Jason Ortiz, Ankur Chakraborty, Pascal Meunier
1
Jason Ortiz, Ankur Chakraborty, Pascal Meunier ¾Client honeypots have detected and analyzed ¾Client makes a request to a malicious or ¾Client honeypots have detected and analyzed thousands of attacks ¾Easily detect drive-by downloads and browser or application exploits ¾Check of system changes (registry changes, process creation/termination) ¾Actively seek to be attacked opposed to traditional honeypots ¾Client makes a request to a malicious or compromised server ¾Server acts to infect the client, targeting some of many vulnerabilities in applications ¾Increasing number of exploits due to better server- side security ¾Large number of opportunities (apps, plug-ins…) are vulnerable to exploits or attacks Reply Request Request Attack Malicious Server Benign Server We hypothesize that malicious websites could employ several techniques designed to evade client honeypots. ¾The client honeypot is unaware of the existence of the content ¾Actively and passively detect a client honeypot Detect presence of VM (active) We observed that malicious websites employ social engineering to convince users of legitimate interaction. We surveyed approximately 5000 websites using Honeyclient and manual navigation Scan for Client Honeypots Detect presence of VM (active) Detect automated clicks (active) Detection using time restraints (active) Use forms and CAPTCHA (passive) ¾But how difficult is it? ¾Application appears as an antivirus software ¾It is actually malware (usually spyware) ¾A forged thread report informs the user their ¾Built a simple HTML Server ¾Created a page designed to detect automation (clicking) We found 43 attacks, many of them using a form of social engineering to gain user’s trust Rogue Applications ¾A forged thread report informs the user their computer is infected with malware ¾User is tricked into running a ‘scan’ of their system to find the infections ¾ ‘Scan’ finds hundreds of problems ¾Application informs the user they must register and purchase the full version of ¾Created a page designed to detect automation (clicking) ¾Created a script which launched only after 15 seconds ¾Logged information on server log page Client requests honeypot token Server determines client is not human and logs info Client requests timed page Iff time <15 s Simple S Simple S L ¾Bare-Metal Implementation of client honeypots Traditional honeypots use virtual environments to contain register and purchase the full version of the software to remove the threats ¾User effectively pays for malware and disclosure of personal info ¾Implementing a model of user interaction Vary amount of time spend on a single page (time No attack (or different attack) triggered and IP address of client flagged Server sends timed page Server sends honeypot token Server Server Token Timed Log Traditional honeypots use virtual environments to contain attacks experienced Malicious entities can detect presence of virtual environment (See proof of concept above) ¾Requires computer we can reimage ¾Requires remote logging of events Data might get corrupted from attack Attack might destroy its own trail Vary amount of time spend on a single page (time attacks not prevented but harder) Parse for hidden links and avoid clicking them Be able to fill out forms and defeat CAPTCHA MITRE Data Set, Kathy Wang Detecting the Presence of Virtual Machines Using the Local Data Table, Danny Quist, Val Smith Detecting the Presence of Virtual Machines Using the Local Data Table , Danny Quist, Val Smith Ask for others and more details!
Transcript of Jason Ortiz, Ankur Chakraborty, Pascal Meunier
Jason Ortiz, Ankur Chakraborty, Pascal Meunier
Client honeypots have detected and analyzedClient makes a request to a malicious or Client honeypots have detected and analyzed thousands of attacks
Easily detect drive-by downloads and browser or application exploits
Check of system changes (registry changes, process creation/termination)
Actively seek to be attacked opposed to traditional honeypots
Client makes a request to a malicious or compromised server
Server acts to infect the client, targeting some of many vulnerabilities in applications
Increasing number of exploits due to better server-side security
Large number of opportunities (apps, plug-ins…) are vulnerable to exploits or attacks
Reply
Request Request
Attack Malicious Server
Benign Server
yp
We hypothesize that malicious websites could employ several techniques designed to evade client honeypots.
The client honeypot is unaware of the existence of the contentActively and passively detect a client honeypot
Detect presence of VM (active)
We observed that malicious websites employ social engineering to convince users of legitimate interaction.
We surveyed approximately 5000 websites using Honeyclient and manual navigation Scan for Client Honeypots
Detect presence of VM (active)Detect automated clicks (active)Detection using time restraints (active)Use forms and CAPTCHA (passive)
But how difficult is it?
Application appears as an antivirus softwareIt is actually malware (usually spyware)A forged thread report informs the user their
Built a simple HTML ServerCreated a page designed to detect automation (clicking)
We found 43 attacks, many of them using a form of social engineering to gain user’s trustRogue Applications
A forged thread report informs the user their computer is infected with malware
User is tricked into running a ‘scan’ of their system to find the infections
‘Scan’ finds hundreds of problemsApplication informs the user they must
register and purchase the full version of
Created a page designed to detect automation (clicking)Created a script which launched only after 15 secondsLogged information on server log page
Client requests honeypot token
Server determines client is not human and logs info
Client requests timed page
Iff time <15 sSimple S
Simple SL
Bare-Metal Implementation of client honeypots Traditional honeypots use virtual environments to contain
register and purchase the full version of the software to remove the threats
User effectively pays for malware anddisclosure of personal info
Implementing a model of user interactionVary amount of time spend on a single page (time
No attack (or different attack) triggered and IP address of client flagged
Server sends timed pageServer sends honeypot token
Server Server
Token Timed
Log
Traditional honeypots use virtual environments to contain attacks experiencedMalicious entities can detect presence of virtual environment (See proof of concept above)
Requires computer we can reimageRequires remote logging of events
Data might get corrupted from attackAttack might destroy its own trail
Vary amount of time spend on a single page (time attacks not prevented but harder)Parse for hidden links and avoid clicking themBe able to fill out forms and defeat CAPTCHA
MITRE Data Set, Kathy Wang
Detecting the Presence of Virtual Machines Using the Local Data Table, Danny Quist, Val Smithg y Detecting the Presence of Virtual Machines Using the Local Data Table, Danny Quist, Val Smith
Ask for others and more details!
46F-EB9.pdf 1 3/10/2009 1:51:35 PM
