Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2006

Volumn , Issue , 2006, Pages

  Wang, Yi Min ^a   Beck, Doug ^a   Jiang, Xuxian ^a   Roussev, Roussi ^a   Verbowski, Chad ^a   Chen, Shuo ^a   King, Sam ^a  

^a MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

MALWARE; SEARCH ENGINES; TOPOLOGY; ZERO-DAY ATTACK;

DESIGN AND IMPLEMENTATIONS; DETECTION SYSTEM; GRAPH-BASED; INTERNET ATTACKS; MALWARES; MICROSOFT; TOPOLOGY GRAPHS; TRAFFIC REDIRECTIONS; WEB-SITES; WINDOW XP;

WEBSITES;

EID: 84904088330     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (55)

1. [AA] S. Andersen and V. Abella, “Data Execution Prevention. Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies.,” http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx.
2. [ABL04] L. von Ahn, M. Blum, and J. Langford, “Telling Humans and Computers Apart Automatically,” Communications of the ACM, Feb. 2004.
3. [AL] Alexa, http://www.alexa.com/.
4. [ASA+05] K. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis. “Detecting Targeted Attacks Using Shadow Honeypots,” in Proc. USENIX Security Symposium, August 2005.
5. [ASLR] PaX Address Space Layout Randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt.
6. [B04] Xpire.info, http://www.vitalsecurity.org/xpiresplitinfinity-serverhack_malwareinstall-condensed.pdf, Nov. 2004.
7. [CBJ+03] C. Cowan, S. Beattie, J. Johansen, and P. Wagle. “PointGuard: Protecting pointers from buffer overflow vulnerabilities,” in Proc. USENIX Security Symposium, August 2003.
8. [CDF+04] C. Carella, J. Dike, N. Fox, and M. Ryan, “UML Extensions for Honeypots in the ISTS Distributed Honeypot Project,” in Proc. IEEE Workshop on Information Assurance, 2004.
9. [CWS05] “Webroot: CoolWebSearch Top Spyware Threat,” http://www.techweb.com/showArticle.jhtml?articleID=16040 0314, TechWeb, March 30, 2005.
10. [D04] Download.Ject, http://www.microsoft.com/security/incident/download_ject.ms px, June 2004.
11. [E04] Ben Edelman, “Who Profits from Security Holes?”, Nov. 2004, http://www.benedelman.org/news/111804-1.html.
12. [F04] “Follow the Money; or, why does my computer keep getting infested with spyware?” http://www.livejournal.com/users/tacit/125748.html.
13. [FHS+96] S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longsta, “A sense of self for Unix processes,” in Proc. IEEE Symp. on Security and Privacy, May 1996.
14. [FKF+03] H. Feng, O. Kolesnikov, P. Fogla, W. Lee, and W. Gong, “Anomaly detection using call stack information,” in Proc. IEEE Symp. on Security and Privacy, May 2003.
15. [G05] “Googkle.com installed malware by exploiting browser vulnerabilities,” http://www.f-secure.com/vdescs/googkle.shtml.
16. [G04] Archana Ganapathi, Yi-Min Wang, Ni Lao, and Ji-Rong Wen, "Why PCs Are Fragile and What We Can Do About It: A Study of Windows Registry Problems", in Proc. IEEE DSN/DCC, June 2004.
17. [H] The Honeynet Project, http://www.honeynet.org/.
18. [HC] Honeyclient Development Project, http://www.honeyclient.org/.
19. [HD05] “Another round of DNS cache poisoning,” Handlers Diary, March 30, 2005, http://isc.sans.org/.
20. [HF] hpHOSTS community managed hosts file, http://www.hosts-file.net/downloads.html.
21. [HM] Strider HoneyMonkey Exploit Detection, http://research.microsoft.com/HoneyMonkey.
22. [HR05] T. Holz and F. Raynal, “Detecting Honeypots and other suspicious environments,” in Proc. IEEE Workshop on Information Assurance and Security, 2005.
23. [IF05] “iframeDOLLARS dot biz partnership maliciousness,” http://isc.sans.org/diary.php?date=2005-05-23.
24. [ISP] ISP Ranking by Subscriber, http://www.ispplanet.com/research/rankings/index.html.
25. [IW05] “Scammers use Symantec, DNS holes to push adware,” InfoWorld.com, March 7, 2005, http://www.infoworld.com/article/05/03/07/HNsymantecholesandadware_1.html?DESKTOP%20SECURITY.
26. [J04] Xuxian Jiang, Dongyan Xu, “Collapsar: A VM-Based Architecture for Network Attack Detention Center”, in Proc. USENIX Security Symposium, Aug. 2004.
27. [J105] Microsoft Security Advisory (903144) - A COM Object (Javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit, http://www.microsoft.com/technet/security/advisory/903144. mspx.
28. [J205] Microsoft Security Bulletin MS05-037 - Vulnerability in JView Profiler Could Allow Remote Code Execution (903235), http://www.microsoft.com/technet/security/bulletin/ms05037.mspx.
29. [JKD+05] Ashlesha Joshi, Sam King, George Dunlap, Peter Chen, “Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates,” in Proc. SOSP, 2005.
30. [KGO+05] Sven Krasser, Julian Grizzard, Henry Owen, and John Levine, “The Use of Honeynets to Increase Computer Network Security and User Awareness”, in Journal of Security Education, pp. 23-37, vol. 1, no. 2/3. March 2005.
31. [L05] Lallous,” Detect if your program is running inside a Virtual Machine,” March 2005, http://www.codeproject.com/system/VmDetect.asp.
32. [M52] Microsoft Security Bulletin MS05-002, Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution, http://www.microsoft.com/technet/security/Bulletin/MS05002.mspx.
33. [M311] Microsoft Security Bulletin MS03-011, Flaw in Microsoft VM Could Enable System Compromise, http://www.microsoft.com/technet/security/Bulletin/MS03011.mspx.
34. [M413] Microsoft Security Bulletin MS04-013, Cumulative Security Update for Outlook Express, http://www.microsoft.com/technet/security/Bulletin/MS04013.mspx.
35. [NK04] Neal Krawetz, Anti-honeypot technology, Security & Privacy Magazine, IEEE Volume 2, Issue 1, Jan.-Feb. 2004 Page(s):76–79.
36. [P04] Niels Provos, “A Virtual Honeypot Framework”, in Proc. USENIX Security Symposium, Aug. 2004.
37. [PVT] AMD Pacifica Virtualization Technology, http://enterprise.amd.com/downloadables/Pacifica.ppt.
38. [R05] “Russians use affiliate model to spread spyware,” http://www.itnews.com.au/newsstory.aspx?CIaNID=18926.
39. [R04] Team Register, “Bofra exploit hits our ad serving supplier,” http://www.theregister.co.uk/2004/11/21/register_adserver_attack/, November 2004.
40. [RP] Red Pill, http://invisiblethings.org/papers/redpill.html.
41. [S04] Symantec Gateway Security Products DNS Cache Poisoning Vulnerability, http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html.
42. [S05] “Michael Jackson suicide spam leads to Trojan horse,” http://www.sophos.com/virusinfo/articles/jackotrojan.html, Sophos, June 9, 2005.
43. [SH] “What is Strider HoneyMonkey,” http://research.microsoft.com/honeymonkey/article.aspx, Aug. 2005.
44. [SK05] Stelios Sidiroglou and Angelos D. Keromytis, “A Network Worm Vaccine Architecture,” in 1st Information Security Practice and Experience Conference (ISPEC), April 2005.
45. [T05] Michael Ligh, “Tri-Mode Browser Exploits - MHTML, ANI, and ByteVerify,” http://www.mnin.org/write/2005_trimode.html, April 30, 2005.
46. [UML] Know Your Enemy: Learning with User-Mode Linux. Building Virutal Honeynets using UML, http://www.honeynet.org/papers/uml/.
47. [VMC+05] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex Snoeren, Geoff Voelker, and Stefan Savage, “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm,” in Proc. ACM Symposium on Operating Systems Principles (SOSP), Oct. 2005.
48. [VMW] Know Your Enemy: Learning with VMware. Building Virutal Honeynets using VMware, http://www.honeynet.org/papers/vmware/.
49. [VT] Vanderpool Technology, Technical report, Intel Corporation, 2005.
50. [W03] Yi-Min Wang, et al., “STRIDER: A Black-box, State-based Approach to Change and Configuration Management and Support”, in Proc. Usenix LISA, Oct. 2003.
51. [W04] Yi-Min Wang, et al., “Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management”, in Proc. Usenix LISA, 2004
52. [W05] Yi-Min Wang, Doug Beck, Binh Vo, Roussi Roussev, and Chad Verbowski, “Detecting Stealth Software with Strider GhostBuster,” in Proc. DSN, June 2005
53. [WGS+04] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier, “Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits,” in Proc. ACM SIGCOMM, August 2004.
54. [XKI03] J. Xu, Z. Kalbarczyk and R. K. Iyer, “Transparent Runtime Randomization for Security,” in Proc. Symp. Reliable and Distributed Systems (SRDS), October 2003.
55. [XSS] “Code insertion in Blogger comments”, March 28, 2005, http://www.securityfocus.com/archive/1/394532.