Proactive Detection of Client-Side Exploits

Hackers are taking advantage of client software’s vulnerabilities to control and infect systems, even the systems that are protected by firewalls. Once they are compromised, the attacker can use client side exploits for several malicious activities. For example; they can steal people’s online banking credentials. Even worth, they can use victims’ computer as part of their distributed denial of service (DDoS) attack or a spam delivery system. It is interesting to know; how an attacker utilizes vulnerabilities? Both client and server would be exploited by contagion worm. First attacker needs to upload malicious code to typical web server security flaws, then this code will be downloaded whenever users’ browser visits the website.

Attackers target client systems because not too many of client software are developed by expert people. Even most technical people are trained and just follow through with updating the server software. Most users are not trained to create secure software or run the most recent signatures antivirus product or even worth, they don’t update their operating system software.

Honeyclinets: Security depends on the knowledge of existing exploits and vulnerabilities. This knowledge can use to proactively patch vulnerable or create intrusion detection system.  Honeypot is a popular tool which is used to acquire advanced knowledge. Honeypot is a passive device and limited to detect server software attacks. The vulnerabilities are growing in client side (like mail or web browser). A new technology was needed to discover exploits for these vulnerabilities. Honeypot could not detect malicious behavior until the attacker happens upon them.

 Honeyclient is a concept which instruments client software and drives it to detect new exploits. It drives vulnerable client software (like web browser) to malicious websites and then monitors system behavior to indicate compromise. honeyclient emulates the client side and acts as a bot or spider, it monitors client behavior to see whether it falls outside of normal operational bounds.  

The first generation honeyclient: the author started designing honeyclient in 2004. The first honeyclient was open source prototype code. In order to detect exploits, the author used comprehensive check for changes on the client. Windows as an operation system and IE as a web browser were chosen because the largest populations of users were using them.  The idea was to let a real browser visit each suspected website. If honeyclient software becomes compromised when it encountered a malicious website, then that website can be presented as a bad websites and potential consequences of infections.

The second Generation honeyclients: the idea was to keep parts of the original prototype, but add new features such as running the honeyclient in virtual machines. Also they wanted to retain honeyclient quickly the compromised operating systems for later attack forensics analysis. The author wanted ease of use, speed and scalability.

The change in honeyclient architecture was to add plug-ins to enabled or disabled honeyclient. The second decision was client-server model. The server controls higher level operations for the honeyclient. These controls were:

·        Cloning and suspending virtual machines

·        Detecting changes to the honeyclent system

·        Communicating whit an external honeyclient database

·        Logging full packet captures

Reference:

Oram, Andy, Viega, John (2009). “Beautiful Security, Leading Security Experts Explain How They Think”, Copyright 2009 O’reilly Media, Inc.