Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008.

Published byPreston Harper Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008."— Presentation transcript:

1 Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

2 9/17/2008RAID 2008 Problem n Client-side exploits are a growing threat –Lots of client-side vulnerabilities n Microsoft Internet Explorer has more than 50 serious vulnerabilities in last 6 months (SecurityFocus database) –Lots of client-side exploits n 90% of all PCs harbor spyware (Webroot, 2006) n We need to be able to proactively detect and characterize client-side attacks before we get hit We lack a proactive detection technology for client-side attacks

3 9/17/2008RAID 2008 A ‘Business’ Model

4 9/17/2008RAID 2008 Another Business Model

5 9/17/2008RAID 2008 Honeyclient Case Examples Please DO NOT go to any of the sites on the following slides unless you REALLY know what you’re doing!!!)

6 9/17/2008RAID 2008 www.world0fwarcraft.net (Changes) Suspicious file

7 9/17/2008RAID 2008 www.world0fwarcraft.net (Changes) Where’s /etc/hosts file??? Definitely suspicious

8 9/17/2008RAID 2008 www.world0fwarcraft.net (Changes)

9 9/17/2008RAID 2008 www.world0fwarcraft.net (Scans )

10 9/17/2008RAID 2008 www.sharky.in (Changes) This definitely doesn’t look good…

11 9/17/2008RAID 2008 www.sharky.in (Scan) Poor results on scans…

12 9/17/2008RAID 2008 Background - Honeyclients n Honeyclients provide capability to proactively detect client-side exploits –A honeyclient is a system that drives a client application to potentially malicious servers –Any changes made on honeyclient system are unauthorized – no false positives! –We detect exploits even without prior signatures

13 9/17/2008RAID 2008 Basic Honeyclient Package Client- side Exploit Database Malicious Server RequestResponse Linux Host Traffic logs Windows VM Honeyclient Prototype Capabilities Integrity checks Drive IE Extract URLs Recurse (Internal) Recurse (External) Virtual host Protective firewall Exploit DB Image rotation Modular clients Traffic history Secure logging Memory checks Honeyclient Network Internet

14 9/17/2008RAID 2008 Additional Project Information n Project website http://honeyclient.mitre.org n Mailing list honeyclient@mitre.org n We need beta testers! http://www.honeyclient.org/trac/wiki/download n Developers are welcome too! SVN repository is available

Download ppt "Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project 9/17/2008RAID 2008."

Similar presentations

A NASSCOM ® Initiative Comprehensive Computer Security Software An advanced computer security software usually have one or more of the following utilities.

A NASSCOM ® Initiative Comprehensive Computer Security Software An advanced computer security software usually have one or more of the following utilities.
Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.

The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
1 Anti Virus System i-Specific Anti-Virus Product.

1 Anti Virus System i-Specific Anti-Virus Product.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
University of Maryland I.T. Security Gerry Sneeringer IT Security Officer

University of Maryland I.T. Security Gerry Sneeringer IT Security Officer
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.

Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.

Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.
Your technology solution partner.™ Security Enterprise Protection Gener C. Tongco Product Manager CT Link Systems Inc.

Your technology solution partner.™ Security Enterprise Protection Gener C. Tongco Product Manager CT Link Systems Inc.
Computerized Networking of HIV Providers Networking Fundamentals Presented by: Tom Lang – LCG Technologies Corp. May 8, 2003.

Computerized Networking of HIV Providers Networking Fundamentals Presented by: Tom Lang – LCG Technologies Corp. May 8, 2003.
Partnering For Profitability Growing your business with Microsoft Forefront Security Solutions Mark Hassall Director Security & Access BG Microsoft Corporation.

Partnering For Profitability Growing your business with Microsoft Forefront Security Solutions Mark Hassall Director Security & Access BG Microsoft Corporation.
Cyber Patriot Training

Cyber Patriot Training
Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.

Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.
Introducing Quick Heal Endpoint Security 5.2. “Quick Heal Endpoint Security 5.2 is designed to provide simple, intuitive centralized management and control.

Introducing Quick Heal Endpoint Security 5.2. “Quick Heal Endpoint Security 5.2 is designed to provide simple, intuitive centralized management and control.

Similar presentations

Ads by Google