Capture-HPC talk @ OSDC.tw 2009


DESCRIPTION

An introduction to using Capture-HPC, presented at OSDC.tw 2009


Identify Malicious URL using Capture-HPC

David Guan, dcguan@gmail.com

Who Are You?

• You are interested in malicious webpages
• You are interested in Capture-HPC
• You are not interested in the other session, or there are no more seats…

About This Session

• NOT to protect your PC
– You need to pay $$ for *protection*
– Uninstalling Windows might be a better idea

• Experience sharing for large scale web crawling testing

• Use open source software for security research
– Even an individual can build a security lab

Drive-by Download (diagram): Landing Site, Hopping Site, Download Site

The EVIL Browser Plug-in

Browser plug-in vulnerabilities (source: Secunia 2008 report)

Malicious URL in Different Regions

Region   Total URL Scanned   Total landing site   Total download site
China    41000               253                  28
Japan    21263               105                  3

Google Safe Browsing Database

• Google gives you malicious URLs
– MD5 hash form
– Quality data can be observed
– safebrowsing-python + Django = ?

URL Selection and Verification

• Google’s paper “All Your iFRAMEs Point to Us”

URL selection pipeline (diagram, stages in order): WWW, Repository, Machine Learning, Score, Virtual Machine Verification, Malicious URL

What is a Honeypot?

• A trap!
• Collects malicious behavior
• Server-side honeypot
– Waits to be probed, attacked, and compromised
• Client-side honeypot
– Actively crawls the web
– Compromised by server response

What is Capture-HPC ?

• A high-interaction client honeypot
• Part of the Honeynet Project
• Interacts with malicious web sites and observes system activities
• Freely available under GPL v2
– https://projects.honeynet.org/capture-hpc

Capture-HPC Concept

(diagram): Capture-HPC Server, VMWare Server, Capture-HPC Client (several clients, one per VM)

Capture-HPC Architecture

(diagram) Host side: Capture-HPC Server, configured by Config.xml, with a "Control" link to the VMWare Server ("Revert & Resume"), and "Report" and "Log" outputs.
Guest side (VMWare Guest OS): Capture-HPC Client in User Mode, with Internet Explorer, Firefox, Explorer Client, File Monitor, Process Monitor and Registry Monitor; Capture Kernel Driver in Kernel Mode, beneath the Win32 Subsystem, reporting up to the client.
Example events shown: Process 1 (File Create, Registry Change), Process 2 (Registry Create), Process 3.

Setup Server Environment

• Unpack Capture-HPC server
• VMWare server 1.0 instead of 2.0; Linux is better
• Edit Capture-HPC Server settings
• Set up multiple VMs

Setup Client Environment

• Adjust security level
• Install Capture-HPC client
• Install system monitor tools
• NO Windows Update! Disable firewall

Make Yourself More Vulnerable!

• Get old versions of software at http://oldapps.com

Editing Exception List

• Filter normal system events
– Windows prefetch
– Windows update
– Internet Explorer activities
– Capture-HPC client activities

• Events that are not filtered are treated as malicious
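To show how an exception list drives the verdict, here is an added Python example (not Capture-HPC's own code): it drops monitor events that match a Capture-HPC-style exception list and reports everything left over as malicious, which is what decides whether a URL ends up in Safe.log or Malicious.log. The rule column order and the sample events are assumptions constructed for this example.

```python
import re

# Constructed exception list in a Capture-HPC-style layout. The column order
# "+|<event>|<process path regex>|<object path regex>" is assumed for this example
# (not the project's own .exl files); "+" marks matching events as benign noise.
EXCEPTION_LIST = r"""
+|Write|.*\\svchost\.exe|C:\\WINDOWS\\Prefetch\\.*\.pf
+|Write|.*\\wuauclt\.exe|C:\\WINDOWS\\SoftwareDistribution\\.*
+|Write|.*\\iexplore\.exe|.*\\Temporary Internet Files\\.*
+|.*|.*\\CaptureClient\.exe|.*
"""

# Constructed monitor events as (monitor, event, process path, object path).
EVENTS = [
    ("file", "Write", r"C:\WINDOWS\system32\svchost.exe",
     r"C:\WINDOWS\Prefetch\IEXPLORE.EXE-2CA9778D.pf"),
    ("file", "Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Documents and Settings\lab\Local Settings\Temporary Internet Files\Content.IE5\a.htm"),
    ("file", "Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\WINDOWS\system32\drop.dll"),
    ("registry", "SetValueKey", r"C:\WINDOWS\system32\drop.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drop"),
    ("process", "created", r"C:\WINDOWS\system32\CaptureClient.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

def load_exceptions(text):
    """Parse '+|event|process_re|object_re' lines into compiled rule triples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flag, event_re, proc_re, obj_re = line.split("|", 3)
        if flag == "+":
            rules.append(tuple(re.compile(p, re.I) for p in (event_re, proc_re, obj_re)))
    return rules

def unfiltered_events(events, rules):
    """Events no rule fully matches: exactly what the client reports as malicious,
    because anything not on the exception list is treated as suspect."""
    return [ev for ev in events
            if not any(e.fullmatch(ev[1]) and p.fullmatch(ev[2]) and o.fullmatch(ev[3])
                       for e, p, o in rules)]

def verdict(events, rules):
    """Which server log the URL would land in: Malicious.log or Safe.log."""
    return "Malicious.log" if unfiltered_events(events, rules) else "Safe.log"
```

Only the DLL drop by iexplore.exe and the Run-key write survive the filter, so the URL is logged as malicious; an over-broad exception (such as the last rule's ".*" process wildcard, if mistyped) would silently turn such events into "safe" results, which is why the list needs review after every client change.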

Good URL? Bad URL?

• Collect normal web pages
– Open Directory Project
– Yahoo!
– Other countries?

• How about malicious pages?
– IT Information Security
– Malware domain list
– Blast's security lab

Execute Capture-HPC

• java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s <IP listening address>:<IP listening port> -f <URL input file>

• DEMO Time!

Time to Harvest

System Configuration
• Intel E6420 (2.13GHz) with 2G RAM
• VMWare server 1.0 with 3 VM

Target URL
• Malicious URL from various sites
• Total URL: 235
• Testing time: 2 hours (about 3000 URL per day)

Result
• Malicious: 34
• Network error: 13 (IE cannot connect)
• System error: 5
• Check log files
– Safe.log
– Malicious.log
– Error.log

Large Scale Testing Issues

• VMWare issues
– Revert VM hangs
– Network broken after VM revert

• Malicious software makes the guest OS unstable
– Blue screen of death
– Guest OS high CPU loading

Build Your Security Lab Using Open Source Software

• Many open source software packages available
– Capture-HPC
– Malzilla
– DecryptJS

• Easy to adapt to your application
• Your effort can make better tools!

Thank You!

Comments and Questions? dcguan@gmail.com