| Honeyclients are creating a buzz in the security world, giving malicious Web sites the sharp end.
Detecting these sites and collecting and countering exploits has been somewhat like playing Whack-A-Mole, but security researchers are finding effective ways to fight back. Microsoft and open source advocates are pursuing two of the more promising initiatives, aggressively hunting for exploits using honeyclients, an active variation of honeynet techniques.
While honeynets have been around for some time, they are passive collectors, sitting on some random network on the Internet, waiting for a hacker to connect to and leave evidence. Typically, they consist of a Web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. While they are great at documenting exploits, they have one big disadvantage: They can't go out and actively search for the bad guys who are running Web sites designed to infect unsuspecting visitors.
Honeyclients, however, are hunters, not decoy victims; they run Web browsers and actively seek dangerous sites.
"Browsers and other client-side applications have become more and more the weakest link in the security chain," says Thorsten Holz, one of the founders of the German Honeynet Project and coauthor of Virtual Honeypots: From Botnet Tracking to Intrusion Detection. "The vendors now take a closer look at hardening the OS, but client-side applications still have tons of vulnerabilities."
There are several reasons for this shift from server to browser attacks.
| "This has been driven both by advancements in secure coding practices for server-side software and, more importantly, by the explosion of phishing and identity theft attacks," says Michael Sutton, the security evangelist for SPI Dynamics, which was recently acquired by HP. "Attackers have realized that it is easier to find a weak point when targeting employees and end users versus a hardened server, which is actively protected."
The situation is fairly depressing. There are compromised Web sites in most any subject category, according to honeynet researchers.
"Anybody accessing the Web is at risk regardless of the type of content they browse for or the way the content is accessed," writes Holz and four other authors of the Honeynet Project paper Know Your Enemy: Malicious Web Servers. "Adjusting browsing behavior is not sufficient to entirely mitigate such risk. Even if a user makes it a policy to only type in URLs rather than following hyperlinks, they are still at risk from typo-squatter URLs."
Flying Across the Web
Honeyclients have three components:
| Redmond's Worker Bees
Microsoft began a honeyclient project, HoneyMonkey (www.research.microsoft.com/HoneyMonkey/), in 2005 as part of its overall program to improve Windows and Internet security. It consists of the Flight Data Recorder, which tracks OS configuration changes caused by malicious sites, a URL collection and a search page link scanning component.
The project started with a more general effort to better document Windows crashes and "blue screens of death" and track down their causes, building what became the Flight Data Recorder, which "tracks everything that updates the file system and Windows registry," says Yi-Min Wang, director of the Cyber-Intelligence Lab in Microsoft's Internet Services Research Center.
Wang wanted to expand the project focus beyond just finding bad Web sites and examine the entire ecosystem a hacker operates to drive traffic to these sites.
"We now have a much broader understanding of how malicious sites fit into the bigger picture," he says. "People use these Internet scams by getting placed in search places, getting lots of traffic to visit their sites, and exploiting the browsers of these visitors by placing malicious software and charging the authors of that software for these placements."
The project now runs 2,000 PCs and 1,000 production servers. Each PC runs Virtual PC along with some custom code to drive Internet Explorer to visit a series of Web sites and then record any changes to the operating system and browser configuration.
The PCs compile a list of malicious URLs, which is used to seed a second network of 10 fully patched PCs, which revisit the sites to see if a hacker can still get through to the PC. "If they can," Wang says, "that is a very serious exploit."
Finding malicious Web sites is just the first step. The bad sites have to be removed from search results pages so unsuspecting visitors won't visit them. And, the newly discovered malware needs to be sent to security specialists, who can write the antidotes or protection signatures.
"Every time we detect a new malicious site, our legal department sends a takedown notice to the site's ISP," says Wang.
Open HoneyClient (www.honeyclient.org/trac) began by extending the original work on the honeynet server-based project. This open source initiative, sponsored by Mitre and researchers from Germany and New Zealand, publishes the code and VMware images that can be used to construct honeyclient systems to seek exploits against IE and Firefox systems.
"We also have different configurations that we are testing, such as ranging from Windows XP with SP2 to XP without any patches," says Kathy Wang, a lead information security engineer at Mitre.
| Testing different XP versions is critical to mimic user experiences, she says. "This is because machines running pirated versions of XP aren't going to be able to obtain SP2 patches. We also are planning to look at more than browser exploits. This includes peer-to-peer applications and Domain Name System clients."
Like HoneyMonkey, the open-source honeyclients look for changes to the Windows operating system, such as modified registry keys, new or deleted files in system folders, as well as processes that have been changed or created. The main difference is the project has no legal firepower, and relies on publicity and cooperation from security vendors and ISPs to block malicious sites. The researchers say that all of the major antimalware vendors have implemented signature changes as a result of what they have found.
Mitre started the project in 2005 with seven machines; the New Zealand group at Victoria Uni-versity has another dozen. There certainly are more systems scattered all over the world, but the exact number is unknown because anyone can download and install their code.
So far, the group at Mitre has found at least 10 new malware variants. "All of these are ones that the major antivirus products weren't able to initially detect," says Kathy Wang.
Meanwhile, the Germany/New Zealand group of researchers found 306 malicious URLs earlier this year, from 194 hosts, trolling through an initial population of more than 300,000 URLs. That team has developed tests (www.nz-honeynet.org/cwebservice.php) that anyone can run on a suspected Web server: Enter a suspect URL and the service tells you whether it suspects the site of running malware.
Next, the project teams want to coordinate how all their downloaded tracking systems scan the overall Internet, similar to how [email protected] coordinates the scanning of radio signals from outer space. They are working on extensions to the honeyclient project that will enable wide-scale distribution of their software.
"It is time to start learning by winning this war. We need to find the attackers and stop them before they compromise our machines," Kathy Wang declares. "Most of us are far too reactive in defending our systems. Once we get a lot more players, we can share information on trends and attack vectors. Then you don't have to be defenseless from zero-day attacks."