• Home

  • Documents

  • Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project...
14
Detecting Client-side Detecting Client-side Exploits with Exploits with Honeyclients Honeyclients Kathy Wang The Honeyclient Project [email protected] 9/17/2008 RAID 2008

Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project [email protected] 9/17/2008RAID 2008

Tags:

Embed Size (px)

Citation preview

Page 1: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

Detecting Client-side Detecting Client-side Exploits with Exploits with HoneyclientsHoneyclients

Kathy WangThe Honeyclient [email protected]

9/17/2008 RAID 2008

Page 2: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Problem

Client-side exploits are a growing threat– Lots of client-side vulnerabilities

Microsoft Internet Explorer has more than 50 serious vulnerabilities in last 6 months (SecurityFocus database)

– Lots of client-side exploits 90% of all PCs harbor spyware (Webroot, 2006)

We need to be able to proactively detect and characterize client-side attacks before we get hit

We lack a proactive detection technology for client-side attacks

Page 3: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

A ‘Business’ ModelA ‘Business’ Model

Page 4: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Another Business ModelAnother Business Model

Page 5: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Honeyclient Case ExamplesHoneyclient Case Examples

Please DO NOT go to any of the sites on the following slides unless you REALLY know what you’re doing!!!)

<Disclaimer>

</Disclaimer>

Page 6: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.world0fwarcraft.netwww.world0fwarcraft.net (Changes)(Changes)

Suspicious file

Page 7: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.world0fwarcraft.net (Changes)www.world0fwarcraft.net (Changes)

Where’s /etc/hosts file???Definitely suspicious

Page 8: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.world0fwarcraft.net (Changes)www.world0fwarcraft.net (Changes)

Page 9: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.world0fwarcraft.net (Scanswww.world0fwarcraft.net (Scans))

Page 10: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.sharky.in (Changes)www.sharky.in (Changes)

This definitely doesn’tlook good…

Page 11: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

www.sharky.in (Scan)www.sharky.in (Scan)

Poor resultson scans…

Page 12: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Background - Honeyclients

Honeyclients provide capability to proactively detect client-side exploits– A honeyclient is a system that drives a client application

to potentially malicious servers– Any changes made on honeyclient system are

unauthorized – no false positives!– We detect exploits even without prior signatures

Page 13: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Basic Honeyclient Package

Client-side

Exploit Database

MaliciousServer

Request Response

Linux Host

Traffic logs

Windows VM

Honeyclient

Prototype Capabilities • Integrity checks• Drive IE• Extract URLs• Recurse (Internal)• Recurse (External)• Virtual host• Protective firewall• Exploit DB• Image rotation• Modular clients• Traffic history• Secure logging• Memory checks

Honeyclient Network

Internet

Page 14: Detecting Client-side Exploits with Honeyclients Kathy Wang The Honeyclient Project knwang1@yahoo.com 9/17/2008RAID 2008

9/17/2008 RAID 2008

Additional Project Information

Project websitehttp://honeyclient.mitre.org

Mailing [email protected]

We need beta testers!http://www.honeyclient.org/trac/wiki/download

Developers are welcome too!SVN repository is available


Lessons learned writing exploits LESSONS LEARNED WRITING EXPLOITS Gerardo Richarte Iván Arce

Lessons learned writing exploits LESSONS LEARNED WRITING EXPLOITS Gerardo Richarte Iván Arce

Documents
Buffer Overflow Exploits

Buffer Overflow Exploits

Documents
Mullah Nasrudin Exploits

Mullah Nasrudin Exploits

Documents
Invasaocom exploits

Invasaocom exploits

Technology
Common Exploits

Common Exploits

Documents
Advanced Buffer Overflow Exploits

Advanced Buffer Overflow Exploits

Documents
m86 Web Exploits Report

m86 Web Exploits Report

Documents
Nethemba - Writing exploits

Nethemba - Writing exploits

Technology
March Intensive: XSS Exploits

March Intensive: XSS Exploits

Documents
EXPLOITS MAGAZINE April 2014

EXPLOITS MAGAZINE April 2014

Documents
Exploits Magazine March 2013

Exploits Magazine March 2013

Documents
EXPLOITS MAGAZINE August 2013

EXPLOITS MAGAZINE August 2013

Documents
An introduction to honeyclient technologies

An introduction to honeyclient technologies

Documents
Using Honeyclients for Detection and Response Against New ... · Client-side exploits are a growing threat – Lots of client-side vulnerabilities Microsoft Internet Explorer has

Using Honeyclients for Detection and Response Against New ... · Client-side exploits are a growing threat – Lots of client-side vulnerabilities Microsoft Internet Explorer has

Documents
An introduction to honeyclient technology

An introduction to honeyclient technology

Documents
Lec03: Writing Exploits

Lec03: Writing Exploits

Documents
Exploits of the Satyr

Exploits of the Satyr

Documents
TCP Exploits

TCP Exploits

Documents
Les exploits

Les exploits

Documents
Writing exploits

Writing exploits

Technology
Exploits in Management*

Exploits in Management*

Documents
Anointed to do exploits

Anointed to do exploits

Spiritual
Master Semminar Injection Exploits

Master Semminar Injection Exploits

Documents
Thug: a new low-interaction honeyclient

Thug: a new low-interaction honeyclient

Documents
Beyond Front-Line Exploits

Beyond Front-Line Exploits

Documents
How Hamas Exploits Children

How Hamas Exploits Children

News & Politics
Software Exploits

Software Exploits

Documents
Client Side Exploits

Client Side Exploits

Documents
2 nd Generation Honeyclients Robert Danford SANS Internet Storm Center

2 nd Generation Honeyclients Robert Danford SANS Internet Storm Center

Documents
Lec04: Writing Exploits

Lec04: Writing Exploits

Documents