1. An introduction to honeyclient technologies
Christian Seifert
Angelo Dell'Aera
2. Speakers
Christian Seifert
• Full Member of the Honeynet Project since 2007
• PhD from Victoria University of Wellington, NZ
• Research Software Engineer @ Microsoft Bing
Angelo Dell'Aera
• Full Member of the Honeynet Project since 2009
• Senior Threat Analyst @ Security Reply (7 years)
• Information Security Independent Researcher @ Antifork Research (13 years)
3. Agenda
• Introduction
• Honeyclient technologies
• Low-Interaction (PhoneyC)
• High-Interaction (Capture-HPC)
• Malware Distribution Networks
• Challenges and Future Work
4. New trends, new tools
• In recent years, more and more attacks have targeted client systems
• The end user is the weakest link in the security chain
• New tools are required to learn more about such client-side attacks
5. New trends, new tools
• The browser is the most popular client application, deployed on every user system
• Many vulnerabilities in the most used browsers are identified daily and (almost always) reported
• The browser is currently the preferred way to compromise (“own”) a host
6. Honeyclients
• What we need is something that looks like a real browser, in the same way a classical honeypot looks like a real vulnerable server
• A real system (high-interaction)
• Or an emulated one (low-interaction)?
(Diagram: honeyclient components: Queuer, Visitor, Analysis Engine)
7. Low-interaction strengths and weaknesses
+ Different browser versions (“personalities”)
+ Different ActiveX and plugin modules (even different versions)
+ Much safer
+ More scalable
- Easy to detect
8. PhoneyC - Brief History
• A pure Python low-interaction honeyclient
• First version developed by Jose Nazario
• Great improvements during GSoC 2009
• And the history continues...
9. PhoneyC – DOM Emulation
“The Document Object Model is a platform- and language-neutral
interface that will allow programs and scripts to dynamically
access and update the content, structure and style of documents.
The document can be further processed and the results of that
processing can be incorporated back into the presented page.”
(W3C definition)
• Huge improvements during GSoC 2009
• Emulation built on the Python object __getattr__ and __setattr__ methods
10. PhoneyC - Browser Personalities
• Currently supported personalities:
• Internet Explorer 6.0 (Windows XP)
• Internet Explorer 6.1 (Windows XP)
• Internet Explorer 7.0 (Windows XP)
• Internet Explorer 8.0 (Windows XP)
• Internet Explorer 6.0 (Windows 2000)
• Internet Explorer 8.0 (Windows 2000)
• Easy to add new personalities
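An added example (not PhoneyC's own code) of the DOM emulation and personality mechanism of the last two slides: every property a script reads or writes on the emulated navigator and document objects goes through __getattr__/__setattr__ and is recorded instead of having a real effect. The personality keys, User-Agent strings and the suspicious_events rules are my assumptions.

```python
# Constructed personality table (keys are my own naming, not PhoneyC's)
PERSONALITIES = {
    "winxpie60": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "winxpie70": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "winxpie80": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
}


class EmulatedObject:
    """Emulated DOM object: every property read or write performed by a
    script is appended to a shared trace instead of touching a real browser."""

    def __init__(self, name, trace, **attrs):
        # bypass our own __setattr__ so bookkeeping fields are real attributes
        object.__setattr__(self, "_name", name)
        object.__setattr__(self, "_trace", trace)
        object.__setattr__(self, "_attrs", attrs)

    def __getattr__(self, item):
        # only reached when normal lookup fails, i.e. for emulated properties
        self._trace.append(("get", f"{self._name}.{item}"))
        if item not in self._attrs:
            raise AttributeError(f"{self._name} has no property {item}")
        return self._attrs[item]

    def __setattr__(self, item, value):
        self._trace.append(("set", f"{self._name}.{item}", value))
        self._attrs[item] = value


def build_window(personality):
    """Create navigator and document for one personality, sharing a trace."""
    trace = []
    nav = EmulatedObject("navigator", trace,
                         userAgent=PERSONALITIES[personality],
                         appName="Microsoft Internet Explorer")
    doc = EmulatedObject("document", trace, cookie="", location="about:blank")
    return nav, doc, trace


def suspicious_events(trace):
    """Flag trace entries typical of a drive-by landing page: a navigation
    forced by assigning document.location, or a read of document.cookie."""
    hits = []
    for ev in trace:
        if ev[0] == "set" and ev[1] == "document.location":
            hits.append(("redirect", ev[2]))
        elif ev[0] == "get" and ev[1] == "document.cookie":
            hits.append(("cookie_read", None))
    return hits
```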
11. PhoneyC - Javascript Engine
• Based on SpiderMonkey, the Mozilla implementation of the Javascript engine
• HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs
• HoneyJS is based on python-spidermonkey
13. PhoneyC - Shellcode detection and emulation
• HoneyJS
“The shellcode manipulation and the spraying of the fillblock involve assignments. The shellcode will be detected immediately on its assignment if we are able to interrupt spidermonkey at the interpretation of certain bytecodes related to an assignment and check its arguments and values for shellcodes”
• Libemu integration (shellcode detection, execution and profiling)
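An added example (not HoneyJS or libemu code) of the check-on-assignment idea quoted above: a value assigned to a string variable is decoded the way JavaScript unescape() would decode it, then inspected for indicators of a sprayed payload before any emulation is attempted. The thresholds and the two heuristics (NOP sled, mostly non-printable decoded bytes) are my assumptions and are deliberately coarse; the sample input is constructed.

```python
import re

# %uXXXX (UTF-16 code unit) or %XX (single byte), as handled by unescape()
ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s):
    """Decode a JavaScript unescape()-style string into the raw bytes it
    would occupy in memory (UTF-16 code units are stored little-endian)."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)


def looks_like_shellcode(value, min_len=64, sled_len=32):
    """Heuristic run on every string assignment the engine performs.
    Returns (verdict, reason). Only strings long enough to carry a payload
    are decoded; a NOP sled or a mostly non-printable decoded buffer is
    reported for further analysis (libemu in PhoneyC)."""
    if not isinstance(value, str) or len(value) < min_len:
        return False, "too short"
    data = js_unescape(value)
    if b"\x90" * sled_len in data:
        return True, "nop sled"
    nonprint = sum(1 for b in data if b < 0x20 or b > 0x7E)
    if nonprint / len(data) > 0.5:
        return True, "mostly non-printable decoded bytes"
    return False, "no indicator"


if __name__ == "__main__":
    # constructed sample: a sled of %u9090 units followed by filler bytes
    sprayed = "%u9090" * 40 + "%u4141%u4242"
    print(looks_like_shellcode(sprayed))
    print(looks_like_shellcode("just a long but ordinary page title " * 3))
```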
14. PhoneyC - Future Improvements
• A new and more reliable DOM (Document Object Model) emulation
• Replacing Spidermonkey with Google V8
• Mixed static/dynamic analysis for detecting potential attacks
15. High-interaction Client Honeypot
• Real system
• Observe effects of attack
(Diagram: the client honeypot sends a request to a server and receives a response. If no state change appears, the server is classified as benign; if the response attacks the client and a state change is detected, e.g. new file changes detected in the startup folder, the server is classified as malicious.)
16. High-interaction strengths and weaknesses
+ No emulation necessary
+ Accurate classification (extremely low false
positive rate)
+ Ability to detect zero-day attacks
+ More difficult to evade
- Miss attacks
- “Dangerous”
- More computationally expensive
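An added example (not Capture-HPC's code) of the classification logic behind the last two slides: snapshot the guest before the visit, snapshot it again afterwards, and call the server malicious only if an unexpected state change appears. An exclusion list for locations the browser legitimately writes to is what keeps the false-positive rate low; the directory names, the exclusion list and the dropped file are my constructed assumptions, and this works at user level where Capture-HPC records at kernel level.

```python
import hashlib
import os
import tempfile

# Constructed: paths the browser writes on every visit, excluded from the
# verdict so ordinary cache activity does not produce a false positive
IGNORE_PREFIXES = ("Temporary Internet Files/",)


def snapshot(root):
    """Hash every file under root; the first call is the clean baseline."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def classify(before, after):
    """Compare pre- and post-visit snapshots: any new, modified or deleted
    file outside the excluded locations means the server was malicious."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path.startswith(IGNORE_PREFIXES):
            continue
        if path not in before:
            changes.append(("new", path))
        elif path not in after:
            changes.append(("deleted", path))
        elif before[path] != after[path]:
            changes.append(("modified", path))
    return ("malicious" if changes else "benign"), changes


def simulate_visit(drop_file):
    """Constructed demo: tiny guest tree, baseline, a visit that always
    touches the cache and optionally drops a file into the startup folder."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Startup"))
        os.makedirs(os.path.join(root, "Temporary Internet Files"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = snapshot(root)
        with open(os.path.join(root, "Temporary Internet Files", "index.dat"), "w") as fh:
            fh.write("cache entry written by the browser")
        if drop_file:  # the state change a malicious server leaves behind
            with open(os.path.join(root, "Startup", "dropper.exe"), "wb") as fh:
                fh.write(b"MZ placeholder, constructed")
        return classify(before, snapshot(root))
```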
17. Capture-HPC (v2.5) - Functionality
• Platform Independence *
• Flexibility around client application
• Forensically ready
• Records information at kernel level
• Collects modified files (e.g. malware)
• Collects network traffic (pcap)
• Maintained by the New Zealand Honeynet Project Chapter
19. Malware Distribution Networks Overview
• Set of web servers (network) controlled by a group of cyber criminals to distribute malware efficiently
• Specialized structures that support specialized roles of the cyber criminal
• Malware distribution networks allow for campaigns and temporarily renting out components of the distribution network
27. The Threats
(Diagram: threats to the client, grouped by the security property they violate: Availability, Integrity, Confidentiality)
• Crashes
• Network floods / Puppetnets
• Popup floods
• Drive-by-pharming
• Drive-by-Downloads
• Web spam / junk pages
• Social Engineering
• Hosting of malware
• Cross-X attacks
• Cookie, history, file, and clipboard stealing
• Network scanners
• Phishing
28. References
• Jose Nazario, “PhoneyC: A virtual client honeypot”, LEET 2009
• The Honeynet Project, KYE: Malicious Web Servers, http://www.honeynet.org/papers
• Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, “ARROW: Generating Signatures to Detect Drive-By Downloads”, in Proceedings of the WWW Conference, Hyderabad, India, 2011
• Microsoft, Security Intelligence Threat Report, http://www.microsoft.com/sir
29. Thanks for the attention
http://code.google.com/p/phoneyc/
https://projects.honeynet.org/capture-hpc
Questions?
Christian Seifert <christian.seifert@honeynet.org>
Angelo Dell'Aera <angelo.dellaera@honeynet.org>