Escape from monkey island: Evading high-interaction honeyclients

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6739 LNCS, Issue , 2011, Pages 124-143

  Kapravelos, Alexandros ^a   Cova, Marco ^b   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF BIRMINGHAM   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

HONEYCLIENTS; SECURITY MODEL; SIDE EFFECT;

COMPUTER CRIME; USER INTERFACES; WORLD WIDE WEB;

RATING;

EID: 79960003584     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-22424-9_8     Document Type: Conference Paper

References (47)

1. Anubis: Analyzing Unknown Binaries, http://anubis.seclab.tuwien.ac.at
2. Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: A Tool for Analyzing Malware. In: Proceedings of the European Institute for Computer Antivirus Research Annual Conference, EICAR (2006)
3. Boscovich, R. et al.: Microsoft Security Intelligence Report. Technical Report, vol. 7, Microsoft, Inc. (2009)
4. Broersma, M.: Web attacks slip under the radar (2007), http://news.techworld.com/security/10620/web-attacks-slip-under-the-radar/
5. Cova, M., Kruegel, C., Vigna, G.: Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In: Proceedings of the International World Wide Web Conference, WWW(2010)
6. CVE. Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP), http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0038.
7. CWSandbox (2009), http://www.cwsandbox.org/
8. Dinaburg, A., Royal, P., Sharif, M., Lee,W.: Ether:Malware analysis via hardware virtualization extensions. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2008)
9. Ferrie, P.: Attacks on Virtual Machines. In: Proceedings of the Association of Anti-Virus Asia Researchers Conference (2007)
10. Fewer, S.: Reflective DLL injection, http://www.harmonysecurity.com/ files/HS-P005-ReflectiveDllInjection.pdf
11. Fogla, P., Lee, W.: Evading Network Anomaly Detection Systems: Formal Reasoning and Practical Techniques. In: Proceedings of the ACM Conference on Computer and Communications Security CCS (2006)
12. Frei, S., Dübendorfer, T., Ollman, G., May, M.: Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the insecurity iceberg. In: Proceedings of DefCon, vol. 16 (2008)
13. Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is Not Transparency: VMM Detection Myths and Realities. In: Proceedings of the USENIX Workshop on Hot Topics in Operating Systems (2007)
14. Google. Safe Browsing API, http://code.google.com/apis/safebrowsing/
15. Holz, T.: AV Tracker (2009), http://honeyblog.org/archives/37-AV-Tracker. html
16. Jaeger, T.: Reference Monitor Concept. Encyclopedia of Cryptography and Security (2010)
17. Jiang, X., Wang, X., Xu, D.: Stealthy Malware Detection and Monitoring through VMM-Based Out-of-the-Box Semantic View Reconstruction. ACM Transactions on Information and System Security (TISSEC) 13(2) (February 2010)
18. Joebox: A Secure Sandbox Application for Windows (2009), http://www.joebox.org/
19. Klein, T.: ScoopyNG - The VMware detection tool, http://www.trapkit.de/ research/vmm/scoopyng/index.html
20. Krebs, B.: Former anti-virus researcher turns tables on industry (October 27, 2009), http://voices.washingtonpost.com/securityfix/2009/10/former-anti- virus-researcher-t.html
21. Liston, T., Skoudis, E.: On the Cutting Edge: Thwarting Virtual Machine Detection (2006), http://handlers.sans.org/tliston/ThwartingVMDetection-Liston- Skoudis.pdf
22. Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU Emulators. In: Proceedings of the International Symposium on Software Testing and Analysis, ISSTA (2009)
23. Microsoft. What is SmartScreen Filter?, http://www.microsoft.com/ security/filters/smartscreen.aspx
24. MITRE. HoneyClient, http://www.honeyclient.org/
25. Moshchuk, A., Bragin, T., Deville, D., Gribble, S., Levy, H.: SpyProxy: Execution-based Detection of Malicious Web Content. In: Proceedings of the USENIX Security Symposium (2007)
26. Moshchuk, A., Bragin, T., Gribble, S., Levy, H.: A Crawler-based Study of Spyware in the Web. In: Proceedings of the Symposium on Network and Distributed System Security, NDSS (2006)
27. Müller, T., Mack, B., Arziman, M.: Web Exploit Finder, http://www.xnos.org/security/web-exploit-finder.html
28. Nguyen, A., Schear, N., Jung, H., Godiyal, A., King, S., Nguyen, H.:MAVMM: Lightweight and Purpose Built VMM for Malware Analysis. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC (2009)
29. Norman Sandbox (2009), http://www.norman.com/about-norman/technology/ norman-sandbox/
30. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. In: Proceedings of the USENIX Workshop on Offensive Technologies, WOOT (2009)
31. Polychronakis, M., Mavrommatis, P., Provos, N.: Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2008)
32. Provos, N., Mavrommatis, P., Rajab, M., Monrose, F.: All Your iFRAMEs Point to Us. In: Proceedings of the USENIX Security Symposium (2008)
33. Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N.: The Ghost in the Browser: Analysis of Web-based Malware. In: Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnet (2007)
34. Ptacek, T., Newsham, T.: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical report, Secure Networks, Inc. (1998)
35. Quist, D., Smith, V., Computing, O.: Detecting the Presence of Virtual Machines Using the Local Data Table, http://www.offensivecomputing.net/files/ active/0/vm.pdf
36. Raffetseder, T., Kruegel, C., Kirda, E.: Detecting System Emulators. In: Proceedings of the Information Security Conference (2007)
37. Rocaspana, J.: SHELIA: A Client HoneyPot For Client-Side Attack Detection (2009), http://www.cs.vu.nl/~herbertb/misc/shelia/
38. Rutkowska, J.: Red Pill. or how to detect VMM using (almost) one CPU instruction (2004), http://www.invisiblethings.org/papers/redpill.html
39. Sharif, M., Lee, W., Cui, W., Lanzi, A.: Secure In-VM Monitoring Using Hardware Virtualization. In: Proceedings of the ACMConference on Computer and Communications Security, CCS (2009)
40. The Honeynet Project. Capture-HPC, https://projects.honeynet.org/capture- hpc
41. ThreatExpert (2009), http://www.threatexpert.com/
42. Tsaur, W., Chen, Y., Tsai, B.: A New Windows Driver-Hidden Rootkit Based on Direct Kernel Object Manipulation. In: Proceedings of the Algorithms and Architectures for Parallel Processing Conference (2009)
43. Van Gundy, M., Chen, H., Su, Z., Vigna, G.: Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC (2007)
44. Vasudevan, A., Yerraballi, R.: Cobra: Fine-grained Malware Analysis using Stealth Localized Executions. In: Proceedings of the IEEE Symposium on Security and Privacy (2006)
45. Vigna, G., Robertson, W., Balzarotti, D.: Testing Network-based Intrusion Detection Signatures Using Mutant Exploits. In: Proceedings of the ACM Conference on Computer and Communications Security CCS (2004)
46. Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S., King, S.: Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In: Proceedings of the Symposium on Network and Distributed System Security, NDSS (2006)
47. Yin, H., Poosankam, P., Hanna, S., Song, D.: HookScout: Proactive Binary-Centric Hook Detection. In: Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA (2010)