Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev,


Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King (Microsoft Research, Redmond)
Presented by Jianqing Zhang

Motivation
Malicious or hacked web sites exploit client-side vulnerabilities of the browsers that visit them.
Limitations of existing approaches:
– Not scalable
– No comprehensive picture of the network of exploit web sites
– Generally ineffective at finding new malicious sites

Approach
Hunt using a shotgun, rather than a trap.
"Web patrolling" sounds a lot like the scanning technique used by worms to locate other vulnerable machines.
Strider HoneyMonkeys: an automated web patrol system
– A pipeline of "monkey programs"
– Vulnerable browsers at different patch levels
– Based on virtual machines

Exploit Detection
Steps
– Run the browser in a VM, driven by a "monkey program"
– Black-box, non-signature-based detection: look for a group of persistent-state changes, namely any executable files or registry entries created outside the browser sandbox
– Log the exploit and restart the VM if it was infected
Features
– No risk to the production system, because of the isolation
– Detects known-vulnerability exploits and zero-day exploits in a uniform way
– Cannot detect exploits that make no persistent-state changes, or that only make changes inside the browser sandbox
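The black-box check above, written out as an added example (not the Strider HoneyMonkey code): two constructed snapshots of a VM's persistent state are compared, and any executable or registry value that appears outside the assumed browser-sandbox paths marks the visit as an exploit, without any signature.

```python
from dataclasses import dataclass, field

# Assumed sandbox locations of the monkey's browser profile (illustrative paths).
SANDBOX_PREFIXES = (
    r"c:\documents and settings\monkey\local settings\temporary internet files",
    r"c:\documents and settings\monkey\cookies",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


@dataclass
class Snapshot:
    """Persistent state of the VM: file path -> content hash, registry value -> data."""
    files: dict
    registry: dict
    processes: set = field(default_factory=set)


def _inside_sandbox(path):
    p = path.lower()
    return any(p.startswith(prefix + "\\") for prefix in SANDBOX_PREFIXES)


def detect(before, after):
    """Black-box check: executables created or modified outside the sandbox,
    or new/changed registry values, mean the visited URL exploited the browser.
    Returns (exploited, new_executables, new_registry, new_processes)."""
    new_exe = sorted(
        p for p, h in after.files.items()
        if p.lower().endswith(EXECUTABLE_SUFFIXES)
        and not _inside_sandbox(p) and before.files.get(p) != h)
    new_reg = sorted(k for k, v in after.registry.items() if before.registry.get(k) != v)
    new_proc = sorted(after.processes - before.processes)
    return bool(new_exe or new_reg), new_exe, new_reg, new_proc


# Constructed snapshots: clean baseline, a benign visit (download stays in the
# sandbox, so it is not flagged) and an infected visit (dropper plus Run key).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASE = Snapshot({r"C:\WINDOWS\system32\kernel32.dll": "h0"},
                {RUN + r"\ctfmon": "ctfmon.exe"}, {"iexplore.exe"})
BENIGN = Snapshot({**BASE.files, SANDBOX_PREFIXES[0] + r"\setup[1].exe": "h1"},
                  dict(BASE.registry), {"iexplore.exe"})
INFECTED = Snapshot({**BASE.files, r"C:\WINDOWS\system32\dropper.exe": "h2"},
                    {**BASE.registry, RUN + r"\dropper": "dropper.exe"},
                    {"iexplore.exe", "dropper.exe"})

if __name__ == "__main__":
    for name, snap in (("benign", BENIGN), ("infected", INFECTED)):
        print(name, detect(BASE, snap))
```

The sandbox allowlist is exactly the blind spot the slide names: an exploit that only writes inside those prefixes, or writes nothing at all, produces no verdict.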

HoneyMonkey System
Stage 1: scalable mode
– Un-patched VM
– N URLs inside one VM
– Output: exploit URLs
Stage 2: basic mode
– Un-patched VM
– One URL per VM
– Recursive redirection analysis
– Output: traffic-redirection topology graphs of exploit URLs; interesting URLs
Stage 3: basic mode
– Fully patched VM
– Output: zero-day exploit URLs and topology graphs
Questions
– Why does HoneyMonkey fetch N web sites simultaneously? Is it really scalable?
– Why not more VMs on a single physical computer?
– Why not just detect vulnerabilities?
– What about an N-stage attack? Is HoneyMonkey stateless?

Topology Graph of Exploit URLs
[Figure: URL-level topology graph for WinXP SP1 un-patched: 688 URLs from 270 sites (MSR-TR)]
Legend: individual exploit-URL, site nodes, content provider, exploit provider
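An added example of the stage-2 recursive redirection analysis behind this graph (not the authors' code): constructed redirection chains are folded into a URL-level and a site-level topology graph, content providers are the sites that are only entered directly, and exploit providers are the sites the chains end at, ranked by connection count (the number of distinct sites redirecting into them), which is the ranking the later "connection counts" question refers to.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed redirection chains: the URL sequence a monkey followed from an
# exploit-URL found in stage 1 down to the page that delivered the exploit.
CHAINS = [
    ["http://lyrics.example/page1.htm", "http://ads.example/count.php",
     "http://exploit-a.example/x.htm"],
    ["http://lyrics.example/page2.htm", "http://exploit-a.example/x.htm"],
    ["http://games.example/free.htm", "http://ads.example/count.php",
     "http://exploit-a.example/x.htm"],
    ["http://warez.example/index.htm", "http://exploit-b.example/ie.htm"],
]


def site(url):
    return urlsplit(url).hostname


def build_graphs(chains):
    """Return (url_edges, site_edges) as adjacency sets; a chain u0 -> u1 -> u2
    contributes edges u0->u1 and u1->u2, collapsed to hostnames for the site graph."""
    url_edges, site_edges = defaultdict(set), defaultdict(set)
    for chain in chains:
        for src, dst in zip(chain, chain[1:]):
            url_edges[src].add(dst)
            if site(src) != site(dst):
                site_edges[site(src)].add(site(dst))
    return url_edges, site_edges


def classify(site_edges):
    """Content providers have no incoming redirections; exploit providers are the
    sinks of the site graph, ranked by how many distinct sites redirect to them."""
    in_deg = defaultdict(int)
    for dsts in site_edges.values():
        for d in dsts:
            in_deg[d] += 1
    content = sorted(s for s in site_edges if in_deg.get(s, 0) == 0)
    sinks = [s for s in in_deg if not site_edges.get(s)]
    ranking = sorted(((s, in_deg[s]) for s in sinks), key=lambda kv: (-kv[1], kv[0]))
    return content, ranking


if __name__ == "__main__":
    _, site_graph = build_graphs(CHAINS)
    print(classify(site_graph))
```

Intermediate redirectors such as ads.example have both in- and out-edges, so they fall into neither class; a real run would rank them separately as the "interesting URLs" of stage 2.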

Contributions
Capability
– Detect zero-day exploits effectively: monitor easy-to-find exploit-URLs, and monitor highly ranked and advanced exploit-URLs
– Detect dynamic exploit providers effectively: monitor well-known content providers
Implications
– Don't visit high-risk web sites (1.28% vs %)
– Popular web pages must be scanned constantly: 710 exploit pages among the top 10,000 popular URLs

HoneyMonkeys vs. Exploit-URLs
Evasion of HoneyMonkeys
– Avoid HoneyMonkey IP addresses
– Use unused links to detect HoneyMonkeys
– Human or machine? "Most non-exploiting sites do not use CAPTCHA Turing Test" (reverse Turing test). Why not? Input box, Flash ads?
– Detection of virtual machines
– Use cookies to track browser history
– Insert busy-work code to waste HoneyMonkey's time
What if the exploit code tries to disable Strider Tracer first? An attack that retrieves information from the browser?

Would you like to use HoneyMonkey?
Build the VM into the browser so everyone can effectively run a HoneyMonkey?
– Overhead?
– Interruption during web surfing?
– Run the "monkey program" without a VM?
– Vista?
Will you remove/block links that *Microsoft* deems to be "dangerous"?
– Sam says "I am ok…"
– But what if Microsoft blocks a victim that was compromised into an exploit provider?
– McAfee SiteAdvisor?

Open Discussion
"Why can't browsers be prevented from writing files and registry entries anyway?"
– Temporary files?
What can attackers learn?
– "Don't mix machines using zero-day exploits with discovered exploits"
What can defenders learn?
– "Good worm?"

Open Discussion (cont.)
How can we share the exploit URLs with popular search engines and/or friends?
Any psychological heuristic scan?
Besides connection counts, anything else?

Terms
Zero-day exploit: an exploit of a vulnerability that exists before the patch for that vulnerability is released

Output of one HoneyMonkey
– Executable files modified outside the browser sandbox
– Processes created
– Windows registry entries modified
– Vulnerability exploited
– Redirect-URLs

Browser-based Vulnerability Exploits
– Code obfuscation
– URL redirection
– Vulnerability exploitation
– Malware installation