
Automated Web Patrol with Strider HoneyMonkeys. Presented by Zhichun Li.

Presentation transcript:

1 Automated Web Patrol with Strider HoneyMonkeys. Presented by Zhichun Li.

2 Overview… Problem @ hand. Proposed solution. Browser based vulnerabilities. The HoneyMonkey system. Evaluation. Questions & Discussion.

3 Problem @ hand… Many attacks exploit browser vulnerabilities to install malware without any user action, e.g. –Download.Ject –Bofra –Xpire.info. Current state of the art: manual analysis of individual sites, which –does not scale –does not provide a comprehensive picture of who is exploiting whom.

4 Proposed solution… Active, client-side, VM-based honeypots called Strider HoneyMonkeys. They perform large-scale, systematic and automated web patrol. "Monkey" programs drive a browser inside VMs at different OS/browser patch levels to mimic human browsing. A state-management methodology is used so that each VM is restored to a clean state after an exploit is detected. Strider Tracer records the file, process and registry changes made during each visit.

5 Browser-based vulnerability exploits… A typical drive-by attack proceeds in four steps: code obfuscation, URL redirection, vulnerability exploitation, malware installation.

6 Code obfuscation… Dynamic code injection: the exploit HTML or script is emitted at run time with document.write() from inside a script. Unreadable code: the payload is stored percent-escaped and decoded with unescape(). Custom decoding routines. Substring replacement: parts of tag or function names are swapped in with replace() only at run time, so the static page text never contains them.

7 URL redirection… The primary URL (the page the user visits) sends the browser on to a secondary URL (the exploit page) by: protocol-level redirection with an HTTP 302 temporary redirect; HTML tags; script functions such as window.location.replace(). The secondary URL, or a further hop, is where the exploit is served.

8 Vulnerability exploitation… Exploit pages try several browser vulnerabilities in turn. Owing to its market share, Internet Explorer is the main target. Malware installation… The exploit drops and runs arbitrary code on the victim machine in order to achieve the attacker's larger goal.

9 HoneyMonkey system… Automatically detects and analyzes the network of websites that exploit browsers.

10 Exploit detection system… Stage 1 – scalable mode: unpatched VMs visit N URLs per session to find exploit URLs quickly. Stage 2 – recursive redirection analysis of the exploit URLs found in stage 1. Stage 3 – rescan the exploit URLs with fully patched VMs; anything that still exploits is a zero-day candidate.

11 Exploit detection – XML report… Because the monkey never clicks on anything, any of the following after a visit counts as an exploit, and each is recorded in the report: executable files created or modified outside the browser sandbox folders; processes created; Windows registry entries created or modified; the vulnerability exploited; the redirect URLs visited.

12 Redirection analysis… Many stage-1 exploit URLs are only front-end content providers that forward the browser to the real exploit page. Traffic redirection is tracked with a BHO (Browser Helper Object). Each redirect URL is scanned recursively in its own right. Topology graphs are constructed from the observed redirection traffic. The graph identifies the pages that actually perform the exploit, i.e. where the redirection chain stops.

13 Topology graphs…

14 Anti-Exploit Process… Generating input URL lists – sources: –Suspicious URLs submitted for analysis. –Popular web sites (as measured by search engines): if compromised, they can infect a large population. –URLs of more localized scope, e.g. those used within an organization or taken from browsing history. Acting on the output exploit-URL data: –Stage 1 output – exploit URLs. –Stage 2 output – traffic-redirection topology graph. –Stage 3 output – zero-day exploit URLs and their topology graphs.

15 Overview… Problem @ hand. Proposed solution. Browser based vulnerabilities. The HoneyMonkey system. Evaluation. Questions & Discussion.

16 Statistics by patch level

17 Node ranking… Nodes in the topology graph are ranked by connection count (how many URLs redirect into them) and by the number of exploit URLs they feed.

18 Node ranking contd…

19 Zero-day exploit detection… Two zero-day exploits discovered: –Early July 2005, the javaprxy.dll exploit. –A second one found within the next hour. Important observations: –Monitoring easy-to-find exploit URLs is effective. –Monitoring content providers with well-known URLs is effective. –Monitoring highly ranked and advanced exploit URLs is effective.

20 Scanning Popular URLs Summary Statistics

21 Node ranking

22 Discussions… Attackers identifying HoneyMonkeys: –blacklisting HoneyMonkey IP addresses –testing whether a human is present before exploiting –detecting the VM or the HoneyMonkey code itself. Exploiting without triggering HoneyMonkey detection: keeping all activity within the browser sandbox folders, which the file/process rule does not flag. Randomizing attacks so that repeated visits do not reproduce the exploit. VSED – vulnerability-specific exploit detector – as a complement to the behaviour-based detection.

23 Pros… Fully automatic. Scalable. Non-signature-based (detects by behaviour, not by known exploit code). Staged pipeline. Finds zero-day exploits.

