
Honeyclients Root Out Attackers' Domains


August 2007


The Internet is a dangerous place. As businesses and government agencies have discovered, hackers are finding innovative ways to exploit the security vulnerabilities in enterprise networks and client-side software applications. Worms, Trojan horses, and viruses can spread in minutes to affect millions of Internet users and cause billions of dollars in damage to computer networks.

The growing threat of client-side attacks has network administrators increasingly worried. By setting up malicious servers, or by compromising servers and installing malicious software, hackers can take control of computers through vulnerable client programs, such as Web browsers. These attacks bypass most firewall protections. In July 2006, more than a million computers were infected through contact with a social networking website, where attackers bought a banner ad that they then embedded with malicious code.

To address this threat, MITRE has developed a prototype open-source package that proactively monitors Internet servers for fast-running, malicious programs designed to infect user systems. The tool, called a "honeyclient," appears to the hacker as a vulnerable client, open to attack by malicious programs, generally known as "malware."

Sweetening the Pot

Honeyclients are an extension of earlier systems known as "honeypots." Honeypots are similar to honeyclients in that they are used as targets for attacks and that they gather information, but honeypots are otherwise wholly passive devices. They're also limited to discovering server-based attacks, while honeyclients focus on the emerging threat of client-side attacks.

"There's a new cottage industry in low-level hacking," explains Kathy Wang, a MITRE lead information security scientist who directs the company's honeyclient research and development project. "It's easier to attack certain types of applications, such as Web browsers, than it is to attack servers. The honeyclient project is currently focused on vulnerabilities in popular web browsers like Internet Explorer (IE) and Firefox."

These vulnerabilities develop because of the constant evolution of client-side applications, Wang says. As servers are upgraded and new functionality is unveiled, programmers add more lines of code. The additional complexity of the software opens up security holes.

"The old security problems get fixed, but attackers come up with new attacks as the software gets more complex," she says. "We call this the 'arms race.'"

Using Spiders to Attack Worms

As the "arms race" escalates, Wang and her team are trying to discover and characterize zero-day exploits and new malware variants, and to outrun what they believe is another serious emerging hacker threat—something called a "contagion worm attack." Such an attack has not yet been detected. But if a contagion worm were to target high-traffic Internet servers, Wang and her team estimate that it could cause immense damage to government and corporate computer networks worldwide.

In such an attack, the malicious code would initially be placed on a low-traffic server, awaiting contact from a vulnerable Web browser. The user of the vulnerable browser would have no idea that anything was amiss as he or she surfed from the low-traffic site to a high-traffic site such as a popular news server, depositing the malicious code "payload" and infecting millions of other Internet users when they visit that news server.

"This is a wheel-and-spoke model of infection, one that would affect Internet users around the world, literally within minutes," Wang explains. In a worst-case scenario, a contagion worm attack could cripple or shut down an entire computer network—a fearful prospect for MITRE's government sponsors and private industry alike.

To forestall such an event, honeyclients survey high-traffic sites randomly, checking those sites' file caches, along with other factors. "We spider the server the way Google spiders websites," she says. "If we see inconsistencies, we know there is a problem." (For more details on how a honeyclient works, see sidebar, "Weaving a Safer Web.")

The honeyclient provides users with an automated worm and virus detection process, explains Darien Kindlund, a senior information security engineer and a member of Wang's development team. "Ideally, we envision companies and government agencies deploying honeyclients as a next-generation early warning system."

Sidebar: Weaving a Safer Web

What exactly is a honeyclient? It's a system that drives a client application to servers in an attempt to ferret out "malware" such as Internet worms. MITRE's honeyclient prototype is implemented as a series of Perl scripts that execute on the Windows 2000 and Windows XP platforms, driving the Internet Explorer browser and automatically spidering (also known as "crawling") high-traffic websites. The browser grabs each URL on the high-traffic sites, repeatedly hitting every link found. After each visit, file and registry key integrity checks are performed to determine whether changes have been made to sensitive system files or keys. If the honeyclient finds such changes, it flags the URL as potentially malicious, notifies an analyst (who figures out the exploit using reverse-engineering tools), and continues logging and analyzing the network traffic associated with that URL.
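The file and registry integrity check described in the "Weaving a Safer Web" sidebar, as an added illustration that is not MITRE's Perl prototype: take a baseline of the monitored files and registry keys, let the browser visit a URL, re-check, and flag the URL on any difference. Files are hashed with SHA-256 under a temporary directory and the registry is modelled as a dict so the logic runs offline on any OS; the URLs, paths, key names and the simulated drive-by effect are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed demo values: a well-known autostart key prefix and sample paths.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

def snapshot_files(root):
    """Map every file under root to its SHA-256 digest (the integrity baseline)."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return (added, removed, modified) keys between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return added, removed, modified

def check_url(url, file_root, registry, visit):
    """Baseline, let `visit` drive the browser to url, re-check, flag url if anything changed."""
    files_before, reg_before = snapshot_files(file_root), dict(registry)
    visit(url)  # stand-in for driving Internet Explorer to the URL
    files_after, reg_after = snapshot_files(file_root), dict(registry)
    changes = {"files": diff_snapshots(files_before, files_after),
               "registry": diff_snapshots(reg_before, reg_after)}
    flagged = any(part for group in changes.values() for part in group)  # any non-empty diff
    return flagged, changes

def demo():
    """Constructed scenario: a benign page, then a page that drops a file and a Run key."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "system32", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    registry = {RUN_KEY + "Updater": "updater.exe"}  # pre-existing, legitimate entry

    def drive_by(url):  # simulated effect of a malicious page on the client
        with open(os.path.join(root, "system32", "dropped.dll"), "wb") as fh:
            fh.write(b"MZ")
        registry[RUN_KEY + "svc"] = r"C:\temp\svc.exe"

    return (check_url("http://example.test/ok", root, registry, lambda url: None),
            check_url("http://example.test/bad", root, registry, drive_by))
```

Each flagged URL's change set is what an analyst would receive alongside the logged network traffic for that URL.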

Building a Framework to Sting Malware

Today, no standard structure exists for capturing the malware data gathered by honeyclients. "We are developing a common framework that any organization can use to track various kinds of malware," Kindlund says. "We think the tool we're developing will provide a common platform for government agencies to leverage. We want to foster cross-collaboration among honeyclient deployments."

Currently, MITRE has several honeyclients running 24 hours a day, seven days a week. The honeyclients have detected password stealers and "keylogger" attacks, and Wang says her group believes it may have recently seen evidence of a "zero-day" or previously unreported attack. Such security breaches are not detectable by traditional security devices. "I'm pretty proud to say that now we can actually identify malware on remote sites, which is a big step in our research process," she says. "We can capture the malicious code and analyze it. We can learn how it operates."

As the project proceeds, MITRE researchers hope to identify and categorize other emerging worm and virus threats, explains J.D. Durick, a senior information security engineer who supported the project. "We're trying to keep a step ahead of the current threats," he says. This is easier said than done, because hackers are notoriously fast-moving. "The tough part is finding a malicious site and getting to really study it, since they don't stay up for long."

The project also aims to answer other key network security questions, such as:

  • How effective can honeyclients be in finding new attacks?
  • Which search mechanisms are most effective at uncovering new exploits and malware payloads, assuming that attackers are trying to avoid detection?
  • What are the costs and benefits of deploying honeyclients?
  • Which new security issues, risks, and vulnerabilities may arise from honeyclients?
  • What are the most important attributes of malicious websites?

The work is part of a MITRE research project. Representatives from commercial Internet security vendors, academia, and government are interested in possibly collaborating with Wang and her team on honeyclient research and development.

"MITRE is in a unique position to be at the center of all this," Wang says. "We have received support from developers outside of MITRE. Articles have been written about the MITRE honeyclient project. This is a great opportunity to bring organizations together to address the growing area of client-side application exploitation."

The Buzz on Honeyclients Grows

Given the urgency of the threat, the MITRE honeyclient development team has already released an open-source version of the honeyclient prototype available for public use. MITRE has also launched a website (http://www.honeyclient.org/trac) from which anyone will be able to download the honeyclient source code, modify it, and contribute to the project. "The best way to get acceptance is to have buy-in from academics and government and industry folks," Wang says. These same groups may also contribute to informal working sessions that will assist with ongoing honeyclient research and development.

The real value for MITRE sponsors and other honeyclient users will be in the time gained for responding to hacker attacks, Durick says. "Government agencies are always hit—they are a huge bull's-eye for the hackers," he says. "Having a heads-up about an ongoing attack will allow our sponsors to limit the damage. For example, they could update firewall rules in near real-time to block access to those malicious sites flagged by honeyclients."

—by Maria S. Lee


Page last updated: August 13, 2007