An introduction to honeyclient technologies

        Christian Seifert
        Angelo Dell'Aera
Speakers

Christian Seifert
• Full Member of the Honeynet Project since 2007
• PhD from Victoria University of Wellington, NZ
• Research Software Engineer @ Microsoft Bing


Angelo Dell'Aera
• Full Member of the Honeynet Project since 2009
• Senior Threat Analyst @ Security Reply (7 years)
• Information Security Independent Researcher @ Antifork
  Research (13 years)
Agenda


•   Introduction
•   Honeyclient technologies
•   Low-Interaction (PhoneyC)
•   High-Interaction (Capture-HPC)
•   Malware Distribution Networks
•   Challenges and Future Work
New trends, new tools

• In recent years, more and more attacks target client systems
• The end user is the weakest link of the security chain
• New tools are required to learn more about such client-side attacks
New trends, new tools

• The browser is the most popular client application: it is deployed on every user system
• Vulnerabilities in the most widely used browsers are identified daily and (almost always) publicly reported
• The browser is currently the preferred way to own a host
Honeyclients

• What we need is something that looks like a real browser, in the same way that a classical honeypot system looks like a real vulnerable server
• A real system (high-interaction)
• Or an emulated one (low-interaction)?

(Diagram: the three honeyclient components: Queuer, Visitor, Analysis Engine)
Low-interaction strengths and weaknesses

+ Different browser versions (“personalities”)
+ Different ActiveX and plugin modules (even different versions)
+ Much safer
+ More scalable
- Easy to detect
PhoneyC - Brief History



•   A pure Python low-interaction honeyclient
•   First version developed by Jose Nazario
•   Great improvements during GSoC 2009
•   And the history continues...
PhoneyC – DOM Emulation

“The Document Object Model is a platform- and language-neutral
interface that will allow programs and scripts to dynamically
access and update the content, structure and style of documents.
The document can be further processed and the results of that
processing can be incorporated back into the presented page.”
(W3C definition)


• Huge improvements during GSoC 2009
   • DOM objects are emulated as Python objects whose __getattr__ and __setattr__ methods intercept every property read and write performed by the analysed script
PhoneyC - Browser
        Personalities
• Currently supported personalities:
 • Internet Explorer 6.0 (Windows XP)
 • Internet Explorer 6.1 (Windows XP)
 • Internet Explorer 7.0 (Windows XP)
 • Internet Explorer 8.0 (Windows XP)
 • Internet Explorer 6.0 (Windows 2000)
 • Internet Explorer 8.0 (Windows 2000)

• Easy to add new personalities
PhoneyC - JavaScript Engine

• Based on SpiderMonkey, the Mozilla implementation of the JavaScript engine
• HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs
• HoneyJS is based on python-spidermonkey
PhoneyC - Vulnerability
        Modules


• Python-based vulnerability modules
  • Core browser functionalities
  • Browser plugins
  • (Mock) ActiveX controls
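The DOM emulation, browser personalities and vulnerability modules of the last four slides, in one added Python example. This is not PhoneyC's own code: the class names, the User-Agent strings in the personality table, the argument-length threshold and the mock control "Example.Control.1" are all assumptions made for the example.

```python
# Added example: a minimal emulated DOM in the style the PhoneyC slides describe.
# Not PhoneyC's own code; the class names, the personality table and the mock
# control "Example.Control.1" are assumptions made for the example.

# Assumed User-Agent strings for three of the personalities listed on the slides.
PERSONALITIES = {
    "winxpie60": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "winxpie80": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "win2kie60": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
}


class EmulatedObject:
    """Every property read or write by the analysed script lands in a shared log."""

    def __init__(self, name, log):
        # Bypass our own __setattr__ for internal state so it is not logged.
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_log", log)
        object.__setattr__(self, "_props", {})

    def __getattr__(self, attr):
        # Called only when normal lookup fails, i.e. for the DOM properties the
        # script asks for.  Unknown names get a fresh child so chained accesses
        # such as window.document.body keep working instead of raising.
        if attr.startswith("__"):
            raise AttributeError(attr)
        self._log.append(("get", f"{self._name}.{attr}"))
        if attr not in self._props:
            self._props[attr] = EmulatedObject(f"{self._name}.{attr}", self._log)
        return self._props[attr]

    def __setattr__(self, attr, value):
        # Writes are where a honeyclient sees the buffers a script builds.
        self._log.append(("set", f"{self._name}.{attr}", value))
        self._props[attr] = value


class MockActiveXControl(EmulatedObject):
    """Hypothetical mock control, not any real product.  Its one method performs
    the generic check a vulnerability module does: flag an argument far longer
    than any legitimate caller would pass.  The limit is an assumed value."""

    MAX_ARG_LEN = 256

    def SetValue(self, data):
        self._log.append(("call", f"{self._name}.SetValue", len(data)))
        if len(data) > self.MAX_ARG_LEN:
            self._log.append(("alert", f"{self._name}.SetValue", "oversized argument"))


# ProgID -> vulnerability module.  Adding a personality or a control is one
# table entry or one class, which is the "easy to add" point of the slides.
VULN_MODULES = {"Example.Control.1": MockActiveXControl}


class Window(EmulatedObject):
    def __init__(self, personality, log):
        super().__init__("window", log)
        navigator = EmulatedObject("window.navigator", log)
        navigator.userAgent = PERSONALITIES[personality]  # logged like any write
        self._props["navigator"] = navigator
        self._props["document"] = EmulatedObject("window.document", log)

    def ActiveXObject(self, progid):
        # Record every instantiation attempt: the ProgIDs a page asks for are a
        # strong signal of the exploits it carries, before any argument check.
        self._log.append(("activex", progid))
        cls = VULN_MODULES.get(progid)
        if cls is None:
            raise AttributeError(f"ActiveX control {progid!r} is not emulated")
        return cls(f"ActiveXObject({progid})", self._log)


def analyse(personality, script):
    """Run `script` (a Python stand-in for the page's JavaScript) against a
    fresh emulated window and return the full access log."""
    log = []
    script(Window(personality, log))
    return log


def alerts(log):
    return [entry for entry in log if entry[0] == "alert"]


def sample_script(window):
    # Constructed stand-in for a malicious page: fingerprint the browser, then
    # instantiate a control and hand it an oversized buffer.
    if "MSIE" in window.navigator.userAgent:
        window.ActiveXObject("Example.Control.1").SetValue("A" * 4096)


def benign_script(window):
    window.document.title = "Welcome"  # constructed benign page
```

The point of the `__getattr__`/`__setattr__` hooks is that nothing has to be declared ahead of time: whatever property the script touches is observed, and the writes are where the buffers handed to plugins become visible. A real engine also has to return plausible values for the properties an exploit tests before it fires, otherwise the script takes a different branch; handing back an empty object for everything unknown is exactly the kind of gap the low-interaction slide means by "easy to detect".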
PhoneyC - Shellcode detection and emulation

• HoneyJS
“The shellcode manipulation and the spraying of the fillblock involve assignments. The shellcode will be detected immediately on its assignment if we are able to interrupt SpiderMonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes”

• Libemu integration (shellcode detection, execution and profiling)
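The assignment-time check the HoneyJS quote describes, as an added Python example. It is not HoneyJS or PhoneyC code and does not include libemu: each string is inspected at the moment the script assigns it, after decoding JavaScript unescape()-style %uXXXX sequences, for two classic signals, a NOP sled and a heap spray (one large block assigned many times). The thresholds and the sample script are assumptions constructed for the example.

```python
# Added example, not HoneyJS/PhoneyC code: check each value at assignment time.
# Thresholds and the sample script are assumptions constructed for the example.
import re

UNESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
NOP_SLED_MIN = 32            # consecutive 0x90 bytes before we call it a sled
SPRAY_BLOCK_MIN = 64 * 1024  # characters: a block this large smells of a spray
SPRAY_COUNT_MIN = 50         # ...when assigned at least this many times


def js_unescape(s):
    """Decode JavaScript unescape()-style %uXXXX and %XX sequences to bytes.
    %uXXXX is a UTF-16 code unit; shellcode encoders rely on its little-endian
    in-memory layout, so that is how it is emitted here."""
    out = bytearray()
    pos = 0
    for m in UNESCAPE_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)


def looks_like_sled(data):
    return (b"\x90" * NOP_SLED_MIN) in data


class AssignmentMonitor:
    """Stand-in for the interpreter hook: every value the script assigns is
    passed to check(), which records what it finds in `alerts`."""

    def __init__(self):
        self.alerts = []
        self._block_counts = {}

    def check(self, target, value):
        if not isinstance(value, str):
            return
        decoded = js_unescape(value)
        if looks_like_sled(decoded):
            self.alerts.append((target, "nop sled", len(decoded)))
        if len(value) >= SPRAY_BLOCK_MIN:
            # Count identical large blocks.  Real sprays also vary the padding,
            # so a production check keys on the decoded payload, not the block.
            n = self._block_counts.get(value, 0) + 1
            self._block_counts[value] = n
            if n == SPRAY_COUNT_MIN:
                self.alerts.append((target, "heap spray", n))


def run_sample():
    """Constructed spraying script: returns the alerts the monitor raised."""
    mon = AssignmentMonitor()
    mon.check("document.title", "Welcome")            # benign, no alert
    sled = "%u9090" * 40 + "%u4141%u4242"             # decodes to 84 bytes
    mon.check("shellcode", sled)
    block = "%u0c0c" * 11000                          # 66000 characters
    for i in range(SPRAY_COUNT_MIN):
        mon.check(f"memory[{i}]", block)
    return mon.alerts
```

What libemu adds, and this example does not reproduce, is execution: candidate bytes are run in an x86 emulator and recognised as shellcode by behaviour (GetPC code, API resolution) rather than by pattern, so an encoded payload that carries neither a sled nor a recognisable spray is still caught and its actions (URL fetched, file written) can be profiled.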
PhoneyC - Future Improvements

• A new and more reliable DOM (Document Object Model) emulation
• Replacing SpiderMonkey with Google V8
• Mixed static/dynamic analysis for detecting potential attacks
High-interaction Client Honeypot

• Real system
• Observe effects of attack

(Diagram: the client honeypot sends a request to a server. A benign server's response leaves no state changes detected; a malicious server's response carries an attack, and a new file appears in the start-up folder.)
High-interaction strengths
      and weaknesses
+ No emulation necessary
+ Accurate classification (extremely low false
positive rate)
+ Ability to detect zero-day attacks
+ More difficult to evade
- Miss attacks
- “Dangerous”
- More computationally expensive
Capture-HPC (v2.5) -
          Functionality
• Platform Independence *
• Flexibility around client application
• Forensically ready
  • Records information at kernel level
  • Collects modified files (e.g. malware)
  • Collects network traffic (pcap)
• Maintained by the New Zealand Honeynet
  Project Chapter
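What "observe effects of attack" and "forensically ready" come down to in code, as an added Python example. It is not Capture-HPC's implementation (which records file, registry and process events from a kernel driver): state is snapshotted before and after the visit, and any change not covered by a benign-activity exclusion list marks the URL malicious. The snapshots and the exclusion patterns are constructed for the example.

```python
# Added example, not Capture-HPC code: classify a visit from state changes.
# Snapshots and exclusion patterns below are constructed for the example.
import fnmatch

# Assumed exclusion list: browser cache and cookie writes, the browser's own
# process, and its own registry housekeeping.
EXCLUSIONS = {
    "file": [r"C:\Documents and Settings\*\Temporary Internet Files\*",
             r"C:\Documents and Settings\*\Cookies\*"],
    "process": [r"C:\Program Files\Internet Explorer\iexplore.exe"],
    "registry": [r"HKCU\Software\Microsoft\Internet Explorer\*"],
}


def is_excluded(kind, item):
    # fnmatch treats the backslash literally, so Windows paths need no escaping;
    # matching is case-insensitive because NTFS and the registry are.
    return any(fnmatch.fnmatchcase(item.lower(), pat.lower()) for pat in EXCLUSIONS[kind])


def diff_state(before, after):
    """Everything present after the visit that was not present before."""
    return {kind: set(after[kind]) - set(before[kind]) for kind in before}


def classify(before, after):
    """Return ('benign', {}) when every change is excluded, otherwise
    ('malicious', {kind: unexplained changes}) for the analyst."""
    unexplained = {}
    for kind, items in diff_state(before, after).items():
        bad = {item for item in items if not is_excluded(kind, item)}
        if bad:
            unexplained[kind] = bad
    return ("malicious" if unexplained else "benign"), unexplained


BEFORE = {
    "file": set(),
    "process": {r"C:\Program Files\Internet Explorer\iexplore.exe"},
    "registry": set(),
}

# Constructed post-visit state for a benign page: cache, cookie and IE settings.
AFTER_BENIGN = {
    "file": {r"C:\Documents and Settings\user\Temporary Internet Files\index[1].htm",
             r"C:\Documents and Settings\user\Cookies\user@example[1].txt"},
    "process": {r"C:\Program Files\Internet Explorer\iexplore.exe"},
    "registry": {r"HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement"},
}

# Constructed post-visit state for a drive-by download: the same benign noise
# plus a dropped executable, a new process and a Run key for persistence.
AFTER_MALICIOUS = {
    "file": AFTER_BENIGN["file"] | {r"C:\WINDOWS\Temp\dropped.exe"},
    "process": AFTER_BENIGN["process"] | {r"C:\WINDOWS\Temp\dropped.exe"},
    "registry": AFTER_BENIGN["registry"]
    | {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropped"},
}
```

The exclusion list is the precision knob: the extremely low false-positive rate of the previous slide comes from classifying on unexplained state change rather than on signatures, and every pattern added to the list to silence benign noise is also a place where an attack can hide. The "miss attacks" weakness is the other side of the same design: a payload that does nothing within the observation window, or whose effects fall under an exclusion, produces a benign verdict.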
Malware Distribution Networks
Malware Distribution Networks Overview

• Set of web servers (a network) controlled by a group of cyber criminals to distribute malware efficiently
• Specialized structures that support the specialized roles of the cyber criminals
• Malware distribution networks allow for campaigns and for temporarily renting out components of the distribution network
Malware Distribution Networks




Source: Microsoft Security Intelligence Threat Report (http://www.microsoft.com/sir)
Malware Distribution Network

Exploit Servers

12.8% of exploit servers are responsible for 84.1% of drive-by-download pages

Source: Microsoft Security Intelligence Threat Report (http://www.microsoft.com/sir)
Challenges and Future Work
Malware Distribution Network
Malware Distribution Networks Fast-Flux

• LP infected with a script that contacts twitter to obtain popular topics (e.g. japan)
• From a popular query of last week, the script constructs a host name (e.g. “j” + date)
• The next day, the same LP contacts twitter again to obtain popular topics (e.g. tunisia)
• Now it constructs a different host name (e.g. “t” + date)
• The attacker registers the hostname a few days in advance

(Diagram: landing pages LP1 and LP2, redirectors R1 and R2, exploit servers ES1 and ES2, and twitter.com.)

Hosts contacted by the landing page per day (twitter.com every day, plus the generated hosts h1..h10):

Date        twitter.com   Generated hosts
3/19/2011   yes           h1
3/20/2011   yes           h2
3/21/2011   yes           h2, h3
3/22/2011   yes           h3, h4
3/23/2011   yes           h4, h5
3/24/2011   yes           h5, h6
3/25/2011   yes           h6, h7
3/26/2011   yes           h7, h8
3/27/2011   yes           h8, h9
3/28/2011   yes           h9, h10
3/29/2011   yes           h10
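The hostname scheme this slide describes, written out as an added Python example so the attacker's pre-registration and a defender's prediction can be compared side by side. It is not code from the slides or from the campaign described: the trend data, the seven-day lag, the YYYYMMDD date format and the parent zone example.net are all assumptions for the example.

```python
# Added example, not from the slides: the "first letter of a popular topic +
# date" hostname scheme.  Trend data, lag, date format and zone are assumptions.
import datetime as dt

# Constructed stand-in for the "popular topic" the landing-page script fetches
# from twitter each day (the slide's own examples were japan and tunisia).
TRENDING = {
    dt.date(2011, 3, 12): "japan",
    dt.date(2011, 3, 13): "tunisia",
    dt.date(2011, 3, 14): "libya",
}
START = dt.date(2011, 3, 19)  # first day of the slide's observation table


def construct_hostname(topic, day, zone="example.net"):
    """The slide's '"j" + date': first letter of the topic plus the date.
    YYYYMMDD and the zone are assumed; the slide does not give the format."""
    return f"{topic[0].lower()}{day:%Y%m%d}.{zone}"


def hostname_for(trending, day, lag_days=7):
    """Hostname the script builds on `day`, using the topic that was popular
    "last week", i.e. lag_days earlier.  The lag is what lets the attacker
    know the name ahead of time: the topic is already public when it is used."""
    return construct_hostname(trending[day - dt.timedelta(days=lag_days)], day)


def predict_hostnames(trending, start, ndays, lag_days=7):
    """Defender side: the same public trend data yields the names the infected
    landing pages will resolve over the next ndays, so they can be registered
    first, sinkholed, or queued for the honeyclient before they go live."""
    return [hostname_for(trending, start + dt.timedelta(days=i), lag_days)
            for i in range(ndays)]


def attacker_registration_window(trending, day, lead_days=3, lag_days=7):
    """The slide's 'registers a few days in advance': the latest date on which
    the attacker must register the name used on `day`, and that name."""
    return day - dt.timedelta(days=lead_days), hostname_for(trending, day, lag_days)
```

The asymmetry the slide is getting at falls out of the code: both sides read the same public feed, so anyone who knows the derivation can enumerate the names as early as the attacker does, which is why a honeyclient fed with predicted hostnames can be waiting on the exploit server's doorstep when it comes online.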
Evasion Techniques


• Technology Differences (Browser vs
  Honeyclient)
• Human vs Machine Interaction
• Decrease visibility
The Threats

Integrity: Drive-by-downloads, Drive-by-pharming, Hosting of malware, Social engineering, Cross-X attacks
Availability: Crashes, Network floods / Puppetnets, Popup floods, Web spam / junk pages
Confidentiality: Cookie, history, file and clipboard stealing, Network scanners, Phishing
References

• Jose Nazario, “PhoneyC: A virtual client honeypot”, LEET 2009
• The Honeynet Project, KYE: Malicious Web Servers, http://www.honeynet.org/papers
• Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, “ARROW: Generating Signatures to Detect Drive-By Downloads”, in Proceedings of the WWW Conference, Hyderabad, India, 2011
• Microsoft, Security Intelligence Threat Report, http://www.microsoft.com/sir
Thanks for your attention

http://code.google.com/p/phoneyc/
https://projects.honeynet.org/capture-hpc



                 Questions?
  Christian Seifert <christian.seifert@honeynet.org>
  Angelo Dell'Aera <angelo.dellaera@honeynet.org>
