Implementation and Evaluation of Detection Methods on Client Honeypot

Mitsuaki Akiyama, Makoto Iwamura, Yuhei Kawakoya, Kazufumi Aoki, Mitsutaka Itoh
NTT Information Sharing Platform Laboratories
Midori-Cho 3-9-11, Musashino, Tokyo 180-8585 Japan
{akiyama.mitsuaki,iwamura.makoto,kawakoya.yuhei,aoki.kazufumi,itoh.mitsutaka}@lab.ntt.co.jp

Abstract
Countermeasures against malicious web sites are urgently needed because the number of incidents in which vulnerable web browsers are infected with malware by drive-by-download attacks is increasing. We propose detection methods for drive-by-download attacks for a client honeypot system. The proposed methods focus on the behavior of the web browser in three exploitation phases: 1) preparation for exploitation, 2) the moment of exploitation, and 3) behavior after exploitation. By combining the proposed methods, our client honeypot improved detection coverage without increasing false positives.

1 [heading and body text not recovered; surviving fragments]
FW, BB, ISP, OS, E, Web; April 2009, JSRedir-R [8]; Web, drive-by-download [9]; Web [1][14][15][16]
2 [heading and body text not recovered; surviving fragments]
web high interaction; web low interaction; Capture-HPC [11], HoneyClient [5], HoneyC [12], SpyBye [7]; HoneyC, SpyBye, snort, exploit

3 Drive-by-download [body text not recovered; surviving fragments]
Web (Figure 1); Web, exploit, web, buffer-overflow, shellcode; Shellcode, HeapSpray (Figure 2); HeapSpray, JavaScript, VBscript, shellcode, web, NOP, shellcode, web, MB, MB

Figure 1: Drive-by-download (diagram residue: target host; 1. access to a malicious web site; 2. attack on and takeover of the web browser; 3. automatic download and installation of malware; web content containing exploit code; malware; malicious web site)

Figure 2: HeapSpray exploit (diagram residue; the script shown in the figure is:
<script> mem = new Array(); ... for(i=0; i<n; i++){ mem[i] = SlideCode + Shellcode; } ... </script>
1. The script injects a vast amount of strings. 2. Buffer overflow is caused. 3. The instruction pointer points somewhere on heap memory (browser's heap memory). 4. Shellcode is running.)

Surviving fragments: shellcode; MDAC (Microsoft Data Access Component) (MS06-014); HeapSpray; shellcode

4 [heading and body text not recovered; surviving fragments]
JavaScript, VBscript, web, HeapSpray, web, web
1. HeapSpray
2. [not recovered]
3. [not recovered]

Environment (surviving fragments): Windows, Windows XP SP2, Internet Explorer 6.0; Internet Explorer, MPack [10], WinZip 10.0, QuickTime 6.5.2, Acrobat Reader 8.1, Flash Player 9.45

4.1 HeapSpray [rest of heading and body text not recovered; surviving fragments]
HeapSpray; JavaScript, VBscript; jscript.dll, vbscript.dll; oleaut32.dll, SysAllocStringByteLen() API; API; API hook; jscript.dll, vbscript.dll, API; HeapSpray; API

4.2 HoneyPatch [17] [body text not recovered]

Table 1: HoneyPatch (column headers not recovered; the "(Internet Explorer)" label groups the first rows)
  Internet Explorer:
    MS06-001       WMF
    MS06-014       MDAC
    MS06-055       VML
    MS06-057       WVFIcon
    MS07-004       VML
    MS07-017       ANI
    CVE-2008-0015  Video Control
  CVE-2006-5198    WinZip
  CVE-2007-0015    QuickTime
  CVE-2007-3456    Flash Player
  CVE-2007-5659    Acrobat Reader
  CVE-2008-2992    Acrobat Reader
  CVE-2009-0658    Acrobat Reader
  CVE-2009-0927    Acrobat Reader

Surviving fragments: shellcode; Web; MPack, Internet Explorer, exploit, Acrobat Reader [8]; Internet Explorer 6.0; 15; HoneyPatch; Table 1; 3rd [3][6][13]

4.3 [heading and body text not recovered; surviving fragments]
API; Internet Explorer; C:\WINDOWS\SYSTEM32; API hook; API
web, PDF, web, Acrobat Reader, AcroRd32.exe, AcroRd32.exe; Capture-HPC, HoneyClient, web

5 [heading and body text not recovered; surviving fragments]
MPack, web, PoC [4], web; Malware Domain List [2] (MDL), 32446 URLs, 2009-8-21; 2009-8-21 to 23; MDL URL, drive-by-download, MDAC

5.1 [heading and body text not recovered; surviving fragments]
Figure 3; web, exploit; 500KB, 4MB; 90MB, 230MB; web; Figure 3; HeapSpray

Figure 3: Web content vs. exploit (plot residue: y-axis "Heap allocation summary (Byte)" from 100 to 1e+10; x-axis "Max heap block size (Byte)" from 1 to 1e+08; series "MPack, PoC" and "Web contents (MDL)"; 50MB line; label "HeapSpray")

Surviving fragments: 50MB; HeapSpray; HeapSpray, Shellcode, shellcode, exploit; 50MB; HeapSpray

5.2 [heading and body text not recovered; surviving fragments]
Table 1; web; MDL; HoneyPatch; Table 2
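The HeapSpray detector of Section 4.1 (hooking SysAllocStringByteLen() in oleaut32.dll and summing what jscript.dll / vbscript.dll allocate) combined with the 50MB threshold of Section 5.1, as an added Python model that is not the paper's own code. The hook-log line format, the function names and the sample log are assumptions constructed here; the real system records the allocations inside the browser process via an API hook.

```python
import re
from collections import defaultdict

# Threshold from Section 5.1: benign MDL pages stayed around 500KB-4MB of
# script-string allocation, exploit pages reached 90MB-230MB, so 50MB
# separates the two populations.
HEAPSPRAY_THRESHOLD = 50 * 1024 * 1024

# Assumed log format, one line per hooked SysAllocStringByteLen() call:
# "<caller module> SysAllocStringByteLen len=<bytes>"
LOG_RE = re.compile(r"^(\S+)\s+SysAllocStringByteLen\s+len=(\d+)$")
SCRIPT_ENGINES = {"jscript.dll", "vbscript.dll"}  # only script-driven allocations count

def parse_hook_log(lines):
    """Return (caller, size) tuples for well-formed hook records; skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m.group(1).lower(), int(m.group(2))))
    return events

def summarize(events):
    """Per caller module: total bytes requested, largest single block, number of calls."""
    stats = defaultdict(lambda: {"total": 0, "max_block": 0, "calls": 0})
    for caller, size in events:
        s = stats[caller]
        s["total"] += size
        s["max_block"] = max(s["max_block"], size)
        s["calls"] += 1
    return dict(stats)

def detect_heapspray(stats, threshold=HEAPSPRAY_THRESHOLD):
    """True when a script engine's cumulative string allocation reaches the threshold."""
    return any(stats.get(eng, {}).get("total", 0) >= threshold for eng in SCRIPT_ENGINES)

def constructed_log(spray):
    """Constructed sample log: a small benign page, optionally followed by a spray pattern."""
    lines = [f"jscript.dll SysAllocStringByteLen len={n}" for n in (64, 256, 1024, 4096)]
    lines.append("mshtml.dll SysAllocStringByteLen len=2097152")  # HTML engine, not a script engine
    lines.append("unrelated hook output that the parser must skip")
    if spray:
        # 200 identical 1MB strings: the repeated-block shape of a heap spray
        lines += ["jscript.dll SysAllocStringByteLen len=1048576"] * 200
    return lines

if __name__ == "__main__":
    for spray in (False, True):
        print(spray, detect_heapspray(summarize(parse_hook_log(constructed_log(spray)))))
```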
Table 2: detections by HoneyPatch (column headers only survive as "MDAC" and "MDAC"; labels not recovered)
  Vulnerability   Column 1 (MDAC)   Column 2 (MDAC)
  MS06-001        0 (0%)            0 (0%)
  MS06-014        0 (0%)            171 (63.8%)
  MS06-055        4 (3.6%)          2 (0.7%)
  MS06-057        16 (14.5%)        17 (6.3%)
  MS07-004        6 (5.4%)          1 (0.3%)
  MS07-017        5 (4.5%)          0 (0%)
  CVE-2008-0015   66 (60.0%)        67 (25.0%)
  CVE-2006-5198   1 (0.9%)          1 (0.3%)
  CVE-2007-0015   0 (0%)            0 (0%)
  CVE-2007-3456   0 (0%)            0 (0%)
  CVE-2007-5659   3 (2.7%)          4 (1.4%)
  CVE-2008-2992   8 (7.2%)          4 (1.4%)
  CVE-2009-0658   0 (0%)            0 (0%)
  CVE-2009-0927   1 (0.9%)          1 (0.3%)
  Total           110               268

Surviving fragments: MDAC, MS06-014; CVE-2008-0015, exploit; MDAC; HoneyPatch, web; HoneyPatch, HeapSpray

5.3 [heading and body text not recovered; surviving fragments]
HeapSpray, shellcode; MDAC, MS06-014

5.4 [heading and body text not recovered; surviving fragments]
web; Table 3; HeapSpray

Table 3: classification of detection results (categories A to H; only "HeapSpray" survives of the axis labels)
                    Yes   No
  Yes    Yes        A     B
         No         C     D
  No     Yes        E     F
         No         G     H

Table 4: categories vs. detection method (columns: HeapSpray, HoneyPatch, third method; check marks were lost in extraction, only the "-" entries survive)
  A
  B  -
  C  -
  D  -  -
  E  -
  F  -  -
  G  -  -
  H  -  -  -

Table 5: detections per method (column headers only survive as "MDAC" and "MDAC"; labels not recovered)
  Method            Column 1 (MDAC)   Column 2 (MDAC)
  HeapSpray         161 (77.7%)       159 (63.8%)
  HoneyPatch        104 (50.2%)       179 (71.8%)
  [third method]    61 (29.4%)        198 (79.5%)
  Total (URLs)      207               249

Surviving fragments: 8; HoneyPatch; Table 4; B; HeapSpray; Table 5; MDL; Table 6; MDL; MDAC; (B, D, F) 68.4%, 22.4%; (E, G) 20.2%, 11.6%; MDAC; MDAC, MS06-014
Table 6: URLs per category (column headers only survive as "MDAC" and "MDAC"; labels not recovered)
  Category        Column 1 (MDAC)   Column 2 (MDAC)
  A               17 (8.2%)         110 (44.1%)
  B               79 (38.1%)        7 (2.8%)
  C               6 (2.8%)          54 (21.6%)
  D               2 (0.9%)          8 (3.2%)
  E               4 (1.9%)          1 (0.4%)
  F               61 (29.4%)        41 (16.4%)
  G               38 (18.3%)        28 (11.2%)
  H               -                 -
  Total (URLs)    207               249

Surviving fragments: 79.5%; MDAC; 29.4%; HeapSpray, HoneyPatch; F; exploit; HeapSpray; ActiveX Control

6 [heading and body text not recovered; surviving fragments]
Web, drive-by-download

References
[1] M. Akiyama, Y. Kawakoya, M. Iwamura, K. Aoki, and M. Itoh. MARIONETTE: Client Honeypot for Investigating and Understanding Web-based Malware Infection on Implicated Websites. In Joint Workshop on Information Security, 2009.
[2] Malware Domain List. http://malwaredomainlist.com/.
[3] Microsoft. Security Research & Defense. http://blogs.technet.com/srd/.
[4] Milw0rm. Remote browser vuln exploitation. http://www.milw0rm.com/.
[5] MITRE. Honeyclient Project. http://www.honeyclient.org/.
[6] National Institute of Standards and Technology. National Vulnerability Database. http://nvd.nist.gov/.
[7] N. Provos. SpyBye. http://www.provos.org/index.php?/categories/1-spybye.
[8] Sophos. Malicious JSRedir-R script found to be biggest malware threat on the web. http://www.sophos.com/blogs/gc/.
[9] Symantec. Global Internet Threat Report, Volume XIV. http://www.symantec.com/business/theme.jsp?themeid=threatreport.
[10] Symantec. MPack, packed full of badness. http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html.
[11] The Client Honeynet Project. Capture-HPC. https://projects.honeynet.org/capture-hpc.
[12] The Client Honeynet Project. HoneyC. https://projects.honeynet.org/honeyc.
[13] Zeroday Emergency Response Team (ZERT). Released patches. http://www.isotf.org/zert.
[14] [authors and title not recovered] web. In CSS, 2008.
[15] [authors and title not recovered] 50(9), 2009.
[16] [authors and title not recovered] web. In ICSS, 5 2009.
[17] [authors not recovered] HoneyPatch: Honeypot [title partly recovered]. In 2006 [venue not recovered], 2006.