Friday, March 17, 2006
11 AM - 12 PM
7331 CS
Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, S. King
MSR / Purdue / Florida Tech
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities
NDSS'06
URL: http://www.isoc.org/.../papers/honeymonkeys.pdf
Internet attacks that use malicious web sites to
install malware programs by exploiting browser
vulnerabilities are a serious emerging threat. In
response, we have developed an automated web patrol
system to automatically identify and monitor these
malicious sites. We describe the design and
implementation of the Strider HoneyMonkey Exploit
Detection System, which consists of a pipeline of
"monkey programs" running possibly vulnerable
browsers on virtual machines with different patch
levels and patrolling the Web to seek out and
classify web sites that exploit browser
vulnerabilities.
Within the first month of utilizing this system, we
identified 752 unique URLs hosted on 288 web sites
that could successfully exploit unpatched Windows XP
machines. The system automatically constructed
topology graphs based on traffic redirection to
capture the relationship between the exploit
sites. This allowed us to identify several major
players who are responsible for a large number of
exploit pages. By monitoring these 752 exploit-URLs
on a daily basis, we discovered a malicious web site
that was performing zero-day exploits of the
unpatched javaprxy.dll vulnerability and was
operating behind 25 exploit-URLs. It was confirmed
as the first "in-the-wild", zero-day exploit of this
vulnerability that was reported to the Microsoft
Security Response Center. Additionally, by scanning
the most popular one million URLs as classified by a
search engine, we found over seven hundred
exploit-URLs, many of which serve popular content
related to celebrities, song lyrics, wallpapers,
video game cheats, and wrestling.
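The abstract says topology graphs built from traffic redirection exposed the sites behind many exploit pages. The sketch below is an added illustration of that idea, not code from the paper or the HoneyMonkey system: the redirect records are constructed, all hosts are `.example` placeholders, and ranking sites by how many other sites' traffic reaches them is an assumed heuristic.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL visited, URL the browser was redirected to).
REDIRECTS = [
    ("http://lyrics.example/song1", "http://hub-a.example/x"),
    ("http://lyrics.example/song2", "http://hub-a.example/x"),
    ("http://wallpaper.example/p", "http://hub-a.example/y"),
    ("http://cheats.example/c", "http://relay.example/r"),
    ("http://relay.example/r", "http://hub-b.example/z"),
    ("http://hub-a.example/x", "http://hub-b.example/z"),
]

def site(url):
    """Reduce a URL to its host so many URLs collapse into one site node."""
    return urlsplit(url).hostname

def build_site_graph(redirects):
    """Collapse URL-level redirects into a site-level directed graph."""
    graph = defaultdict(set)
    for src, dst in redirects:
        s, d = site(src), site(dst)
        if s != d:                      # ignore redirects within one site
            graph[s].add(d)
    return graph

def reachable(graph, start):
    """Sites reached from start by following redirects (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def rank_by_inbound(graph):
    """Rank sites by how many other sites send traffic to them,
    directly or through intermediate redirects."""
    counts = defaultdict(int)
    for src in list(graph):
        for dst in reachable(graph, src):
            counts[dst] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for host, n in rank_by_inbound(build_site_graph(REDIRECTS)):
        print(f"{host}: reached from {n} site(s)")
```

In the sample, `hub-b.example` is never linked from a content page directly, yet it ranks first because every redirect chain ends there; a count of direct links alone would miss it.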