Daniel Bachfeld
Storm chasers
On the prowl for infectious websites
Client-based honeypots help turn up malicious code on the Internet and provide clues to previously unknown holes in browsers. The Honeyclient project offers the first tools for conducting your own searches.
Virtual honeypots have earned the respect of security experts, providing interesting information about the methods and tools used by intruders. After all, the better you understand attackers, the better you can protect yourself against them. The classic server-based honeypot has two disadvantages: first, you have to wait until an attacker decides to break in; second, the focus of attacks is tending more and more in the direction of clients. Browser holes in particular represent a growing security problem, as colourfully and pointedly demonstrated by H.D. Moore and his "Month of Browser Bugs" . He is publishing a new vulnerability in web browsers, most of which are in Internet Explorer, every day during July. Traditional honeypots completely miss the type of threats he is highlighting.
Client-based honeypots fill that gap, providing a window onto the latest developments in attacks on the primary gateway for Windows PCs. Using a version of Internet Explorer with unplugged security holes, they automatically surf the web and attempt to become infected. This is not necessarily a time-saver, however. Pages prepared to infect computers by exploiting holes in Internet Explorer must first be located. To improve the odds, computers are provided with URLs that have previously drawn attention for their unsavoury behaviour.
Once the web server has been visited, a comparison is performed with the PCs prior state. One can determine whether the PC was manipulated or not based on the changes that occurred, such as new entries in the registry or new files in a directory. In addition, virulent pages can also be manually examined in order to determine exactly how they work and how the client became infected. Under certain circumstances, one might even encounter zero-day exploits, attacks based on holes that have not been announced and for which no patches are yet available.
Minesweepers
There are currently two projects centred around client-based honeypots: Microsoft's Strider HoneyMonkey and Honeyclient. The former works with virtual XP systems - some fully patched, others not at all - and the rest at some state in between. They then graze their way across the Internet [1], with software known as the Strider Flight Data Recorder monitoring whether a given system has been infected or not. Microsoft's in-house Strider Ghostbuster and Strider Gatekeeper tools additionally check the system for infections by rootkits or spyware. After each visit, the Strider HoneyMonkey Exploit Detection System is then restarted in a virtual, pest-free environment. Microsoft is unfortunately not making its tools available to the public.
Those who want to experiment on their own can try out Honeyclient, an open source solution from Kathy Wang [2]. Two Perl scripts for Windows XP steer Internet Explorer to specified pages and then inspect the registry and a checklist of specific directories for their integrity. When running under Honeyclient's control, Internet Explorer will also follow the links within a page and, if desired, links to external pages as well. The browser is controlled by a script called driver.pl, which provides it with the list of URLs to call up. In order to let driver.pl know which links a page contains, the browser surfs using the proxy.pl proxy, which picks apart server replies, sorting them into internal and external links (extlinks, intlinks) and saving them as files.
After scanning a page the script driver.pl informs if anything has changed on the computer.
Once the driver.pl script has guided Internet Explorer through all of a page's internal links, it then looks for changes in the system. The changes that occurred during the search process are then listed in a file called 'changes'. If new files or registry entries have accrued without the user's input, then some part of the page visited was infectious and exploited security holes in the browser.
Practical experience
Because the standard configuration of Windows does not support Perl, users must first retrofit the OS with a Perl interpreter. The tried-and-tested ActivePerl package is a good choice. The two Honeyclient scripts, proxy.pl and driver.pl, are unpacked from the downloadable archive into a directory of choice. The path of the browser cache must be adjusted in the driver.pl file. Specifics on this process are provided in the README file in the archive. A copy of iexplorer.exe must also be moved into the c:\ root directory.
Proxy.pl is started first, then driver.pl with an initial URL. The driver.pl script then works recursively through the subdirectories defined in checklist.txt and forms MD5 hashes for all files. It then secures the registry state; this results in a lot of time being spent before the script actually begins surfing.
In several tests the two Perl scripts ran in a stable fashion, but we also failed to turn up any pages that wanted to infect a fully unpatched Windows XP without user interaction. We were not infected from the warez and porn sites that we visited. Kathy Wang, the developer of Honeyclient, has also explained in speeches about her project that pornographic and "Penis enlargement" pages are surprisingly uninvolved in spreading malware. Yet surfing a thousand non-infected pages doesn't mean that one should presume that the web is safe. In order better to turn up malicious pages, Aidan Lynch and Daragh Murray from Dublin City University have released a script that combs through Outlook emails looking for URLs and forwards these to driver.pl [3]. Spam mails frequently contain links to virus smugglers.
Conclusion
Administrators can use the information that they've gathered on the fringes of the Net to implement intrusion prevention systems and other filtering measures to protect surfers in their network from these attacks. Security specialists can use the analysis to put together advisories, gaining attention and respect and potentially becoming the first to publish information on a previously unknown hole.
The Honeyclient project is being steadily enhanced by Kathy Wang at Mitre Corporation, which also administers the CVE numbers for vulnerabilities and CME numbers for viruses. Honeyclient could continue to enhance its role as a promising project for preventative protection. (dab)
[1] Strider HoneyMonkey Exploit Detection
[2] Honeyclient Development Project
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
