2019. 07. 27 - codeground

Presenter: Lee Ji-ho (Korea University Graduate School of Information Security), Date: 2019. 07. 27

Post on 02-Feb-2021


TRANSCRIPT

  • Presenter: Lee Ji-ho (Korea University Graduate School of Information Security)

    Date: 2019. 07. 27

  • 2

    Crouching Honeypot, Hidden Exploit

    Cloaking Known Exploits by Tracking Client Honeypot Fingerprints

    Ⅰ. Introduction

    1.1 Biography

    1.2 Professor

    1.3 Keywords

    1.4 Abstract

    Ⅱ. Background

    2.1 Browser Exploits

    2.2 Client Honeypots

    2.3 Cloaking

    2.4 Browser Fingerprinting

    Ⅲ. Experiments

    3.1 Overview

    3.2 Online Scan Services

    3.3 Honeypots in the Wild

    3.4 Anti-Virus Products

    3.5 Conclusion

  • 3

    Ⅰ. Introduction

    1.1 Biography

    [Profile photo]

    Lee Ji-ho, E-mail: [email protected]

    Education

    2017. 03 ~ 2018. 08  M.S., Korea University Graduate School of Information Security; member of the Hacking and Countermeasure Research Lab

    2003. 08 ~ 2008. 05  B.S. in Computer Engineering, University of Illinois at Urbana-Champaign

    Career

    2009. 03 ~  Researcher, Republic of Korea Armed Forces

  • 4

    1.2 Professor Biography

    [Profile photo]

    Kim Huy Kang (advisor), E-mail: [email protected]

    Education

    2000. 03 ~ 2009. 02  Ph.D., Industrial and Systems Engineering

    1998. 03 ~ 2000. 02  M.S., Industrial Engineering, KAIST

    1994. 03 ~ 1998. 02  B.S., Industrial Management, KAIST

    Career

    2017. 11  Co-founder

    2010. 03 ~  Professor, Korea University Graduate School of Information Security

    2004. 05 ~ 2010. 02  Head of Information Security

    1999. 09  Founder

  • 5

    1.3 Keywords

    • Browser Exploits

    • Client Honeypots & Cloaking

    • Browser Fingerprinting

    • Fingerprint Resemblance

  • 6

    1.4 Abstract

    • Client honeypots can be fingerprinted, too.

    • By leveraging fingerprint resemblance, previously-seen client honeypots can be discerned and cloaked even with a spoofed IP address and/or user agent name.

    • It helps hide even known browser exploits.

  • 7

    Ⅱ. Background

    2.1 Browser Exploits

    Is the Web safe?

  • 8

    2.1 Browser Exploits

    Browser exploits still persist

    Detected vulnerabilities in browsers amounted to 14%

    https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/

  • 9

    2.1 Browser Exploits

    Recent 0-days

    SEP 10, 2018 A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

    DEC 20, 2018 Microsoft issued an out-of-band patch for a zero day bug in its Internet Explorer browser.

    MAR 8, 2019 Google Chrome zero-day: Now is the time to update and restart your browser.

    MAR 21, 2019 Two zero-day Safari exploits found, one allowing complete takeover of Mac.

    APR 12, 2019 Internet Explorer zero-day lets hackers steal files from Windows PCs. Microsoft refused to patch issue so security researcher released exploit code online.

    JUN 18, 2019 Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day.

  • 10

    2.1 Browser Exploits

    Attack types leveraging browser exploits

    • Spear-phishing

    • Malvertising

    • Watering-hole: web shells on sale!

  • 11

    2.1 Browser Exploits

    What are the defensive measures?

    • Google Safe Browsing

    • Online scan services, e.g., VirusTotal

    • Anti-virus products

  • 12

    2.2 Client Honeypot

    What is a client honeypot?

    "Active security devices in search of malicious servers that attack clients."

    - Wikipedia

  • 13

    2.3 Cloaking

    What is cloaking?

    "A technique in which the content presented to the search engine spider is different from that presented to the user's browser."

    - Wikipedia

    [Diagram: Crawlers and Users request the same Web page and receive different content]

  • 14

    2.3 Cloaking

    Types of cloaking

    • Easy: IP address, rDNS, GeoIP, user agent

    • Normal: time window, human action

    • Hard: emulation crash induction, "red pill"

  • 15

    2.3 Cloaking

    Thus, crouching honeypot, hidden exploit

    "I am not a honeypot. Show me your exploit."

    "I do not have it."

  • 16

    2.4 Browser Fingerprinting

    What is fingerprinting?

    "A procedure that maps an arbitrarily large data item to a much shorter bit string, its fingerprint, that uniquely identifies the original data for all practical purposes."

    - Andrei Z. Broder

  • 17

    2.4 Browser Fingerprinting

    How Unique is Your Web Browser? (2010)

    Fingerprint contains at least 18.1 bits of entropy

    =

    Only 1 in 286,777 other browsers share its fingerprint

    - P. Eckersley

    http://panopticlick.eff.org

  • 18

    2.4 Browser Fingerprinting

    Example: browserleaks.com

    http://browserleaks.com

  • 19

    2.4 Browser Fingerprinting

    (Cross-)Browser Fingerprinting via OS and Hardware Level Features

    99.24% unique fingerprints

    - Cao et al.

    http://uniquemachine.org

  • 20

    2.4 Browser Fingerprinting

    Implication

    Possible to track users without cookies

    [Diagram: Users visit a Web page, which reports to a Tracking party]

    Application

    • Tailored advertisement

    • Fraud detection

  • 21

    2.4 Browser Fingerprinting

    Dark Implication

    Possible to track machines?

    [Diagram: Honeypots visit a Web page, which reports to Miscreants]

    Abusive Application

    • Cloaking malicious campaigns

    • Search engine optimization

  • 22

    Ⅲ. Experiments

    3.1 Overview

    Hypothesis

    • Systems as complex as client honeypots are probably shared, copied, and/or derived.

    • Client honeypots with different IP addresses and/or user agents may have identical or similar fingerprints.

    • It should be possible to gradually identify more IP addresses and artifacts of client honeypots as the fingerprint dataset grows.

    • By leveraging the result, it should be possible to help hide browser exploits from detection.

    Exploit Sample

    Metasploit Framework's 34 JavaScript-based browser exploits

  • 23

    3.1 Overview

    Fingerprint Features

    [Figure: Entropy by feature]

    [Figure: Canvas fingerprint example]
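    The entropy-by-feature figure on this slide and the Eckersley figures earlier (18.1 bits, one in 286,777) rest on one formula: the Shannon entropy of the observed fingerprint distribution, computed per feature or over the whole fingerprint. The Python below is an added worked example, not code from the talk or its dataset; it runs on a small constructed set of fingerprints with assumed feature names and shows how a feature that never varies contributes 0 bits, how a near-unique feature contributes almost log2(N) bits, and how a bit count converts to "one in N browsers". For reference, 2^18.1 is roughly 281,000; the slide's 286,777 corresponds to the unrounded value log2(286,777) ≈ 18.13 bits.

```python
import math
from collections import Counter

# Constructed sample of browser fingerprints (not data from the talk): one dict
# per observed browser, keyed by a few of the feature kinds the slides mention.
# Records 0 and 6 are deliberately identical to show a repeated fingerprint.
SAMPLE_FINGERPRINTS = [
    {"user_agent": "UA-A", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "c1", "fonts": "f1"},
    {"user_agent": "UA-A", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "c2", "fonts": "f1"},
    {"user_agent": "UA-A", "screen": "1366x768",  "timezone": "UTC+9", "canvas": "c3", "fonts": "f2"},
    {"user_agent": "UA-B", "screen": "1366x768",  "timezone": "UTC+9", "canvas": "c4", "fonts": "f2"},
    {"user_agent": "UA-B", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "c5", "fonts": "f3"},
    {"user_agent": "UA-B", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "c6", "fonts": "f3"},
    {"user_agent": "UA-A", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "c1", "fonts": "f1"},
    {"user_agent": "UA-B", "screen": "1366x768",  "timezone": "UTC+9", "canvas": "c8", "fonts": "f2"},
]


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_by_feature(fingerprints):
    """Per-feature entropy: how many bits each feature alone contributes.

    A feature that never varies (0 bits) cannot tell browsers apart; one that
    is unique per browser carries log2(N) bits for N observed browsers.
    """
    features = sorted({name for fp in fingerprints for name in fp})
    return {name: shannon_entropy([fp.get(name) for fp in fingerprints]) for name in features}


def _as_key(fingerprint):
    return tuple(sorted(fingerprint.items()))


def fingerprint_entropy(fingerprints):
    """Entropy of the complete fingerprint (all features combined)."""
    return shannon_entropy([_as_key(fp) for fp in fingerprints])


def surprisal_bits(fingerprints, fingerprint):
    """Bits revealed by one complete fingerprint: -log2 of the fraction of
    observed browsers that share it (Eckersley's per-browser figure)."""
    key = _as_key(fingerprint)
    shared = sum(1 for fp in fingerprints if _as_key(fp) == key)
    return -math.log2(shared / len(fingerprints))


def one_in_n(bits):
    """Translate entropy in bits into 'one in N browsers shares the fingerprint'."""
    return 2 ** bits


if __name__ == "__main__":
    for name, bits in entropy_by_feature(SAMPLE_FINGERPRINTS).items():
        print(f"{name:11s} {bits:.2f} bits")
    print(f"full fingerprint: {fingerprint_entropy(SAMPLE_FINGERPRINTS):.2f} bits")
    shared_with = one_in_n(surprisal_bits(SAMPLE_FINGERPRINTS, SAMPLE_FINGERPRINTS[0]))
    print(f"record 0 shares its fingerprint with 1 in {shared_with:.0f} observed browsers")
    # Eckersley's headline figure, read back as 'one in N'.
    print(f"18.1 bits -> one in {one_in_n(18.1):,.0f}")
```

    On the constructed data the timezone contributes 0 bits, the canvas hash 2.75 bits (eight browsers, one repeated value), and the whole fingerprint also 2.75 bits because the canvas value alone already separates every record that the other features separate. This is the check a honeypot operator can run over its own fleet: any feature whose entropy across instances is 0 is a feature an adversary can rely on.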

  • 24

    3.2 Online Scan Services

    Assessment of 23 Services

    Cymon.io, Desenmascara.me, Dr.Web, Forcepoint CSI ACE Insight, Google Safe Browsing site status, Hacker Combat, Hybrid Analysis, Is It Hacked?, Joe Sandbox Cloud, Kaspersky VirusDesk, Malwares.com, MalwareURL, Norton SafeWeb, Quttera, ReScan.Pro, SiteGuarding, Sucuri SiteCheck, urlQuery, Urlscan.io, VirusTotal, Web of Trust, Webroot BrightCloud, Zulu URL Risk Analyzer

  • 25

    3.2 Online Scan Services

    Assessment of 23 Services

    6 out of 23 detected 68% of the exploits on average

  • 26

    3.2 Online Scan Services

    Fingerprints of 6 Services

    2 out of 6 yielded fingerprints

    • Joe Sandbox Cloud: all features static; single IP address

    • Hybrid Analysis: all features static except screen resolution; single IP address

    0% detection

  • 27

    3.3 Honeypots in the Wild

    Data Collection & Analysis

    INPUT: Referer URL, IP address, Fingerprint

    INITIAL SET: IP addresses of 57 companies from the RIRs' WHOIS databases

    OUTPUT: IP addresses, Fingerprints
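    The INPUT / INITIAL SET / OUTPUT loop on this slide is, in algorithmic terms, a fixed-point expansion: fingerprints seen from known IP addresses are labelled, every visit whose fingerprint resembles a labelled one closely enough is labelled too, and its IP address joins the known set for the next pass. The Python below is an added example, not the author's code, written from the honeypot operator's side: it runs the same linkage over a constructed visit log (assumed feature names and values, RFC 5737 documentation addresses) to measure how much of a scanner fleet an observer could tie to one known address despite IP and user-agent changes, and then models the mitigation the conclusion slide calls anti-tracking for honeypots by re-randomising two features per visit. The resemblance threshold of 0.85 is an illustrative choice: with eight features it lets one differing feature still link while two do not.

```python
# Constructed visit log (not the talk's dataset): what a page can record per
# hit, as listed on the slide: referer URL, client IP, fingerprint. Feature
# names and values are assumptions made for this example.
HONEYPOT_PROFILE = {
    "user_agent": "UA-H", "screen": "1024x768", "timezone": "UTC+0",
    "canvas": "canvas-H", "fonts": "fonts-H", "webgl": "webgl-H",
    "plugins": "none", "language": "en-US",
}


def _variant(**changes):
    """Copy of the constructed scanner profile with a few features changed."""
    fp = dict(HONEYPOT_PROFILE)
    fp.update(changes)
    return fp


VISITS = [
    # Seed: a scanner instance whose IP is already in the initial set.
    {"referer": "http://example.test/seed", "ip": "198.51.100.10", "fingerprint": _variant()},
    # Same profile behind another IP, with a spoofed user agent (7 of 8 features agree).
    {"referer": "http://example.test/a", "ip": "198.51.100.11", "fingerprint": _variant(user_agent="UA-spoofed")},
    # Same profile from a different network with a different screen resolution.
    {"referer": "http://example.test/b", "ip": "203.0.113.5", "fingerprint": _variant(screen="1280x1024")},
    # Spoofed UA and different screen: too far from the seed, but close to the .11 visit,
    # so it is linked in a later pass once .11 itself has been labelled.
    {"referer": "http://example.test/c", "ip": "203.0.113.6",
     "fingerprint": _variant(user_agent="UA-spoofed", screen="1280x1024")},
    # Ordinary users, constructed to share little with the profile.
    {"referer": "http://example.test/d", "ip": "192.0.2.77", "fingerprint": {
        "user_agent": "UA-user1", "screen": "1920x1080", "timezone": "UTC+9", "canvas": "canvas-u1",
        "fonts": "fonts-u1", "webgl": "webgl-u1", "plugins": "pdf", "language": "ko-KR"}},
    {"referer": "http://example.test/e", "ip": "192.0.2.78", "fingerprint": {
        "user_agent": "UA-H", "screen": "1440x900", "timezone": "UTC+0", "canvas": "canvas-u2",
        "fonts": "fonts-u2", "webgl": "webgl-u2", "plugins": "pdf", "language": "en-US"}},
]


def resemblance(fp_a, fp_b):
    """Fraction of common features whose values agree, in [0, 1]."""
    common = fp_a.keys() & fp_b.keys()
    if not common:
        return 0.0
    return sum(fp_a[k] == fp_b[k] for k in common) / len(common)


def expand_from_seed(visits, seed_ips, threshold):
    """Fixed-point expansion mirroring INPUT / INITIAL SET / OUTPUT.

    Fingerprints seen from seed IPs are labelled; any visit whose fingerprint
    resembles a labelled one at or above `threshold` is labelled too and its IP
    joins the known set. Repeats until a pass links nothing new.
    """
    known_ips = set(seed_ips)
    known_fps = [v["fingerprint"] for v in visits if v["ip"] in known_ips]
    changed = True
    while changed:
        changed = False
        for v in visits:
            if v["ip"] in known_ips:
                continue
            if any(resemblance(v["fingerprint"], k) >= threshold for k in known_fps):
                known_ips.add(v["ip"])
                known_fps.append(v["fingerprint"])
                changed = True
    return known_ips, known_fps


def linkage_rate(visits, seed_ips, threshold):
    """Share of non-seed visits that end up linked to the seed set: an operator's
    measure of how traceable the fleet is across IP and user-agent changes."""
    linked_ips, _ = expand_from_seed(visits, seed_ips, threshold)
    others = [v for v in visits if v["ip"] not in seed_ips]
    return sum(v["ip"] in linked_ips for v in others) / len(others)


def with_per_visit_variation(visits, features):
    """Mitigation model: a copy of the log in which every visit reports a
    distinct value for each named feature, as a fleet that re-randomises e.g.
    canvas and WebGL output per session would."""
    out = []
    for i, v in enumerate(visits):
        fp = dict(v["fingerprint"])
        for name in features:
            fp[name] = f"{name}-rand-{i}"
        out.append({**v, "fingerprint": fp})
    return out


if __name__ == "__main__":
    seeds = {"198.51.100.10"}
    ips, _ = expand_from_seed(VISITS, seeds, threshold=0.85)
    print("linked IPs:", sorted(ips))
    print(f"linkage rate: {linkage_rate(VISITS, seeds, 0.85):.2f}")
    varied = with_per_visit_variation(VISITS, ["canvas", "webgl"])
    print(f"linkage rate with per-visit canvas/WebGL variation: {linkage_rate(varied, seeds, 0.85):.2f}")
```

    From the single seed the loop recovers all three other scanner addresses, including 203.0.113.6, which never resembles the seed directly and is only reached through the intermediate .11 fingerprint; that is the slide's "gradually identify more IP addresses as the dataset grows". After two features are varied per visit, nothing beyond the seed is linked, which is why the conclusion lists anti-tracking for honeypots as a mitigation.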

  • 28

    3.3 Honeypots in the Wild

    Result

    COLLECTION: 872 fingerprints, 273 distinct fingerprints

    ANALYSIS: 8 networks discovered

    • Palo Alto Networks

    • Qihu Technology

    • Trend Micro

  • 29

    3.3 Honeypots in the Wild

    Sample Fingerprint #1

  • 30

    3.3 Honeypots in the Wild

    Sample Fingerprint #2

  • 31

    3.3 Honeypots in the Wild

    Sample Fingerprint #3

  • 32

    3.4 Anti-Virus Products

    Assessment of Top 8 Products against Basic JavaScript Obfuscation

    Avast Premier, Bitdefender Total Security, ESET Internet Security, Kaspersky Internet Security, Malwarebytes Premium, McAfee LiveSafe, …

  • 33

    3.5 Conclusion

    Observation

    • Our approach makes online scan services ineffective, and helps discover hidden client honeypots as data collection continues

    • The existing approach makes anti-virus products ineffective (against browser exploits)

    Mitigation

    • Anti-tracking for honeypots or for all browsers

    • Honeypot operation policy

    • Dataset poisoning by sharing IP addresses

    Improvement

    • Larger, labelled dataset