An introduction to honeyclient technologies

Christian Seifert
Angelo Dell'Aera
Speakers
Christian Seifert
• Full Member of the Honeynet Project since 2007
• PhD from Victoria University of Wellington, NZ
• Research Software Engineer @ Microsoft Bing
Angelo Dell'Aera
• Full Member of the Honeynet Project since 2009
• Senior Threat Analyst @ Security Reply (7 years)
• Information Security Independent Researcher @ Antifork Research (13 years)
Agenda
• Introduction
• Honeyclient technologies
  • Low-Interaction (PhoneyC)
  • High-Interaction (Capture-HPC)
• Malware Distribution Networks
• Challenges and Future Work
New trends, new tools
• In recent years there have been more and more attacks against client systems
• The end user is the weakest link of the security chain
• New tools are required to learn more about such client-side attacks
New trends, new tools
• The browser is the most popular client application, deployed on every user system
• Many vulnerabilities are identified daily (and almost always reported) in the most widely used browsers
• The browser is currently the preferred way to own a host
Honeyclients
• What we need is something that looks like a real browser, in the same way a classical honeypot system looks like a real vulnerable server
• A real system (high-interaction) or an emulated one (low-interaction)?
[Diagram: honeyclient architecture with Queuer, Visitor and Analysis Engine components]
Low-interaction strengths and weaknesses
+ Different browser versions (“personalities”)
+ Different ActiveX and plugin modules (even different versions)
+ Much safer
+ More scalable
- Easy to detect
PhoneyC - Brief History
• A pure Python low-interaction honeyclient
• First version developed by Jose Nazario
• Great improvements during GSoC 2009
• And the history continues...
PhoneyC – DOM Emulation
“The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page.” (W3C definition)
• Huge improvements during GSoC 2009
• Emulation built on the Python object __getattr__ and __setattr__ methods
PhoneyC - Browser Personalities
• Currently supported personalities:
  • Internet Explorer 6.0 (Windows XP)
  • Internet Explorer 6.1 (Windows XP)
  • Internet Explorer 7.0 (Windows XP)
  • Internet Explorer 8.0 (Windows XP)
  • Internet Explorer 6.0 (Windows 2000)
  • Internet Explorer 8.0 (Windows 2000)
• Easy to add new personalities
PhoneyC - Javascript Engine
• Based on SpiderMonkey, the Mozilla implementation of the Javascript engine
• HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs
• HoneyJS is based on python-spidermonkey
PhoneyC - Vulnerability Modules
• Python-based vulnerability modules
  • Core browser functionalities
  • Browser plugins
  • (Mock) ActiveX controls
PhoneyC - Shellcode detection and emulation
• HoneyJS: “The shellcode manipulation and the spraying of the fillblock involve assignments. The shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes”
• Libemu integration (shellcode detection, execution and profiling)
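As an added illustration of the two PhoneyC mechanisms described on the DOM emulation and shellcode detection slides (emulating DOM objects with __getattr__/__setattr__, and inspecting values for shellcode at assignment time), here is a small Python sketch. It is not PhoneyC's or HoneyJS's code; the personality values and the %u heap-spray heuristic are assumptions chosen for the example.

```python
import re

# Constructed personality values (assumed, roughly IE 6.0 on Windows XP).
PERSONALITY = {"appName": "Microsoft Internet Explorer",
               "userAgent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}

UNESCAPE_UNIT = re.compile(r"%u[0-9a-fA-F]{4}")  # one unescape()-encoded 16-bit unit
NOP_SLED = re.compile(r"(?:%u9090){8,}")         # run of 0x90 NOPs, a typical sled

def looks_like_shellcode(value, min_units=64):
    """Assumed heuristic: flag a long %u-encoded string, or one containing a
    NOP sled, as seen in unescape()-based heap sprays."""
    if not isinstance(value, str):
        return False
    return bool(NOP_SLED.search(value)) or len(UNESCAPE_UNIT.findall(value)) >= min_units

class EmulatedObject:
    """Emulated DOM/BOM object: every property the script reads or writes is
    logged, and written values are inspected at assignment time."""
    def __init__(self, name, props, log):
        # Bypass our own __setattr__ for the internal bookkeeping fields.
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_props", dict(props))
        object.__setattr__(self, "_log", log)

    def __getattr__(self, attr):
        # Only reached for names not in __dict__, i.e. script-level probes.
        self._log.append(("get", f"{self._name}.{attr}"))
        return self._props.get(attr, "")

    def __setattr__(self, attr, value):
        kind = "shellcode?" if looks_like_shellcode(value) else "set"
        self._log.append((kind, f"{self._name}.{attr}"))
        self._props[attr] = value

def run_script(actions):
    """Replay a constructed list of ("get"|"set", object, attr, value) steps the
    way a script would drive the emulated DOM; returns the access log."""
    log = []
    objs = {"navigator": EmulatedObject("navigator", PERSONALITY, log),
            "window": EmulatedObject("window", {}, log)}
    for op, obj, attr, value in actions:
        if op == "get":
            getattr(objs[obj], attr)
        else:
            setattr(objs[obj], attr, value)
    return log
```

The access log is what a low-interaction honeyclient analyst reads: which properties a page probed (fingerprinting the personality) and which assignments carried spray-like payloads.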
PhoneyC - Future Improvements
• A new and more reliable DOM (Document Object Model) emulation
• Replacing SpiderMonkey with Google V8
• Mixed static/dynamic analysis for detecting potential attacks
High-interaction Client Honeypot
• Real system
• Observe effects of attack
[Diagram: the client honeypot sends a request to a benign server and gets a response with no state changes detected; it sends a request to a malicious server and gets an attack, detected as a new file appearing in the start-up folder]
High-interaction strengths and weaknesses
+ No emulation necessary
+ Accurate classification (extremely low false
positive rate)
+ Ability to detect zero-day attacks
+ More difficult to evade
- Miss attacks
- “Dangerous”
- More computationally expensive
Capture-HPC (v2.5) Functionality
• Platform Independence *
• Flexibility around client application
• Forensically ready
• Records information at kernel level
• Collects modified files (e.g. malware)
• Collects network traffic (pcap)
• Maintained by the New Zealand Honeynet Project Chapter
Malware Distribution Networks
Malware Distribution Networks Overview
• Set of web servers (network) controlled by a group of cyber criminals to distribute malware efficiently
• Specialized structures that support specialized roles of the cyber criminal
• Malware distribution networks allow for campaigns and temporarily renting out components of the distribution network
Malware Distribution Networks
[Chart: share of drive-by-download pages per exploit server; 12.8% of exploit servers responsible for 84.1% of drive-by-download pages]
Source: Microsoft Security Intelligence Threat Report (http://www.microsoft.com/sir)
Challenges and Future Work
Malware Distribution Network
[Chart: y-axis from 0 to 25000; series labels not recoverable]
Malware Distribution Networks Fast-Flux
[Diagram: nodes LP1, LP2, R1, R2, ES1, ES2]
• LP infected with a script that contacts twitter to obtain popular topics (e.g. japan)
• From a popular query from last week, the script constructs a host name (e.g. “j” + date)
• Next day, the same LP will contact twitter to obtain popular topics (e.g. tunisia)
• Now it will construct a different host name (e.g. “t” + date)
• Attacker registers the hostname a few days in advance
[Table: rows are the days 3/19/2011 to 3/29/2011; columns are twitter.com and the hostnames h1 to h10; a 1 marks a contact on that day]
Evasion Techniques
• Technology Differences (Browser vs
Honeyclient)
• Human vs Machine Interaction
• Decrease visibility
The Threats
[Diagram: threats grouped by the security property they affect (Availability, Integrity, Confidentiality)]
• Crashes
• Drive-by-pharming
• Network floods / Puppetnets
• Drive-by-Downloads
• Web spam / junk pages
• Social Engineering
• Hosting of malware
• Popup floods
• Cross-X attacks
• Cookie, history, file, and clipboard stealing
• Network scanners
• Phishing
References
• Jose Nazario, “PhoneyC: A virtual client honeypot”, LEET 2009
• The Honeynet Project, KYE: Malicious Web Servers, http://www.honeynet.org/papers
• Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, “ARROW: Generating Signatures to Detect Drive-By Downloads”, in proceedings of the WWW conference, Hyderabad, India, 2011
• Microsoft, Security Intelligence Threat Report, http://www.microsoft.com/sir
Thanks for the attention
http://code.google.com/p/phoneyc/
https://projects.honeynet.org/capture-hpc
Questions?
Christian Seifert <christian.seifert@honeynet.org>
Angelo Dell'Aera <angelo.dellaera@honeynet.org>