It's no secret that advanced browser-based malware manages to circumvent NIDS platforms that scan for content-based signatures. Today's web exploit kits can be polymorphic and display different behaviors that are hard to fingerprint through HTTP analysis.
Attackers switch between different types of malware, move their exploit kits between servers or constantly morph the traffic to look legitimate. By the time relevant data is collected and transformed into a signature for a defender’s NIDS, the attacker might have already breached the network and reached their objective.
According to a new study by researchers at the University of North Carolina, relevant new content-based signatures can be created using dynamic honeyclient on-the-wire network analysis. The UNC researchers found a new way to detect network-based exploit kits. They designed a honeyclient that acts as a smart filter, receiving traffic and caching it while impersonating both the client and the server in order to get the exploit kit to activate. This way, the malware decloaks itself and a signature can be generated.
The researchers created a single honeyclient to scan for Flash-based exploits, and installed it in the University's network. They managed to trigger and detect several types of exploit kits, such as Nuclear, Angler, and Flashpack. This is no easy feat: in order to get the exploit kit to run, the honeyclient must perfectly mimic the targeted server and service. For example, the honeyclient must run the right version of Flash (the exact version that the malware is designed to exploit).
How does it work?
The system is based on semantic content caching: the honeyclient caches several minutes of received network traffic. When data packets come in through the net, the honeyclient first reassembles them at the TCP level and connects them to the relevant data stream, and then reassembles them at the HTTP level. Object types are determined using a combination of their HTTP Content-Type header, the file extension specified in the URL, and the first 512 bytes of the payload. In order to be more effective, the honeyclient performs the caching in the application layer and not the network layer. This is because much of the incoming traffic arrives from the same sources – Google, Facebook, YouTube, etc. – and is easier to compress as application-layer objects than as raw network-layer packets. The honeyclient then impersonates the server to which the data was sent, in order to trigger and fingerprint malicious code using unmodified versions of Cuckoo Sandbox and ShellOS.
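The object-typing step described above combines three signals that an attacker controls to different degrees: the Content-Type header and the URL extension are trivially set by the serving host, while the first bytes of the payload must still match what the victim's plugin expects. The following Python script is an added illustration of that step and is not the UNC researchers' code; the sample HTTP objects, the header/extension tables and the magic-byte list are constructed here, and a disagreement between the signals (for example an SWF body served as `image/gif`) is surfaced as a flag, which a defender would want to see because it is exactly the kind of mislabelling an exploit kit uses to slip past content-type based filtering.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Well-known file headers checked against the first 512 bytes of the body.
# (Assumed list for this example; a production classifier would use libmagic.)
MAGIC_SIGNATURES = [
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),   # uncompressed / zlib / LZMA Flash
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                                # ZIP container, also JAR
    (b"MZ", "pe"),                                         # Windows executable
    (b"\x89PNG", "png"), (b"GIF8", "gif"), (b"\xff\xd8\xff", "jpeg"),
]

# Content-Type values and URL extensions mapped to the same type vocabulary.
# JAR is a ZIP container, so both are normalised to "zip".
CONTENT_TYPE_MAP = {
    "application/x-shockwave-flash": "swf", "application/pdf": "pdf",
    "application/java-archive": "zip", "application/zip": "zip",
    "text/html": "html", "text/javascript": "js", "application/javascript": "js",
    "image/png": "png", "image/gif": "gif", "image/jpeg": "jpeg",
}
EXTENSION_MAP = {
    "swf": "swf", "pdf": "pdf", "jar": "zip", "zip": "zip", "exe": "pe",
    "html": "html", "htm": "html", "js": "js",
    "png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg",
}


@dataclass
class HttpObject:
    """One reassembled HTTP response: the URL it was fetched from, its header and body."""
    url: str
    content_type: str
    body: bytes


def type_from_header(content_type: str):
    """Media type from the Content-Type header, ignoring parameters such as charset."""
    media = content_type.split(";", 1)[0].strip().lower()
    return CONTENT_TYPE_MAP.get(media)


def type_from_url(url: str):
    """Type hinted by the extension of the last path segment, if there is one."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return EXTENSION_MAP.get(last.rsplit(".", 1)[-1].lower())


def type_from_payload(body: bytes):
    """Type inferred from the first 512 bytes: magic numbers first, then an HTML heuristic."""
    head = body[:512]
    for magic, kind in MAGIC_SIGNATURES:
        if head.startswith(magic):
            return kind
    text = head.lstrip().lower()
    if text.startswith(b"<!doctype html") or text.startswith(b"<html") or b"<script" in text:
        return "html"
    return None


def classify(obj: HttpObject):
    """Return (decided_type, mismatch).

    The payload bytes win because they are what the client plugin will actually parse;
    the header and extension are only hints. Any hint that disagrees with the decision
    sets mismatch=True so the object can be prioritised for replay in the sandbox.
    """
    hints = {
        "header": type_from_header(obj.content_type),
        "url": type_from_url(obj.url),
        "payload": type_from_payload(obj.body),
    }
    decided = hints["payload"] or hints["header"] or hints["url"] or "unknown"
    mismatch = any(h is not None and h != decided for h in hints.values())
    return decided, mismatch


# Constructed sample objects standing in for reassembled HTTP responses.
SAMPLE_OBJECTS = [
    HttpObject("http://cdn.example.test/banner.gif", "image/gif", b"CWS\x0f\x00\x01" + b"\x00" * 40),
    HttpObject("http://docs.example.test/report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    HttpObject("http://www.example.test/landing", "text/html; charset=utf-8", b"<!DOCTYPE html><html>..."),
    HttpObject("http://www.example.test/update.exe", "application/octet-stream", b"MZ\x90\x00\x03\x00"),
]


def scan(objects):
    """Classify every object; returns a list of (url, type, mismatch) tuples."""
    return [(o.url, *classify(o)) for o in objects]


if __name__ == "__main__":
    for url, kind, mismatch in scan(SAMPLE_OBJECTS):
        print(f"{'MISMATCH ' if mismatch else '         '}{kind:8} {url}")
```

Running the script prints one line per object; only the Flash file disguised as a GIF is flagged. In a honeyclient the flagged object is the one to cache and replay against the emulated client first, since its true type, not its advertised one, determines which plugin version must be impersonated to make the exploit fire.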
What does this mean for defenders?
The research carried out at UNC shows creative usage of honeypots to battle web attacks and defend servers, using a defender's most powerful asset: their knowledge of their own network. The ability to detect malicious code on-the-wire is essential for defenders, and we hope more companies will see the benefits of deception-based protection and implement deception security solutions as part of their networks.