
Honeyclients bring new twist to honeypots

Honeyclients are unpatched web browsers that actively seek malicious websites.

Honeyclients are creating a buzz in the security world, giving malicious Web sites the sharp end.

The desktop Web browser has long been a security sinkhole. It's grown deeper, despite emphasis on secure coding, greater user awareness, improvements to Internet Explorer and the use of alternatives like Firefox and Opera. Criminals lure users to thousands of malicious or compromised Web sites to scam their identity information or drop some nasty code on their computers.

Detecting these sites and collecting and countering exploits has been somewhat like playing Whack-A-Mole, but security researchers are finding effective ways to fight back. Microsoft and open source advocates are pursuing two of the more promising initiatives, aggressively hunting for exploits using honeyclients, an active variation of honeynet techniques.

While honeynets have been around for some time, they are passive collectors, sitting on some random network on the Internet, waiting for a hacker to connect and leave evidence. Typically, they consist of a Web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. While they are great at documenting exploits, they have one big disadvantage: They can't go out and actively search for the bad guys who are running Web sites designed to infect unsuspecting visitors.

Honeyclients, however, are hunters, not decoy victims; they run Web browsers and actively seek dangerous sites.

"Browsers and other client-side applications have become more and more the weakest link in the security chain," says Thorsten Holz, one of the founders of the German Honeynet Project and coauthor of Virtual Honeypots: From Botnet Tracking to Intrusion Detection. "The vendors now take a closer look at hardening the OS, but client-side applications still have tons of vulnerabilities."

There are several reasons for this shift from server to browser attacks.

"This has been driven both by advancements in secure coding practices for server-side software and, more importantly, by the explosion of phishing and identity theft attacks," says Michael Sutton, the security evangelist for SPI Dynamics, which was recently acquired by HP. "Attackers have realized that it is easier to find a weak point when targeting employees and end users versus a hardened server, which is actively protected."

The situation is fairly depressing. There are compromised Web sites in most any subject category, according to honeynet researchers.

"Anybody accessing the Web is at risk regardless of the type of content they browse for or the way the content is accessed," write Holz and four other authors of the Honeynet Project paper Know Your Enemy: Malicious Web Servers. "Adjusting browsing behavior is not sufficient to entirely mitigate such risk. Even if a user makes it a policy to only type in URLs rather than following hyperlinks, they are still at risk from typo-squatter URLs."

Flying Across the Web
Because the honeynet server isn't a destination site for any ordinary user, security researchers say that any access recorded by the server is probably from someone up to no good. In contrast, researchers using honeyclients must discern which of the sites they visit are malicious and which are benign, since they are working from a collection of URLs whose security status is undetermined.

Honeyclients have three components:

  • An automated script-based system that drives the PC and Web browser to visit a series of URLs in the hope of finding a compromised Web server.

  • A recording program that documents changes to the PC, just like the one used on the honeynet.

  • A series of virtual machines running multiple PC and browser sessions on the same physical system. After each session is completed and any changes are recorded, the virtual machine is restarted with a clean image before trying the next URL in the sequence.

Honeyclients can uncover new forms of malware that may not be reported or publicized, giving security researchers a jump on the bad guys. This is because they look for changes to the underlying OS and browser configuration, rather than scan for attack signatures or behavioral patterns.

Redmond's Worker Bees
Microsoft began a honeyclient project, HoneyMonkey (www.research.microsoft.com/HoneyMonkey/), in 2005 as part of its overall program to improve Windows and Internet security. It consists of the Flight Data Recorder, which tracks OS configuration changes caused by malicious sites, a URL collection component and a search page link scanning component.

The project started with a more general effort to better document Windows crashes and "blue screens of death" and track down their causes, building what became the Flight Data Recorder, which "tracks everything that updates the file system and Windows registry," says Yi-Min Wang, director of the Cyber-Intelligence Lab in Microsoft's Internet Services Research Center.

Wang wanted to expand the project focus beyond just finding bad Web sites and examine the entire ecosystem a hacker operates to drive traffic to these sites.

"We now have a much broader understanding of how malicious sites fit into the bigger picture," he says. "People use these Internet scams by getting placed in search places, getting lots of traffic to visit their sites, and exploiting the browsers of these visitors by placing malicious software and charging the authors of that software for these placements."

The project now runs 2,000 PCs and 1,000 production servers. Each PC runs Virtual PC along with some custom code to drive Internet Explorer to visit a series of Web sites and then record any changes to the operating system and browser configuration.

The PCs compile a list of malicious URLs, which is used to seed a second network of 10 fully patched PCs, which revisit the sites to see if a hacker can still get through to the PC. "If they can," Wang says, "that is a very serious exploit."

Finding malicious Web sites is just the first step. The bad sites have to be removed from search results pages so unsuspecting visitors won't visit them. And, the newly discovered malware needs to be sent to security specialists, who can write the antidotes or protection signatures.

"Every time we detect a new malicious site, our legal department sends a takedown notice to the site's ISP," says Wang.

Sweet Deal
Use honeyclient projects to help protect your organization.

Honeyclient research efforts have very practical application for IT and security managers, and can help improve browser and network security practices in everyday corporate use.

A good place to start to understand the scope of honeyclients is to download the German Honeynet Project paper Know Your Enemy: Malicious Web Servers (www.honeynet.org/papers/mws/), along with the data set of suspected URLs and description of mitigation actions you can take to try to avoid Web-based infections. The researchers offer suggestions for creating URL blacklists, what to patch and when, and choosing the right desktop browser software.

One of their recommendations is to use a browser with minimal market share. "The tests we conducted show that a simple but effective way to remove yourself as a targeted user is to use a non-mainstream application, such as Opera. Despite the existence of vulnerabilities, this browser didn't seem to be a target," say the paper's authors. Of course, one problem with picking a less-known browser is that many sites don't work well when viewed with it.

Next, IT managers need to ensure that their users' machines are running with best practices, including personal firewalls and/or host-based intrusion detection software. If you're an IE shop, upgrade to IE 7 and run users in non-administrative modes to prevent possible infections. Unlike earlier versions, IE 7 runs a separate "sandbox" by default to limit its exposure.

Finally, make sure to patch third-party applications and client software, particularly those that make up any supported browser plug-ins, viewers and other secondary pieces that are commonly used along with the main browser software.

"Everyone now should have a pretty good understanding of the Microsoft patch cycle, but do you also patch all of your Shockwave or Flash clients too?" asks Thorsten Holz of the German Honeynet Project.

--David Strom
Honeycombing the Internet
Open HoneyClient (www.honeyclient.org/trac) began by extending the original work on the honeynet server-based project. This open source initiative, sponsored by Mitre and researchers from Germany and New Zealand, publishes the code and VMware images that can be used to construct honeyclient systems to seek exploits against IE and Firefox systems.

"We also have different configurations that we are testing, such as ranging from Windows XP with SP2 to XP without any patches," says Kathy Wang, a lead information security engineer at Mitre.

Testing different XP versions is critical to mimic user experiences, she says. "This is because machines running pirated versions of XP aren't going to be able to obtain SP2 patches. We also are planning to look at more than browser exploits. This includes peer-to-peer applications and Domain Name System clients."

Like HoneyMonkey, the open-source honeyclients look for changes to the Windows operating system, such as modified registry keys, new or deleted files in system folders, as well as processes that have been changed or created. The main difference is the project has no legal firepower, and relies on publicity and cooperation from security vendors and ISPs to block malicious sites. The researchers say that all of the major antimalware vendors have implemented signature changes as a result of what they have found.
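The three-component design described under "Flying Across the Web" and the change classes listed here (registry keys, files in system folders, processes) come down to one mechanism: snapshot the guest, visit the URL, snapshot again, diff. The block below is an added illustration of that diff step, not code from HoneyMonkey or the Open HoneyClient project; the guest disk is a temporary directory, the registry and process list are plain dicts, and every path, key and file name in it is constructed for the example.

```python
import hashlib
import os
import pathlib
import tempfile

# Watched folders, relative to a temp dir that stands in for the guest disk (constructed).
WATCHED_DIRS = ("Windows/System32", "Users/Default/Start Menu/Startup")

def snapshot_tree(root):
    """Map every file under root to its SHA-256 digest (the file-system snapshot)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap

def diff_state(before, after):
    """Added, removed and modified keys between two snapshots (files, registry or processes)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def verdict(fs_diff, reg_diff, proc_diff):
    """Flag the visit when watched folders, autorun keys or the process list changed."""
    fs_hits = [p for c in fs_diff.values() for p in c if p.startswith(WATCHED_DIRS)]
    reg_hits = [k for c in reg_diff.values() for k in c if "\\Run\\" in k]
    proc_hits = proc_diff["added"] + proc_diff["modified"]
    return {"malicious": bool(fs_hits or reg_hits or proc_hits),
            "files": fs_hits, "registry": reg_hits, "processes": proc_hits}

def simulate_visit(site_drops_malware):
    """Snapshot a constructed guest, 'visit' a URL, snapshot again and compare."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = pathlib.Path(root, "Windows", "System32")
        sysdir.mkdir(parents=True)
        (sysdir / "kernel32.dll").write_bytes(b"constructed clean system file")
        reg = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": "ctfmon.exe"}
        procs = {"explorer.exe": 1234, "iexplore.exe": 2048}
        fs_before, reg_before, proc_before = snapshot_tree(root), dict(reg), dict(procs)
        if site_drops_malware:  # what a drive-by download typically leaves behind
            (sysdir / "svchosts.dll").write_bytes(b"constructed dropped payload")
            reg[r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"] = "rundll32 svchosts.dll"
            procs["rundll32.exe"] = 3100
        return verdict(diff_state(fs_before, snapshot_tree(root)),
                       diff_state(reg_before, reg), diff_state(proc_before, procs))
```

Because the verdict rests on state changes rather than signatures, a dropper the antivirus engines have never seen is still caught, which is exactly why the researchers above report finding variants their vendors had missed.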

Mitre started the project in 2005 with seven machines; the New Zealand group at Victoria University has another dozen. There certainly are more systems scattered all over the world, but the exact number is unknown because anyone can download and install their code.

So far, the group at Mitre has found at least 10 new malware variants. "All of these are ones that the major antivirus products weren't able to initially detect," says Kathy Wang.

Meanwhile, the Germany/New Zealand group of researchers found 306 malicious URLs earlier this year, from 194 hosts, trolling through an initial population of more than 300,000 URLs. That team has developed tests (www.nz-honeynet.org/cwebservice.php) that anyone can run on a suspected Web server: Enter a suspect URL and the service tells you whether it suspects the site of running malware.

Next, the project teams want to coordinate how all their downloaded tracking systems scan the overall Internet, similar to how SETI@home coordinates the scanning of radio signals from outer space. They are working on extensions to the honeyclient project that will enable wide-scale distribution of their software.

"It is time to start learning by winning this war. We need to find the attackers and stop them before they compromise our machines," Kathy Wang declares. "Most of us are far too reactive in defending our systems. Once we get a lot more players, we can share information on trends and attack vectors. Then you don't have to be defenseless from zero-day attacks."

A Hornet's Nest
How the bad guys bring pain to Internet browsing.

"We are fighting a very hard battle. Our adversaries are very motivated," says Mitre security engineer Kathy Wang. "They have a super easy way of making money without a lot of consequences with law enforcement. They are very clever and can get around things."

So how can a hacker make money at browser exploits? It is a rich and varied ecosystem, supported by many different players and income streams.

First, someone develops the exploit code, typically a rootkit, keylogger, browser toolbar, etc. This code is then sold to a third party, who places it on a variety of Web sites around the Internet. These may be legitimate sites that have been compromised, or infected banner ads that are inserted on an ad-serving network or adware distributors. When a visitor connects to these sites, the code is silently downloaded without their knowledge. These machines form the basis of a botnet that can be controlled by the hacker.

But that is just the beginning of the process. The sites need traffic, and the best way they can get it is to be found by search engines that will direct visitors to them.

"A lot of sites are doing redirection. The URL goes to a server, and that is what serves up the exploit," says Yi-Min Wang of Microsoft's Cyber-Intelligence Lab. "So we have to trace each redirect to see who is doing the exploit." There are also so-called typo-squatter domains that try to capture legitimate traffic by changing a letter or two in popular destination URLs.
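Tracing each redirect, as Wang describes, means following HTTP Location headers and meta-refresh tags hop by hop until a landing page is reached, while bounding the walk so a looping or endless chain cannot hang the crawler. The block below is an added example of that tracing logic, not HoneyMonkey code; it replaces live fetches with a constructed response table (all hostnames in it are invented), so it runs offline.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses standing in for live fetches: url -> (status, headers, body).
FAKE_WEB = {
    "http://search-result.example/page": (302, {"Location": "/go?x=1"}, ""),
    "http://search-result.example/go?x=1": (302, {"Location": "http://tracker.example/click"}, ""),
    "http://tracker.example/click": (200, {}, '<meta http-equiv="refresh" '
                                              'content="0;url=http://drop-site.example/e.php">'),
    "http://drop-site.example/e.php": (200, {}, "<html>landing page</html>"),
    "http://loop.example/a": (301, {"Location": "/b"}, ""),
    "http://loop.example/b": (301, {"Location": "/a"}, ""),
}

META_REFRESH = re.compile(
    r'http-equiv=["\']refresh["\'][^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)

def fetch(url):
    """Stand-in for an HTTP GET; unknown URLs behave like a 404 with no body."""
    return FAKE_WEB.get(url, (404, {}, ""))

def next_hop(url, status, headers, body):
    """URL the browser would move to next, or None when this is the landing page."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])  # relative Location headers are resolved
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def trace_redirects(start, max_hops=10):
    """Walk the chain from start; stop on a landing page, a loop, or the hop limit."""
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops:
        nxt = next_hop(url, *fetch(url))
        if nxt is None:
            return {"chain": chain, "landing_host": urlsplit(url).hostname, "stopped": "landed"}
        if nxt in seen:
            return {"chain": chain + [nxt], "landing_host": urlsplit(url).hostname, "stopped": "loop"}
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return {"chain": chain, "landing_host": urlsplit(url).hostname, "stopped": "max_hops"}
```

The host that finally serves the page, not the search result the user clicked, is the one to record and report, which is why the chain is kept in full.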

The botnets are used to visit sites owned by other parties and collect page views that will elevate them in the search engine rankings, so even more traffic will come their way.

"Some sites don't have any malicious software and just serve up banner advertisements and profit from the traffic," says Yi-Min Wang.

The bad guys are getting better at spotting the honeyclients, says Kathy Wang. "Because we use VMware server, the hackers are looking for obvious signs that the incoming request is coming from a VM environment, such as querying for an I/O port, instruction set, and device driver information."

--David Strom
