Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

An introduction to honeyclient technology


Published on

Honeynet Project Security Workshop - Paris, March 2011

  • You can ask here for a help. They helped me a lot an i`m highly satisfied with quality of work done. I can promise you 100% un-plagiarized text and good experts there. Use with pleasure! ⇒ ⇐
    Are you sure you want to  Yes  No
    Your message goes here
  • I like this service from Academic Writers. I don't have enough time write it by myself.
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

An introduction to honeyclient technology

  1. 1. An introduction to honeyclient technologies Christian Seifert Angelo DellAera
  2. 2. SpeakersChristian Seifert• Full Member of the Honeynet Project since 2007• PhD from Victoria University of Wellington, NZ• Research Software Engineer @ Microsoft BingAngelo DellAera• Full Member of the Honeynet Project since 2009• Senior Threat Analyst @ Security Reply (7 years)• Information Security Independent Researcher @ Antifork Research (13 years)
  3. 3. Agenda• Introduction• Honeyclient technologies• Low-Interaction (PhoneyC)• High-Interaction (Capture-HPC)• Malware Distribution Networks• Challenges and Future Work
  4. 4. New trends, new tools• In the last years more and more attacks against client systems• The end user as the weakest link of the security chain• New tools are required to learn more about such client-side attacks
  5. 5. New trends, new tools• The browser is the most popular client system deployed on every user system• A lot of vulnerabilities are daily identified and (almost always) reported in the most used browsers• The browser is currently the preferred way to own an host
  6. 6. Honeyclients• What we need is something which seems like a real browser the same way as a classical honeypot system seems like a real vulnerable server• A real system Queuer (high-interaction) Visitor• Or an emulated one Analysis (low-interaction)? Engine
  7. 7. Low-interaction strengths and weaknesses+ Different browser versions (“personalities”)+ Different ActiveX and plugins modules(even different versions)+ Much more safer+ More scalable- Easy to detect
  8. 8. PhoneyC - Brief History• A pure Python low-interaction honeyclient• First version developed by Jose Nazario• Great improvements during GSoC 2009• And the history continues...
  9. 9. PhoneyC – DOM Emulation“The Document Object Model is a platform- and language-neutralinterface that will allow programs and scripts to dynamicallyaccess and update the content, structure and style of documents.The document can be further processed and the results of thatprocessing can be incorporated back into the presented page.”(W3C definition)• Huge improvements during GSoC 2009 • Python object __getattr__ and __setattr__ methods
  10. 10. PhoneyC - Browser Personalities• Currently supported personalities: • Internet Explorer 6.0 (Windows XP) • Internet Explorer 6.1 (Windows XP) • Internet Explorer 7.0 (Windows XP) • Internet Explorer 8.0 (Windows XP) • Internet Explorer 6.0 (Windows 2000) • Internet Explorer 8.0 (Windows 2000)• Easy to add new personalities
  11. 11. PhoneyC - Javascript Engine• Based on SpiderMonkey, the Mozilla implementation of the Javascript engine• HoneyJS: a bridge between Python and SpiderMonkey which wraps a subset of its APIs• HoneyJS based on python-spidermonkey
  12. 12. PhoneyC - Vulnerability Modules• Python-based vulnerability modules • Core browser functionalities • Browser plugins • (Mock) ActiveX controls
  13. 13. PhoneyC - Shellcode detection and emulation• HoneyJS“The shellcode manipulation and the spraying of the fillblockinvolve assignments.The shellcode will be detected immediatelyon its assignment if we are able to interrupt spidermonkey at theinterpretion of certain bytecodes related to an assignment andcheck its arguments and values for shellcodes”• Libemu integration (shellcode detection,execution and profiling)
  14. 14. PhoneyC - Future Improvements• A new and more reliable DOM (Document Object Model) emulation• Replacing Spidermonkey with Google V8• Mixed static/dynamic analysis for detecting potential attacks
  15. 15. High-interaction Client Honeypot• Real system• Observe effects of attack Request No state appeared New file changes Benign detected folder in start up Server Response Request Client Honeypots Attack Malicious Server
  16. 16. High-interaction strengths and weaknesses+ No emulation necessary+ Accurate classification (extremely low falsepositive rate)+ Ability to detect zero-day attacks+ More difficult to evade- Miss attacks- “Dangerous”- More computationally expensive
  17. 17. Capture-HPC (v2.5) - Functionality• Platform Independence *• Flexibility around client application• Forensically ready • Records information at kernel level • Collects modified files (e.g. malware) • Collects network traffic (pcap)• Maintained by the New Zealand Honeynet Project Chapter
  18. 18. Malware Distribution Networks
  19. 19. Malware Distribution Networks Overview• Set of web servers (network) controlled by a group of cyber criminals to distribute malware efficiently• Specialized structures that support specialized roles of the cyber criminal• Malware distribution networks allow for campaigns and temp renting out components of the distribution network
  20. 20. Malware Distribution NetworksSource: Microsoft Security Intelligence Threat Report (
  21. 21. Malware Distribution Network
  22. 22. Exploit Servers12.8% of exploit servers responsible for 84.1% of drive-by-download pages Source: Microsoft Security Intelligence Threat Report (
  23. 23. Challenges and Future Work
  24. 24. Malware Distribution Network
  25. 25. Malware Distribution Networks Fast-Flux • LP infected with script that contacts twitter to obtain popular topics (e.g. japan) LP1 LP2 • From popular query from last week, script constructs host name (e.g. “j” + date) • Next day, the same LP will contact twitter to obtain popular topics (e.g. tunesia) • Now, it will construct different host name (e.g. R2 R1 “t” + date) • Attacker registers hostname a few days in advance h1 h2 h3 h4 h5 h6 h7 h8 h9 h10 3/19/2011 1 1 3/20/2011 1 1ES1 3/21/2011 1 1 1 ES2 3/22/2011 1 1 1 3/23/2011 1 1 1 3/24/2011 1 1 1 3/25/2011 1 1 1 3/26/2011 1 1 1 3/27/2011 1 1 1 3/28/2011 1 1 1 3/29/2011 1 1
  26. 26. Evasion Techniques• Technology Differences (Browser vs Honeyclient)• Human vs Machine Interaction• Decrease visibility
  27. 27. The Threats Crashes Drive-by-pharming Network floods/ Puppetnets Drive-by-Downloads Availability Integrity Web spam/ junk pages Social EngineeringHosting of malware Popup floods Cross-X attacks Cookie, history, file, and clipboard stealing Confidentiality Network scanners Phishing
  28. 28. References• Jose Nazario, “PhoneyC: A virtual client honeypot”, LEET 2009• The Honeynet Project, KYE: Malicious Web Servers,• Junjie Zhang, Jack Stokes, Christian Seifert and Wenke Lee, ARROW: Generating Signatures to Detect Drive-By Downloads, in proceedings of www conference, Hyderabad, India, 2011• Microsoft, Security Intelligence Threat Report,
  29. 29. Thanks for the attention Questions? Christian Seifert <> Angelo DellAera <>