Honeyclients bring new twist to honeypots
How the bad guys bring pain to Internet browsing.
"We are fighting a very hard battle. Our adversaries are very motivated," says Mitre security engineer Kathy Wang. "They have a super easy way of making money without a lot of consequences with law enforcement. They are very clever and can get around things."
So how can a hacker make money at browser exploits? It is a rich and varied ecosystem, supported by many different players and income streams.
First, someone develops the exploit code, which typically installs a rootkit, keylogger or browser toolbar. This code is then sold to a third party, who places it on a variety of Web sites around the Internet. These may be legitimate sites that have been compromised, or infected banner ads inserted into an ad-serving network or distributed by adware vendors. When a visitor connects to one of these sites, the code is downloaded silently, without their knowledge. The infected machines form the basis of a botnet that the attacker can control.
But that is just the beginning of the process. The sites need traffic, and the best way they can get it is to be found by search engines that will direct visitors to them.
"A lot of sites are doing redirection. The URL goes to a server, and that is what serves up the exploit," says Yi-Min Wang of Microsoft's Cyber-Intelligence Lab. "So we have to trace each redirect to see who is doing the exploit." There are also so-called typo-squatter domains that try to capture legitimate traffic by changing a letter or two in popular destination URLs.
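The redirect tracing Yi-Min Wang describes is the core of a low-interaction honeyclient: rather than trusting the first URL, the crawler records every hop until a page actually lands, so the analyst can see which host finally served the content. The following is an added example, not code from the article or from either lab's tooling. It walks HTTP 3xx `Location` redirects and HTML meta-refresh redirects, stops on loops or after a hop limit, and records the ordered list of hosts involved. The site map, the `fake_fetch` function and all domain names are constructed for offline use; a real deployment would swap in a browser-driven or HTTP-client fetcher.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# A fetcher returns (status_code, headers, body) for a URL. It is injected so the
# tracer can run offline against the constructed site map below (assumption:
# a production honeyclient would back this with a real HTTP client or browser).
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

# Matches the common form <meta http-equiv="refresh" content="0; url=...">.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)


@dataclass
class RedirectTrace:
    chain: List[str] = field(default_factory=list)   # every URL visited, in order
    hosts: List[str] = field(default_factory=list)   # distinct hosts, first-seen order
    final_status: Optional[int] = None               # status of the last fetch
    stopped_reason: str = "landed"                   # "landed", "loop" or "max_hops"


def next_hop(status: int, headers: Dict[str, str], body: str, current_url: str) -> Optional[str]:
    """Return the URL a client would be sent to next, or None if the page lands."""
    if 300 <= status < 400:
        loc = headers.get("Location") or headers.get("location")
        if loc:
            return urljoin(current_url, loc)   # resolve relative Location values
    m = META_REFRESH.search(body)
    if m:
        return urljoin(current_url, m.group(1))
    return None


def trace_redirects(start_url: str, fetch: Fetcher, max_hops: int = 10) -> RedirectTrace:
    """Follow redirects from start_url, recording the chain and why it ended."""
    trace = RedirectTrace()
    seen = set()
    url = start_url
    while True:
        trace.chain.append(url)
        seen.add(url)
        host = urlparse(url).netloc
        if host not in trace.hosts:
            trace.hosts.append(host)
        status, headers, body = fetch(url)
        trace.final_status = status
        nxt = next_hop(status, headers, body, url)
        if nxt is None:
            trace.stopped_reason = "landed"      # this host served the final page
            return trace
        if nxt in seen:
            trace.stopped_reason = "loop"        # A -> B -> A; stop rather than spin
            return trace
        if len(trace.chain) - 1 >= max_hops:
            trace.stopped_reason = "max_hops"    # cap runaway chains
            return trace
        url = nxt


# Constructed site map (hypothetical hosts under the reserved .example TLD):
# a typo-squat domain bounces through an ad network to a separate exploit host.
SITE_MAP = {
    "http://typo-sqautter.example/": (302, {"Location": "http://ads.example/click?id=7"}, ""),
    "http://ads.example/click?id=7": (200, {}, '<html><meta http-equiv="refresh" content="0; url=/landing"></html>'),
    "http://ads.example/landing": (301, {"Location": "http://exploit-host.example/sploit.html"}, ""),
    "http://exploit-host.example/sploit.html": (200, {}, "<html>final page</html>"),
    "http://loop-a.example/": (302, {"Location": "http://loop-b.example/"}, ""),
    "http://loop-b.example/": (302, {"Location": "http://loop-a.example/"}, ""),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for a fetcher; unknown URLs return 404."""
    return SITE_MAP.get(url, (404, {}, ""))


if __name__ == "__main__":
    t = trace_redirects("http://typo-sqautter.example/", fake_fetch)
    print(" -> ".join(t.chain))
    print("hosts in chain:", t.hosts, "| ended:", t.stopped_reason)
```

The `hosts` list is what an analyst would key on: the first host is where the visitor was lured, the last is the one that actually served the page, and every intermediate host is a potential ad network or compromised site worth its own follow-up.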
The botnets are used to visit sites owned by other parties and generate page views that elevate those sites in the search engine rankings, so even more traffic comes their way.
"Some sites don't have any malicious software and just serve up banner advertisements and profit from the traffic," says Yi-Min Wang.
The bad guys are getting better at spotting the honeyclients, says Kathy Wang. "Because we use VMware server, the hackers are looking for obvious signs that the incoming request is coming from a VM environment, such as querying for an I/O port, instruction set, and device driver information."
This was first published in November 2007