
Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.


1 Automated Web Patrol with Strider HoneyMonkeys
Y. Wang, D. Beck, S. Chen, S. King, X. Jiang, R. Roussev, C. Verbowski (Microsoft Research, Redmond)
Justin Miller, February 27, 2007

2 Outline
- Internet Attacks
- Web Browser Vulnerabilities
- HoneyMonkey System
- Experiments
- Analysis/Future Work

3 Internet Attacks
- Exploit a vulnerability in the user's web browser
- Install malicious code on the machine
- No user interaction required later
- VM-based honeypots are used to detect these attacks

4 HoneyMonkeys
- OSes of various patch levels
- Mimic human web browsing
- Use StriderTracer to catch unauthorized file creation and system configuration changes
- Discover malicious web sites

5 HoneyMonkeys
(diagram: OS1, OS2 and OS3 at different patch levels exposed to malcode)

6 Browser vulnerabilities: Code Obfuscation
- Dynamic code injection using document.write()
- Unreadable, long strings with encoded characters such as “%28” or “&#104;”
- Decoded by a script function or by the browser
- Escapes anti-virus software

7 Browser vulnerabilities: URL Redirection
- Protocol redirection using an HTTP 302 temporary redirect
- HTML tags
- Script functions: window.location.replace() or window.open()
- Redirection is common in non-malicious sites
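The two slides above describe why a plain string scan of page source misses both the injected code and the redirect target: the interesting text is percent-encoded or written as HTML character references. The following Python is an added example (not code from the paper or the presentation) of the analysis-side counterpart: normalize a captured page by repeatedly undoing those two encodings, then match the indicators the slides name (document.write(), window.location.replace()/window.open(), meta refresh, external script includes) and report which URLs only became visible after decoding. The sample page, the indicator names and the .invalid hostnames are constructed for the example.

```python
import html
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample page (not from the paper): the script text is hidden behind
# percent-encoding and HTML character references, the two encodings the slide names.
SAMPLE_PAGE = (
    '<script>document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
    'example.invalid%2Fx.js%22%3E%3C%2Fscript%3E"))</script>'
    '<script>window.location.replace("&#104;&#116;&#116;&#112;&#58;&#47;&#47;'
    'redirect.example.invalid&#47;")</script>'
)

# Indicators taken from the slides: dynamic code injection and script/HTML redirection.
# The indicator names themselves are an assumption of this example.
INDICATORS = {
    "dynamic_write": re.compile(r"document\.write\s*\("),
    "script_redirect": re.compile(r"window\.(?:location\.replace|open)\s*\("),
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "script_include": re.compile(r"<script[^>]+src\s*=", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def normalize(text: str, max_rounds: int = 5) -> str:
    """Undo percent-encoding and HTML character references until nothing changes.
    Bounded rounds: nested encodings are common, but the loop must terminate."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def extract_urls(text: str) -> List[str]:
    """Distinct http(s) URLs appearing literally in the text, sorted."""
    return sorted(set(URL_RE.findall(text)))


def analyze(page: str) -> Dict[str, List[str]]:
    """Report which indicators fire on the decoded page and which URLs only become
    visible after decoding (the ones a scan of the raw source would have missed)."""
    decoded = normalize(page)
    return {
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(decoded)),
        "urls": extract_urls(decoded),
        "hidden_urls": sorted(set(extract_urls(decoded)) - set(extract_urls(page))),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PAGE).items():
        print(key, value)
```

This only undoes the two encodings the slide mentions. The other case the slide lists, a custom decoder function in the page's own script, needs the page to actually execute (a JavaScript engine or an instrumented browser), which is precisely why HoneyMonkey watches the machine's persistent state rather than the page text.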

8 Browser vulnerabilities: Malware Installation
- Viruses
- Backdoor functions
- Bot programs
- Trojan downloaders: download other programs
- Trojan droppers: delete (drop) files
- Trojan proxies: redirect network traffic
- Spyware programs

9 HoneyMonkey System
- Attempts to automatically detect and analyze web sites that exploit web browsers
- 3-stage pipeline of virtual machines:
  - Stage 1: scalable mode
  - Stage 2: recursive redirection analysis
  - Stage 3: scan with fully patched VMs

10 HoneyMonkey: Stage 1
- Visit N URLs simultaneously
- If an exploit is detected, re-visit each one individually until the exploit URL is found
(diagram: a VM visits U1 to U6 together; U2 and U3 are isolated as the exploit URLs)

11 HoneyMonkey: Stage 2
- Re-scan exploit URLs
- Perform recursive redirection analysis
- Identify all web pages involved
(diagram: U2 and U3 are re-scanned; their redirections lead to U9 and U10)

12 HoneyMonkey: Stage 3
- Re-scan exploit URLs
- Scan using fully patched VMs
- Identify attacks exploiting the latest vulnerabilities
(diagram: U2, U3, U9 and U10 are scanned on a fully patched VM; U2 and U9 still exploit)
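Stage 1 is a group-testing scheme: one VM visit covers N URLs, and the per-URL cost is only paid for batches that were flagged. The Python below is an added example, not code from the paper or the presentation, that implements that scheduling logic and counts VM visits so the saving can be compared with visiting every URL alone. The visit function is a simulation driven by a constructed list of "exploit" URLs; in the real system that decision comes from the persistent-state detector on the VM, not from a list.

```python
from typing import Callable, List, Sequence, Tuple

# Constructed ground truth standing in for exploit detection (assumption of this example):
# the URLs whose visit would leave persistent-state changes on the VM.
EXPLOIT_URLS = {"http://u2.example.invalid/", "http://u3.example.invalid/"}
# Constructed input list U1..U12 on .invalid hosts.
SAMPLE_URLS = [f"http://u{i}.example.invalid/" for i in range(1, 13)]


def simulated_visit(batch: Sequence[str]) -> bool:
    """Stand-in for one VM visit of a batch of URLs. Returns True when the visit would
    be flagged, i.e. when any URL in the batch is in the constructed exploit set."""
    return any(url in EXPLOIT_URLS for url in batch)


def stage1_scan(urls: Sequence[str], batch_size: int,
                visit: Callable[[Sequence[str]], bool]) -> Tuple[List[str], int]:
    """Stage 1 (scalable mode): visit batch_size URLs in one VM; only if that visit is
    flagged, re-visit each URL of the batch on its own to isolate the exploit URL(s).
    Returns the exploit URLs found (in input order) and the number of VM visits spent."""
    found: List[str] = []
    visits = 0
    for start in range(0, len(urls), batch_size):
        batch = list(urls[start:start + batch_size])
        visits += 1
        if not visit(batch):
            continue                 # clean batch: one visit cleared batch_size URLs
        for url in batch:            # flagged batch: the VM is re-imaged and each URL is isolated
            visits += 1
            if visit([url]):
                found.append(url)
    return found, visits


def visits_naive(urls: Sequence[str]) -> int:
    """Cost of visiting every URL alone, for comparison."""
    return len(urls)


if __name__ == "__main__":
    exploit_urls, used = stage1_scan(SAMPLE_URLS, 6, simulated_visit)
    print("exploit URLs:", exploit_urls)
    print(f"VM visits: {used} batched vs {visits_naive(SAMPLE_URLS)} one-by-one")
```

The saving depends on how rare exploit URLs are: a flagged batch costs batch_size + 1 visits instead of batch_size, so with dense exploit lists (the "known-bad" input lists of slide 17) a smaller N or no batching at all can be cheaper, while for the top-100,000 popular sites a large N pays off.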

13 HoneyMonkey Flowchart
- Scans up to 500-700 URLs per day

14 Web Site Visits
- Monkey program launches the URL
- Waits 2 minutes to allow all malicious code to download
- Detects persistent-state changes: new registry entries and .exe files
- Allows uniform detection of:
  - Known vulnerability attacks
  - Zero-day exploits

15 HoneyMonkey Report
- Generates an XML report at the end of each visit:
  - .exe files created or modified
  - Processes created
  - Registry entries created or modified
  - Vulnerability exploited
  - Redirect-URLs visited
(diagram: the Monkey Controller cleans up the infected-state machine after the visit)
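Slides 14 and 15 describe the detection rule and its output: compare the VM's persistent state before and after the visit, treat any unexpected new executable or registry change as an exploit regardless of which vulnerability was used, and write the findings to an XML report. The Python below is an added example of that diff-and-report step, not code from the paper, the presentation or StriderTracer. The snapshots are constructed dictionaries standing in for what the tracer would collect, and the browser-cache exclusion is an assumption of this example (the slides do not give the real system's exclusion list).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# Browser-cache location whose writes are expected during any visit. Assumption of
# this example: a single prefix; a real deployment would carry a fuller exclusion list.
BENIGN_PREFIXES = (
    "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\",
)

# Constructed before/after snapshots standing in for the tracer's view of the VM:
# .exe files on disk, running process names, and registry values.
BEFORE = {
    "exe": {r"C:\Windows\explorer.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"},
    "processes": {"explorer.exe", "iexplore.exe"},
    "registry": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\Windows\System32\ctfmon.exe",
    },
}
AFTER = {
    "exe": BEFORE["exe"] | {
        r"C:\Windows\Temp\dropped.exe",                                  # dropped outside the cache
        BENIGN_PREFIXES[0] + r"Content.IE5\ABCD1234\setup[1].exe",       # cached download, excluded
    },
    "processes": BEFORE["processes"] | {"dropped.exe"},
    "registry": {
        **BEFORE["registry"],
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dropped": r"C:\Windows\Temp\dropped.exe",
    },
}


def diff_state(before: dict, after: dict) -> Dict[str, List[str]]:
    """Persistent-state changes between two snapshots, as the slides list them:
    .exe files created, processes created, registry entries created or modified."""
    return {
        "exe_created": sorted(
            p for p in after["exe"] - before["exe"]
            if p.lower().endswith(".exe") and not p.startswith(BENIGN_PREFIXES)
        ),
        "processes_created": sorted(after["processes"] - before["processes"]),
        "registry_changed": sorted(
            k for k, v in after["registry"].items() if before["registry"].get(k) != v
        ),
    }


def is_exploit(diff: Dict[str, List[str]]) -> bool:
    """Detection rule: any new executable or registry change outside the browser's own
    cache counts as an exploit, whatever vulnerability was used (known or zero-day)."""
    return bool(diff["exe_created"] or diff["registry_changed"])


def build_report(url: str, diff: Dict[str, List[str]], redirect_urls: Sequence[str]) -> str:
    """The per-visit XML report, serialized to a string."""
    root = ET.Element("visit", url=url, exploit="true" if is_exploit(diff) else "false")
    sections = (("exe", diff["exe_created"]), ("process", diff["processes_created"]),
                ("registry", diff["registry_changed"]), ("redirect", list(redirect_urls)))
    for tag, items in sections:
        for item in items:
            ET.SubElement(root, tag).text = item
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    changes = diff_state(BEFORE, AFTER)
    print(build_report("http://start.example.invalid/", changes, ["http://r.example.invalid/"]))
```

Because the rule looks only at state, it cannot name the vulnerability on its own; the "vulnerability exploited" field of the report has to come from a separate step (the Stage 3 re-scan across patch levels, or a vulnerability-specific detector such as the VSED of slide 33). The same blindness is the weakness of slide 32: an exploit that makes no persistent change within the 2-minute window produces an empty diff.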

16 Web Site Redirection
(diagram: URL1 redirects to URL2, which redirects to URL3; data is collected at each hop)

17 Input URL Lists
- Suspicious URLs
  - Known to host spyware or malware
  - Links appearing in phishing or spam messages
- Most popular web sites
  - Top 100,000 by browser traffic ranking
- Local URLs
  - Organizations want to verify that their web pages have not been compromised

18 Output URL Data
- Exploit URLs
  - Measure the risk of visiting similar web sites
- Topology graphs
  - Several URLs shut down
  - Provide leads for anti-spyware research
- Zero-day exploits
  - Monitors URL “upgrades”

19 Experimental Results
- Collected 16,000+ URLs
  - Web search of “known-bad” web sites
  - Web search for Windows “hosts” files
  - Depth-2 crawling of previous URLs
- 207/16,190 = 1.28% of web sites

20 Experimental Results
- All tests done using IE v6

21 Topology Graphs
- 17 exploit URLs for SP2-PP
- Most powerful exploit pages

22 Site Ranking
- Key role in the anti-exploit process
- Determines how to allocate resources:
  - Monitoring URLs
  - Investigation of URLs
  - Blocking URLs
  - Legal actions against host sites

23 Site Ranking
- 2 types of site ranking, based on:
  - Connection counts: links URLs to other malicious URLs
  - Number of hosted exploit-URLs: web sites with an important internal page hierarchy; includes transient URLs with random strings

24 Site Ranking
- Based on connection counts

25 Site Ranking
- Based on number of exploit-URLs hosted
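The redirection records collected in Stage 2 (slides 11 and 16) form the topology graph, and the two rankings of slides 23 to 25 are both computed from it after collapsing URLs to their site. The Python below is an added example, not code from the paper or the presentation, that follows redirections recursively from a start URL and then produces both rankings: connection counts (how many distinct other sites a site exchanges redirections with) and the number of exploit URLs hosted per site. The redirect hops, the exploit pages and the .invalid hostnames are constructed for the example.

```python
from collections import Counter, defaultdict, deque
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed redirect hops of the kind Stage 2 records, as (from_url, to_url) pairs,
# and the pages on which an exploit was observed. All hosts are .invalid placeholders.
REDIRECTS = [
    ("http://a.example.invalid/p1", "http://hub.example.invalid/r"),
    ("http://b.example.invalid/p2", "http://hub.example.invalid/r"),
    ("http://hub.example.invalid/r", "http://exp.example.invalid/e1"),
    ("http://hub.example.invalid/r", "http://exp.example.invalid/e3?id=9f3a"),
    ("http://c.example.invalid/p3", "http://exp.example.invalid/e2"),
    ("http://exp.example.invalid/e2", "http://exp.example.invalid/e3?id=c71d"),
]
EXPLOIT_PAGES = {
    "http://exp.example.invalid/e1",
    "http://exp.example.invalid/e2",
    "http://exp.example.invalid/e3?id=9f3a",   # transient URLs with random strings:
    "http://exp.example.invalid/e3?id=c71d",   # distinct as URLs, one site when aggregated
}


def site_of(url: str) -> str:
    """Aggregation key for ranking: the hostname of the URL."""
    return urlsplit(url).hostname or url


def pages_involved(start: str, redirects: Iterable[Tuple[str, str]]) -> List[str]:
    """Stage 2: follow redirections recursively from start and return every page reached,
    the start included. Breadth-first with a visited set, so redirect loops terminate."""
    out_edges = defaultdict(list)
    for src, dst in redirects:
        out_edges[src].append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        url = queue.popleft()
        for nxt in out_edges[url]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def rank_by_connections(redirects: Iterable[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Site ranking (1): number of distinct other sites each site exchanges redirections
    with, in either direction. Ties are broken by name so the output is deterministic."""
    neighbours = defaultdict(set)
    for src, dst in redirects:
        s, d = site_of(src), site_of(dst)
        if s != d:                       # intra-site hops say nothing about connectivity
            neighbours[s].add(d)
            neighbours[d].add(s)
    return sorted(((site, len(n)) for site, n in neighbours.items()),
                  key=lambda item: (-item[1], item[0]))


def rank_by_hosted_exploits(exploit_pages: Iterable[str]) -> List[Tuple[str, int]]:
    """Site ranking (2): number of exploit URLs hosted per site."""
    counts = Counter(site_of(u) for u in exploit_pages)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("pages involved from a/p1:", pages_involved("http://a.example.invalid/p1", REDIRECTS))
    print("by connections:", rank_by_connections(REDIRECTS))
    print("by hosted exploit URLs:", rank_by_hosted_exploits(EXPLOIT_PAGES))
```

The two rankings answer different questions and pick out different sites here: the hub site has no exploit page of its own but the most connections, so blocking or investigating it cuts off several paths at once; the exp site ranks first by hosted exploit URLs, and aggregating by hostname is what keeps its random-string URLs from inflating that count into a list of throwaway addresses.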

26 Effective Monitoring
- Easy-to-find exploit URLs
  - Useful for detecting zero-day exploits
- Content providers with well-known URLs
  - Must maintain these URLs to keep high traffic
- Highly ranked URLs
  - More likely to upgrade exploits

27 Scanning Popular URLs

28 HoneyMonkey Evasion
- Target IP addresses
  - Blacklist IP addresses of HoneyMonkey machines
- Determine if a human is present
  - Create a cookie to suppress future visits
  - A one-time dialog pop-up box disables the cookie
- Detect VM or HoneyMonkey code
  - Test for a fully virtualizable machine
  - Becomes less effective as VMs increase

29 Bad Web Site Rankings
- Celebrity info
- Song lyrics
- Wallpapers
- Video game cheats
- Wrestling

30 Related Work
- Email quarantine
  - Intercepts every incoming message
- Shadow honeypots
  - Divert suspicious traffic to a shadow version
  - Detect potential attacks, filter out false positives
- Honeyclient
  - Tries to identify browser-based attacks

31 Strengths
- HoneyMonkey will detect most:
  - Trojan viruses
  - Backdoor functions
  - Spyware programs
- Uniform detection of exploits:
  - Known vulnerability attacks
  - Zero-day exploits
- Generates an XML report for each visit

32 Weaknesses
- Takes time to clean the infected machine after each web site visit
- Code obfuscation escapes anti-virus software
- Only detects persistent-state changes
- HoneyMonkey only waits 2 minutes per URL
  - Delayed exploits on web pages are missed

33 Improvements
- Run HoneyMonkey with random wait times
  - Combats delayed exploits on web sites
  - Randomizes the HoneyMonkey attack
- Vulnerability-specific exploit detector (VSED)
  - Insert break points within bad code
  - Stops execution before potentially malicious code

34 Questions?

