Upload
preston-harper
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
Detecting Client-side Detecting Client-side Exploits with Exploits with HoneyclientsHoneyclients
Kathy WangThe Honeyclient [email protected]
9/17/2008 RAID 2008
9/17/2008 RAID 2008
Problem
Client-side exploits are a growing threat– Lots of client-side vulnerabilities
Microsoft Internet Explorer has more than 50 serious vulnerabilities in last 6 months (SecurityFocus database)
– Lots of client-side exploits 90% of all PCs harbor spyware (Webroot, 2006)
We need to be able to proactively detect and characterize client-side attacks before we get hit
We lack a proactive detection technology for client-side attacks
9/17/2008 RAID 2008
A ‘Business’ ModelA ‘Business’ Model
9/17/2008 RAID 2008
Another Business ModelAnother Business Model
9/17/2008 RAID 2008
Honeyclient Case ExamplesHoneyclient Case Examples
Please DO NOT go to any of the sites on the following slides unless you REALLY know what you’re doing!!!)
<Disclaimer>
</Disclaimer>
9/17/2008 RAID 2008
www.world0fwarcraft.netwww.world0fwarcraft.net (Changes)(Changes)
Suspicious file
9/17/2008 RAID 2008
www.world0fwarcraft.net (Changes)www.world0fwarcraft.net (Changes)
Where’s /etc/hosts file???Definitely suspicious
9/17/2008 RAID 2008
www.world0fwarcraft.net (Changes)www.world0fwarcraft.net (Changes)
9/17/2008 RAID 2008
www.world0fwarcraft.net (Scanswww.world0fwarcraft.net (Scans))
9/17/2008 RAID 2008
www.sharky.in (Changes)www.sharky.in (Changes)
This definitely doesn’tlook good…
9/17/2008 RAID 2008
www.sharky.in (Scan)www.sharky.in (Scan)
Poor resultson scans…
9/17/2008 RAID 2008
Background - Honeyclients
Honeyclients provide capability to proactively detect client-side exploits– A honeyclient is a system that drives a client application
to potentially malicious servers– Any changes made on honeyclient system are
unauthorized – no false positives!– We detect exploits even without prior signatures
9/17/2008 RAID 2008
Basic Honeyclient Package
Client-side
Exploit Database
MaliciousServer
Request Response
Linux Host
Traffic logs
Windows VM
Honeyclient
Prototype Capabilities • Integrity checks• Drive IE• Extract URLs• Recurse (Internal)• Recurse (External)• Virtual host• Protective firewall• Exploit DB• Image rotation• Modular clients• Traffic history• Secure logging• Memory checks
Honeyclient Network
Internet
9/17/2008 RAID 2008
Additional Project Information
Project websitehttp://honeyclient.mitre.org
Mailing [email protected]
We need beta testers!http://www.honeyclient.org/trac/wiki/download
Developers are welcome too!SVN repository is available