Copyright 2014 NTT corp. All Rights Reserved.

Size: px

Start display at page:

Norma O’Brien’
6 years ago
Views:

2 Credential Honeytoken for Tracking Web-based Attack Cycle Mitsuaki Akiyama NTT Secure Platform Laboratories / NTT-CERT

3 Who I am Mitsuaki Akiyama Security Researcher (Ph.D) Research interests: honeypots, malware analysis, exploit analysis Developer of various types of honeypots NTT Secure Platform Laboratories / NTT-CERT

4 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

5 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

6 Web-based attack cycle Malware infection Compromised websites Credential leakage

Web-based attack cycle detail 1. Access Web Web user / server administrator Web server / content management system 5. Access web 2. Infect with malware 3.

7 Web-based attack cycle detail 1. Access Web Web user / server administrator Web server / content management system 5. Access web 2. Infect with malware 3. Leak credentials Credential Credential 4. Compromise web content 6. Redirect to malicious website Malicious website Adversary 7. Infect with malware Malicious website Other web user Our proposal: honeytoken based observation

8 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

9 What is a Honeytoken? Honeypot: decoy system resource Honeytoken: not computer system; resource-centric honeypot Bait office document Bait database entry Bait credential Username Password honey 123abc Studies on credential honeytokens Phishing Phisher [ICIMP2007], Anti-phishing framework [ecrime2009], BotSwindler [RAID2010] Leakage Victim Honeytoken Service Usage Honeytoken Adversary

10 Our approach Chain each attack phase on web-based attack cycle leak honeytokens monitor usages of honeytokens analyze drive-by downloads on compromised websites integrate each method into our system for automatic observation Sources of malware infection Victim Leakage Honeytoken Usages for secondary attacks Drive by download Attack cycle Usage Service Honeytoken Adversary

11 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

12 Client applications targeted for stealing credentials Analyzing malware on sandbox Malware executables from the web Various kinds of malware read configuration files of applications without user s permission FTP client: 24 kinds IM client: 3 kinds Mail client: 4 kinds Web authoring tool : 2 kinds Web browser: 6 kinds Other: 14 kinds Malware sandbox Malware executable e.g., C: Program Files BPFTP Default.bps Credential is described

13 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental result Summary and conclusion

Observation system and procedure Client honeypot Web space

14 Observation system and procedure Client honeypot Web space Step 4. Inspect compromised web content Malware sandbox Web Content Management System (WCMS) honeypot Step 1. Collect malware Step 2. Leak bait credentials Honeytoken Step 3. Observe compromising Honeytoken Malicious websites Adversary s host Adversary s host Honeytoken Honeytoken Honeytoken Adversary

15 Step 1. Collect malware Client honeypot crawls seed URLs and collects malware public blacklists and general websites drive-by download and click-download executables Client honeypot 1. Crawl web space. Malicious website 2. Detect exploit and collect information. 3. Send collected malware. Web space Malware pool

16 Step 2. Leak bait credential Malware pool 2. Execute malware on sandbox. 1. Set bait credential (honeytoken) for each analysis. 3. Steal credential. User name Password Server Generate unique bait credential in each malware analysis. honey 123abc 4. Send stolen credential if malware has info leak functionality. honey.example.com i.e., FTP client s configuration file Malware sandbox on Windows OS Adversary s host Possible to identify malware with information-leaking functionality at moment of using honeytoken

files used as bait Expected that web content will be compromised by an adversary e.g.

17 Step 3. Observe compromising WCMS honeypot deploys bogus web content (HTML, JS, CGI) CMS packages and original files used as bait Expected that web content will be compromised by an adversary e.g., injecting redirect code leading to exploit sites WCMS Honeypot 3. Collect compromised files User A s home directory Bogus directory Bogus file Bogus file User B User C Manager 2. Collect access log FTPd Honeytoken Adversary s hosts

18 Step 4. Inspect compromised web content Client honeypot 1. Inspect WCMS honeypot Compromised web contents Redirect code 3. Output 2. Redirect Unknown malicious websites Unknown malware executables Web space Malicious website

19 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

20 Experimental setup and brief result Experimental period Mar to Feb (about one year) Seed URLs Blacklist URLs (malwaredomainlist.com) and general public websites Compromised web content on WCMS honeypot was also used for seed. Crawling repeatedly at regular intervals (2 or 3 days) Collected malware Total 5,474 Brief result Successful observation of web-based attack cycle for over a year 4.1% of malware had a part in the web-based attack cycle. 900 malicious FQDNs, 10,420 malicious IP addresses; very small overlap between them and well-known blacklists

Basic control structure on adversary side A s credential Login

Accessed FTP account Control Adversary B s credential C s

206 uie43076 2012-12-24 10:16:23 94.249.247.

20 klf43337 Bot PCs 2012-12-24 17:34:54 94.73.129.

21 Basic control structure on adversary side A s credential Login history of our WCMS honeypot Timestamp Login IP (remote host) Accessed FTP account Control Adversary B s credential C s credential :20: uie :16: uie :35: klf43337 Bot PCs :34: klf :30: jxk34214 Login IP addresses and accounts have many to many relationship. Login User A User B User C WCMS honeypot

22 Graph structure of adversary groups Group A Multiple infected hosts? IP address of remote host Compromised FTP account Group B Group C Group D Group E Group F Group G Group H Group I Group J Group K Group L Group M Group N Group O Group P

23 Lifespans and activities of adversary groups

24 Compromised web content Injected code WCMS honeypot Obfuscated JavaScript iframe redirect code deobfuscate by client honeypot <iframe src= width= 10 style= visibility:hidden; position:absolute; left0; top:0; ></iframe> Exploit site URL

25 Redirection to exploit sites Injected redirect codes in compromised web content point to malicious websites (exploit sites). Redirect destinations (malicious websites) are frequently changed. By inspecting them, our system can discover new, unknown malicious websites without large-scale crawling. Compromised web content acts as landing site Injected redirect code to exploit site Redirect Malicious websites hosting exploit code (Exploit site) Victim

26 Exploit kit on exploit sites Well-known exploit kits observed by our system identified by manual analysis Heuristics to identify URL characteristics (path, fine name, URL parameter), redirect graph, content types, etc. Exploit kit # of IPs # of FQDNs Blackhole Redkit Phoenix Incognito Neosploit 19 7 Malicious websites hosting exploit code (Exploit site)

) controls redirect destinations redirects a crawler to popular websites in order to conceal exploit sites

27 Multi-redirection via Traffic Direction System Traffic Direction System (TDS) used for cyber criminal activities (drive-by infection, drug trading, etc.) controls redirect destinations redirects a crawler to popular websites in order to conceal exploit sites Compromised web content performs as landing site TDS Exploit site Injected redirect code to TDS Redirect Redirect Victim Crawler Redirect Popular websites (e.g.,

28 TDSs deployed by adversary groups Group A IP address of remote host Compromised FTP account Group B TDS_A (Unknown) 9,476IPs, Group F 84 FQDNs Fast flux botnet? Group C Group G TDS_B 33 IPs, 525 Group FQDNs E

29 Evaluation: Blacklist overlap comparison Overlap between our obtained malicious entities and malicious IP addresses/fqdns on public blacklists Our obtained malicious entities Type of information Adversary IP (accessing FTP) # of IPs # of FQDNs 722 (n/a) TDS_A 9, TDS_B Blackhole Redkit Phoenix Incognito Neosploit 19 7 Public blacklists entities (registered in the same period of our experiment) Blacklists # of IPs # of FQDNs MalwareDomainList (MDL) 3,489 3,741 MalwarePatrol (MP) 5,457 6,425 UrlBlackList (UBL) 208, ,945 MalwareDomain- 3,009 13,212 BlackList (MDB) ZeusTracker (ZT) 1,672 1,971 CleanMX-viruses (CMX) 65,456 (n/a) Overlap comparison

30 IP address overlap Type of info. Collected MD L Adversary IP (accessing FTP) M P UB L MD B ZT CMX TDS_A 9, TDS_B Blackhole Redkit Phoenix Incognito Neosploit Total 10, / 10,420 = 4.5% overlap

31 FQDN overlap Type of info. Collected MD L Adversary IP (accessing FTP) M P UB L MD B ZT (n/a) (n/a) (n/a) (n/a) (n/a) (n/a ) CMX (n/a) TDS_A (n/a) TDS_B (n/a) Blackhole (n/a) Redkit (n/a) Phoenix (n/a) Incognito (n/a) Neosploit (n/a) Total (n/a) 155 / 900 = 17% overlap

32 Evaluation: Speed of malicious domain discovery In theory, our system can immediately discover malicious websites when they are used. Domain registration time Discovery latency Domain discovery time CDF Discovery latency (days) Almost all domains were discovered within 60 days (2 months) of their creation. Our discovery method is obviously faster than other blacklists.

33 Outline Background: web-based attack cycle Honeytoken Preliminary investigation: information leaking malware Proposed system Experimental results Summary and conclusion

34 Summary and conclusion Observation system based on credential honeytoken successfully tracks complicated web-based attack cycle Effectiveness Instantaneous discovery of malicious entities without requiring large-scale crawling Small overlap between obtained malicious entities and those registered in famous public blacklists Enhanced observation space Observation space is essentially different from conventional blacklisting approaches.

PhishEye: Live Monitoring of Sandboxed Phishing Kits. Xiao Han Nizar Kheir Davide Balzarotti

PhishEye: Live Monitoring of Sandboxed Phishing Kits Xiao Han Nizar Kheir Davide Balzarotti Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd