distribution Networks Source: Microsoft Security Intelligence Threat Report (

Malware Distribution Network

Exploit Servers
12.8% of exploit servers are responsible for 84.1% of drive-by-download pages
Source: Microsoft Security Intelligence Threat Report (

Challenges and Future Work

Malware Distribution Network

Malware Distribution Networks - Fast-Flux
- LP infected with a script that contacts twitter to obtain popular topics (e.g. japan)
- From a popular query from last week, the script constructs a host name (e.g. "j" + date)
- Next day, the same LP contacts twitter again to obtain popular topics (e.g. tunisia)
- Now it constructs a different host name (e.g. "t" + date)
- Attacker registers the hostname a few days in advance
(Diagram: LP1, LP2, R1, R2, ES1, ES2 and twitter.com, with a table of daily host names h1 to h10 for the dates 3/19/2011 through 3/29/2011)

Evasion Techniques
- Technology differences (Browser vs Honeyclient)
- Human vs machine interaction
- Decrease visibility

The Threats (grouped on the slide under Integrity, Availability and Confidentiality)
- Drive-by-downloads
- Cookie, history, file, and clipboard stealing
- Network scanners
- Phishing
- Crashes
- Popup floods
- Network floods / Puppetnets
- Web spam / junk pages
- Cross-X attacks
- Hosting of malware
- Drive-by-pharming
- Social engineering

References
- Jose Nazario, "PhoneyC: A virtual client honeypot", LEET 2009
- The Honeynet Project, KYE: Malicious Web Servers
- Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, "ARROW: Generating Signatures to Detect Drive-By Downloads", in Proceedings of the WWW Conference, Hyderabad, India, 2011
- Microsoft, Security Intelligence Threat Report

Thanks for your attention. Questions?
Christian Seifert, Angelo Dell'Aera