Client-Side Honeypots

Bing Yuan
Department of Computer Science
RWTH Aachen

April 26, 2007
  2. Overview
     - Motivation
     - The Client-Side Honeypot
     - The CHP System
     - Attack Patterns
     - Future Works
  7. Motivation: client-side exploits grow very fast. Problems:
     - a client-side exploit means exploiting vulnerabilities in client-side software
     - computers can be infected by simply browsing web pages or opening e-mails
     - about 90% of PCs connected to the internet were infected with spyware in 2006 (www.webroot.com)
  10. Motivation: client-side exploits grow very fast. Analysis:
     - client-side software is widespread: web browsers, e-mail clients, ...
     - client-side software has many vulnerabilities: Microsoft Security Bulletin Search (IE, OE, ...), Mozilla Foundation Security Advisory (Firefox, Thunderbird, ...)
  14. Motivation: traditional methodology is inadequate
     - anti-malware software is entirely reactive
     - traditional honeypots focus on server-side attacks
     - we need to handle client-side attacks proactively
  17. The Client-Side Honeypot: Definition. A client-side honeypot is a trap computer that simulates or drives client-side software to actively and automatically search for attacks, record system activities, and judge which of those activities are malicious, in order to learn more about client-side attack patterns.
  18. The Client-Side Honeypot: Characteristics
     - client-side: it simulates or drives client-side software and does not provide any services
     - active: because it cannot lure attacks, it must actively search for them
     - automatic: because a huge number of resources must be visited, the honeypot's tasks must be automated
     - identify: it must be able to judge which system activities are normal and which are malicious
  22. The Client-Side Honeypot: Classification
     - high-interaction and low-interaction
     - according to the development technology:
       - integrity control: take two snapshots of the system, before and after crawling, then compare the two snapshots to judge whether the system's integrity has changed
       - real-time monitoring: during the crawl, intercept important system calls with hooking techniques and record the system activities caused by these calls
         - more efficient: no system snapshots are needed
         - more precise: every important system call is intercepted
  28. Client-side honeypot projects (1)
     - HoneyC: low-interaction client-side honeypot developed by Christian Seifert in 2006; platform-independent open-source framework written in Ruby; drives a visitor component (such as a web browser simulator) to visit web servers; uses an analysis engine to determine whether the system's security policies are violated
     - Capture-HPC: high-interaction client-side honeypot developed by many researchers at Victoria University of Wellington using Java and C; the Capture server controls the Capture clients; the Capture client records system activities in real time
  34. Client-side honeypot projects (2)
     - Honeyclient: the first open-source high-interaction client-side honeypot, developed by Kathy Wang in Perl in early 2005; establishes two baselines of system files and registry entries, before and after visiting one whole domain; compares the two baselines to find integrity changes
     - HoneyMonkey System: short for Strider HoneyMonkey Exploit Detection System, developed by Microsoft in 2005; the first high-interaction client-side honeypot system to find a 0-day exploit; runs one web browser instance per malicious URL and waits for some minutes, recording and analysing system activities in the meantime; pipeline of virtual machines with different patch levels
  40. 40. Motivation The Client-Side Honeypot Overview The CHP System Classification Attack Patterns Client-side honeypot projects Future works Client-side honeypot projects (2) Honeyclient: the first open source high-interaction client-side honeypot developed by Kathy Wang using Perl in early 2005 establish two baselines of system files and registry entries before and after visiting one whole domain compare these two baselines to find integrity changes HoneyMonkey System: short for Strider HoneyMonkey Exploit Detection System and was developed by Microsoft in 2005, first high-interaction client-side honeypot system which found 0-day exploit execute one web browser instance for each malicious URL and wait for some minutes in the meantime it will record and analyse the system activities pipeline of virtual machines with different patch levels Bing Yuan Client-Side Honeypots
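The baseline-comparison approach that Honeyclient uses, worked through as an added example that is not Honeyclient's own Perl code: a directory tree is hashed before and after a simulated visit and the two baselines are compared to report created, deleted and modified entries. The sample tree and the changes made to it in demo() are constructed for the demonstration; the function names are assumptions.

```python
"""Integrity-baseline comparison in the Honeyclient style: snapshot the
state before visiting a domain, snapshot again afterwards, diff the two.

Added example, not Honeyclient's own code. It hashes a directory tree
instead of the full system-file and registry baselines the real tool
takes; the sample tree built in demo() is constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file below `root` (relative path, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline


def compare(before, after):
    """Integrity changes between two baselines: created, deleted, modified paths."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def write(root, rel, data):
    """Helper: write `data` to root/rel, creating parent directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: baseline, simulated changes after a visit, diff."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "system32/svchost.exe", b"original system binary (sample)")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        write(root, "user/cache/page.htm", b"<html>benign cached page</html>")
        before = snapshot(root)

        # Simulated post-visit state (constructed): a dropped file,
        # a modified hosts file and a removed cache entry.
        write(root, "system32/svchost32.exe", b"dropped binary (sample)")
        write(root, "hosts", b"127.0.0.1 localhost\n0.0.0.0 blocked.example.test\n")
        os.remove(os.path.join(root, "user", "cache", "page.htm"))
        after = snapshot(root)

        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Honeyclient runs the same kind of comparison over system files and registry entries. Because one baseline pair covers a whole domain, the diff cannot tell which URL within that domain caused a change, and anything that undoes itself before the second baseline is taken leaves no trace; that gap is what real-time monitoring, the approach the CHP system takes with CWSandbox, is meant to close.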
The CHP System: Overview

    - the goal: implement a system that can determine whether clicking on a weblink causes system activities; if yes, judge whether these activities are normal or malicious; when they are malicious, further research the URLs that cause them, to gain knowledge about client-side attack patterns
    - the CHP system is a high-interaction client-side honeypot; it consists of CI (Crawl and Identify), developed by me in C++, and CWSandbox, developed by Carsten Willems in Delphi; it runs on Windows XP/2000
Which system activities should be controlled

    - files: created, deleted, modified files
    - registry entries: created, deleted, modified keys/data/values
    - processes: opened, created, terminated processes
    - network connections: malicious network connections
    - memory: the ultimate goal of system control, because most malware leaves traces in memory, but it is not easy to implement
Schema

    (figure: schema of the CHP system)
The GUI of CI

    (figure: screenshot of the CI user interface)
The crawling part

    How to build the URL list?
    - the first 100 search results (URLs)
    - a blacklist of known malicious URLs
    - URLs extracted from email bodies
    - URLs extracted from the crawled webpages
    - the malicious URLs we identified after one execution
Crawling parameters

    - breadth: how many weblinks on one webpage we want to click on
    - depth: how many layers we want to visit; for example, if the depth equals two, the current webpage is layer zero, we click on the weblinks at layer zero to reach the first layer, then reach the second layer by clicking on the weblinks at the first layer
    - length: the time between visiting two URLs
Layers

    (figure: crawl tree with Breadth = 3, Depth = 2)
Computing

    The number of URLs to visit:
        N = breadth^0 + breadth^1 + breadth^2 + ... + breadth^depth
    The time needed for one crawl (in seconds):
        T = (N − 1) × length
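The crawl budget formula above and the layer-by-layer traversal that the breadth and depth parameters describe, as an added example that is not the CI's own C++ code. The link graph, its URLs and the function names are constructed assumptions for the demonstration; `length` is the pause in seconds between two visits, as on the slide.

```python
"""Crawl budget and layered link traversal (breadth / depth / length).

Added example, not the CI's own code. `breadth`, `depth` and `length`
follow the slide's definitions; the sample link graph is constructed."""
from collections import deque


def urls_to_visit(breadth, depth):
    """N = breadth^0 + breadth^1 + ... + breadth^depth; the start page is layer 0."""
    return sum(breadth ** layer for layer in range(depth + 1))


def crawl_seconds(breadth, depth, length):
    """T = (N - 1) * length: one pause between each pair of consecutive visits."""
    return (urls_to_visit(breadth, depth) - 1) * length


def layered_crawl(start, links, breadth, depth):
    """Visit order for a breadth/depth-limited crawl.

    `links` maps a URL to the weblinks on that page, in page order. On every
    page only the first `breadth` links are clicked, no page is visited twice,
    and pages at layer `depth` are not expanded further."""
    order, seen = [], {start}
    queue = deque([(start, 0)])
    while queue:
        url, layer = queue.popleft()
        order.append(url)
        if layer == depth:
            continue
        for child in links.get(url, [])[:breadth]:
            if child not in seen:
                seen.add(child)
                queue.append((child, layer + 1))
    return order


# Constructed sample site: the start page has four links (one more than
# breadth = 3 allows), page /a links back to the start page, and /a/1 has
# a link one layer deeper than depth = 2 permits.
START = "http://start.test/"
SAMPLE_LINKS = {
    START: [START + "a", START + "b", START + "c", START + "d"],
    START + "a": [START + "a/1", START + "a/2", START + "a/3", START],
    START + "b": [START + "b/1", START + "b/2", START + "b/3"],
    START + "c": [START + "c/1", START + "c/2", START + "c/3"],
    START + "a/1": [START + "a/1/deep"],
}

if __name__ == "__main__":
    n, t = urls_to_visit(3, 2), crawl_seconds(3, 2, 30)
    visited = layered_crawl(START, SAMPLE_LINKS, 3, 2)
    print(f"budget N = {n}, T = {t} s at length = 30 s; visited {len(visited)} URLs")
```

N is an upper bound: it is reached only when every page has at least `breadth` links that have not been seen before, so pages with fewer links, duplicate links or back-links lower the actual count and the actual crawl time.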
The identify part

    - after crawling and hooking (that is, real-time monitoring) we get "analysis.xml", which contains all important activities caused by visiting the URLs
    - activity = action + filepath + filename
    - parse this XML file and identify malicious activities using filter patterns
Filter patterns (1)

    Activity               Filter patterns
    File's activity        does not contain "Temporary Internet Files"
    Registry's activity    contains "Browser Helper Objects"
                           contains "CurrentVersion\Run"
                           contains "CurrentVersion\RunOnce"
                           contains "CurrentVersion\RunServices"
                           contains "CurrentVersion\RunServicesOnce"
                           contains "Internet Explorer\Toolbar"
                           contains "Search Assistant"
                           contains "Search Bar"
                           contains "Search Page"
                           contains "Start Page"
Filter patterns (2)

    Activity               Filter patterns
    Registry's activity    contains "Startup Folder"
    (continued)            contains "Hosts"
                           contains "CurrentVersion\WinLogon"
                           contains "CurrentControlSet\Services"
                           contains "CurrentControlSet\Control"
                           contains "Shell\Open\Command"
                           contains "ShellExecuteHooks"
    Process                create or terminate activities
    Ini-file's activity    contains "win.ini" and "run" and "load"
                           contains "system.ini" and "load" and "shell"
    Winsock                every crawled URL
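The identify step of the CI, as an added example that is not the CI's own code: it parses a minimal activity report and applies the filter patterns from the two "Filter patterns" slides. The real analysis.xml produced by CWSandbox has a richer schema that the slides do not show, so the `<activity type= action= path= name= detail=>` layout and the sample report below are constructed assumptions, as is the convention that each flagged activity is attributed to the most recently crawled URL (the Winsock row).

```python
"""Identify step: parse an activity report and flag suspicious activities
with the filter patterns from the 'Filter patterns' slides.

Added example, not the CI's own code. The <activity> element layout and
the sample report are constructed; CWSandbox's real analysis.xml differs."""
import xml.etree.ElementTree as ET

# Registry paths associated with persistence or browser hijacking (slides).
REGISTRY_PATTERNS = [
    "Browser Helper Objects",
    "CurrentVersion\\Run", "CurrentVersion\\RunOnce",
    "CurrentVersion\\RunServices", "CurrentVersion\\RunServicesOnce",
    "Internet Explorer\\Toolbar",
    "Search Assistant", "Search Bar", "Search Page", "Start Page",
    "Startup Folder", "Hosts",
    "CurrentVersion\\WinLogon",
    "CurrentControlSet\\Services", "CurrentControlSet\\Control",
    "Shell\\Open\\Command", "ShellExecuteHooks",
]
# Ini-file rows: every term of one group must be present.
INI_PATTERNS = [("win.ini", "run", "load"), ("system.ini", "load", "shell")]

# Constructed sample report (assumed layout, not CWSandbox's schema).
SAMPLE_REPORT = """<analysis>
  <activity type="winsock" action="connect" path="http://start.test/" name=""/>
  <activity type="file" action="create" path="C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\AB12CD34" name="index[1].htm"/>
  <activity type="file" action="create" path="C:\\WINDOWS\\system32" name="svchost32.exe"/>
  <activity type="registry" action="modify" path="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" name="svchost32"/>
  <activity type="registry" action="modify" path="HKCU\\Software\\Microsoft\\Internet Explorer\\Main" name="Start Page"/>
  <activity type="registry" action="create" path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder" name="Start Menu"/>
  <activity type="process" action="create" path="C:\\WINDOWS\\system32" name="svchost32.exe"/>
  <activity type="ini" action="modify" path="C:\\WINDOWS" name="win.ini" detail="[windows] run=svchost32.exe load="/>
</analysis>"""


def activity_matches(kind, action, path, name, detail=""):
    """Apply the slide's filter pattern for one activity (action + filepath + filename)."""
    full = f"{path}\\{name}" if name else path
    haystack = f"{full} {detail}"
    if kind == "file":
        # Everything written outside the browser cache is suspicious.
        return "Temporary Internet Files" not in full
    if kind == "registry":
        return any(p in full for p in REGISTRY_PATTERNS)
    if kind == "process":
        return action in ("create", "terminate")
    if kind == "ini":
        return any(all(term in haystack for term in group) for group in INI_PATTERNS)
    return False


def identify(xml_text):
    """Return (url, activity) pairs for activities that match the filters.

    Winsock rows are kept for every crawled URL; here they mark which URL
    the following activities belong to (an assumption about report order)."""
    flagged, current_url = [], None
    for act in ET.fromstring(xml_text).iter("activity"):
        kind, action = act.get("type"), act.get("action")
        path, name, detail = act.get("path", ""), act.get("name", ""), act.get("detail", "")
        if kind == "winsock":
            current_url = path
            continue
        if activity_matches(kind, action, path, name, detail):
            flagged.append((current_url, f"{kind}:{action} {path}\\{name}".rstrip("\\")))
    return flagged


if __name__ == "__main__":
    for url, activity in identify(SAMPLE_REPORT):
        print(url, "->", activity)
```

On the constructed report the cached page and the harmless MenuOrder key pass through, while the dropped executable, the Run key, the changed Start Page, the new process and the win.ini edit are flagged and tied to the URL that was being crawled.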
The CWSandbox: Introduction

    - the CWSandbox automatically analyses malware behaviour by running the malware and intercepting all important calls to the Windows API that cause the corresponding system activities
    - the CWSandbox uses hooking: hooking a function means intercepting calls to that function by some other function, called the hook
    - finally it generates a summarised report
The Integration of CI and CWSandbox

    - the CWSandbox drives one IE instance as the "malware"; this instance can be captured by the CI
    - the CI continuously crawls the URLs from the URL list using this IE instance
    - in the meantime the system activities caused by visiting these URLs are recorded by CWSandbox
    - the CWSandbox generates a summarised report of the system activities
    - the identify part of the CI parses and analyses this report to judge which activities are malicious
Attack Patterns (1)

    - malware uses social engineering to disguise itself, e.g. naming itself "svchost.exe"
    - the user's network connections are redirected, e.g. using an invisible "iframe"
    - malicious websites place their weblinks on the webpages of other websites
    - the source code is concealed using obfuscation, often applied many times over
Attack Patterns (2)

    - use of different scripting languages, e.g. a mixture of VBScript and JavaScript
    - script code operates directly on the local system, e.g. using the "Scripting.FileSystemObject" object
    - malware uses various methods to create/execute/delete itself at the same time
    - malware uses rootkit technologies to hide itself
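Three of the patterns from the two "Attack Patterns" slides (invisible iframes, a mixture of VBScript and JavaScript, and script access to the local system through Scripting.FileSystemObject) checked statically on a fetched page, as an added example that is not part of the CHP system. The hidden-frame heuristics and the off-screen threshold are assumptions, and the sample page is constructed.

```python
"""Static triage checks for three client-side attack patterns: invisible
iframes, mixed script languages, and Scripting.FileSystemObject use.

Added example, not part of the CHP system. The heuristics are assumptions
and the sample page is constructed."""
from html.parser import HTMLParser
import re


class PageScanner(HTMLParser):
    """Collect iframe attributes and script blocks (language, body)."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self.scripts = []
        self._script_lang = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.frames.append(a)
        elif tag == "script":
            lang = (a.get("language") or a.get("type") or "javascript").lower()
            self._script_lang = "vbscript" if "vb" in lang else "javascript"

    def handle_data(self, data):
        if self._script_lang is not None:
            self.scripts.append((self._script_lang, data))

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_lang = None


def _px(value):
    """Leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def hidden_reason(attrs):
    """Why a frame would escape the user's notice, or None if it looks visible."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return "zero-size"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "css-hidden"
    m = re.search(r"(?:left|top):(-\d+)px", style)
    if m and int(m.group(1)) <= -500:  # assumed threshold for "off-screen"
        return "off-screen"
    return None


def scan_page(html):
    """Return (pattern, detail) findings for one page."""
    p = PageScanner()
    p.feed(html)
    findings = []
    for f in p.frames:
        reason = hidden_reason(f)
        if reason:
            findings.append(("hidden-iframe", f"{f.get('src', '')} ({reason})"))
    langs = {lang for lang, _ in p.scripts}
    if len(langs) > 1:
        findings.append(("mixed-script-languages", "+".join(sorted(langs))))
    for lang, body in p.scripts:
        if "scripting.filesystemobject" in body.lower():
            findings.append(("filesystemobject", lang))
    return findings


# Constructed sample page: one visible banner frame, three hidden frames,
# and a JavaScript block next to a VBScript block that touches the file system.
SAMPLE_PAGE = """<html><body>
<h1>Constructed sample page</h1>
<iframe src="http://ads.example.test/banner" width="468" height="60"></iframe>
<iframe src="http://bad.example.test/x.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example.test/y.htm" style="display: none"></iframe>
<iframe src="http://bad.example.test/z.htm" style="position:absolute; left:-9999px"></iframe>
<script type="text/javascript">document.title = "welcome";</script>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
</script>
</body></html>"""

if __name__ == "__main__":
    for pattern, detail in scan_page(SAMPLE_PAGE):
        print(pattern, detail)
```

Obfuscation, applied many times over as the first slide notes, defeats this kind of string matching on the source; that is why the CHP system judges the system activities a page causes rather than its code, and why checks like these serve only as a triage aid for the URL list.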
Future works (1)

    - further improve the CHP system and expand the filter patterns
    - test the CHP system in the Laboratory for Dependable Distributed Systems at the University of Mannheim and at the Honeynet Organization
    - improve the email part so that it can research the vulnerabilities of the email client; this must be coordinated with CWSandbox, which can monitor activities such as opening emails or email attachments
    - add the network control part
Future works (2)

    - improve the integrity control part; with better configuration and implementation, the integrity control approach may also work very efficiently
    - the CWSandbox is not an open-source project, so maybe we can build our own real-time monitoring kernel
    - deepen the theoretical research on client-side honeypots, which can help us improve the CHP system
    - build one central repository accessible through the project website or the CI; this repository will store the malicious URLs and their activities, and distributed users all over the world can run the CHP system and submit the malicious URLs they find to this central repository
Thank you for your attention!
