Capture-HPC talk@ OSDC.tw 2009

Identify Malicious URL using Capture-HPC David Guan [email protected]

description

An introduction to using Capture-HPC, given at OSDC.tw 2009

Transcript of Capture-HPC talk@ OSDC.tw 2009

Page 1: Capture-HPC talk@ OSDC.tw 2009

Identify Malicious URL using Capture-HPC

David Guan [email protected]

Page 2: Who Are You?

• You are interested in malicious web pages
• You are interested in Capture-HPC
• You are not interested in the other session, or there are no more seats…

Page 3: About This Session

• NOT about protecting your PC
– You need to pay $$ for *protection*
– Uninstalling Windows might be a better idea
• Experience sharing for large-scale web crawling and testing
• Use open source software for security research
– Even an individual can build a security lab

Page 4: Drive-by Download

Landing site → Hopping site → Download site
(the victim's browser is steered from the page it visited, through one or more redirecting hops, to the server that delivers the payload)
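The chain on this slide is what a client honeypot has to walk: the landing page loads something it should not, the hop redirects again, and the last site hands out the binary. The following is an added example, not code from the talk or from Capture-HPC. It extracts the references a browser follows without a click (hidden iframes, meta refresh, script src, inline JavaScript location assignments) and walks them from a landing URL, stopping at a PE payload, a dead end, a loop or a failed fetch. The pages in PAGES and the fetch function are constructed stand-ins for real network fetches.

```python
"""Added example (not from the talk or the Capture-HPC project): follow the
automatic references that carry a browser from a landing site through
hopping sites to a download site.  PAGES and fetch_constructed() are
constructed stand-ins for real HTTP fetches."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class AutoRefExtractor(HTMLParser):
    """Collect URLs a browser would load without any user click."""

    # Assumed patterns for the common inline-JavaScript redirect forms.
    JS_REDIRECT = re.compile(
        r"(?:document|window|top)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
    META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []            # (kind, absolute_url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", urljoin(self.base_url, a["src"])))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script", urljoin(self.base_url, a["src"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self.META_URL.search(a.get("content", ""))
            if m:
                self.refs.append(("meta-refresh", urljoin(self.base_url, m.group(1).strip())))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:               # script bodies arrive here as CDATA
            for m in self.JS_REDIRECT.finditer(data):
                self.refs.append(("js-redirect", urljoin(self.base_url, m.group(1))))


def extract_refs(base_url, html):
    p = AutoRefExtractor(base_url)
    p.feed(html)
    p.close()
    return p.refs


def follow_chain(start_url, fetch, max_hops=10):
    """Walk the first automatic reference on each page until a binary
    (PE 'MZ' header), a dead end, a loop or a fetch failure is reached.
    Returns (chain_of_urls, outcome)."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            return chain, "network-error"
        if body[:2] == b"MZ":
            return chain, "download"
        refs = extract_refs(url, body.decode("utf-8", "replace"))
        if not refs:
            return chain, "dead-end"
        url = refs[0][1]   # simplification: a real crawler follows every reference
        if url in seen:
            return chain, "loop"
        seen.add(url)
        chain.append(url)
    return chain, "too-many-hops"


def classify(chain, outcome):
    """Assign the roles from the slide: landing, hopping and download site."""
    download = chain[-1] if outcome == "download" else None
    hopping = chain[1:-1] if outcome == "download" else chain[1:]
    return {"landing": chain[0], "hopping": hopping, "download": download}


# Constructed pages: a landing page with a 0x0 iframe, a meta-refresh hop,
# a JavaScript redirect and a fake PE payload, plus benign and looping cases.
PAGES = {
    "http://landing.example.com/": b'<html><body><h1>News</h1>'
        b'<iframe src="http://hop.example.net/go.php" width="0" height="0"></iframe></body></html>',
    "http://hop.example.net/go.php": b'<html><head><meta http-equiv="refresh" '
        b'content="0;url=http://drop.example.org/load.php"></head></html>',
    "http://drop.example.org/load.php": b'<html><script>'
        b'document.location="http://drop.example.org/x.exe";</script></html>',
    "http://drop.example.org/x.exe": b"MZ\x90\x00 constructed stand-in for a PE payload",
    "http://benign.example.com/": b"<html><body><p>Nothing loads automatically here.</p></body></html>",
    "http://loop-a.example.com/": b'<iframe src="http://loop-b.example.com/"></iframe>',
    "http://loop-b.example.com/": b'<meta http-equiv="refresh" content="0; URL=http://loop-a.example.com/">',
}


def fetch_constructed(url):
    return PAGES.get(url)   # None stands in for a failed connection


if __name__ == "__main__":
    chain, outcome = follow_chain("http://landing.example.com/", fetch_constructed)
    print(outcome, classify(chain, outcome))
```

Following only the first reference keeps the walk linear for illustration; a real crawler (or Capture-HPC, which simply lets the browser render the page) follows all of them, which is why the exception list and per-process monitoring in the later slides matter more than static extraction.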

Page 5: The EVIL Browser Plug-in

• Browser plug-in vulnerabilities (source: Secunia 2008 report)

Page 6: Malicious URL in Different Regions

Region   Total URLs scanned   Total landing sites   Total download sites
China    41000                253                   28
Japan    21263                105                   3

Page 7: Google Safe Browsing Database

• Google gives you malicious URLs
– In MD5 hash form
– Quality data can be observed
– safebrowsing-python + Django = ?
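Because the list is handed out as hashes rather than URLs, using it means generating the candidate host/path expressions for a URL yourself and hashing each one. The block below is an added example, not code from the talk, from safebrowsing-python or from Google: it canonicalizes a URL (fragment dropped, repeated percent-decoding, dot and slash cleanup), builds the host-suffix and path-prefix expressions the published Safe Browsing lookup rules describe, in simplified form, and checks their MD5 digests against a local hash set. The entries in KNOWN_BAD are constructed; a real deployment would load the downloaded list instead.

```python
"""Added example (not from the talk, safebrowsing-python or Google): check a
URL against a locally held MD5 hash list in the style of the early Safe
Browsing lists.  Canonicalization and lookup expressions follow the
published Safe Browsing rules in simplified form; KNOWN_BAD is constructed."""
import hashlib
from urllib.parse import urlsplit, unquote


def _unescape_fully(s):
    # Attackers stack %25-encodings; unescape until the string stops changing.
    while True:
        u = unquote(s)
        if u == s:
            return u
        s = u


def canonicalize(url):
    """Return (host, path_and_query) in canonical form."""
    url = url.strip().split("#", 1)[0]            # drop the fragment
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = _unescape_fully(parts.hostname or "").lower().strip(".")
    while ".." in host:
        host = host.replace("..", ".")
    segs = []
    raw = _unescape_fully(parts.path or "/")
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue                              # collapses '//' and '/./'
        if seg == "..":
            if segs:
                segs.pop()                        # resolves '/../'
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if raw.endswith("/") and segs:
        path += "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def host_suffixes(host):
    """Exact host plus up to four suffixes built from its last five labels."""
    labels = host.split(".")
    if all(l.isdigit() for l in labels):          # IP address: exact match only
        return [host]
    out = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        out.append(".".join(labels[i:]))
    return out


def path_prefixes(path):
    """Exact path with query, without query, '/' and up to four component prefixes."""
    out = [path]
    bare = path.split("?", 1)[0]
    if bare != path:
        out.append(bare)
    out.append("/")
    cur = "/"
    for seg in [s for s in bare.split("/") if s][:4]:
        cur += seg + "/"
        out.append(cur)
    seen, uniq = set(), []
    for p in out:
        if p not in seen:
            seen.add(p)
            uniq.append(p)
    return uniq


def lookup_expressions(url):
    host, path = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def md5_hex(expr):
    return hashlib.md5(expr.encode("utf-8")).hexdigest()


# Constructed stand-in for a downloaded hash list.  Only the digests are
# kept, so nothing here reveals the covered URLs until a candidate matches.
KNOWN_BAD = ["evil.example.com/exploit/", "bad.example.net/", "203.0.113.9/"]
HASH_LIST = {md5_hex(e) for e in KNOWN_BAD}


def is_listed(url, hash_list=HASH_LIST):
    """Return the matching expressions (an empty list means not listed)."""
    return [e for e in lookup_expressions(url) if md5_hex(e) in hash_list]


if __name__ == "__main__":
    for u in ["http://EVIL.example.com/exploit/index.php?id=1",
              "http://www.bad.example.net/x/y", "http://good.example.org/"]:
        print(u, "->", is_listed(u))
```

The canonicalization step is the part worth getting right: the same evil.example.com/exploit/ entry is reached from an upper-case host, a trailing dot, a doubly-encoded path or a /../ trick, and an implementation that hashes the raw URL string would miss all of them.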

Page 8: URL Selection and Verification

• Google's paper "All Your iFRAMEs Point to Us"
• Pipeline: WWW → Repository → Machine Learning → Score → Virtual Machine Verification → Malicious URL

Page 9: What is a Honeypot?

• A trap!
• Collects malicious behavior
• Server-side honeypot
– Waits to be probed, attacked, and compromised
• Client-side honeypot
– Actively crawls the web
– Compromised by the server's response

Page 10: What is Capture-HPC?

• A high-interaction client honeypot
• Part of the Honeynet Project
• Interacts with malicious web sites and observes system activities
• Freely available under GPL v2
– https://projects.honeynet.org/capture-hpc

Page 11: Capture-HPC Concept

Capture-HPC Server → VMware Server → Capture-HPC Client (one per guest VM)

Page 12: Capture-HPC Architecture

Capture-HPC Server (host side)
– Reads Config.xml, controls VMware Server (revert & resume the guest), receives the client's report and writes the log

VMware guest OS
– User mode (Win32 subsystem): Capture-HPC Client drives Internet Explorer, Firefox or Explorer through its client plug-ins and sends the report to the server
– Kernel mode: Capture kernel driver with File Monitor, Process Monitor and Registry Monitor, recording events per process (e.g. Process 1: file create, registry change; Process 2: registry create; Process 3)

Page 13: Setup Server Environment

• Unpack the Capture-HPC server
• Use VMware Server 1.0 instead of 2.0; Linux is the better host
• Edit the Capture-HPC server settings
• Set up multiple VMs

Page 14: Setup Client Environment

• Adjust the security level
• Install the Capture-HPC client
• Install system monitor tools
• NO Windows Update! Disable the firewall

Page 15: Make Yourself More Vulnerable!

• Get old versions of software at http://oldapps.com

Page 16: Editing the Exception List

• Filter out normal system events
– Windows prefetch
– Windows Update
– Internet Explorer activities
– Capture-HPC client activities
• Events that are not filtered are treated as malicious
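The rule on this slide is default-deny: whatever the exception list does not explain is reported as malicious, so the quality of the result is the quality of the list. The block below is an added example and not Capture-HPC's own code or its .exl file syntax; it applies a constructed list of regular-expression exceptions to constructed file, process and registry events and flags everything left over, grouped by the process that caused it. Note how the Internet Explorer rule is limited to the Temporary Internet Files directory: a rule that excluded every write by iexplore.exe would also hide the executable dropped into Temp.

```python
"""Added example (not Capture-HPC's code or exception-list format): apply a
regular-expression exception list to monitored events and treat everything
that no rule excludes as malicious.  Events and rules are constructed."""
import re
from collections import defaultdict

# Constructed events as (monitor, action, process, object), in the spirit of
# what the file/process/registry monitors report.
EVENTS = [
    ("file", "Write", r"C:\WINDOWS\system32\svchost.exe",
     r"C:\WINDOWS\Prefetch\IEXPLORE.EXE-2CA9778D.pf"),
    ("file", "Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm"),
    ("file", "Write", r"C:\Program Files\Capture\CaptureClient.exe",
     r"C:\Program Files\Capture\logs\client.log"),
    ("file", "Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Documents and Settings\user\Local Settings\Temp\x.exe"),
    ("process", "Create", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Documents and Settings\user\Local Settings\Temp\x.exe"),
    ("registry", "SetValueKey", r"C:\Documents and Settings\user\Local Settings\Temp\x.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"),
]

# Constructed exception list: (monitor, action or "*", process regex, object regex).
# The browser rule is deliberately narrow: excluding every write by
# iexplore.exe would also hide the dropped x.exe above.
EXCEPTIONS = [
    ("file", "Write", r"C:\\WINDOWS\\system32\\svchost\.exe",
     r"C:\\WINDOWS\\Prefetch\\.*\.pf"),
    ("file", "Write", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
     r"C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*"),
    ("file", "*", r"C:\\Program Files\\Capture\\CaptureClient\.exe",
     r"C:\\Program Files\\Capture\\.*"),
]


def compile_exceptions(rules):
    """Pre-compile the regexes once; paths are matched case-insensitively."""
    return [(monitor, action, re.compile(proc_re, re.I), re.compile(obj_re, re.I))
            for monitor, action, proc_re, obj_re in rules]


def is_excepted(event, compiled):
    """True if some rule fully matches the event's monitor, action, process and object."""
    monitor, action, proc, obj = event
    for r_monitor, r_action, proc_re, obj_re in compiled:
        if r_monitor != monitor or (r_action != "*" and r_action != action):
            continue
        if proc_re.fullmatch(proc) and obj_re.fullmatch(obj):
            return True
    return False


def classify_events(events, rules):
    """Return (benign, malicious); any event no rule excludes is malicious."""
    compiled = compile_exceptions(rules)
    benign, malicious = [], []
    for ev in events:
        (benign if is_excepted(ev, compiled) else malicious).append(ev)
    return benign, malicious


def suspicious_processes(malicious):
    """Group flagged events by the process that caused them, as a report would."""
    by_proc = defaultdict(list)
    for monitor, action, proc, obj in malicious:
        by_proc[proc].append((monitor, action, obj))
    return dict(by_proc)


if __name__ == "__main__":
    benign, malicious = classify_events(EVENTS, EXCEPTIONS)
    print(len(benign), "benign,", len(malicious), "malicious")
    for proc, acts in suspicious_processes(malicious).items():
        print(proc)
        for act in acts:
            print("   ", *act)
```

Run against the constructed events, the prefetch write, the browser cache write and the Capture client's own log write are excepted, while the browser's write of Temp\x.exe, the creation of that process and its Run-key persistence remain and are reported together under the two processes involved.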

Page 17: Good URL? Bad URL?

• Collect normal web pages
– Open Directory Project
– Yahoo!
– Other countries?
• How about malicious pages?
– IT Information Security
– Malware Domain List
– Blast's security lab

Page 18: Execute Capture-HPC

• java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s <IP listening address>:<IP listening port> -f <URL input file>
• DEMO Time!

Page 19: Time to Harvest

System configuration
• Intel E6420 (2.13GHz) with 2G RAM
• VMware Server 1.0 with 3 VMs

Target URLs
• Malicious URLs from various sites
• Total URLs: 235

Result
• Testing time: 2 hours (about 3000 URLs per day)
• Malicious: 34
• Network error: 13 (IE cannot connect)
• System error: 5
• Check the log files: Safe.log, Malicious.log, Error.log

Page 20: Large Scale Testing Issues

• VMware issues
– Revert VM hangs
– Network broken after VM revert
• Malicious software makes the guest OS unstable
– Blue screen of death
– High CPU load in the guest OS

Page 21: Build Your Security Lab Using Open Source Software

• Much open source software is available
– Capture-HPC
– Malzilla
– DecryptJS
• Easy to adapt to your application
• Your effort can make better tools!

Page 22: Thank You!

Comments and questions: [email protected]