2nd Generation Honey Clients
Transcript of 2nd Generation Honey Clients
-
8/8/2019 2nd Generation Honey Clients
1/42
2nd
Generation Honeyclients
Robert Danford
SANS Internet Storm Center
-
8/8/2019 2nd Generation Honey Clients
2/42
2nd Generation Honeyclients 2
What are Honeyclients?
High-interaction (active)
client-side
honeypots
used for detecting and characterizing
malicious sites by driving a systemin a way that mimics human users
-
8/8/2019 2nd Generation Honey Clients
3/42
2nd Generation Honeyclients 3
Low/Medium/High Interaction
LowTransport layer
virtualization
MediumApplication layervirtualization
HighReal, vulnerablesystems
-
8/8/2019 2nd Generation Honey Clients
4/42
2nd Generation Honeyclients 4
Trade-offs
Speed
Ease of
Implementation
Maintenance
Reuse
Detection (fingerprinting)
Depth of information gathered Reality vs. simulation
Resources required
-
8/8/2019 2nd Generation Honey Clients
5/42
2nd Generation Honeyclients 5
Server-side vs. Client-side
-
8/8/2019 2nd Generation Honey Clients
6/42
2nd Generation Honeyclients 6
Why client-side is so important
Threats triggered by end-user behavior
Security is fundamentally a human
problem Criminal focus on soft-targets
-
8/8/2019 2nd Generation Honey Clients
7/42
2nd Generation Honeyclients 7
Honeyclient Uses
Evaluating/characterizing web sites
Testing endpoint security Detecting zero-day browser exploits
Mapping malicious neighborhoods
Obtaining unique malware and exploitsamples
-
8/8/2019 2nd Generation Honey Clients
8/42
2nd Generation Honeyclients 8
Examples
Drive-by downloads
Adware/spyware
Exploitation websites Phishing?
Typo-squatting
Zero-day exploits against browsers
-
8/8/2019 2nd Generation Honey Clients
9/42
2nd Generation Honeyclients 9
Honeyclients vs. Crawlers
Honeyclients
Vulnerable to attack
Utilize a mechanized
browser when surfing Must be monitored to
detect compromise Blackbox (MS Strider)
Integrity checks Scans (AV, AS, etc)
Intrusion Detection
Sandbox (Sandboxie)
Crawlers
Not supposed to becompromised
Crawlersprogrammatically surfwebsites to retrievecontent
Simulation can be used todetermine if content ismalicious (sandbox)
-
8/8/2019 2nd Generation Honey Clients
10/42
2nd Generation Honeyclients 10
Issues with Crawlers
Simulation Exploit may not trigger
Active/dynamic content
Chain reactions Secondary vulnerabilities
Ease of detection Fingerprinting
Maliciousness detection Signatures
Interpretation
-
8/8/2019 2nd Generation Honey Clients
11/42
2nd Generation Honeyclients 11
Issues with Honeyclients
Speed
More complexity = slower
Stability Infected systems are slow
Maintenance
Reset after infection Maliciousness detection
Sandbox, IDS, scanners
-
8/8/2019 2nd Generation Honey Clients
12/42
2nd Generation Honeyclients 12
Projects Utilizing Honeyclient or
Crawler Technology MS Strider HoneyMonkey (Microsoft Research)
Honeyclient.org (Kathy Wang)
Mitre Honeyclient Project (Mitre) Client-side Honeypots (Univ. of Mannheim)
Collapsar/Reverse Honeyfarm (Purdue Univ.)
Phileas (Webroot) Websense (Hubbard)
SiteAdvisor (McAfee)
-
8/8/2019 2nd Generation Honey Clients
13/42
2nd Generation Honeyclients 13
Projects Utilizing Honeyclient or
Crawler Technology Contd StillSecure/Pezzonavante (Danford)
SPECTRE (Sunbelt)
Shadow Honeypots (Anagnostakis) Email quarantine systems (Columbia Univ.)
Spycrawler (Univ. of Washington)
XPLIntel (Exploit Prevention Labs) Irish Honeynet Project (Espion)
-
8/8/2019 2nd Generation Honey Clients
14/42
2nd Generation Honeyclients 14
-
8/8/2019 2nd Generation Honey Clients
15/42
2nd Generation Honeyclients 15
-
8/8/2019 2nd Generation Honey Clients
16/42
2nd Generation Honeyclients 16
MS Strider HoneyMonkey Project
-
8/8/2019 2nd Generation Honey Clients
17/42
2nd Generation Honeyclients 17
-
8/8/2019 2nd Generation Honey Clients
18/42
2nd Generation Honeyclients 18
Honeyclient.org Honeyclient
-
8/8/2019 2nd Generation Honey Clients
19/42
2nd Generation Honeyclients 19
Issues to Overcome
Constant supply of URLs
Preventing infected clients from infectingthe planet (honeywall)
Surf tracking (URL Server) Results from each visit
Coordinate across clients
Limited retries Correlating infections
Avoid being blacklisted
-
8/8/2019 2nd Generation Honey Clients
20/42
2nd Generation Honeyclients 20
Pezzonavante Honeyclient
-
8/8/2019 2nd Generation Honey Clients
21/42
2nd Generation Honeyclients 21
DeploymentExperience
October 2005 March 2006
200,000 URLs surfed 7 million links harvested 600+ virus infections 750+ spyware-relatedevents 1,500 malware samples 500+ malicious URLssubmitted for takedown
-
8/8/2019 2nd Generation Honey Clients
22/42
2nd Generation Honeyclients 22
Issues Found
Speed
Coordination
Correlation Information Overload
Candidate URLs
Anti-VMware techniquesInfected PCs are slowand unstable. Duh!
-
8/8/2019 2nd Generation Honey Clients
23/42
2nd Generation Honeyclients 23
Characterizing URLs
Potentially malicious websites need to beidentified in advance (guided search)
Avoid surfing .mil, .gov, and froogle all day
-
8/8/2019 2nd Generation Honey Clients
24/42
2nd Generation Honeyclients 24
Methods for Determining CandidateURLs
1.Compare IP/hostname against blacklists2.Filename ends in an executable suffix (*.scr,
*.exe, *.pif)
3.Known-bad strings (ie0502.htm, cartao, cmd.txt)4.Obfuscated URLs5.Known redirectors (from previous squid logs)6.McAfee SiteAdvisor ranking
7.Site logged in the Norman Sandbox8.Site or URL substring shows up in virusdescriptions
-
8/8/2019 2nd Generation Honey Clients
25/42
2nd Generation Honeyclients 25
URL Sources
URLs harvested from unsolicited email
Google API
Harvested links
SANS ISC URL list
Blacklists
-
8/8/2019 2nd Generation Honey Clients
26/42
2nd Generation Honeyclients 26
Detecting Malicious Activity
Pezzonavante used a hybrid,asynchronous approach to detection
Osiris integrity checking
Security tool scans
Snort network IDS alerts
Traffic analysis
Snapshot comparisons
-
8/8/2019 2nd Generation Honey Clients
27/42
2nd Generation Honeyclients 27
Sandboxes and Integrity Checking
CWSandbox
Sandboxie http://www.sandboxie.com/
-
8/8/2019 2nd Generation Honey Clients
28/42
2nd Generation Honeyclients 28
Integrity Checking
-
8/8/2019 2nd Generation Honey Clients
29/42
2nd Generation Honeyclients 29
Anti-Virus
Running an anti-virus product after thefact
will produce some results
But
-
8/8/2019 2nd Generation Honey Clients
30/42
2nd Generation Honeyclients 30
Intrusion Detection (Snort)
NIDS was most helpful in monitoring forpost-infection behavior.
However, occasional gems were found..
-
8/8/2019 2nd Generation Honey Clients
31/42
2nd Generation Honeyclients 31
Squid is Your Friend
Log entry for site access referenced in previousslide
-
8/8/2019 2nd Generation Honey Clients
32/42
2nd Generation Honeyclients 32
Network Traffic Analysis (IPTables)
Basic visualization needs similar to otherhoneynet projects
New visualization tools needed to observenear real-time activity on the client
-
8/8/2019 2nd Generation Honey Clients
33/42
2nd Generation Honeyclients 33
www.philippinehoneynet.org
-
8/8/2019 2nd Generation Honey Clients
34/42
2nd Generation Honeyclients 34
www.philippinehoneynet.org
-
8/8/2019 2nd Generation Honey Clients
35/42
2nd Generation Honeyclients 35
Anti-honeyclient Methods
1. Blacklisting Try to look normal and not get blacklisted
Distributed honeyclient farms
2. Dialog boxes
GUI automation needed (ex. Windpysend)
3. Anti-crawler techniques
4. Time-bombs
Wait 10 sec in case of delayed exploit
5. Page-close events
Load a blank page to trigger event (delayed exploit)
-
8/8/2019 2nd Generation Honey Clients
36/42
2nd Generation Honeyclients 36
Anti-honeyclient Methods Contd
6. Non-deterministic URL behavior Pool stats with other farms. Overlap surfing
7. Links no human would click
Background color hyperlinks IMG links with dont click on them
8. Timing analysis
9. Surf behavior
Timing analysis Paths through a site
- Depth-first vs. breadth-first
- Referer information (deep linking)
-
8/8/2019 2nd Generation Honey Clients
37/42
2nd Generation Honeyclients 37
Anti-honeyclient Methods Contd
10. Dynamic and relative URLs
JavaScript $**
11. Cookies
12. Session IDs
13. Encoded URLs, foreign character sets
14. URL redirection
-
8/8/2019 2nd Generation Honey Clients
38/42
2nd Generation Honeyclients 38
Malware Analysis Evasion
Current trend in certain malware code-bases for detecting debugger or virtualmachine environments
More study required to determine whatpercentage of infections virtualhoneyclients may miss
Physical machines plus a disk imager likeGhost may be needed
-
8/8/2019 2nd Generation Honey Clients
39/42
2nd Generation Honeyclients 39
Anti-VMware and VMwareDetection Methods
1. Nopill (Smith)
2. Vmdetect (Lallous)
3. Redpill (Rutkowska)4. Scoopy Doo (Klein)
5. Jerry (Klein)
6. Vmtools (Kato)
-
8/8/2019 2nd Generation Honey Clients
40/42
2nd Generation Honeyclients 40
Malware Analysis Frameworks
Analysis requires automation
Sandboxes and fully instrumented lab
networks Tools for building your own
-
8/8/2019 2nd Generation Honey Clients
41/42
2nd Generation Honeyclients 41
Resources
-
8/8/2019 2nd Generation Honey Clients
42/42
2nd Generation Honeyclients 42
The Future
Data aggregation
Data sharing
Distributed Honeyclient Farms Correlate honeyclient and honeynet data
Analysis (SANS ISC, CastleCops PIRT)
Coordinated take-downs