thug a low interaction honeyclient angelo dell aera
play

Thug: a low-interaction honeyclient Angelo Dell'Aera Speaker Chief - PowerPoint PPT Presentation

Mar 04, 2024 •169 likes •465 views

Thug: a low-interaction honeyclient Angelo Dell'Aera Speaker Chief Executive Officer @ Honeynet Project Information Security Independent Researcher @ Antifork Research (10+ years) Agenda Introduction Honeyclient technologies

  1. Thug: a low-interaction honeyclient Angelo Dell'Aera

  2. Speaker Chief Executive Officer @ Honeynet Project  Information Security Independent Researcher @ Antifork  Research (10+ years)

  3. Agenda Introduction  Honeyclient technologies  Thug  Conclusions 

  4. Client-side attacks The number of client-side attacks has grown significantly in  the past few years shifting focus on poorly protected vulnerable clients In the last years more and more attacks against client  systems The browser is the most popular client system deployed on  every user system A lot of vulnerabilities are identified daily and reported in the  most used browsers and in third-party plugins

  5. Honeyclients Just as the most known honeypot technologies enable  research into server-side attacks, honeyclients allow the study of client-side attacks A complement to honeypots, a honeyclient is a tool  designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker’s content

  6. Honeyclients What we need is something which seems like a real  browser the same way as a classical honeypot system seems like a real vulnerable server A real system (high-interaction honeyclient) or an  emulated one (low-interaction honeyclient)?

  7. Document Object Model (DOM) “ The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page. ”  Thug DOM is (almost) compliant with W3C DOM Core, HTML, Events and Views specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Style specifications  Designed with the requirement that adding the missing features has to be as simple as possible

  8. Document Object Model (DOM) Browser Personalities  Drive-by download attacks target specific versions of the browser so a properly designed low-interaction honeyclient should be able to emulate different browser personalities  Supporting different browser personalities is almost a matter of implementing different (and sometimes totally incompatible) DOM behaviors and interfaces

  9. Supported Browser Personalities – 1/2 ➢ Internet Explorer 6.0 (Windows XP) ➢ Internet Explorer 6.1 (Windows XP) ➢ Internet Explorer 7.0 (Windows XP) ➢ Internet Explorer 8.0 (Windows XP) ➢ Chrome 20.0.1132.47 (Windows XP) ➢ Firefox 12.0 (Windows XP) ➢ Safari 5.1.7 (Windows XP) ➢ Internet Explorer 6.0 (Windows 2000) ➢ Internet Explorer 8.0 (Windows 2000) ➢ Internet Explorer 8.0 (Windows 7) ➢ Internet Explorer 9.0 (Windows 7) ➢ Chrome 20.0.1132.47 (Windows 7) ➢ Firefox 3.6.13 (Windows 7) ➢ Safari 5.1.7 (Windows 7)

  10. Supported Browser Personalities – 2/2 ➢ Safari 5.1.1 (MacOS X 10.7.2) ➢ Chrome 19.0.1084.54 (MacOS X 10.7.4) ➢ Chrome 26.0.1410.19 (Linux) ➢ Chrome 30.0.1599.15 (Linux) ➢ Firefox 19.0 (Linux) ➢ Chrome 18.0.1025.166 (Samsung Galaxy S II, Android 4.0.3) ➢ Chrome 25.0.1364.123 (Samsung Galaxy S II, Android 4.0.3) ➢ Chrome 29.0.1547.59 (Samsung Galaxy S II, Android 4.1.2) ➢ Chrome 18.0.1025.133 (Google Nexus, Android 4.0.4) ➢ Safari 7.0 (iPad, iOS 7.0.4)

  11. Document Object Model (DOM) Event Handling • W3C DOM Events specification constitute the most difficult one to emulate because of the (sometimes huge) differences in how different browsers handle events • Thug emulates the different behaviors of the supported browsers emulating load and mousemove events by default and allowing to emulate all the other ones if needed

  12. Document Object Model (DOM) Hooks • Thug defines some DOM hooks which are useful for analyzing well-known exploits • The next example shows how Thug implements an hook for analyzing a Java exploit with security prompt/warning bypass (CVE-2013-2423)

  13. Document Object Model (DOM) Hooks def _handle_jnlp (self, data, headers): try : soup = BeautifulSoup . BeautifulSoup(data) except : return if soup . find("jnlp") is None: return log . ThugLogging . add_behavior_warn(description = '[JNLP Detected]', method = 'Dynamic Analysis') for param in soup . find_all('param'): log . ThugLogging . add_behavior_warn(description = '[JNLP] %s' % (param, ), method = 'Dynamic Analysis') self . _check_jnlp_param(param) jar = soup . find("jar") if jar is None: return try : url = jar . attrs['href'] headers['User-Agent'] = self . javaWebStartUserAgent response, content = self . window . _navigator . fetch(url, headers = headers, redirect_type = "JNLP") except : pass

  14. Javascript  Google V8 Javascript engine wrapped through PyV8  “V8 implements ECMAScript as specified in ECMA-262, 5th edition, and runs on Windows, Mac OS X , and Linux systems that use IA-32, x64, or ARM processors. The V8 API provides functions for compiling and executing scripts, accessing C++ methods and data structures, handling errors, and enabling security checks” • Abstract Syntax Tree generation and inspection (static analysis) • Context inspection (dynamic analysis) • Other potentially interesting features (GDB JIT interface, live objects inspection, code disassembler, etc.) exported through a clean and well designed API

  15. Analysis  Static analysis ➢ Abstract Syntax Tree (AST)  Dynamic analysis  V8 debugger protocol  Libemu integration (shellcode detection and emulation)

  16. Abstract Syntax Tree (AST) • Static analysis ➢ Static attack signatures ➢ Interesting breakpoints identification for later dynamic analysis ➢ Symbols identification for later dynamic analysis • Easily built through V8 API • Thug AST implementation is quite generic and extensible and allows easily building and inspecting the tree

  17. Vulnerability Modules  Python-based vulnerability modules  ActiveX controls  Core browser functionalities  Browser plugins

  18. ActiveX • Thug implements an ActiveX layer of its own for emulating ActiveX controls (just for Internet Explorer personalities) • It makes use of (Python) vulnerability modules in order to emulate such ActiveX controls or just some of their methods and attributes • The layer was designed in order to allow adding new ActiveX controls in a fast and easy way

  19. Browser Plugins • Drive-by download attacks target specific versions of the browser plugins so a properly designed low-interaction honeyclient should be able to emulate different browser plugins versions or to disable them -A, --adobepdf= Specify the Adobe Acrobat Reader version (default: 9.1.0) -P, --no-adobepdf Disable Adobe Acrobat Reader plugin -S, --shockwave= Specify the Shockwave Flash version (default: 10.0.64.0) -R, --no-shockwave Disable Shockwave Flash plugin -J, --javaplugin= Specify the JavaPlugin version (default: 1.6.0.32) Disable Java plugin -K, --no-javaplugin

  20. Logging MITRE MAEC logging format • JSON logging format (contributed by Avira) • Exploit graph (contributed by Avira) • “Flat” log files (not so exciting I know) • MongoDB • HPFeeds •  thug.events channel (URL analysis results published in MAEC format)  thug.files channel (downloaded samples)

  21. Logging Blackhole 2.0 Exploit Kit { “timestamp”: “2013-04-13 13:43:54.307237”, “cve”: “None”, "description": [window open redirection] about:blank-> hxxp://purrfectpetresort.com/news/wanting_book_switch.php“, "method": "Dynamic Analysis" }

  23. Logging { "mimetype": "PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows", "url": "hxxp://cadgrad.com/adobe/update_flash_player.exe", "flags": {}, "sha256": "d59d9af4e9ec25431acfd8938895b5c3b728d818db024d76f5aa265e0b171f4f", "content-type": "application/octet-stream", "md5": "a3266663f644dc0c0df42e8da1404878", "size": 130560 }

  24. Classifiers • Classifiers support was introduced in Thug 0.4.24 and is based on Yara signatures • Currently two classifiers exist: ➢ URL classifier ➢ Javascript classifier

  25. URL Classifier The URL classifier works on URL pattern matching trying to identify typical exploit kits URL i.e. rule Blackhole_V2_2 : Exploit_Kit { meta: author = "Thorsten Sick" strings: $url = /\/closest\/\w{15,35}.php/ nocase condition: $url }

  26. Javascript Classifier The Javascript classifier exploits the idea that even if the code is obfuscated Thug goes through all the deobfuscation stages. Working this way it can catch details which does not change so frequently in a typical exploit kit i.e. rule PluginDetect : Multiple_Exploit_Kits { meta: author = "Angelo Dell'Aera" strings: $jar = "getjavainfo.jar" nocase $pdpd = "pdpd" nocase $getver = "getversion" nocase condition: ($jar or $pdpd) and $getver }

  27. Source code Thug source code is publicly available at https://github.com/buffer/thug Contributions, comments and feedback welcome!

  28. Thanks for the attention! Questions? Angelo Dell'Aera <angelo.dellaera@honeynet.org>

Recommend

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera &lt;angelo.dellaera@honeynet.org&gt; Security Researcher @ Area 1 Security Full Member @ Honeynet Project Information Security Independent

680 views • 48 slides
Aera%on tank loading and dimensioning CTB3365x Introduc1on to

Aera%on tank loading and dimensioning CTB3365x Introduc1on to

Aera%on tank loading and dimensioning CTB3365x Introduc1on to water treatment Dr.ir. Merle de Kreuk Aera%on tank loading and dimensioning Aera%on tank

381 views • 18 slides
Mother Theresa This young thug known to police for shoplifting, is ... Nicolae Ceausescu

Mother Theresa This young thug known to police for shoplifting, is ... Nicolae Ceausescu

This beautiful heiress from a wealthy family named the Vlachs of Albania was Agnes Boiagiu but she became: Mother Theresa This young thug known to police for shoplifting, is ... Nicolae Ceausescu Romanian Dictator This youngster had a

724 views • 28 slides
Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By Teryl Taylor , Kevin Z. Snow, Nathan Otterness and Fabian Monrose University of North Carolina at Chapel Hill Motivation PU Internet Get

686 views • 34 slides
AERA - Why everybody should start listening to radio 1 Florian Briechle 25/09/19 Overview

AERA - Why everybody should start listening to radio 1 Florian Briechle 25/09/19 Overview

AERA - Why everybody should start listening to radio 1 Florian Briechle 25/09/19 Overview Why is Radio? Production of Radio Emission How is Radio? Detector Principles of AERA What can we do with Radio? Results from Radio

628 views • 15 slides
Sales Presentation Case Dell EMC Introduction: As a member of the Dell Technologies unique

Sales Presentation Case Dell EMC Introduction: As a member of the Dell Technologies unique

Sales Presentation Case Dell EMC Introduction: As a member of the Dell Technologies unique family of businesses, Dell EMC serves a key role in providing the essential infrastructure for organizations to build their digital future, transform

258 views • 4 slides
Dell to Acquire Wyse Technology Dave Johnson Jeff Clarke SVP, Corporate Strategy, Dell Inc. Vice

Dell to Acquire Wyse Technology Dave Johnson Jeff Clarke SVP, Corporate Strategy, Dell Inc. Vice

Dell to Acquire Wyse Technology Dave Johnson Jeff Clarke SVP, Corporate Strategy, Dell Inc. Vice Chairman, Global Operations and End User Computing Solutions, Dell Inc. Rob Williams Tarkan Maner Vice President, Investor Relations, Dell Inc.

137 views • 9 slides
Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell |

Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell |

Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell | Hong Kong &amp; Taiwan Agenda Session One 2016 Threat Report Update Session Two SonicWALL C APT URE Advanced Threat Protection Service

746 views • 63 slides
To be or not to be..Becoming a stand-alone MPO San Angelo Planning Boundary Located west

To be or not to be..Becoming a stand-alone MPO San Angelo Planning Boundary Located west

To be or not to be..Becoming a stand-alone MPO San Angelo Planning Boundary Located west Texas Designated MPO 1988 (COSA); 2010 redesignated Planning area encompasses San Angelo and County Population 93,000+ SAN ANGELO MPO,

231 views • 10 slides
Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260

Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260

Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260 Disassemble Identify the parts Reassemble Precautionary measures NOTICE : To help avoid possible damage to the system board, wait 5 seconds

398 views • 26 slides
DELL EMC VDI Complete Solutions: Accelerate your IT Transformation The ultimate secure,

DELL EMC VDI Complete Solutions: Accelerate your IT Transformation The ultimate secure,

DELL EMC VDI Complete Solutions: Accelerate your IT Transformation The ultimate secure, manageable and reliable end to end virtual desktop solutions. Isel Horada isel.horada@dell.com 17.10.2017 Dell Emc Forum - Athens Your World Today

376 views • 19 slides
By Anthony N. Celso Associate Professor Department for Security Studies Angelo State University

By Anthony N. Celso Associate Professor Department for Security Studies Angelo State University

Jihadist Organizational Failure and Regeneration: the Transcendental Role of Takfiri Violence By Anthony N. Celso Associate Professor Department for Security Studies Angelo State University San Angelo, TX 76901 anthony.celso@angelo.edu Paper

607 views • 29 slides
How Dell is making marketing transformation real Laura Snyder, VP Marketing Technology, Dell

How Dell is making marketing transformation real Laura Snyder, VP Marketing Technology, Dell

How Dell is making marketing transformation real Laura Snyder, VP Marketing Technology, Dell Restricted - Confidential - Privileged Restricted - Confidential - Privileged 1 Dell Technologies Magic cant make digital transformation happen.

310 views • 17 slides
Deep Learning/AI Lifecycle with Dell EMC and bitfusion Bhavesh Patel Dell EMC Server Advanced

Deep Learning/AI Lifecycle with Dell EMC and bitfusion Bhavesh Patel Dell EMC Server Advanced

Deep Learning/AI Lifecycle with Dell EMC and bitfusion Bhavesh Patel Dell EMC Server Advanced Engineering Mazhar Memon CTO Bitfusion Abstract This talk gives an overview of the end to end application life cycle of deep learning in the

443 views • 30 slides
Matrix for Dell EMC PowerEdge Servers 12 September 2018 Dell EMC Linux Team Introduction

Matrix for Dell EMC PowerEdge Servers 12 September 2018 Dell EMC Linux Team Introduction

SUSE Linux Enterprise Server Certification Matrix for Dell EMC PowerEdge Servers 12 September 2018 Dell EMC Linux Team Introduction This set of matrices attempt to represent the certification status between different versions of the SUSE

435 views • 31 slides
the interaction physical characteristics of interaction interaction styles the

the interaction physical characteristics of interaction interaction styles the

The Interaction interaction models chapter 3 translations between user and system ergonomics the interaction physical characteristics of interaction interaction styles the nature of user/ system dialog context

506 views • 12 slides
ANGELO CAROLI After a decade of experience in the fjtness world especially in the United States,

ANGELO CAROLI After a decade of experience in the fjtness world especially in the United States,

LIFESTYLE MADE IN ITALY ANGELO CAROLI After a decade of experience in the fjtness world especially in the United States, Angelo Caroli has created a personal path of success that has led to the affjrmation of its business reality based on its

830 views • 81 slides
the interaction The Interaction interaction models translations between user and system

the interaction The Interaction interaction models translations between user and system

chapter 3 the interaction The Interaction interaction models translations between user and system ergonomics physical characteristics of interaction interaction styles the nature of user/ system dialog context

733 views • 24 slides
Extensions to Self-Taught Hashing: Kernelisation and Supervision Dell Zhang, Jun Wang, Deng Cai,

Extensions to Self-Taught Hashing: Kernelisation and Supervision Dell Zhang, Jun Wang, Deng Cai,

Extensions to Self-Taught Hashing: Kernelisation and Supervision Dell Zhang, Jun Wang, Deng Cai, Jinsong Lu Birkbeck, University of London dell.z@ieee.org The SIGIR 2010 Workshop on Feature Generation and Selection for Information Retrieval

796 views • 46 slides
Raphael Krause, Florian Briechle, Martin Erdmann, Christian Glaser AERA Meeting at KIT February

Raphael Krause, Florian Briechle, Martin Erdmann, Christian Glaser AERA Meeting at KIT February

Raphael Krause, Florian Briechle, Martin Erdmann, Christian Glaser AERA Meeting at KIT February 2017 Outline status calibration paper submitted to JINST on 03.02. submitted to arxiv on 05.02. arXiv: 1702.01392 calibration

427 views • 24 slides
AI is your Business - Translating Hype into Action Paul Brook Bernhard Otupal @paulbrookatDell

AI is your Business - Translating Hype into Action Paul Brook Bernhard Otupal @paulbrookatDell

AI is your Business - Translating Hype into Action Paul Brook Bernhard Otupal @paulbrookatDell @BernieAtDell bernhard.otupal@Dell.com paul.brook@dell.com + 33 621322968 + 44 (0) 7802 595 331 1 of Y Dell -Internal Use - Confidential 1 Dell

518 views • 30 slides
Quantum Mechanics: mysteries and solutions ANGELO BASSI Department of Theoretical Physics,

Quantum Mechanics: mysteries and solutions ANGELO BASSI Department of Theoretical Physics,

Quantum Mechanics: mysteries and solutions ANGELO BASSI Department of Theoretical Physics, University of Trieste, Italy and INFN - Trieste Frascati, 4 August 2014 Angelo Bassi 1 Quantization of light: Plancks hypothesis (1900) All

404 views • 19 slides
How Dell Simplified Email Template Design to Improve Engagement and Drive a Double-Digit

How Dell Simplified Email Template Design to Improve Engagement and Drive a Double-Digit

How Dell Simplified Email Template Design to Improve Engagement and Drive a Double-Digit Percentage Increase in Revenue Rate JESSICA VOGEL Global Marketing Consultant Dell, Inc. Jessica Vogel Global Marketing Consultant Dell, Inc. Reference

294 views • 18 slides
... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

Notes on Running Dsniff and the Lab Network Environment Cyber Security Lab 2/16/10 1 General Overview 1.1 Initial machine configuration Outside World DMZ Management 192.168.50.50 192.168.50.60 Dmz 192.168.50.0/24 FW1 Outside =

182 views • 4 slides

More recommend