HoneyCirculator: distributing credential honeytoken for introspection of web-based attack cycle
Abstract
A web user who unknowingly visits a compromised website is typically redirected to an adversary's website, exploited, and forced to download malware. The adversary then steals the user's credentials with information-stealing malware and may use them to impersonate the administrators of public websites owned by individual users and compromise those websites, which in turn become landing sites for drive-by download infections. Identifying such malicious websites by crawling requires a large amount of resources and time. To monitor this web-based attack cycle for effective detection and prevention, we propose HoneyCirculator, a monitoring system based on a honeytoken: it deliberately leaks bait credentials and lures adversaries to a decoy server that behaves like a compromised web content management system (CMS). To analyze the phases of the attack cycle recursively, the proposed system collects malware, distributes bait credentials to it, monitors fraudulent access that uses those credentials, and inspects the web content the adversary plants on the decoy. Because it observes the adversary directly from behind the decoy CMS, it can discover unknown malicious entities immediately, without large-scale web crawling. We operated the system continuously and stably for about one year, and almost all of the malicious websites it discovered had not previously been registered in public blacklists.
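The credential-circulation loop the abstract describes, as an added example that is not code from the HoneyCirculator paper or its authors: each analysed malware sample receives a distinct bait credential, a decoy CMS attributes any login that uses a bait credential back to the sample that leaked it, the content the adversary uploads is inspected for injected external script and iframe sources, and the hosts found are compared against a blacklist. The class and function names, the HMAC-tagged username scheme, the regular expression, and all sample data (sample identifiers, IP addresses, HTML, blacklist entries) are my assumptions and constructed inputs, not the paper's design.

```python
# Added example; not code from the HoneyCirculator paper. Names, the
# HMAC-tagged username scheme, the regex and all inputs are assumptions.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class BaitCredential:
    username: str
    password: str
    sample_id: str          # identifier of the malware sample that leaked it


@dataclass
class Observation:
    sample_id: str
    src_ip: str
    injected_urls: List[str] = field(default_factory=list)


class HoneytokenRegistry:
    """Issues one bait credential per sample and maps logins back to samples."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._by_user: Dict[str, BaitCredential] = {}

    def issue(self, sample_id: str) -> BaitCredential:
        # Keyed tag in the username: without the key the adversary cannot tell
        # which sample a username belongs to. The password is random so that
        # every sample receives a distinct, individually attributable pair.
        tag = hmac.new(self._key, sample_id.encode(), hashlib.sha256).hexdigest()[:8]
        cred = BaitCredential(f"admin_{tag}", secrets.token_urlsafe(12), sample_id)
        self._by_user[cred.username] = cred
        return cred

    def resolve(self, username: str, password: str) -> Optional[BaitCredential]:
        cred = self._by_user.get(username)
        if cred is not None and hmac.compare_digest(cred.password, password):
            return cred
        return None


# External script/iframe sources are the usual drive-by injection vectors.
INJECTED_SRC_RE = re.compile(
    r"<(?:script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)


class DecoyCMS:
    """Decoy 'compromised CMS': accepts bait logins and records what is uploaded."""

    def __init__(self, registry: HoneytokenRegistry) -> None:
        self.registry = registry
        self.observations: List[Observation] = []

    def login(self, username: str, password: str, src_ip: str) -> Optional[Observation]:
        cred = self.registry.resolve(username, password)
        if cred is None:
            return None     # not a bait credential: ordinary scanner noise
        obs = Observation(cred.sample_id, src_ip)
        self.observations.append(obs)
        return obs

    def upload(self, obs: Observation, html: str) -> List[str]:
        urls = INJECTED_SRC_RE.findall(html)
        obs.injected_urls.extend(urls)
        return urls


def hostnames(urls) -> Set[str]:
    return {re.sub(r"^https?://([^/:]+).*$", r"\1", u).lower() for u in urls}


def run_demo() -> dict:
    registry = HoneytokenRegistry(key=b"demo-key-not-for-production")
    cms = DecoyCMS(registry)

    # Constructed sandbox runs: two samples, each is fed its own bait credential.
    cred_a = registry.issue("sample:deadbeef")
    cred_b = registry.issue("sample:cafebabe")

    # Constructed fraudulent access: the adversary reuses the stolen pair and
    # plants a hidden iframe plus an external script on the index page.
    obs = cms.login(cred_a.username, cred_a.password, "198.51.100.7")
    assert obs is not None
    cms.upload(obs, (
        '<html><body><p>index</p>'
        '<iframe src="http://landing.example/ad.php" width=0 height=0></iframe>'
        '<script src=http://redirect.example/js/r.js></script>'
        '<script src="/local/ok.js"></script></body></html>'))

    # Noise that must not be attributed to any sample.
    noise = cms.login("admin", "admin", "203.0.113.9")
    wrong_pw = cms.login(cred_b.username, "guess", "203.0.113.9")

    # Constructed public blacklist to compare the discovered hosts against.
    blacklist = {"known-bad.example"}
    discovered = hostnames(u for o in cms.observations for u in o.injected_urls)
    return {
        "attributed_sample": obs.sample_id,
        "src_ip": obs.src_ip,
        "injected_urls": obs.injected_urls,
        "noise_ignored": noise is None and wrong_pw is None,
        "unlisted_hosts": sorted(discovered - blacklist),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of a distinct credential per sample is attribution: a single login on the decoy ties the access, its source address and whatever gets planted back to the exact sample that exfiltrated the credential, with no crawling involved. A real decoy would additionally record the full HTTP session and keep the planted content isolated so it is never served to genuine visitors.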