Published by Clinton Miller. Modified over 8 years ago.
Slide 1: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King, Microsoft Research, Redmond
Presented by Jianqing Zhang
Slide 2: Motivation
- Malicious or hacked web sites exploiting client-side vulnerabilities of visiting clients
- Limitations of existing approaches
  – Not scalable
  – No comprehensive picture of the network of exploit web sites
  – Generally ineffective at finding new malicious sites
Slide 3: Approach
- Hunt using a shotgun, rather than a trap
- "Web patrolling" sounds a lot like the scanning technique used by worms to locate other vulnerable machines.
- Strider HoneyMonkeys: an automated web patrol system
  – A pipeline of "monkey programs"
  – Vulnerable browsers at different patch levels
  – Virtual-machine based
Slide 4: Exploit Detection
- Steps
  – Run browsers in a VM with a "monkey program"
  – Black-box, non-signature-based: detect a group of persistent-state changes, namely any executable files or registry entries created outside the browser sandbox
  – Log the exploit and restart the VM if infected
- Features
  – No risk to the production system, thanks to isolation
  – Detects known-vulnerability and zero-day exploits in a uniform way
  – Cannot detect exploits that make no persistent-state changes, or that only make changes inside the browser sandbox
Slide 5: HoneyMonkey System
[Figure: three-stage pipeline]
- Input: interesting URLs
- Stage 1: scalable mode, un-patched VM, N URLs inside one VM -> exploit URLs
- Stage 2: basic mode, un-patched VM, one URL per VM, recursive redirection analysis, topology graph of exploit URLs -> traffic-redirection topology graphs
- Stage 3: basic mode, fully patched VM -> zero-day exploit-URLs and topology graphs
Presenter's questions:
- Why does HoneyMonkey fetch N web sites simultaneously? Is it really scalable?
- Why not more VMs on a single physical computer?
- Why not just detect vulnerabilities?
- What if the attack has N stages? – Is HoneyMonkey stateless?
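As an added illustration (not code from the paper, the presentation, or any Microsoft tool), the following Python models the black-box check of slide 4 and the un-patched-versus-fully-patched staging of slide 5: two persistent-state snapshots are diffed, new entries inside an assumed browser sandbox are ignored, and any remaining new executable or registry entry marks the URL as exploiting. The sandbox prefixes and all sample paths are constructed for the example.

```python
# Added example (not code from the paper or presentation): a minimal model of
# HoneyMonkey's black-box persistent-state-change check. Sandbox locations and
# all sample paths are constructed for illustration.

# Assumed browser sandbox: locations the browser legitimately writes to while
# browsing. New entries here are NOT counted as exploit evidence.
SANDBOX_PREFIXES = (
    r"C:\Users\monkey\AppData\Local\Temp\Browser",
    r"HKCU\Software\Microsoft\Internet Explorer",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

def in_sandbox(entry: str) -> bool:
    e = entry.lower()
    return any(e.startswith(p.lower()) for p in SANDBOX_PREFIXES)

def is_exploit_indicator(entry: str) -> bool:
    """Slide 4 rule: an executable or registry entry created outside the sandbox."""
    if in_sandbox(entry):
        return False
    is_registry = entry.upper().startswith(("HKLM\\", "HKCU\\"))
    return is_registry or entry.lower().endswith(EXECUTABLE_SUFFIXES)

def detect_exploit(before: set, after: set) -> list:
    """Diff two snapshots (sets of file paths / registry keys); return new suspicious entries."""
    return sorted(e for e in (after - before) if is_exploit_indicator(e))

def classify(unpatched_hits: list, patched_hits: list) -> str:
    """Slide 5 staging: hits on the fully patched VM mean a zero-day candidate;
    hits only on the un-patched VM mean a known-vulnerability exploit."""
    if patched_hits:
        return "zero-day candidate"
    if unpatched_hits:
        return "known-vulnerability exploit"
    return "no exploit observed"

# Constructed before/after snapshots for one URL visit on the un-patched VM.
BEFORE = {
    r"C:\Windows\System32\kernel32.dll",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
}
AFTER = BEFORE | {
    r"C:\Users\monkey\AppData\Local\Temp\Browser\banner.gif",        # cache file: ignored
    r"C:\Users\monkey\AppData\Local\Temp\Browser\helper.dll",        # inside sandbox: ignored
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Window Title",  # browser's own key: ignored
    r"C:\Users\monkey\Documents\readme.txt",                         # not executable: ignored
    r"C:\Windows\System32\dropper_example.exe",                      # executable outside sandbox
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\example",   # registry outside sandbox
}
```

The sandbox filter is exactly why the slide 4 caveat holds: an exploit whose only footprint is inside the sandbox, or that leaves no persistent change at all, produces an empty diff.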
Slide 6: Topology Graph of Exploit URLs
[Figure: URL-level topology graph for WinXP SP1 un-patched: 688 URLs from 270 sites (MSR-TR-2005-72). Legend: individual exploit-URL, site nodes, content provider, exploit provider.]
Slide 7: Contributions
- Capability
  – Detect zero-day exploits effectively: monitor easy-to-find exploit-URLs; monitor highly ranked and advanced exploit-URLs
  – Detect dynamic exploit providers effectively: monitor well-known content providers
- Implications
  – Don't visit high-risk web sites (1.28% vs. 0.071%)
  – Necessary to scan popular web pages constantly (710 popular exploit pages among the top 10,000 popular URLs)
Slide 8: HoneyMonkeys vs. Exploit-URLs
- Evasion of HoneyMonkeys
  – Avoid HoneyMonkey IP addresses
  – Use unused links to detect HoneyMonkeys
  – Human or machine? "most non-exploiting sites do not use CAPTCHA Turing Test" (reverse Turing test) – Why not? Input box, Flash ads?
  – Detection of virtual machines
  – Use cookies to track browser history
  – Insert busy-work code to waste HoneyMonkey's time
- What if the exploit code tries to disable Strider Tracer first?
- An attack that retrieves information from the browser?
Slide 9: Would you like to use HoneyMonkey?
- Build the VM into the browser so everyone can effectively run a HoneyMonkey?
  – Overhead?
  – Interruption during web surfing?
  – Run the "monkey program" without a VM?
  – Vista?
- Will you remove/block links that *Microsoft* deems to be "dangerous"?
  – Sam says "I am ok…"
  – But what if Microsoft blocks a victim that was compromised into an exploit provider?
  – McAfee SiteAdvisor?
Slide 10: Open Discussion
- "Why can't browsers be prevented from writing file and registry anyways?"
  – Temporary files?
- What can attackers learn?
  – "Not mix machines using zero-day exploits with discovered exploits"
- What can defenders learn?
  – "Good worm?"
Slide 11: Open Discussion (cont.)
- How can we share the exploit URLs with popular search engines and/or friends?
- Any psychological heuristic scan?
- Besides connection counts, anything else?
Slide 12: Terms
- Zero-day exploit: an exploit of a vulnerability that exists before the patch for that vulnerability is released
Slide 13: Output of one HoneyMonkey
- Executable file modifications outside the browser sandbox
- Processes created
- Windows registry entry modifications
- Vulnerability exploited
- Redirect-URLs
Slide 14: Browser-based Vulnerability Exploits
- Code obfuscation
- URL redirection
- Vulnerability exploitation
- Malware installation