2 web high interaction web low interaction Capture- HPC[11] HoneyClient[5] HoneyC[12] SpyBye[7] HoneyC SpyBye snort exploit 3 Drive-by-download Web (

Size: px

Start display at page:

Download "2 web high interaction web low interaction Capture- HPC[11] HoneyClient[5] HoneyC[12] SpyBye[7] HoneyC SpyBye snort exploit 3 Drive-by-download Web ("

きみつぐすすむ
6 years ago
Views:

1 NTT {akiyama.mitsuaki,iwamura.makoto,kawakoya.yuhei, Web drive-by-download web drive-by-download web web Implementation and Evaluation of Detection Methods on Client Honeypot Mitsuaki Akiyama Makoto Iwamura Yuhei Kawakoya Kazufumi Aoki Mitsutaka Itoh NTT Information Sharing Platform Laboratories Midori-Cho , Musashino, Tokyo Japan {akiyama.mitsuaki,iwamura.makoto,kawakoya.yuhei, Abstract Countermeasures against malicious web sites are urgently needed because of increasing the number of incidents that vulnerable web browsers are infected malware by driveby-download attacks. We proposed detection methods of drive-by-download attack for client honeypot system. Proposed methods focused on the behavior of web browser in the view points of exploitation phases: 1) preparation of exploitation, 2) the moment of exploitation and 3) behavior of after exploitation. By combining proposed methods, our client honeypot improved detection coverage without increasing false-positives. 1 FW BB ISP OS E Web JSRedir-R[8] Web Web drive-by-download Web [9] Web Web [1][14][15][16] Web Web

2 web high interaction web low interaction Capture- HPC[11] HoneyClient[5] HoneyC[12] SpyBye[7] HoneyC SpyBye snort exploit 3 Drive-by-download Web ( 1) Web Web exploit web buffer-overflow shellcode

2 2 web high interaction web low interaction Capture- HPC[11] HoneyClient[5] HoneyC[12] SpyBye[7] HoneyC SpyBye snort exploit 3 Drive-by-download Web ( 1) Web Web exploit web buffer-overflow shellcode Shellcode HeapSpray 2 HeapSpray JavaScript VBscript shellcode web NOP shellcode web MB MB <script> 標的ホスト mem = new Array();... for(i=0,i<n;i++){ mem[i] = SlideCode + Shellcode; }... </script> 1. 悪性 webサイトへアクセス 1 2. Web ブラウザに対する攻撃と乗っ取り 3. 自動的にマルウェアのダウンロードとインストール Exploit コードが含まれる web コンテンツマルウェア 1: Drive-by-download HeapSpray script 1. The script injects vast amount of strings.. 悪性 web サイト 2. Buffer overflow is caused.. 3. Instruction pointer Browser s heap memory points somewhere on heap mem. 4. Shellcode is running. 2: HeapSpray exploit shellcode MDAC(Microsoft Data Access Componet) (MS06-014) HeapSrapy shellcode 4 JavaScript VBscript web HeapSpray web web 1. HeapSpray

3 2. 3. Windows Windows XP SP2 Internet Explorer 6.0 Internet Explorer MPack[10] WinZip 10.0 QuicTime Acrobat Reader 8.1 Flash Player HeapSpray HeapSpray JavaScript VBscript jscript.dll vbscript.dll oleaut32.dll SysAllocStringByteLen() API API API hook jscript.dll vbscript.dll API HeapSpray HeapSpray HeapSpray API API 4.2 HoneyPatch[17] HoneyPatch 1: HoneyPatch Web MS MS WMF MDAC MS VML (Internet MS WVFIcon Explorer) MS VML MS ANI CVE Video Contorl CVE WinZip CVE QuickTime CVE Flash Player CVE Acrobat Reader CVE Acrobat Reader CVE Acrobat Reader CVE Acrobat Reader shellcode Web MPack Internet Explorer exploit Acrobat Reader [8] Internet Explorer HoneyPatch 1 3rd [3][6][13] 4.3 API Internet Explorer C:\\WINDOWS\SYSTEM32 API hook API

4 web PDF web Acrobat Reader AcroRd32.exe AcroRd32.exe Capture-HPC HoneyClient web 5 MPack web PoC [4] web Malware Domain List[2]MDL 32446URL MDL URL drive-by-download MDAC web exploit 500KB 4MB 90MB 230MB web 3 HeapSpray Heap alloction summary (Byte) 1e+10 1e+09 1e+08 1e+07 1e MPack, PoC Web contents (MDL) 50MB HeapSpray e+06 1e+07 1e+08 Max heap block size (Byte) 3: Web Exploit 50MB HeapSpray HeapSpray Shellcode shellcode exploit 50MB HeapSpray web MDL HoneyPatch 2

5 2: MDAC MDAC MS (0%) 0 (0%) MS (0%) 171 (63.8%) MS (3.6%) 2 (0.7%) MS (14.5%) 17 (6.3%) MS (5.4%) 1 (0.3%) MS (4.5%) 0 (0%) CVE (60.0%) 67 (25.0%) CVE (0.9%) 1 (0.3%) CVE (0%) 0 (0%) CVE (0%) 0 (0%) CVE (2.7%) 4 (1.4%) CVE (7.2%) 4 (1.4%) CVE (0%) 0 (0%) CVE (0.9%) 1 (0.3%) ( ) MDAC MS CVE exploit MDAC HoneyPatch web HoneyPatch HeapSpray 5.3 HeapSpray shellcode MDAC MS web 3 HeapSpray 3: HeapSpray Yes A B No C D Yes E F No G H 4: HeapSpray HoneyPatch A B - C - D - - E - F - - G - - H : MDAC MDAC HeapSpray 161 (77.7%) 159 (63.8%) HoneyPatch 104 (50.2%) 179 (71.8%) 61 (29.4%) 198 (79.5%) (URL ) HoneyPatch 4 B HeapSpray 5 MDL 6 MDL MDAC ( B D F) 68.4% 22.4% ( E G) 20.2% 11.6% MDAC MDAC MS06-014

6 6: MDAC MDAC A 17 (8.2%) 110 (44.1%) B 79 (38.1%) 7 (2.8%) C 6 (2.8%) 54 (21.6%) D 2 (0.9%) 8 (3.2%) E 4 (1.9%) 1 (0.4%) F 61 (29.4%) 41 (16.4%) G H 38 (18.3%) - 28 (11.2%) - (URL ) % MDAC 29.4% HeapSpray HoneyPatch F exploit HeapSpray ActiveX Control 6 Web drive-bydownload [1] M. Akiyama, Y. Kawakoya, M. Iwamura, K. Aoki, and M. Itoh. MARIONETTE: Client honeypot for Investigating and Understanding Web-based Malware infection on Implicated Websites. In Joint Workshot on Information Security, [2] Malware domain List. http: //malwaredomainlist.com/. [3] Microsoft. Security research & defense. http: //blos.technet.com/srd/. [4] Milw0rm. Remote browser vuln exploitation. [5] MITRE. Honeyclient project. honeyclient.org/. [6] National Institute of Standards and Technology. National vulnerability database. http: //nvd.nist.gov/. [7] N. Provos. Spybye. org/index.php?/categories/1-spybye. [8] Sophos. Malicious jsredire-r script found to be biggest malware threat on the web. http: // [9] Symantec. Global internet threat report volume xiv. com/business/theme.jsp?themeid= threatreport. [10] Symantec. Mpack, packed full of badness. security response/weblog/2007/05/ mpack packed full of badness.html. [11] The Client Honeynet Project. Capure- HPC. capture-hpc. [12] The Client Honeynet Project. HoneyC. [13] Zeroday Emergency Response Team (ZERT). Released patches. zert. [14],,, and. web. In (CSS), [15],,,,, and.., 50(9), [16],,,, and. web. In (ICSS), [17],,, and. Honeypatch: Honeypot. In 2006, 2006.

2 [2] Flow Visualizer 1 DbD 2. DbD [4] Web (PV) Web Web Web 3 ( 1) ( 1 ) Web ( 2 ) Web Web ( 3 ) Web DbD DbD () DbD DbD DbD 2.1 DbD DbD URL URL Google

2 [2] Flow Visualizer 1 DbD 2. DbD [4] Web (PV) Web Web Web 3 ( 1) ( 1 ) Web ( 2 ) Web Web ( 3 ) Web DbD DbD () DbD DbD DbD 2.1 DbD DbD URL URL Google Drive-by Download 1,a) 1,b) Web Drive-by Download(DbD) DbD Web DbD HTTP DbD Web DbD, Drive-by Download The Network Visualization Tool for detecting the Drive-by Download attacks. Amako Katsuhiro 1,a) Takada