Honeyclient technologies are being developed to focus on the different ways to detect and analyze web sites hosting malicious code. Honeyclients detect and characterize malicious sites by driving a client system in a way that mimics a human user (Robert Danford 2006). Among the major purposes of using honeyclients is to stop attacks that use web servers to exploit unpatched browser vulnerabilities and thereby install unsolicited malware and adware on the computers of unsuspecting web surfers.
According to the author, the first generation of honeyclient development in the open source community was followed by the launch of Microsoft’s honeyclients, called HoneyMonkeys.
The open source honeyclient has been developed to proactively detect client-side exploits.
Most client software, e.g. web browsers and mail clients, is not protected by firewalls, and most client applications are not properly developed; they often also lack up-to-date anti-virus software. As part of the ongoing effort to make the web safer, honeyclient technology also addresses the problem of unsuspecting computers being recruited into bot networks and becoming part of DoS attacks.
The business of exploiting software and application vulnerabilities has grown over the years because of financial gain and inducement by organized crime. There is a need to develop both server-side honeypot and client-side honeyclient technologies to curtail the menace of malware and spyware.
Client-side exploits are important because:
1. Security threats are triggered by end-user behavior.
2. Web criminals mostly focus on soft targets.
3. Ordinary web surfers tend to ignore security warnings.
Honeypots: They provide a wide variety of benefits:
· Traditional honeypots are passive and server-side.
· Worm detection
· Insider-abuse detection (also honeytokens)
· Malware capture (medium-interaction honeypots such as nepenthes are particularly good at this)
· Security research
· New exploit detection
Honeyclients: The following are notable characteristics of honeyclients:
· Use advanced and preexisting knowledge to develop tools that proactively protect against vulnerabilities, because the way the client was infected or exploited is known.
· Specialized systems that are used as the intended target for attacks so that we can learn detailed information about the attack.
· Monitor the honeyclient’s behavior to see if it deviates from the norm, e.g. writing an executable file.
· Abnormal behavior of the honeyclient is an indication of an infection.
· Honeyclients are capable of seeking out malicious remote systems.
· Two types of honeyclients are known – server-side and client-side exploits.
Analysis of exploits:
The author discovered that most malware attacks are financially motivated, and the following are common:
- Gaming Trojans
- Banking Trojans: able to access victims’ online banking/account credentials.
- Politically motivated malware: for propagating political ideologies by using HTML files.
- From honeyclient analysis, malware attacks the VMware (virtual platform infrastructure) and proceeds to shut down the guest operating system.
- Full packet capture analysis between the honeyclient and the remote web server at the time of compromise.
Variants of honeyclients:
· Capture – a high-interaction honeyclient that has real-time integrity checking capability.
· SpyBye is a low-interaction honeyclient.
· Google Safe Browsing API is an operational honeyclient that seeks out bad sites and thus creates blacklists based on the bad URLs.
· PhoneyC focuses on automatic browser-script deobfuscation and analysis.
· MS Strider HoneyMonkey (Microsoft Research)
· Mitre Honeyclient Project (Mitre)
· Client-side Honeypots (Univ. of Mannheim)
· Collapsar/Reverse Honeyfarm (Purdue Univ.)
· Phileas (Webroot)
· Websense (Hubbard)
· SiteAdvisor (McAfee)
Limitations of the honeyclient implementation:
· Delays inserted on the web browser client side can silence the way the honeyclient detects an attack.
· Honeyclients have difficulties in detecting malware embedded in banner ads on different web sites.
· Honeyclients work only for drive-by malware attacks or downloads, not for interactive executions that need user permission, such as clicking on a link or clicking on executables.
Conclusion:
· Malware mostly targets Microsoft’s IE 6 and other unpatched browsers.
· Anti-virus products are signature-based.
· Honeyclients use traffic analysis to track malware attacks.
· Snapshot comparisons of files and filesystems give an indication of malicious attacks.
· Integrity checks, e.g. registry key changes, provide useful information about malware attacks.
· Malware often triggers process execution.
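The snapshot-comparison and integrity-check approach listed above (and the "deviates from the norm, e.g. writing an executable file" characteristic in the honeyclient section) can be illustrated with a small before/after comparator. The following is an added example written for this summary, not code from the cited talk, the book chapter, or any of the honeyclient projects named here; the function names are hypothetical, the registry keys are constructed strings rather than a live registry, and the "visit" is a constructed stand-in for driving a browser to a URL.

```python
"""
Snapshot-and-compare integrity check of the kind a high-interaction
honeyclient performs around a site visit: record file digests before the
visit, record them again afterwards, and flag deviations from the norm.
Added example with hypothetical helper names; no real honeyclient code.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Extensions whose sudden appearance after a page visit is the classic
# "wrote an executable" deviation (constructed list for the example).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".vbs", ".js"}

# Constructed autorun key prefix; a real check would read the live registry.
AUTORUN_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            state[os.path.relpath(full, root)] = _sha256(full)
    return state


@dataclass
class Changes:
    added: dict = field(default_factory=dict)
    modified: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)


def diff_states(before, after):
    """Generic before/after comparison; works for file digests and for a
    registry-style key -> value mapping alike."""
    ch = Changes()
    for k, v in after.items():
        if k not in before:
            ch.added[k] = v
        elif before[k] != v:
            ch.modified[k] = (before[k], v)
    for k, v in before.items():
        if k not in after:
            ch.removed[k] = v
    return ch


def suspicious_file_changes(changes):
    """Flag a new executable on disk or an existing file altered during the visit."""
    findings = []
    for path in changes.added:
        if os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS:
            findings.append(("new_executable", path))
    for path in changes.modified:
        findings.append(("modified_file", path))
    return findings


def suspicious_registry_changes(changes):
    """Flag any added or changed value under an autorun key."""
    findings = []
    for key in list(changes.added) + list(changes.modified):
        if any(key.startswith(k) for k in AUTORUN_KEYS):
            findings.append(("autorun_change", key))
    return findings


def simulate_visit(root):
    """Constructed stand-in for the browser visit: the outcome of a drive-by
    that drops a file with an executable extension and edits an existing file."""
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(b"constructed placeholder, not a real program")
    with open(os.path.join(root, "hosts"), "a") as f:
        f.write("\n0.0.0.0 av-updates.example\n")


def run_demo():
    """Baseline -> visit -> snapshot -> diff; returns the flagged findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("clean\n")
        before = snapshot_files(root)
        simulate_visit(root)
        after = snapshot_files(root)
        file_findings = suspicious_file_changes(diff_states(before, after))
    # Constructed registry states: one benign autorun entry before, one new entry after.
    reg_before = {AUTORUN_KEYS[0] + "\\OneDrive": "C:\\Users\\u\\OneDrive.exe"}
    reg_after = dict(reg_before)
    reg_after[AUTORUN_KEYS[0] + "\\svchost"] = "C:\\Temp\\dropper.exe"
    reg_findings = suspicious_registry_changes(diff_states(reg_before, reg_after))
    return sorted(file_findings) + sorted(reg_findings)


if __name__ == "__main__":
    for kind, where in run_demo():
        print(f"{kind}: {where}")
```

The comparator is deliberately generic: `diff_states` does not care whether the mapping came from a filesystem walk or from a registry dump, so the same logic serves both the filesystem snapshot and the registry integrity check the conclusion lists. A real deployment would take the baseline from a clean virtual machine image and revert to it after every visit, which is what makes the "before" state trustworthy.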
References
Oram, A. & Viega, J. (Eds.). (2009). Beautiful Security: Leading Security Experts Explain How They Think (pp. 131-146). Beijing: O’Reilly Media.
Robert Danford (2006). 2nd Generation Honeyclients. Retrieved February 10, 2011, from http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire06.pdf
Strider HoneyMonkey Exploit Detection. Retrieved February 10, 2011, from http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/