Identify Malicious URL using
Capture-HPC
David Guan
dcguan@gmail.com

Who Are You?
• You are interested in malicious webpage
• You are interested in Capture-HPC
• You are not interested in the other session or
there are no more seats…

About This Session
• NOT to protect your PC
– You need to pay $$ for *protection*
– Uninstall Windows might be a better idea
• Experience sharing for large scale web crawling
testing
• Use open source software for security research
– Even individual can build your security lab

Drive-by Download
Landing Site
Hopping Site
Download Site

The EVIL Browser Plug-in
Browser plug-in vulnerabilities
Source: Secunia 2008 report

Malicious URL in Different
Regions
Region Total URL Total landing Total download site
Scanned site
China 41000 253 28
Japan 21263 105 3

Google Safe Browsing Database
• Google gives you malicious URL
– Md5 hash form
– Quality data can be observed
– safebrowsing-python + Django = ?

URL Selection and Verification
• Google’s paper “All Your iFRAMEs Point to Us”
Machine Virtual
Malicious
WWW Learning Machine
URL
Repository Score Verification

What is Honeypot?
• A trap!
• Collect malicious behavior
• Server-side honeypot
– Wait to be probed, attacked, and
compromised
• Client-side honeypot
– Actively crawler the web
– Compromised by server
response

What is Capture-HPC ?
• A high-interactive client honeypot
• Part of the Honeynet Project
• Interact with malicious web site and observe
system activities
• Freely available under GPL v2
– https://projects.honeynet.org/capture-hpc

Capture-HPC Concept
VMWare Sever
Capture-HPC
Server
Capture-HPC Client

Capture-HPC Architecture
Config.
Control
xml VMWare Server
Log
Revert & Resume
Capture-HPC
Server Capture-HPC Internet
Firefox
Client Explorer
Report
Win32 Subsystem
User Mode
Process
1
File Process Registry
Registry Process
Change 2
Monitor Monitor Monitor
File
Create
Capture Kernel Driver
Process Registry
3 Create
Kernel Mode
VMWare Guest OS

Setup Server Environment
VMWare server 1.0 Unpack Capture-HPC
Linux is better instead of 2.0 server
Edit Capture-HPC
Set up multiple VM
Server setting

Setup Client Environment
Install Capture-HPC Install system monitor Adjust security level
client tools
NO Windows Update! Disable firewall

Make Yourself More Vulnerable!
• Get old version software at
http://oldapps.com

Editing Exception List
• Filter normal system events
– Windows prefetch
– Windows update
– Internet Explorer activities
– Capture-HPC client activities
• Events not filtered treat as malicious

Good URL? Bad URL?
• Collect normal web page
– Open Directory Project
– Yahoo!
– Other countries?
• How about malicious page?
– IT Information Security
– Malware domain list
– Blast's security lab

Execute Capture-HPC
• java
– Djava.net.preferIPv4Stack=true
– jar CaptureServer.jar
– s <IP listening address>:<IP listening port>
– f <URL input file>
• DEMO Time!

Time to Harvest
System Target URL Result
Configuration
•Intel E6420 (2.13GHz) •Malicious URL •Testing time: 2 hours
with 2G RAM from various sites (about 3000 URL per day)
•VMWare server 1.0 •Total URL: 235
with 3 VM •Malicious: 34
•Network error: 13
(IE can not connect)
•System error: 5
• Check log files
– Safe.log
– Malicious.log
– Error.log

Large Scale Testing Issues
• VMWare issue
– Revert VM hang
– Network broken after VM revert
• Malicious software make guest OS unstable
– Blue screen of death
– Guest OS high CPU loading

Build Your Security Lab
Using Open Source Software
• Many open source software available
– Capture-HPC
– Malzilla
– DecryptJS
• Easy to adapt to your application
• Your effort can make better tools!

Thank You!
Comment and Question?
dcguan@gmail.com