Honeyclients bring new twist to honeypots

The desktop Web browser has long been a security sinkhole. It's grown deeper, despite emphasis on secure coding, greater user awareness, improvements to Internet Explorer and the use of alternatives like Firefox and Opera. Criminals lure users to thousands of malicious or compromised Web sites to scam their identity information or drop some nasty code on their computers.

Detecting these sites and collecting and countering exploits has been somewhat like playing Whack-A-Mole, but security researchers are finding effective ways to fight back. Microsoft and open source advocates are pursuing two of the more promising initiatives, aggressively hunting for exploits using honeyclients, an active variation of honeynet techniques.

While honeynets have been around for some time, they are passive collectors, sitting on some random network on the Internet, waiting for a hacker to connect to and leave evidence. Typically, they consist of a Web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. While they are great at documenting exploits, they have one big disadvantage: They can't go out and actively search for the bad guys who are running Web sites designed to infect unsuspecting visitors.

Honeyclients, however, are hunters, not decoy victims; they run Web browsers and actively seek dangerous sites.

"Browsers and other client-side applications have become more and more the weakest link in the security chain," says Thorsten Holz, one of the founders of the German Honeynet Project and coauthor of Virtual Honeypots: From Botnet Tracking to Intrusion Detection. "The vendors now take a closer look at hardening the OS, but client-side applications still have tons of vulnerabilities."

There are several reasons for this shift from server to browser attacks.

The situation is fairly depressing. There are compromised Web sites in most any subject category, according to honeynet researchers.

"Anybody accessing the Web is at risk regardless of the type of content they browse for or the way the content is accessed," writes Holz and four other authors of the Honeynet Project paper Know Your Enemy: Malicious Web Servers. "Adjusting browsing behavior is not sufficient to entirely mitigate such risk. Even if a user makes it a policy to only type in URLs rather than following hyperlinks, they are still at risk from typo-squatter URLs."

Flying Across the Web
Because the honeynet server isn't a destination site for any ordinary user, security researchers say that any access recorded by the server is probably from someone up to no good. In contrast, researchers using honeyclients must discern which sites it visits are malicious and which are benign, since they are using a collection of URLs whose security status is undetermined.

Honeyclients have three components:

• An automated script-based system that drives the PC and Web browser to visit a series of URLs in the hope of finding a compromised Web server.



• A recording program that documents changes to the PC, just like the one used on the honeynet.



• A series of virtual machines running multiple PC and browser sessions on the same physical system. After each session is completed and any changes are recorded, the virtual machine is restarted with a clean image before trying the next URL in the sequence.

The project started with a more general effort to better document Windows crashes and "blue screens of death" and track down their causes, building what became the Flight Data Recorder, which "tracks everything that updates the file system and Windows registry," says Yi-Min Wang, director of the Cyber-Intelligence Lab in Microsoft's Internet Services Research Center.

Wang wanted to expand the project focus beyond just finding bad Web sites and examine the entire ecosystem a hacker operates to drive traffic to these sites.

"We now have a much broader understanding of how malicious sites fit into the bigger picture," he says. "People use these Internet scams by getting placed in search places, getting lots of traffic to visit their sites, and exploiting the browsers of these visitors by placing malicious software and charging the authors of that software for these placements."

The project now runs 2,000 PCs and 1,000 production servers. Each PC runs Virtual PC along with some custom code to drive Internet Explorer to visit a series of Web sites and then record any changes to the operating system and browser configuration.

The PCs compile a list of malicious URLs, which is used to seed a second network of 10 fully patched PCs, which revisit the sites to see if a hacker can still get through to the PC. "If they can," Wang says, "that is a very serious exploit."

Finding malicious Web sites is just the first step. The bad sites have to be removed from search results pages so unsuspecting visitors won't visit them. And, the newly discovered malware needs to be sent to security specialists, who can write the antidotes or protection signatures.

"Every time we detect a new malicious site, our legal department sends a takedown notice to the site's ISP," says Wang.

Like HoneyMonkey, the open-source honeyclients look for changes to the Windows operating system, such as modified registry keys, new or deleted files in system folders, as well as processes that have been changed or created. The main difference is the project has no legal firepower, and relies on publicity and cooperation from security vendors and ISPs to block malicious sites. The researchers say that all of the major antimalware vendors have implemented signature changes as a result of what they have found.

Mitre started the project in 2005 with seven machines; the New Zealand group at Victoria Uni-versity has another dozen. There certainly are more systems scattered all over the world, but the exact number is unknown because anyone can download and install their code.

So far, the group at Mitre has found at least 10 new malware variants. "All of these are ones that the major antivirus products weren't able to initially detect," says Kathy Wang.

Meanwhile, the Germany/New Zealand group of researchers found 306 malicious URLs earlier this year, from 194 hosts, trolling through an initial population of more than 300,000 URLs. That team has developed tests (www.nz-honeynet.org/cwebservice.php) that anyone can run on a suspected Web server: Enter a suspect URL and the service tells you whether it suspects the site of running malware.

Next, the project teams want to coordinate how all their downloaded tracking systems scan the overall Internet, similar to how SETI@home coordinates the scanning of radio signals from outer space. They are working on extensions to the honeyclient project that will enable wide-scale distribution of their software.

"It is time to start learning by winning this war. We need to find the attackers and stop them before they compromise our machines," Kathy Wang declares. "Most of us are far too reactive in defending our systems. Once we get a lot more players, we can share information on trends and attack vectors. Then you don't have to be defenseless from zero-day attacks."