Escape from Monkey Island: Evading High-Interaction Honeyclients

  • Alexandros Kapravelos
  • Marco Cova
  • Christopher Kruegel
  • Giovanni Vigna
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)

Abstract

High-interaction honeyclients are the tools of choice for detecting malicious web pages that launch drive-by-download attacks. Unfortunately, these tools mostly identify the side-effects of a successful attack rather than the attack itself, which leaves malicious pages free to use evasion techniques: either executing an attack without being detected, or behaving benignly while being analyzed. In this paper, we examine the security model that high-interaction honeyclients use and evaluate its weaknesses in practice. We introduce and discuss a number of possible attacks, and we test them against several popular, well-known high-interaction honeyclients. Our attacks evade detection by these tools while still successfully attacking regular visitors of the malicious web pages.
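The weakness the abstract describes is a property of the detection model, not of any one tool: a honeyclient that compares guest state before and after a visit only sees a net change that survives until the snapshot is taken, and only inside its analysis window. The toy model below, which is an added illustration and not the paper's code or any real honeyclient's implementation, contrasts a snapshot-diff detector with an event-trace detector against four constructed page behaviours; the event shape, the timings and the behaviours themselves are assumptions chosen to exercise the two evasion classes the abstract names (an attack that leaves no detectable side-effect, and a page that stays benign when it believes it is being analyzed).

```python
"""
Toy model of the side-effect-based security model used by high-interaction
honeyclients. Constructed illustration only: the event model, the timings
and the "page" behaviours are assumptions, not the paper's code and not
the implementation of any real honeyclient.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# One guest-side event per tuple: (time_ms, kind, target) where kind is
# "write" (new file / registry key) or "delete" (removal of one).
Event = Tuple[int, str, str]


@dataclass
class Page:
    name: str
    events: List[Event] = field(default_factory=list)
    # Hypothetical fingerprinting page: only acts on what it takes to be
    # a real victim, never inside an analysis environment.
    requires_real_host: bool = False


def observed_events(page: Page, window_ms: int, in_sandbox: bool) -> List[Event]:
    """Events that actually happen during one visit.

    A fingerprinting page stays quiet in the sandbox, and anything scheduled
    after window_ms is never seen because the honeyclient reverts the VM.
    """
    if in_sandbox and page.requires_real_host:
        return []
    return [e for e in page.events if e[0] <= window_ms]


def snapshot_diff_detector(page: Page, window_ms: int) -> bool:
    """Side-effect model: diff guest state before and after the visit.

    Only a net difference between the two snapshots counts as an attack, so a
    write that is undone before the final snapshot is invisible.
    """
    state = set()
    for _t, kind, target in observed_events(page, window_ms, in_sandbox=True):
        if kind == "write":
            state.add(target)
        elif kind == "delete":
            state.discard(target)
    return len(state) > 0


def event_trace_detector(page: Page, window_ms: int) -> bool:
    """Attack-centric model: flag any write seen during the window, even if
    it is later undone. Still blind to activity outside the window or to a
    page that fingerprints the environment."""
    return any(kind == "write"
               for _t, kind, _target in observed_events(page, window_ms, in_sandbox=True))


def victim_compromised(page: Page) -> bool:
    """A regular visitor keeps the browser open and is not an analysis host."""
    return any(kind == "write"
               for _t, kind, _target in observed_events(page, window_ms=10**9, in_sandbox=False))


WINDOW_MS = 30_000  # assumed analysis budget per URL

# Constructed behaviours (paths are placeholders).
DROPPER = "C:\\Users\\victim\\dropper.exe"
BENIGN = Page("benign")
NAIVE_ATTACK = Page("naive", [(2_000, "write", DROPPER)])
DELAYED_ATTACK = Page("delayed", [(120_000, "write", DROPPER)])
CLEANUP_ATTACK = Page("cleanup", [(2_000, "write", DROPPER), (2_500, "delete", DROPPER)])
FINGERPRINT_ATTACK = Page("fingerprint", [(2_000, "write", DROPPER)], requires_real_host=True)

ALL_PAGES = [BENIGN, NAIVE_ATTACK, DELAYED_ATTACK, CLEANUP_ATTACK, FINGERPRINT_ATTACK]


def evaluate(pages: List[Page], window_ms: int = WINDOW_MS) -> dict:
    """Map page name -> (snapshot-diff verdict, event-trace verdict, victim hit)."""
    return {p.name: (snapshot_diff_detector(p, window_ms),
                     event_trace_detector(p, window_ms),
                     victim_compromised(p)) for p in pages}


if __name__ == "__main__":
    print(f"{'page':12s} {'snapshot-diff':14s} {'event-trace':12s} victim")
    for name, (diff, trace, victim) in evaluate(ALL_PAGES).items():
        print(f"{name:12s} {diff!s:14s} {trace!s:12s} {victim}")
```

Only the naive page is caught by the snapshot-diff model; the cleanup page is caught only once the detector looks at the trace of actions rather than the resulting state, and the delayed and fingerprinting pages evade both while still compromising a regular visitor. Widening the analysis window (for example `evaluate(ALL_PAGES, window_ms=200_000)`) catches the delayed page at the cost of throughput, which is exactly the trade-off an evasive page forces on the analyst.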

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Alexandros Kapravelos (1)
  • Marco Cova (2)
  • Christopher Kruegel (1)
  • Giovanni Vigna (1)
  1. UC Santa Barbara, USA
  2. University of Birmingham, UK