A Client Honeypot

MASARYKOVA UNIVERSITY
FACULTY OF INFORMATICS

A CLIENT HONEYPOT

MASTER'S THESIS
BC. VLADIMÍR BARTL
BRNO, FALL 2014

STATEMENT OF AUTHORSHIP

Hereby I declare that this thesis is my original work, which I accomplished independently. All sources, references and literature I use or refer to are accurately cited and stated in the thesis.

Signature: ............................................

ACKNOWLEDGEMENT

I wish to express my gratitude to RNDr. Marian Novotny, Ph.D. for governance over this thesis. Furthermore, I wish to thank my family and my girlfriend for their support throughout the process of writing.

TUTOR: RNDr. Marian Novotny, Ph.D.

ABSTRACT

This thesis discusses the topic of malicious software, with emphasis on client-side threats and vulnerable users. It gives an insight into the concept of client honeypots and compares several implementations of this approach. A configuration of one selected tool is proposed and tested in an experiment.

KEYWORDS

client honeypot, low-interaction, high-interaction, malware, attacker, exploit, vulnerability, Cuckoo Sandbox

TABLE OF CONTENTS

1 INTRODUCTION ..... 3
1.1 MOTIVATION ..... 4
1.2 CONTRIBUTION ..... 6
2 BACKGROUND THEORY ..... 7
2.1 WHAT IS A HONEYPOT ..... 8
2.1.1 DEFINITION OF A HONEYPOT ..... 9
2.1.2 SERVER VS. CLIENT HONEYPOT ..... 9
2.1.3 HONEYPOT BY INTERACTION LEVEL ..... 11
2.1.4 HONEYPOT BY DEPLOYMENT ENVIRONMENT ..... 13
2.2 ATTACKERS ..... 14
2.2.1 TARGETS OF ATTACKS ..... 16
2.2.2 POSSIBLE MOTIVES ..... 16
2.2.3 STRUCTURE OF AN ATTACK ..... 17
2.3 MALWARE ..... 18
2.3.1 TYPES OF MALWARE ..... 19
2.3.2 ATTACK VECTORS ..... 21
2.3.2.1 HTML ..... 23
2.3.2.2 JavaScript ..... 23
2.3.2.3 SQL Injection ..... 24
2.3.2.4 Cross-site scripting ..... 25
2.3.2.5 Buffer Overflow ..... 27
2.3.2.6 Drive-by download attack ..... 28
2.3.3 PROTECTION TOOLS ..... 32
2.3.3.1 AVG Web TuneUp ..... 32
2.3.3.2 McAfee SiteAdvisor ..... 33
2.3.3.3 Sandboxie ..... 34
2.3.4 ANALYSIS TOOLS ..... 36
2.3.4.1 urlQuery.net ..... 36
2.3.4.2 VirusTotal.com ..... 38
2.3.4.3 Malwr.com ..... 39
2.3.4.4 herdProtect.com ..... 42
2.3.5 MALWARE RESOURCES REPOSITORIES ..... 44
3 HANDS ON CLIENT HONEYPOT ..... 46
3.1 LOW INTERACTION ..... 46
3.1.1 HONEYC ..... 46
3.1.2 THUG ..... 47
3.1.3 YALIH ..... 50
3.2 HIGH INTERACTION ..... 53
3.2.1 CAPTUREHPC ..... 53
3.2.2 STRIDER HONEYMONKEY ..... 55
3.2.3 CUCKOO SANDBOX ..... 56
3.2.4 HONEYSPIDER NETWORK 2.0 ..... 60
3.3 COMPARING HONEYCLIENTS ..... 66
4 CUCKOO SANDBOX ..... 69
4.1 DETAILED DESCRIPTION ..... 69
4.1.1 ARCHITECTURE & MODULARITY ..... 69
4.1.2 STARTING AN ANALYSIS ..... 71
4.1.3 AN ANALYSIS ..... 72
4.1.4 OUTPUT OF AN ANALYSIS ..... 73
4.1.5 WEB FRONT-END ..... 74
4.2 DEPLOYING THE HONEYPOT ..... 76
4.2.1 HOST OPERATING SYSTEM AND SOFTWARE ..... 76
4.2.2 GUEST VM SYSTEMS INSTALLATION ..... 77
5 EXPERIMENT ..... 80
5.1 CONFIGURATION OF CUCKOO INSTANCE ..... 80
5.2 DEFINING THE EXPERIMENT ..... 82
5.3 PROCESS OF THE EXPERIMENT ..... 82
5.4 OUTPUT ..... 84
5.5 SAMPLE ANALYSIS ..... 87
5.6 EVALUATION ..... 90
6 SUMMARY ..... 91

1 INTRODUCTION

Modern society makes tremendous use of computer technology and of the Internet, and its everyday use is growing exponentially. Some kind of computer can be found in almost every type of electronic device, and not only there. Computers are operated by a vast number of people with greatly diverse levels of knowledge and operating skills,
