generated.htaccess

BehindtheScenesofOnlineAttacks:anAnalysisofExploitationBehaviorsontheWebDavideCanaliEURECOM,Francecanali@eurecom.
frDavideBalzarottiEURECOM,Francebalzarotti@eurecom.
frAbstractWebattacksarenowadaysoneofthemajorthreatsontheInternet,andseveralstudieshaveanalyzedthem,providingdetailsonhowtheyareperformedandhowtheyspread.
However,nostudyseemstohavesufcientlyanalyzedthetypicalbehaviorofanattackerafterawebsitehasbeencompromised.
Thispaperpresentsthedesign,implementation,andde-ploymentofanetworkof500fullyfunctionalhoneypotweb-sites,hostingarangeofdifferentservices,whoseaimistoattractattackersandcollectinformationonwhattheydoduringandaftertheirattacks.
In100daysofexperiments,oursystemautomaticallycollected,normalized,andclus-teredover85,000lesthatwerecreatedduringapproxi-mately6,000attacks.
Labelingtheclustersallowedustodrawageneralpictureoftheattacklandscape,identifyingthebehaviorbehindeachactionperformedbothduringandaftertheexploitationofawebapplication.
1IntroductionWebattacksareoneofthemostimportantsourcesoflossofnancialandintellectualproperty.
Inthelastyears,suchattackshavebeenevolvinginnumberandsophisti-cation,targetinggovernmentsandhighprolecompanies,stealingvaluablepersonaluserinformationandcausing-nanciallossesofmillionsofeuros.
Moreover,thenumberofpeoplebrowsingthewebthroughcomputers,tabletsandsmartphonesisconstantlyincreasing,makingweb-relatedattacksaveryappealingtargetforcriminals.
Thistrendisalsoreectedinthetopicofacademicre-search.
Infact,aquicklookatthepaperspublishedinthelastfewyearsshowshowalargenumberofthemcoverweb-relatedattacksanddefenses.
Someofthesestudiesfo-cusoncommonvulnerabilitiesrelatedtowebapplications,webservers,orwebbrowsers,andonthewaythesecompo-nentsgetcompromised.
Othersdissectandanalyzethein-ternalsofspecicattackcampaigns[13,5,17],orproposenewprotectionmechanismstomitigateexistingattacks.
Theresultisthatalmostallthewebinfectionspanoramahasbeenstudiedindetail:howattackersscantheweborusegoogledorkstondvulnerableapplications,howtheyrunautomatedattacks,andhowtheydelivermaliciouscon-tenttothenalusers.
However,thereisstillamissingpieceinthepuzzle.
Infact,noacademicworkseemstohavesuf-cientlydetailedthebehaviorofanaverageattackerduringandafterawebsiteiscompromised.
Sometimestheattack-ersareonlyaftertheinformationstoredintheserviceit-self,forinstancewhenthegoalistostealusercredentialsthroughaSQLinjection.
Butinthemajorityofthecases,theattackerwantstomaintainaccesstothecompromisedmachineandincludeitaspartofalargermaliciousinfras-tructure(e.
g.
,toactasaC&Cserverforabotnetortode-livermaliciousdocumentstotheuserswhovisitthepage).
Whiletherecentliteratureoftenfocusesoncatchytop-ics,suchasdrive-by-downloadsandblack-hatSEO,thisisjustthetipoftheiceberg.
Infact,thereisawidevarietyofmaliciousactivitiesperformedontheInternetonadailybasis,withgoalsthatareoftendifferentfromthoseofthehigh-prolecybercriminalswhoattractthemediaandthesecurityrms'attention.
Themainreasonforwhichnopreviousworkwasdoneinthisdirectionofresearchisthatalmostalloftheexistingprojectsbasedonwebhoneypotsusefake,or'mock'appli-cations.
Thismeansthatnorealattackscanbeperformedandthus,inthegeneralcase,thatallthestepsthatwouldcommonlybeperformedbytheattackeraftertheexploita-tionwillbemissed.
Asaresult,tobetterunderstandthemotivationofthevariousclassesofattackers,antiviruscompanieshaveoftenreliedontheinformationreportedbytheirclients.
Forex-ample,inarecentsurveyconductedbyCommtouchandtheStopBadwareorganization[7],600ownersofcompromisedwebsiteshavebeenaskedtollaquestionnairetoreportwhattheattackerdidafterexploitingthewebsite.
There-sultsareinteresting,buttheapproachcannotbeautomated,itisdifculttorepeat,andthereisnoguaranteethattheusers(mostofthetimenotexpertsinsecurity)wereabletosuccessfullydistinguishoneclassofattackfromtheother.
Inthispaperweprovide,forthersttime,acompre-hensiveandaggregatestudyofthebehaviorofattackersontheweb.
Wefocusouranalysisontwoseparateaspects:i)theexploitationphase,inwhichweinvestigatehowattacksareperfomeduntilthepointwheretheapplicationiscom-promised,andii)thepost-exploitationphase,inwhichweexaminewhatattackersdoaftertheytakecontroloftheap-plication.
Therstpartdealswithmethodsandtechniques(i.
e.
,the"how")usedtoattackwebapplications,whilethesecondparttriestoinferthereasonsandgoals(i.
e.
,the"why")behindsuchattacks.
Forthisreason,inthispaperwedonotanalyzecommonSQLinjectionsorcross-sitescriptingvulnerabilities.
In-stead,ourhoneypotistailoredtoattractandmonitorcrimi-nalsthatareinterestedingaining(andmaintaining)controlofwebapplications.
Ourresultsshowinterestingtrendsonthewayinwhichthemajorityofsuchattacksareperformedinthewild.
Forexample,weidentify4separatephasesand13differentgoalsthatarecommonlypursuedbytheattack-ers.
Withinthelimitsoftheavailablespace,wealsoprovidesomeinsightsintoafewinterestingattackscenariosthatweidentiedduringtheoperationofourhoneypots.
Theremainderofthepaperisorganizedasfollows:inSection2weexplorethecurrentstateoftheartconcerningwebhoneypotsandthedetectionandanalysisofwebat-tacks.
Section3describesthearchitectureofthehoneypotnetworkwedeployedforourstudy;Section4givesmoredetailsaboutthedeploymentofthesystemandthewaywecollecteddataduringourexperiments.
Finally,Section5andSection6summarizetheresultsofourstudyintermofexploitationandpost-exploitationbehaviors.
Section7concludesthepaperandprovidesideasonfuturedirectionsintheeld.
2RelatedWorkHoneypotsarenowadaysthetoolofchoicetodetectat-tacksandsuspiciousbehaviorsontheInternet.
Theycanbeclassiedintwocategories:clienthoneypots,whichdetectexploitsbyactivelyvisitingwebsitesorexecutingles,andserverhoneypots,whichattracttheattackersbyexposingoneormorevulnerable(orapparentlyvulnerable)services.
Inthisstudy,wearemainlyinterestedinthesecondcategory,sinceouraimistostudythebehaviorofat-tackersafterawebservicehasbeencompromised.
Sev-eralserver-sidehoneypotshavebeenproposedinthepastyears,allowingforthedeploymentofhoneypotsforvirtu-allyanypossibleservice.
Inparticular,wecandistinguishtwomainclasses:high-interactionandlow-interactionhon-eypots.
Therstonlysimulateservices,andthuscanobserveincomingattacksbutcannotbereallyexploited.
Thesehoneypotsusuallyhavelimitedcapabilities,butareveryusefultogatherinformationaboutnetworkprobesandautomatedattackactivities.
Examplesofthesearehon-eyd[21],Leurre.
com[20]andSGNET[16],whichareabletoemulateseveraloperatingsystemsandservices.
High-interactionhoneypots[19],ontheotherhand,presenttotheattackerafullyfunctionalenvironmentthatcanbeex-ploited.
Thiskindofhoneypotismuchmoreusefultogetinsightsintothemodusoperandiofattackers,butusuallycomeswithhighsetupandmaintenancecosts.
Duetothefactthattheycanbeexploited,high-interactionhoneypotsareusuallydeployedasvirtualmachines,allowingtheiroriginalstatetoberestoredafteracompromise.
Thestudyofattacksagainstwebapplicationsisoftendonethroughthedeploymentofwebhoneypots.
Exam-plesoflow-interactionwebhoneypotsaretheGoogleHackHoneypot[3](designedtoattractattackersthatusesearchenginestondvulnerablewebapplications),Glastopf[24]andtheDShieldWebHoneypotproject[4],allbasedontheideaofusingtemplatesorpatternsinordertomimicseveralvulnerablewebapplications.
Anotherinterestingapproachforcreatinglowinteractionwebhoneypotshasbeenpro-posedbyJohnetal.
[14]:withtheaidofsearchengines'logs,thissystemisabletoidentifymaliciousqueriesfromattackersandautomaticallygenerateanddeployhoneypotpagesrespondingtotheobservedsearchcriteria.
Unfortu-nately,theresultsthatcanbecollectedbylow-interactionsolutionsarelimitedtovisitsfromcrawlersandautomatedscripts.
Anymanualinteractionwiththesystemwillbemissed,becausehumanscanquicklyrealizethesystemisatrapandnotarealfunctionalapplication.
Apartfromthis,thestudypresentedin[14]collectedsomeinterestingin-sightsaboutautomatedattacks.
Forexample,theauthorsfoundthatthemediantimeforhoneypotpagestobeat-tackedaftertheyhavebeencrawledbyasearchenginespi-deris12days,andthatlocalledisclosurevulnerabilitiesseemtobethemostsoughtafterbyattackers,accountingtomorethan40%ofthemaliciousrequestsreceivedbytheirheat-seekinghoneypots.
Otherverycommonattackpatternsweretryingtoaccessspecicles(e.
g.
,webap-plicationinstallationscripts),andlookingforremoteleinclusionvulnerabilities.
Acommoncharacteristicofallthesepatternsisthattheyareverysuitableforanautomaticattack,astheyonlyrequiretoaccesssomexedpathsortryingtoinjectprecomputeddatainURLquerystrings.
Theauthorsalsoproposedasetupthatissimilartotheoneadoptedinthispaper,buttheydecidedtonotimplementitduetothetheirconcernsaboutthepossibilityforattackerstouseinfectedhoneypotmachinesasasteppingstoneforotherattacks.
WeexplainhowwedealwiththisaspectinSection3.
1.
Ifinterestedinstudyingtherealbehaviorofattackers,onehastotakeadifferentapproachbasedonhighinterac-tionhoneypots.
ArstattemptinthisdirectionwasdonebytheHIHATtoolkit[18].
Unfortunately,theevaluationofthetooldidnotcontainanyinterestingnding,asitwasrunforfewdaysonlyandthehoneypotreceivedonly8000hits,mostlyfrombenigncrawlers.
Tothebestofourknowl-edge,ourstudyistherstlargescaleevaluationofthepost-exploitationbehaviorofattackersontheweb.
However,somesimilarworkhasbeendoneoncatego-rizingtheattackers'behavioroninteractiveshellsofhigh-interactionhoneypotsrunningSSH[19,23].
Someinter-estingndingsofthesestudiesarethatattackersseemtospecializetheirmachinesforsomespecictasks(i.
e.
,scansandSSHbruteforceattacksarerunfrommachinesthataredifferentfromtheonesusedforintrusion),andthatmanyofthemdonotactasknowledgeableusers,usingverysimi-larattackmethodsandsequencesofcommands,suggestingthatmostattackersareactuallyfollowingcookbooksthatcanbefoundontheInternet.
Also,thecommandsissuedontheseSSHhoneypotshighlightthatthemainactivitiesperformedonthesystemswerecheckingthesoftwarecon-guration,andtryingtoinstallmalicioussoftware,suchasbotnetscripts.
AswedescribeinSection6,wealsoob-servedsimilarbehaviorsinourstudy.
Finally,partofourstudyconcernsthecategorizationoflesuploadedtoourhoneypots.
Severalpapershavebeenpublishedonhowtodetectsimilaritiesbetweensourcecodeles,especiallyforplagiarismdetection[6,26].
Othersim-ilarityframeworkshavebeenproposedforthedetectionofsimilaritiesbetweenimagesandothermultimediafor-mats,mostlyforthesamepurpose.
Unfortunately,wesawagreatvarietyoflesuploadedtoourhoneypots,andmanyofthemconsistedinobfuscatedsourcecode(thatrendersmostplagiarismdetectionmethodsuseless),binarydataorarchives.
Also,manyoftheproposedplagiarismdetectiontoolsandalgorithmsareveryresource-demanding,anddif-culttoapplytolargedatasets.
Thesereasonsmaketheplagiarismdetectionapproachesunsuitableforourneeds.
Theproblemofclassifyingandngerprintinglesofanytypehas,however,beenstudiedintheareaofforensics.
Inparticular,somestudiesbasedontheideaofsimilaritydigesthavebeenpublishedinthelastfewyears[15,25].
Theseapproacheshavebeenproventobereliableandfastwithregardtothedetectionofsimilaritiesbetweenlesofanykind,beingbasedonthebyte-streamrepresentationofdata.
Wechosetofollowthisapproach,andusethetwotoolsproposedin[15,25],forourwork.
3HoneyProxyOurhoneypotsystemiscomposedofanumberofweb-sites(500inourexperiments),eachcontainingtheinstal-lationofveamongthemostcommon-andnotoriouslyvulnerable-contentmanagementsystems,17pre-installedPHPwebshells,andastaticwebsite.
Wemitigatedtheproblemofmanagingalargenumberofindependentinstallationsbyhostingallthewebappli-cationsinourfacilities,insevenisolatedvirtualmachinesrunningonaVMWareServer.
Onthehostingprovidersideweinstalledonlyanad-hocproxyscript(HoneyProxy)inchargeofforwardingallthereceivedtrafctotherightVMonourserver.
Thisallowedustocentralizethedatacollec-tionwhilestillbeingabletodistinguishtherequestsfromdistincthosts.
Ahigh-leveloverviewofthesystemisshowninFigure1.
ThePHPproxyaddstwocustomheaderstoeachrequestitreceivesfromavisitor:X-Forwarded-For:thisstandardheader,whichisusedingeneralbyproxies,issettotherealIPaddressoftheclient.
Incasetheclientarriveswiththisheaderalreadyset,thenalX-Forwarded-ForwilllistallthepreviousIPsseen,keepingthustrackofalltheproxiestraversedbytheclient.
X-Server-Path:thiscustomheaderissetbythePHPproxyinordertomakeitpossible,forus,tounder-standthedomainofprovenanceoftherequestwhenanalyzingtherequestlogsonthevirtualmachines.
Anexampleofsuchanentryis:X-Server-Path:http://sub1.
site.
com/Thesetwoheadersaretransmittedfortrackingpurposesonlybetweenthehostingprovider'swebserverandthehon-eypotVM'swebserver,andthusarenotvisibletotheusersoftheHoneyProxy.
3.
1ContainmentEachvirtualmachinewasproperlysetuptocontaintheattackersandpreventthemfromcausinganyharmoutsideourhoneypot.
Inparticular,weblockedoutgoingconnec-tions(whichcouldotherwiseresultinattackstoexternalhosts),patchedthesourcecodeofthevulnerableblogandforumapplicationstohidemessagespostedbyspammers(thatcouldresultinadvertisingmaliciouslinks),andtunedthelesystemprivilegestoallowattackerstoperpetratetheirattacks,butnottotakecontrolofthemachineortomodifythemainsourcelesofeachapplication.
Still,thedangerofhostingmaliciouslesuploadedbyattackersex-ists,andwetacklethisproblembyrestoringeveryvirtualmachinetoitspristinestateatregulartimeintervals.
Inthefollowinglines,webrieyexplainthepossibleabusesthatcanbeperpetratedonahoneypotmachineandpresentourwaytopreventormitigatethem.
Gaininghighprivilegesonthemachine.
Wetacklethisproblembyusingvirtualmachineswithup-to-datesoftwareandsecuritypatches.
Ineachvirtual(a)Architectureofthesystem-highlevel.
(b)Architectureofthesystem-detail.
Figure1.
High-levelarchitectureofthesystem.
machine,thewebserverandallexposedservicesrunasnonprivilegeduser.
Ofcourse,thissolu-tiondoesnotguaranteeaprotectionagainstnew0-dayattacks,butwedidourbesttolimittheattacksurface,havingonly3servicesrunningonthema-chine(apache,sshd,mysqld),amongwhichonlythewebserverisexposedtotheInternet.
Weconsideredthepossibilityofa0-dayattackagainstapachefairlyremote,and,mayithappen,avastmajorityoftheIn-ternetwillbeexposedtoitaswell.
Usingthehoneypotmachineasasteppingstonetolaunchattacksoremailcampaigns.
Thisisprobablythemostimportantconcernthathastobeaddressedbeforedeployingafullyfunctionalhoneypotmachine.
Inourcase,weusedregulariptablesrulestoblock(andlog)alloutgoingtrafcfromthevirtualmachines,exceptforalreadyestablishedconnections.
Oneex-ceptiontothisruleistheIRCport(6667).
Wewillexplainthisinmoredetailinsections4and6.
Hostinganddistributingillegalcontent(e.
g.
,phishingpages).
Itisdifculttopreventthisthreatwhenappli-cationshaveremoteleuploadvulnerabilities.
How-ever,itispossibletomitigatetheriskofdistributingil-legalcontentbylimitingtheprivilegesofdirectoriesinwhichlescanbeuploadedandpreventingthemodi-cationofalltheexistingHTMLandPHPles.
Inaddi-tion,wealsomonitoreverychangeontheVMlesys-tems,andwheneveralechangeisdetected,thesys-temtakesasnapshotofit.
Thevirtualmachineisthenrestored,atregularintervals,toitsoriginalsnapshot,thuspreventingpotentiallyharmfulcontentfrombe-ingdeliveredtovictimsorindexedbysearchengines.
Illegallypromotinggoodsorservices(e.
g.
,spamlinks).
Anotherissueisraisedbyapplicationsthat,aspartoftheirbasicwayofworking,allowuserstowriteandpublishcommentsorposts.
ThisisthecaseforanyblogorforumCMS.
Theseapplicationsareoftenaneasytargetforspammers,aswewillshowinsec-tion5.
3.
1,andwhenhostinganhoneypotitisimpor-tanttomakesurethatlinksandpoststhatarepostedbybotsdonotreachanyenduserordonotgetin-dexedbysearchengines.
Wesolvedthisproblembymodifyingthesourcecodeoftheblogandforumap-plications(namely,WordpressandSimpleMachinesForum),commentingoutthesnippetsofcoderespon-sibleofshowingthecontentofposts.
Withthismodi-cation,itwasstillpossibleforattackerstopostmes-sages(andforustocollectthem),butnavigatingthepostsorcommentswillonlyshowblankmessages.
Thesecountermeasuresarelimitingtheinformationwecancollectwithourhoneypot(e.
g.
,inthecaseinwhichanattackeruploadsaback-connectscriptthatisblockedbyourrewall),butwebelievetheyarenecessarytopreventourinfrastructuretobemisusedformaliciouspurposes.
3.
2DataCollectionandAnalysisOuranalysisoftheattackers'behaviorisbasedontwosourcesofinformation:thelogsoftheincomingHTTPre-quests,andthelesthataremodiedorgeneratedbytheattackersaftertheyobtainaccesstothecompromisedma-chines.
WebuiltsometoolsfortheanalysisofHTTPrequestlogs,allowingustoidentifyknownbenigncrawlers,knownattacksonourwebapplications,aswellasobtainingde-tailedstatistics(numberandtypeofrequestsreceived,User-Agent,IPaddressandgeolocalizationofeveryvisitor,anal-ysisofthe'Referer'header,andanalysisoftheinter-arrivaltimebetweenrequests).
Ouranalysistoolsalsoallowustonormalizethetimeofattackrelativelytothetimezoneoftheattacker,andtodetectpossiblecorrelationsbetweenattacks(e.
g.
,anautomatedscriptinfectingawebapplicationup-loadingale,followedbyanotherIPvisitingtheuploadedlefromanotherIPaddress).
WealsodevelopedaparserfortheHTTPrequestlogsofthemostcommonlyusedPHPwebshells,allowingustoextracttherequestedcommandsandunderstandwhattheattackerwasdoingonoursystems.
Weemployedtwosourcesofuploadedormodiedles:webserverlogsandlesnapshotsfrommonitoreddirecto-ries.
Webserverlogsaretheprimarysourceofuploadedles,aseveryleuploadprocessedbyourhoneypotsisfullyloggedontheapachemodsecuritylogs.
Filesnap-shotsfrommonitoreddirectoriesonthevirtualmachines,instead,aretheprimarysourceforlesthataremodiedorgeneratedonthemachine,oraboutarchivesorencryptedlesthataredecompressedonthesystem.
Thetotalnum-berofleswewereabletoextractfromthesesourceswas85,567,ofwhich34,259unique.
Giventhehighnumberofuniqueleswecollected,amanualleanalysiswaspracticallyinfeasible.
Therefore,inordertoeasetheanalysisofthecollecteddata,werstseparatelesaccordingtotheirtypes,andthenapplysim-ilarityclusteringtoseehowmanyofthemactuallydif-ferfromeachotherinasubstantialway.
Thisallowsustoidentifycommonpracticesintheundergroundcommu-nities,suchasredistributingthesameattackorphishingscriptsafterchangingtheowner'sname,thelogincreden-tials,orafterinsertingabackdoor.
FirstofallweemployedtheleLinuxutilitytocate-gorizelesandgroupthemin10macro-categories:sourcecode,picture,executable,data,archive,text,HTMLdocu-ment,link,multimedia,andother.
Wethenobservedthatmanylesinthesamecate-goryonlydifferforfewbytes(oftenwhitespacesduetocut&paste)ortodifferenttextincludedinsourcecodecom-ments.
Therefore,toimprovetheresultsofourcompari-son,werstpre-processedeachleandtransformedittoanormalizedform.
Aspartofthenormalizationprocess,weremovedalldoublespaces,tabsandnewlinecharacters,weremovedallcomments(bothC-styleandbash-style),andwenormalizednewlinesandstrippedoutemailad-dressesappearinginthecode.
ForHTMLles,weusedthehtml2textutilitytostripoutallHTMLtagsaswell.
PHPlesunderwentanadditionalpre-processingstep.
WenoticedthatalargeamountofPHPlesthatwereup-loadedtoourhoneypotsasresultofanexploitationwereobfuscated.
Forlesinthisformitisverydifcult,evenwithautomatedtools,todetectsimilaritiesamongsimilarlesencodedindifferentways.
Inordertoovercomethisissue,webuiltanautomaticPHPdeobfuscationtoolbasedontheevalhookPHPextension[10],amodulethathookseverycalltodynamiccodeevaluationfunctions,allowingforstep-by-stepdeobfuscationofPHPcode.
Wedeployedourtoolonavirtualmachinewithnonetworkaccess(toavoidlaunchingattacksorscansagainstremotemachines,assomeobfuscatedscriptscouldstartremoteconnectionsorattacksuponexecution)and,foreachlewithatleastonelevelofdeobfuscation(i.
e.
,nestedcalltoeval()),wesaveditsdeobfuscatedcode.
OurapproachallowedustodeobfuscatealmostallthePHPlesthatwereobfuscatedusingregularbuilt-infea-turesofthelanguage(e.
g.
,gzipandbase64encodinganddecoding,dynamiccodeevaluationusingtheeval()func-tion).
TheonlyobfuscatedPHPleswewerenotabletodecodewerethoseterminatingwithanerror(oftenbecauseofsyntaxerrors)andthoseencodedwithspecializedcom-mercialtools,suchasZendOptimizerorionCubePHPEn-coder.
However,weobservedonlythreesamplesencodedwiththesetools.
Intotal,wesuccessfullydeobfuscated1,217distinctles,accountingfor24%ofthesourcecodewecollected.
Interestingly,eachlewasnormallyencodedmultipletimesandrequiredanaverageof9roundsofde-obfuscationtore-trievetheoriginalPHPcode(withfewsamplesthatrequiredastunning101rounds).
3.
2.
1SimilarityClustering.
Oncethenormalizationstepwascompleted,wecomputedtwosimilaritymeasuresbetweenanygivencoupleoflesinthesamecategory,us-ingtwostate-of-the-arttoolsfor(binarydata)similarityde-tection:ssdeep[15]andsdhash[25].
Wethenappliedasimpleagglomerativeclusteringalgorithmtoclusterallleswhosesimilarityscorewasgreaterthan0.
5intothesamegroup.
Wediscardedlesforwhichouranalysiswasnotabletondanysimilarelement.
Fortheremainingpart,weper-formedamanualanalysistocategorizeeachclusteraccord-ingtoitspurpose.
Sinceleshadalreadybeengroupedbysimilarity,onlytheanalysis(i.
e.
,openingandinspectingthecontent)ofonelepergroupwasnecessary.
Duringthisphase,wewereabletodeneseverallecategories,allow-ingustobetterunderstandtheintentionsoftheattackers.
Moreover,thisstepallowedustogainsomeinsightsonanumberofinterestingattackcases,someofwhicharere-portedinthefollowingsectionsasshortin-depthexamples.
4SystemDeploymentThe500honeyproxyhavebeendeployedonsharedhost-ingplans1chosenfromeightofthemostpopularinterna-tionalwebhostingprovidersontheInternet(fromUSA,France,Germany,andtheNetherlands).
InorderforourHoneyProxytoworkproperly,eachproviderhadtosupporttheuseofthecURLlibrariesthroughPHP,andallowout-goingconnectionstoportsotherthan80and443.
Tomakeourhoneypotsreachablefromwebusers,wepurchased100bulkdomainnamesonGoDaddy.
comwithprivacyprotection.
Thedomainswereequallydistributedamongthe.
com,.
org,and.
netTLDs,andassignedevenlyacrossthehostingproviders.
Oneachhosting1Thisisusuallythemosteconomicalhostingoption,andconsistsinhavingawebsitehostedonawebserverwheremanyotherwebsitesresideandsharethemachine'sresources.
provider,wecongured4additionalsubdomainsforev-erydomain,thushaving5distinctwebsites(topreservetheanonymityofourhoneypot,hereinafterwewillsim-plycallthemwww.
site.
com,sub1.
site.
com,sub2.
site.
com,sub3.
site.
com,sub4.
site.
com)Finally,weadvertisedthe500domainsonthehomepageoftheauthorsandontheresearchgroup'swebsitebymeansoftransparentlinks,asalreadyproposedbyM¨uteretal.
[18]forasimilarpurpose.
Weusedamodiedversionoftheftp-deployscript[11]toupload,inbatch,acustomizedPHPproxytoeachofthe500websitesinourpossession.
Thissimpliedthedeploy-mentandupdateofthePHPproxy,anduniformedthewayinwhichweuploadlestoeachhostingservice2,Thankstoacombinationof.
htaccess,ModRewrite,andcURL,wewereabletotransparentlyforwardtheuserrequeststotheappropriateURLonthecorrespondingvirtualmachine.
Anyattempttoreadanon-existingresource,ortoaccesstheproxypageitselfwouldresultinablankerrorpageshowntotheuser.
Nottakingintoaccountpossibletimingattacksorintrusionsonthewebhostingprovider'sservers,therewasnowayforavisitortounderstandthathewastalkingtoaproxy.
TheHoneyProxysysteminstalledoneverywebsiteiscomposedofanindexle,thePHPproxyscriptitselfandacongurationle.
Theindexleisthehomepageofthewebsite,anditlinkstothevulnerablewebapplicationsandtootherhoneypotwebsites,basedonthecontentsofthecongurationle.
Thelinkingstructureisnotthesameforeverysubdo-main,ascanbenoticedtakingacloserlookatFigure1(a).
Indeed,eachsubdomainlinkstoatmost2differentsubdo-mainsunderitssamedomain.
Weputinplacethissmalllinkinggraphwiththeaimofdetectingpossiblemalicioustrafcfromsystemsthatautomaticallyfollowlinksandper-formautomatedattacksorscans.
4.
1InstalledWebApplicationsWeinstalledatotalof5vulnerableCMSson7distinctVirtualMachines.
TheContentManagementSystemswerechosenamongthemostknownandvulnerableonesatthetimewestartedourdeployment.
ForeachCMS,wechoseaversionwithahighnumberofreportedvulnerabilities,oratleastwithacriticalonethatwouldallowtheattackertotakefullcontroloftheapplication.
Wealsolimitedourchoicetoversionnomorethan5yearsoldinordertoensureourwebsitesarestillofinteresttoattackers.
Ourchoicewasguidedbythebeliefthatattackersarealwayslookingforlow-hangingfruits.
Ontheotherhand,2Sharedwebhostingservicesfromdifferentprovidersusuallycomewiththeirowncustomadministrativewebinterfaceanddirectorystructure,andveryfewofthemoffersshaccessorother'advanced'managementoptions.
Thus,theonlypossiblewaytoautomatethedeploymentofthewebsiteswastouseFTP,theonlyprotocolsupportedbyeveryprovider.
ourhoneypotswillprobablymisssophisticatedanduncon-ventionalattacks,mostlytargetedtohighproleorganiza-tionsorwellknownwebsites.
However,theseattacksarenoteasytostudywithsimplehoneypotinfrastructuresandarethereforeoutsidethescopeofourstudy.
Table1describesthevulnerableapplicationsinstalledonthe7virtualmachines,alongwiththeirpublicationdateandthelistoftheirknownandexploitablevulnerabilities.
WehaveinstalledtwoinstancesofWordPress2.
8,onewithCAPTCHAprotectiononcomments,andonewithoutCAPTCHAprotection,inordertoseeifthereareattack-ersthatregisterfakeaccountsbyhand,orsystemsthatarecapableofautomaticallysolveCAPTCHAs.
Thisdoesnotseemtobethecase,sincewedidnotreceiveanypostontheCAPTCHA-protectedblog.
Therefore,wewillnotdiscussitanyfurtherintherestofthepaper.
4.
2DataCollectionWecollected100daysoflogsonourvirtualmachines,startingDecember23rd,2011.
Alltheresultspresentedinourworkderivefromtheanalysisofthelogsofthese7machines.
Overall,wecollected9.
5GbofrawHTTPrequests,con-sistinginapproximately11.
0MGETand1.
9MPOST.
Ourhoneypotswerevisitedbymorethan73,000differentIPad-dresses,spanning178countriesandpresentingthemselveswithmorethan11,000distinctUser-Agents.
ThisisoveroneorderofmagnitudelargerthanwhathasbeenobservedinthepreviousstudybyJohnetal.
onlowinteractionweb-applicationhoneypots[14].
Moreover,wealsoextractedover85,000lesthatwereuploadedormodiedduringat-tacksagainstourwebsites.
Therearetwodifferentwaystolookatthedatawecol-lected:oneistoidentifyandstudytheattackslookingatthewebserverlogs,andtheotheroneistotrytoassociateagoaltoeachofthembyanalyzingtheuploadedandmod-iedles.
ThesetwoviewsaredescribedinmoredetailinthenexttwoSections.
5ExploitationandPost-ExploitationBehav-iorsInordertobetteranalyzethebehaviorofattackersluredbyourhoneypots,wedecidedtodivideeachattackinfourdifferentphases:discovery,reconnaissance,exploitation,andpost-exploitation.
TheDiscoveryphasedescribeshowattackersndtheirtargets,e.
g.
byqueryingasearchengineorbysimplyscanningIPaddresses.
TheReconnaissancephasecontainsinformationrelatedtothewayinwhichthepageswerevisited,forinstancebyusingautomatedcrawlersorbymanualaccessthroughananonymizationproxy.
IntheExploitationphasewedescribethenumberVM#CMS,versionPluginsDescriptionVulnerabilities1phpMyAdmin,3.
0.
1.
1-MySQLdatabasePHPcodeinjectionmanager2osCommerce,2.
2-RC2a-Onlineshop2remoteleupload,arbitraryadminpasswordmodication3Joomla,1.
5.
0comgraphics,tinymceGeneric/multipurposeportalXSS,arbitraryadminpasswordmodication,remoteleupload,localleinclusion4Wordpress,2.
8kino,Blog(nonmoderatedRemoteleinclude,amphionlitethemecomments)adminpasswordreset5SimpleMachines-Forum(nonmoderatedposts)HTMLinjectioninposts,storedForum(SMF),1.
1.
3XSS,blindSQLinjection,localleinclude(partiallyworking)6PHPwebshells,staticsite-Staticsiteand17PHPshellsallowtorunanykindofcommandsonthehostPHPshells(reachablethroughhiddenlinks)7Wordpress,2.
8kino,Blog(captcha-protectedRemoteleinclude,amphionlitethemecomments)adminpasswordresetTable1.
Applicationsinstalledonthehoneypotvirtualmachines,togetherwithabriefdescriptionandalistoftheirknownandexploitablevulnerabilities.
andtypesofactualattacksperformedagainstourwebap-plications.
Someoftheattacksreachtheirnalgoalthem-selves(forinstancebychangingapagetoredirecttoama-liciouswebsite),whileothersareonlyuploadingasecondstage.
Inthiscase,theuploadedleisoftenawebshellthatislaterusedbytheattackertomanuallylogintothecom-promisedsystemandcontinuetheattack.
WerefertothislaterstageasthePost-Exploitationphase.
Itishardtopresentallpossiblecombinationsofbehav-iors.
Notallphasesarealwayspresentineachattack(e.
g.
,reconnaissanceandexploitationcanbeperformedinasin-glemonolithicstep),someofthevisitsneverleadtoanyactualattack,andsometimesitisjustimpossibletolinkto-getherdifferentactionsperformedbythesameattackerwithdifferentIPaddresses.
However,byextractingthemostcommonpatternsfromthedatacollectedateachstage,wecanidentifythe"typicalattackprole"observedinourex-periment.
Suchprolecanbesummarizedasfollows:1.
69.
8%oftheattacksstartwithascoutbotvisitingthepage.
ThescoutoftentriestohideitsUserAgentordisguiseasalegitimatebrowserorsearchenginecrawler.
2.
Fewsecondsafterthescouthasidentiedthepageasaninterestingtarget,asecondautomatedsystem(here-inafterexploitationbot)visitsthepageandexecutestherealexploit.
Thisisoftenaseparatescriptthatdoesnotfaketheuseragent,thereforeoftenappearingwithstringssuchaslibwww/perl.
3.
Ifthevulnerabilityallowstheattackertouploadale,in46%ofthecasestheexploitationbotuploadsawebshell.
Moreover,themajorityoftheattacksuploadthesamelemultipletimes(inaverage9,andsometimesupto30),probablytobesurethattheattackwassuc-cessful.
4.
Afteranaverageof3hoursand26minutes,theat-tackerlogsintothemachineusingthepreviouslyup-loadedshell.
Theaveragelogintimeforanattackerinteractivesessionis5minutesand37seconds.
Whilethisrepresentsthemostcommonbehaviorex-tractedfromourdataset,manyothercombinationswereob-servedaswell-someofwhicharedescribedintherestofthesection.
Finally,itisimportanttomentionthattheattackbehaviormaychangedependingontheapplicationandonthevulnerabilitythatisexploited.
Therefore,weshouldsaythatthepreviousdescriptionsummarizesthemostcommonbehaviorofattacksagainstosCommerce2.
2(thewebap-plicationthatreceivedbyfarthelargestnumberofattacksamongourhoneypots).
Figure2showsaquicksummaryofsomeofthecharac-teristicsofeachphase.
3Moreinformationandstatisticsarereportedintherestofthesection.
Then,basedontheanal-ysisofthelesuploadedormodiedduringtheexploita-tionandpost-exploitationphases,inSection6wewilltry3Thepicturedoesnotcountthetrafctowardstheopenforum,becauseitsextremelylargenumberofconnectionscomparedwithotherattackswouldhavecompletelydominatedthestatistics.
Figure2.
OverviewofthefourphasesofanattackFigure3.
VolumeofHTTPrequestsreceivedbyouthoneypotsduringthestudy.
tosummarizethedifferentgoalsandmotivationsbehindtheattacksweobservedinourexperiments.
5.
1DiscoveryTheveryrstHTTPrequesthitourhoneypotproxiesonly10minutesafterthedeployment,fromGooglebot.
TherstdirectrequestononeIPaddressofourvirtualmachines(runningonport8002)cameafter1hourand50minutes.
Duringtherstfewdays,mostofthetrafcwascausedbybenignwebcrawlers.
Therefore,wedesignedasim-plesolutiontolteroutbenigncrawler-generatedtrafcfromtheremainingtrafc.
SinceHTTPheadersalonearenottrustable(e.
g.
,attackersoftenuseUserAgentssuchas'Googlebot'intheirscripts)wecollectedpublicinfor-mationavailableonbots[2,1]andwecombinedthemFigure4.
Amountofrequests,byissuingcountry.
withinformationextractedfromourlogsandvalidatedwithWHOISresultsinordertoidentifycrawlersfromknowncompanies.
BycombiningUserAgentstringsandtheIPad-dressrangesassociatedtoknowncompanies,wewereabletoidentifywithcertainty14differentcrawlers,originatingfrom1965differentIPs.
Eventhoughthisisnotacompletelist(e.
g,Johnetal.
[14]usedamorecomplextechniquetoidentify16webcrawlers),itwasabletosuccessfullylteroutmostofthetrafcgeneratedbybenigncrawlers.
SomestatisticsabouttheoriginoftherequestsisshowninFigure3.
Theamountoflegitimatecrawlerrequestsismoreorlessstableintime,while,astimegoesbyandthehoneypotwebsitesgetindexedbysearchenginesandlinkedonhackingforumsoronlinkfarmingnetworks,thenumberofrequestsbymaliciousbotsornon-crawlershasanalmostlinearincrease.
Whenplottingthesegeneralstatisticswealsoidentiedanumberofsuspiciousspikesintheaccesspatterns.
Insev-eralcases,oneofourwebapplicationswasvisited,infewhours,byseveralthousandsofuniqueIPaddresses(com-paredwithanaverageof192perday),aclearindicationthatabotnetwasusedtoscanoursites.
Interestingly,weobservedtherstsuspiciousactivityonly2hoursand10minutesafterthedeploymentofoursystem,whenourforumwebapplicationstartedreceivingfewautomatedregistrations.
However,therstpostsontheforumappearedonlyfourdayslater,onDecember27th.
Evenmoresurprisingwasthefactthattherstvisitfromanon-crawlercoincidedwiththerstattack:4hours30min-utesafterthedeploymentofthehoneypots,abrowserwithPolishlocalevisitedourosCommercewebapplication4andexploitedaleuploadvulnerabilitytouploadamaliciousPHPscripttothehoneypot.
Figure4summarizesthevis-itsreceivedbyourhoneypot(benigncrawlersexcluded),groupedbytheirgeolocalization.
5.
1.
1RefererAnalysis.
TheanalysisoftheRefererHTTPheader(wheneveravailable)helpedusidentifyhowvisitorswereabletondourhoneypotsontheweb.
Basedontheresults,wecandistinguishtwomaincategoriesofusers:criminalsusingsearchenginestondvulnerableap-plications,andvictimsofphishingattacksfollowinglinkspostedinemailsandpublicforums(anexampleofthisphe-nomenonisdiscussedinSection6.
8).
Atotalof66,449visitorsreachedourhoneypotpageswiththeRefererheaderset.
Thedomainsthatappearmostfrequentlyasreferrersaresearchengines,followedbywebmailsandpublicforums.
Googleisleadingwith17,156en-tries.
Otherimportantsearchenginesusedbytheattackerstolocateourwebsites,wereYandex(1,016),Bing(263),andYahoo(98).
Atotalof7,325visitorsarrivedfromwebmailservices(4,776fromSFR,972fromFacebook,944werefromYahoo!
Mail,493fromLive.
com,407fromAOLMail,and108fromcomcast.
net).
Finally,15,746requestsoriginatedfromseveralpublicwebforums,partiallybe-longingtohackingcommunities,andpartiallyjusttargetedbyspambots.
Finally,weextractedsearchqueries(alsoknownas'dorks',whenusedformaliciouspurposes)fromRefererheaderssetbythemostcommonwebsearchengines.
Ouranalysisshowsthatthesearchtermsusedbyattackershighlydependontheapplicationdeployedonthehoneypot.
Forexample,themostcommondorkthatwasusedtoreachourJoomlawebapplicationcontainedthewords'joomlaallowsyou',whiletheSimpleMachinesForumwasoften4SinceUserAgentinformationcanbeeasilyspoofed,wecannotproveourassumptionsaboutthebrowserandtoolsrunbytheattacker,andhisorherlocale,arecorrect.
reachedbysearching'poweredbysmf'.
Ourmachinecon-tainingpublicwebshellswasoftenreachedviadorkslike'inurl:c99.
php','[cyberanarchyshell]'oreven'[ftpbute-forcer][securityinfo][processes][mysql][php-code][en-coder][backdoor][back-connection][home][enumerate][md5-lookup][word-lists][milw0rmit!
][search][self-kill][about]'.
Thelatterquery,eventhoughverylong,wasusedmorethan150timestoreachourmachinewithwebshells.
Itwasprobablypreferredtosearchingvia'intitle:'or'inurl:'becausescriptnamesandtitlesareoftencustomizedbyattackersandassuchsearch-ingfortheirtextualcontentmayreturnmoreresultsthansearchingforxedurlpatternsorpagetitles.
Somespecial-izedsearchenginesappeartobeusedaswell,suchasdev-ilnder.
com,whichwasadoptedin141casestoreachsomeoftheshellsonourmachines.
Thissearchengineclaimstoshowmorelow-rankingresultsthancommonsearchen-gines,nottostoreanysearchdata,andtoreturnupto300resultsonthesamewebpage,makingitverysuitableforattackerswillingtosearchfordorksandcollectlonglistsofvulnerablewebsites.
5.
2ReconnaissanceAfterremovingthelegitimatecrawlers,thelargestpartofthetrafcreceivedbyourhoneypotswasfromuniden-tiedsources,manyofwhichwereresponsibleofsendingautomatedHTTPrequests.
Wefoundthesesourcestoberesponsibleforthemajorityofattacksandspammessagestargetingourhoneypotsduringthestudy.
However,distinguishingattackersthatmanuallyvisitedourapplicationsfromtheonesthatemployedautomatedscoutbotsisnoteasy.
Weappliedthefollowingthreerulestoagtheautomatedrequests:Inter-arrivaltime.
IfrequestsfromthesameIPaddressarriveatafrequencyhigherthanacertainthreshold,weconsiderthetrafcasoriginatedfromapossiblemaliciousbot.
Requestofimages.
Automatedsystems,andespeciallythosehavingtooptimizetheirspeed,almostneverrequestimagesorotherpresentation-relatedcontentfromwebsites.
ScanningweblogsforvisitorsthatneverrequestimagesorCSScontentisthusaneasywayofspottingpossibleautomatedscanners.
Subdomainvisitpattern.
AsdescribedinSection4,eachwebsitewedeployedconsistedinanumberofsub-domainslinkedtogetheraccordingtoapredeter-minedpattern.
IfthesameIPaccessestheminashorttimeframe,followingourpatterns,thenitislikelytobeanautomatedcrawler.
Forexample,afterremovingthebenigncrawlers,ato-talof9.
5Mhitswerereceivedbysystemswhodidnotre-questanyimage,against1.
8Mfromsystemthatalsore-questedimagesandpresentationcontent.
Onthecontrary,only641IPaddresses(responsiblefor13.
4Khits)visitedourwebsitesbyfollowingourlinksinapreciseaccesspat-tern.
Amongthem,60%followedabreadthrstapproach.
85%oftheautomatedrequestsweredirectedtoourfo-rumwebapplication,andwereresponsibleforregisteringfakeuserprolesandpostingspammessages.
Ofthere-maining1.
4Mrequestsdirectedtothesixremaininghon-eypotapplications,95KweremimickingtheUser-Agentofknownsearchengines,and264Kswitchedbetweenmul-tipleUser-Agentsovertime.
TheremainingrequestsdidnotcontainanysuspiciousUser-Agentstring,didnotfol-lowpathsbetweendomains,neitherrequestedimages.
Assuch,weclassiedthemasunknown(possiblybenign)bots.
5.
3ExploitationTherstimportantactivitytodoinordertodetectex-ploitationattemptswasparsingtheloglesinsearchofattacktraces.
Luckily,knowingalreadythevulnerabilitiesaffectingourwebapplicationsallowedustoquicklyandreliablyscanforattacksinourlogsusingasetofregularexpressions.
Overall,welogged444distinctexploitationsessions.
Aninterestingndingisthat310ofthemadoptedtwoormoredifferentUser-Agentstrings,appearinginshortse-quencefromthesameIPaddress.
AsexplainedinthebeginningofSection5,thisoftenhappenswhenattackersemployacombinationofscoutbotsandautomaticattackscriptsinordertospeedupattacksandquicklyndnewtargets.
Inparticular,intwothirds(294)ofthetotalex-ploitationsessionsweobserved,theUser-AgentusedfortheexploitationwastheoneassociatedtotheLibWWWPerllibrary(libwww/perl).
Insomeoftheseexploitationsessions,theattackertriedtodisguisehertoolsandbrowserasknownbenignbots.
SomecrawlerUser-Agentstringsthatwereoftenusedduringexploitationsessionswere:FreeWebMonitoring,Gigabot/3.
0,gsa-crawler,IlTrovatore-Setaccio/1.
2,bing-bot/2.
0;,andGooglebot/2.
1.
Themostremarkablesideeffectofeveryexploitationsessionistheuploadormodicationoflesonthevic-timmachine.
Quitesurprisingly,wenoticedthatwhenanexploitationsessionuploadsale,theleisuploadedinaverage9.
75times.
Thisstrangebehaviorcanbeexplainedbythefactthatmostoftheexploitationtoolsareautomated,andsincetheattackerdoesnotcheckinreal-timewhethereachexploitsucceededornot,uploadingthesamelemul-tipletimescanincreasethechancefortheletobesuccess-fullyuploadedatleastonce.
Figure5.
Normalizedtimesdistributionforat-tacksessionsUsingtheapproachpresentedinSection3.
2,weauto-maticallycategorizedthelesuploadedtoourhoneypotsasaresultofexploitingvulnerableservices.
Wethencorre-latedinformationabouteachattacksessionwiththecatego-rizationresultsforthecollectedles.
Resultsofthisphaseshowthatthelesuploadedduringattacksessionsconsist,in45.
75%ofthecases,inwebshells,in17.
25%ofthecasesinphishingles(singleHTMLpagesorcompletephishingkits),in1.
75%ofthecasesinscriptsthatautomaticallytrytodownloadandexecutelesfromremoteURLs,andin1.
5%ofthecasesinscriptsforlocalinformationgather-ing.
Finally,32.
75%oftheuploadedleswerenotcatego-rizedbyoursystem,eitherbecausetheywerenotsimilartoanythingelsethatweobserved,orbecausetheyweremul-timedialesandpictures(e.
g.
,imagesorsoundtracksfordefacementpages)thatwerenotrelevantforourstudy.
Figure5showsthenormalizedtimesoftheattacksre-ceivedbyourhoneypots.
ThevalueswerecomputedbyadjustingtheactualtimeoftheattackwiththetimezoneextractedfromtheIPgeolocalization.
Assuch,ournormal-izationdoesnotreectthecorrectvalueincasetheattackerisproxyingitsconnectionthroughanIPinadifferentpartoftheworld.
However,thegraphshowsacleardaylighttrendforboththeexploitationandpost-exploitationphases.
Inparticular,fortheinteractivesessionsweobservedfewerattacksperformedbetween4amand10am,whenprobablyalsothecriminalsneedtogetsomesleep.
Interestingly,alsotheexploitationphase,thatismostlyautomated,showsasimilartrend(eventhoughnotasclear).
Thiscouldbetheconsequenceofscansperformedthroughbotnetinfectedmachines,someofwhichareprobablyturnedoffbytheirusersduringthenight.
Searchingourattacklogsforinformationaboutattack-ersreachingdirectlyourvirtualmachines,withoutpassingthroughthehoneypotproxies,wefoundthatasmall,butstillsignicantnumberofattackswerecarriedoutdirectlyagainsttheip:portofourhoneypots.
Inparticular,wefound25ofsuchattacksessionsagainstoure-commercewebhon-eypotand19againstourmachinehostingthewebshellsandthestaticwebsite.
Inbothcases,theattackermayhaveusedapreviousexploittoextracttheIPofourmachines(storedinaosCommercecongurationlethatwasoftendownloadedbymanyattackers,orbyinspectingthema-chinethroughaninteractiveshell)andusethisinformationinthefollowingattacks.
5.
3.
1Posts.
Sincethe1stdayofoperation,ourforumap-plicationreceivedaverylargeamountoftrafc.
Mostofitwasfromautomatedspammingbotsthatkeptoodingtheforumwithfakeregistrationsandspammessages.
Weana-lyzedeverysnapshotofthemachine'sdatabaseinordertoextractinformationabouttheforum'spostsandtheURLsthatwereembeddedineachofthem.
Thisallowedustoidentifyandcategorizeseveralspamandlinkfarmingcam-paigns,aswellasndingsomeroguepracticessuchassell-ingforumaccounts.
Atotalof68,201uniquemessageswerepostedontheforumduringourstudy,by15,753usersusing3,144uniqueIPaddresses.
Dailystatisticsontheforumshowtrendsthataretypicalofmediumtohightrafcmessageboards:anaverageof604postsperday(withamaxof3085),withanaverageof232onlineusersduringpeakhours(max403).
Evenmoresurprisingthanthenumberofpostsisthenumberofnewusersregisteredtotheforum:1907perdayinaverage,andreachingapeakof14,400onMarch23,2012.
Thisphenomenonwassocommonthat33.
8%oftheIPaddressesthatperformedactionsonourforumwerere-sponsibleofcreatingatleastonefakeaccount,butneverpostedanymessage.
Thisndingsuggeststherearesomeincentivesforcriminalstoperformautomaticuserregistra-tions,perhapsmakingthistaskevenmoreprotablethanthespammingactivityitself.
Ourhypothesisisthat,insomecases,forumaccountscanbesoldinbulktootheractorsintheblackmarket.
Weindeedfound1,260fakeaccountsthatwerecreatedfromanIPaddressandthenusedfewdayslaterbyother,differentIPs,topostmessages.
Thisdoesnotnecessarilyvalidateourhypothesis,butshowsatleastthatforumspamminghasbecomeacomplexecosystemanditisdifcult,nowadays,tondonlyasingleactorbehindaspamorlinkfarmingcampaign.
AcloserlookatthegeolocationofIPaddressesresponsi-bleforregisteringusersandpostingtotheforumshowsthatmostofthemarefromtheUnitedStatesorEasternEuropecountries(mostlyRussia,Ukraine,Poland,Latvia,Roma-nia).
Atotalof6687distinctIPaddresseswereactiveonourforum(thatis,postedatleastonemessageorregisteredoneormoreaccounts).
Amongthese,36.
8%wereassociatedtolocationsintheUS,while24.
6%camefromEasternEuro-peancountries.
ThecountrycoveragedrasticallychangesifweconsideronlyIPaddressesthatpostedatleastonemes-sagetotheforum.
Inthiscase,IPsfromtheUnitedStatesrepresent,alone,62.
3%ofalltheIPaddressesresponsibleforpostingmessages(EasternEuropeIPsinthiscaserep-resent21.
2%ofthetotal).
Finally,weperformedasimplecategorizationonallthemessagespostedontheforum,basedonthepresenceofcertainkeywords.
Thisallowedustoquicklyidentifycom-monspamtopicsandcampaigns.
Thankstothismethod,wewereabletoautomaticallycategorize63,763messages(93.
5%ofthetotal).
Thetrendsweextractedfrommessagetopicsshowclearlythatthemostcommoncategoryisdrugs(55%ofthecategorizedmessages,andshowingpeaksof2000messagesperday),followedbysearchengineoptimization(SEO)andelectronics(11%),adultcontent(8%),healthcareandhomesafety(6%).
Allthelinksinsertedintheforumpostsunderwentanin-depthanalysisusingtwoautomated,state-of-the-arttoolsforthedetectionofmaliciouswebpages,namelyGoogleSafeBrowsing[22]andWepawet[8].
Thedetectionresultsofthesetwotoolsshowthat,onthe221,423URLsweex-tractedfromtheforumposts,asmallbutnotinsignicantfraction(2248,roughly1outof100)consistedinmaliciousorpossiblyharmfullinks.
5.
4Post-ExploitationThepost-exploitationphaseincludestheanalysisoftheinteractionbetweentheattackersandthecompromisedma-chines.
Inourcase,thisisdonethroughthewebshellsin-stalledduringtheexploitationphaseor,toincreasethecol-lecteddata,throughtheaccesstothepublicshellsthatwealreadypre-installedinourvirtualmachines.
Theanalysisofthepost-exploitationphasedeservesspe-cialattentionsinceitismadeofinteractivesessionsinwhichtheattackerscanissuearbitrarycommands.
How-ever,thesewebshellsdonothaveanynotionofsession:theyjustreceivecommandsviaHTTPrequestsandprovidetheresponsesinastate-lessfashion.
Duringourexperimentswereceivedatotalof74,497shellcommands.
Thesevariedfromsimplelesystemnav-igationcommands,toleinspectionandediting,uptocom-plextasksasuploadingnewlesorperformingnetworkscans.
Tobetterunderstandwhatthisnumberrepresents,wede-cidedtogrouptogetherindividualcommandsinvirtual"in-teractivesessions"everytimetheyareissuedfromthesameIP,andtheidletimebetweenconsecutivecommandsislessthan5minutes.
Accordingtothisdenition,weregistered232interac-tivesessionsasaconsequenceofoneoftheexploitedser-vices,and8268inourpre-installedshells5.
Theaveragesessiondurationwasof5minutesand37seconds,however,weregistered9sessionslastingmorethanonehoureach.
Thelongest,intermsofcommandsissuedtothesystem,wasfromauserinSaudiArabiathatsent663commandstotheshell,includingthemanualeditingofseveralles.
Interestingly,oneofthemostcommonactionsper-formedbyusersduringanattackistheuploadofacus-tomshell,eveniftheattackerbrokeintothesystemusingashellthatwasalreadyavailableonthewebsite.
Therea-sonforthisisthatattackersknowthat,withahighproba-bility,shellsinstalledbyotherswillcontainbackdoorsandmostlikelyleakinformationtotheirowner.
Inadditiontothe17webshellssupportedbyourtools,wealsoidentiedtheHTTPpatternsassociatedtothemostcommoncustomshellsuploadedbytheattackers,sothatwecouldparsethemajorityofcommandsissuedtothem.
In83%ofthecases,attackerstriedtouseatleastoneactivecommand(uploadingoreditingale,changinglepermissions,creatinglesordirectories,scanninghosts,killingaprocess,connectingtoadatabase,sendingemails,etc.
).
Theremainingsessionswerepurelypassive,withtheattackersonlybrowsingoursystemanddownloadingsourceandcongurationles.
Finally,in61%ofthesessionstheattackersuploadedanewle,andin50%ofthemtheytriedtomodifyaleal-readyonthemachine(in13%ofthecasestoperformade-facement).
Regardingindividualcommands,themostcom-monlyexecutedweretheonesrelatedtolistingandread-inglesanddirectories,followedbyeditingles,uploadingles,runningcommandsonthesystem,listingtheprocessesrunningonthesystem,anddownloadingles.
6AttackersGoalsInthissectionweshiftthefocusfromthewaytheat-tacksareperformedtothemotivationbehindthem.
Inotherwords,wetrytounderstandwhatcriminalsdoaftertheycompromiseawebapplication.
DotheyinstallabotnetDotheytrytogainadministratorprivilegesonthehostDotheymodifythecodeoftheapplicationandinsertbackdoorsormaliciousiFrames5Forthepre-installedshells,wealsoremovedsessionsthatcontainedveryfastsequencesofcommandsorthatdidnotfetchimagesonthepages,becausetheycouldhavebeentheresultofcrawlersvisitingourpublicpages.
Sinceshellsuploadedbyattackerswerenotlinkedfromanypage,wedidnotapplythislteringtothem.
FileTypeClusteredNotClusteredClustersArchive335(82.
6%)71(17.
4%)159Data221(62.
5%)133(37.
5%)87Executable102(82.
3%)22(17.
7%)41HTMLdoc4341(100.
0%)0(0%)822Image1703(81.
9%)374(18.
1%)811Sourcecode3791(100.
0%)0(0%)482Text886(43.
8%)1138(56.
2%)219Various118(65.
9%)61(34.
1%)42Total11,497(86.
5%)1799(13.
5%)2663Table2.
ResultsofclusteringFigure6.
Attackbehavior,basedonuniquelesuploadedToanswerthesequestions,weanalyzedthelesup-loadedduringtheexploitationphase,andtheonescreatedormodiedduringthepost-exploitationphase.
Wenormal-izedeachlecontentasexplainedinSection3,andweclus-teredthemtogetheraccordingtotheirsimilarity.
Finally,wemanuallylabeledeachcluster,toidentifythe"purpose"oftheles.
Theresultsoftheclusteringaresummarizedintable2andcover,intotal,86.
4%oftheuniquelescol-lectedbyourhoneypots.
Forthem,Figure6showsthedis-tributionofthelecategories6.
Forexample,1.
7%oftheuniquelesweobservedinourexperimentswereusedtotrytoescalatetheprivilegesonthecompromisedmachine.
Thisisdifferentfromsayingthat1.
7%oftheattackerstriedtoescalatetheprivilegesofthemachine.
Unfortunately,linkingthelestotheattacksinwhichtheywereusedisnotalwayspossible.
Therefore,wecomputedanestimationoftheattackersthatperformedacertainactionbyidenti-fyingeachuniqueIPthatuploadedacertainleduringan6Weremovedfromthegraphtheirrelevantanddamageddocuments,thataccountedintotalfor10%oftheles.
attack.
IdentifyinganattackeronlybasedonhisorherIPaddressisnotalwayscorrect,butstillprovidesareasonableapproximation.
Thus,ifwesaythatacertaincategoryhasanestimatedattackersratioof20%,itmeansthat1attackeroutof5uploadedatleastoneleofthatcategoryduringhisorheroperation.
Only14%oftheattackersuploadedmultiplelesbe-longingatleasttotwoseparatecategories.
Thismeansthatmostoftheattackshaveaprecisegoal,orthatattackersof-tenchangetheirIPaddresses,makingitveryhardforustotrackthem.
Intherestofthesection,webrieyintroduceeachofthe13categories.
6.
1InformationgatheringUniquelesratio1.
8%Estimatedattackersratio2.
2%Theselesconsistmainlyinautomatedscriptsfortheanalysisofthecompromisedsystem,andareoftenusedasarststageofamanualattack,inwhichtheattackertriestogatherinformationontheattackedsystembeforeproceed-ingwithothermaliciousactions.
Ingeneral,weobservedanumberofattackersusingscriptstosearch,archive,anddownloadseveralsystemcongurationles.
Forexample,anattackusingsuchtoolshitourhoney-potsonApril7,2012.
Theattacker,usinganormalbrowserandcomingfromaMalaysianIPaddress,uploadedascriptcalledallsoft.
pl.
Onceexecuted,thescriptscansthesystemforalistofdirectoriescontainingcongurationlesofknownCMSs(e.
g.
,Wordpress,Joomla,WHM,phpBB,vBulletin,.
.
.
),createsatararchivecontainingallthelesitwasabletond,andreturnstotheattackeralinktothecreatedarchive,thatcanthusbeeasilydownloaded.
Thescriptiteratesonboththeusersandthepossiblemultiplehomedirectoriesinthesystemtryingtogatherinformationfromasmanyaccountsaspossibleontheattackedmachine.
6.
2Drive-byDownloadsUniquelesratio1.
2%Estimatedattackersratio1.
1%Wehavewitnessedfewattacksthataimedatcreatingdrive-bydownloadwebpages,byinsertingcustomexploitcodeintheHTMLsourceofthewebpagesofourhon-eypots,orbyuploadingdocumentsthatcontainexploitsforknownbrowservulnerabilities.
Thiskindofactivityisaimedatexploitingusersvisitingthewebsite,typicallytoconverttheirmachinesinbotsthatcanbelaterusedforalargespectrumofillicitactivity.
Anexampleofsuchattackswastheintu.
htmlwebpageuploadedtooneofourhoneypotsonFebruary28th,2012.
Whenopened,thepageshows'IntuitMarket.
Loadingyourorder,pleasewait.
.
.
'.
Behindthescenes,amaliciousjavascriptloadsaniframepointingtoadocumenthostedattwistedtarts.
net.
Thisdocumentismaliciousandcontainstwoexploits,forCVE-2010-0188andCVE-2010-1885.
Wepawet[8]reportedthedocumentasmaliciousonthesamedaythiswebpagewasuploadedtoourhoneypots.
6.
3SecondStagesUniquelesratio37.
2%Estimatedattackersratio49.
4%Thiscategoryincludesdownloaders(programsdesignedtodownloadandexecuteanotherle),uploaders(webpagesthatcanbeusedtoremotelyuploadotherles),webshells,andbackdoorsincludedinalreadyexistingdocu-ments.
Thesearethetoolsofchoiceforattackerstoper-formmanualweb-basedattacks.
Thereasonisthatsuchtoolsalloweithertouploadanyletothevictimmachine,ortoissuearbitrarycommandsasiftheattackerwasloggedintooneoftheserver'sterminals.
Themajorityoftheat-tacksloggedbyourhoneypotadoptedamixofwebshellsandcustomscriptstotrytohackthemachineandinstallmalicioussoftwareonit.
Anexampleofthisbehavioristheattackthatstartedat6:50am(GMT)onJanuary1st,2012.
AnIPaddressfromEnglewood,Colorado,withanUser-Agentsetto'blackberry8520ver1subvodafone'connecteddirectlytoourhoneypotvirtualmachinerunningosCommerceandex-ploitedaleuploadvulnerability,uploadingseveraldiffer-entPHPscripts,allofthemlaunchingIRCbotsconnectingtodifferentIRCservers.
ThesamepersonalsouploadedaPHPshell,andusedittodownloadthecongurationleoftheCMSinstalledonthemachine.
ThefactthattheattackerwasnotconnectingthroughourHoneyProxyinfrastructurebutdirectlytoourIPad-dresswasunusual,andattractedourattention.
Searchingbackwardsinourlogsstartingthedateoftheattack,wefoundoutthatlessthan24hoursbefore,anautomatedsys-temwithanUser-Agentsetto'bingbot/2.
0'connectedtooneofourwebsitesfromanotherIPaddressfromEngle-wood,Colorado,exploitedavulnerabilityanddownloadedtheosCommercecongurationle,whichcontainstherealIPofourvirtualmachinehostingthee-commercewebap-plication.
6.
4PrivilegeEscalationUniquelesratio1.
7%Estimatedattackersratio2.
2%Privilegeescalationexploitsareamongtheoldesttypesofexploitsinthecomputersecurityhistory,butarestillamongthemostsoughtafter,astheyallowanattackertogainadministratorprivilegesandthusfullcontrolofvul-nerablemachines.
Successfullyexecutingaprivilegeesca-lationexploitonservermachinesusedinasharedwebhost-ingenvironmentwouldmaketheattackerinthepositiontomodifythelesofeverywebsitehostedontheserver,pos-siblyallowingformassexploitationsofhundredsoreventhousandsofwebsitesatthesametime.
AnexampleofsuchkindofattackhitourhoneypotsonFebruary9,2012.
AnattackerwithanHungarianIPad-dressuploadedalecalledmempodipper.
ctoourma-chinehostingthewebshells,andusedoneoftheshellstotrytocompileitssourcecodewithgcc.
Themachinehadnoavailablecompiler,thus,lessthan5minuteslater,theattackeruploadedapre-compiledELFbinarynamedmempodipper,andtriedtoexecuteitthroughoneoftheshells.
Wefoundthisexploittobeforaveryrecentvul-nerability,theCVE-2012-0056,publishedlessthan20daysbeforethisattack.
Atthetimeoftheattack,theexploitforthisvulnerability,titledLinuxLocalPrivilegeEscalationviaSUID/proc/pid/memWritewasalreadypubliclyavail-able[27].
However,thekernelofourvirtualmachineswasnotvulnerabletoit.
6.
5ScannersUniquelesratio2.
3%Estimatedattackersratio2.
8%Thiskindofactivityisperformedtondotherlocalorremotevulnerabletargetwebsitesthatcouldpossiblybeex-ploitedbytheattacker.
Forexample,FTPscanning,query-ingsearchenginesusing'dorks',ortryingtolistallthedo-mainnamesbeinghostedonthemachinebelongtothiscat-egory.
Aconcreteexampleisthetrdomain.
phppage,uploadedtooneofourhoneypotsonDecember26th,fromaTurkishIPaddress.
Itcontainsalocaldomainnamescanner,thatpullsthedomainnamesconguredonthemachinefromthelocalcongurationles(suchasnamed.
conf),getstheirPageRankfromGoogle,aswellastheirdocumentrootandtheirowner'susername,andreturnsawebpagewithalistcontainingallthisinformation.
Thetitleofthepageis'Do-mainveUserListeLiyici—byWRooT';asoftoday,searchingsuchtitleonthewebstillyieldsmanyresults,showingthatthiskindofattackisverycommonandwidespread.
6.
6DefacementsUniquelesratio28.
1%Estimatedattackersratio27.
7%Attacksofthiskindareamongthemostfrequentonesonourhoneypots.
Inthiskindofattack,theattackersmodifyexistingwebpagesonthehoneypot,oruploadnewpageswiththepurposeofclaimingtheirresponsibilityforhack-ingthewebsite.
Usually,butnotalways,theclaimsareac-companiedbyreligiousorpoliticpropaganda,orbyfunnyorshockingimages.
ManyoftheattackersperformingsuchattackseveninsertlinkstotheirpersonalwebsiteorFace-bookpage,whereonecanseetheyaremainlyteenagerslookingforfameandbragginginfrontoftheirfriends.
Oneofthemanydefacementsattacksthathitourhon-eypotshappenedaround8pmGMTonthe6thofMarch.
SomebodyconnectingfromaGermanIPaddressfoundoneofthehiddenshellsinourmachinehostingthestaticweb-site,andusedittoeditoneofthestatichtmlpageshostedonthemachine.
Thecodeofthepagewasthusuploadedusingcopy-and-pasteinatextareaprovidedbythewebshell.
Thedefacementpagecontainedashortsloganfromtheauthor,ananimatedjavascripttextslowlyunveilingaPortuguesequote,andasetoflinkstothepersonalTwitterpagesofeachmemberofthehackingcrew,someofwhichhadmorethan1000tweetsandseveralhundredfollowers.
QuicklylookingattheseTwitterproles,wefoundoutthatallthemembersareactivelypostingtheirdefacementsontheirprolepages.
Apparently,theydosoinordertobuildsomesortofreputation.
ThisisconrmedbytheURLtheypostedasapersonalwebpageonTwitter,awebpagefromthezone-h.
orgwebsite,reportingstatisticsaboutprevi-ousdefacementsofthecrew.
Thestatisticsarequiteimpres-sive:atthetimeofwritingthewholecrewhasclaimedmorethan41,600defacementsstartingJuly20,2011,ofwhichalmost500areonimportantwebsiteswithhighreputation(governativewebsites,universities,multinationalcorpora-tions,etc.
).
Thankstoattackslikethiswefoundoutthatitiscom-monpracticeamongattackerstoadvertisetheirdeface-mentsonpubliclyaccessible'defacement'showcases,suchastheoneonthezone-h.
orgwebsite.
Itseemsthatsomeofthesepeoplearereallyinasortofcompetitioninordertoshowofftheirpresumedskillsathackingwebsites,andourhoneypotdomainswereoftenreportedastrophiesbyseveralgroups.
6.
7BotnetsUniquelesratio28.
1%Estimatedattackersratio27.
7%Severalattackers,afterexploitingourhoneypots,triedtomakeourserversjoinanIRCbotnetbyuploadingdedicatedPHPorPerlscripts.
Twoofthehoneypotvirtualmachines,andspecicallythosewiththemostseverevulnerabilities,allowingattack-erstouploadandrunarbitrarylesontheserver,havebeensetuptoallowoutgoingconnectionstoport6667(IRC).
WedidsoinordertomonitorIRCbotnetactivitylaunchedbyaneventualattackeronourmachines.
Weallowedconnec-tionsonlytoport6667,allowingthusonlybotnetsrunningonthestandardIRCporttoconnecttotheirmanagementchatrooms.
Toavoidbeingtrackeddownbybotmasters,everyconnectiontotheIRCportwastunneledthroughaprivacy-protectedVPNthatanonymizedourrealIPaddress.
Nootheroutgoingconnectionswereallowedfromthema-chines,inordertoavoidthepossibilityforourmachinestolaunchattacksorscansagainstotherhosts.
Ourexpectationsprovedtobecorrect,andweindeedloggedseveralconnectionsfromourtwomachinestoIRCcommandandcontrolservers.
Theanalysisofthepackettracesshowedsomeinterestinginformation.
Firstofall,wewereexpectingIRCbotnetstobequiterarenowadays,giventherelativelyhighnumberofweb-basedexploitpackscirculatingontheblackmarket.
How-ever,theanalysisofthelesthatwereuploadedonourhon-eypotsshowedanoppositetrend,withabout200distinctscriptslaunchingIRCbots.
Anotherinterestingobservationisthat,apparently,mostoftheseIRCbotnetsareoperatedbyyoungteenagers,assomeIRClogsshow.
SomeofthebotmastersevenputlinkstotheirFacebookorTwitterprolesinordertoshowoffwiththeirfriends.
Despitebeingrunbyyoungsters,how-ever,mostofourconnectionlogsshowIRCroomswithhundredstothousandsofbots(thebiggestIRCbotnetweobservedwascomprisedof11900bots).
Whilesomelogsshowedussomeofthebotmastersat-tackingrivalsonotherIRCservers(whichweconsideredatypicalscript-kiddiebehavior),wewereinterestedtoseethattheseyoungpeoplealreadydealwithmoneyandareabletouse(andprobablydevelopthemselves)automatedtoolsforsearchingonsearchenginesandexploitingwebvulnerabilities.
Wereceivedanumberofcommandstoper-formDoSattacks,searchenginesscansusingdorks,au-tomaticmassexploitations,andinstructionstoreportbackusernamesandpasswords,aswellascreditcardcredentials,stolenfromexploitedwebsites.
Analinterestingnding,supportedbythelanguageusedintheIRClogsandbyananalysisoftheIPaddressesusedfortheuploadoftheIRCscript,wasthatthemajorityoftheseIRCbotnetswereinstalledbyusersfromSouth-Easternasiancountries(mostlyMalaysiaandIndonesia).
6.
8PhishingUniquelesratio7.
3%Estimatedattackersratio6.
3%Phishingisoneofthemostdangerousactivitiesthaton-linecriminalsperformnowadays.
Wefoundproofofmanyattemptstoinstallphishingpagesorphishingkitsonourhoneypots.
Thiskindofactivityisalwaysprot-driven;thevastmajorityofphishingwebsitesarereplicasofon-linebankingwebsites,butwealsocollectedfewexamplesofonlineemailportalphishingandevenahandfulofwebpagesmimickingISPsandairlinecompanies'websites.
Duringthe100daysofoperation,ourhoneypotscol-lectedatotalof470phishing-relatedles,129ofwhichwerecompletephishingpackages(archivesoftencontain-ingafullphishingwebsiteinstallation,includingimages,CSSles,andthephishingscriptsthemselves).
Suspris-ingly,Nigeriaseemstobeaveryactivecountryforthiskindofattacks,withNigerianIPaddressesresponsibleforapproximately45%ofthephishingattacksloggedbyourhoneypots.
Aninterestingcasewasloggedbyourhoneypotsstart-ingonMarch27th.
AnalyzingtheRefererheaderoftherequestsreceivedbyourwebsites,wefound4776requests,from1762differentIPaddresses,reachingourpageswiththereferersettothemailserversofsfr.
fr,oneofthema-jorFrenchISPs.
Inspectingthewebserverlogs,wefoundoutthatalltheHTTPrequestshavingaRefererfromsfr.
frrequestedonlytwopngimages.
Bothleshadbeenup-loadedtoourhoneypotsonthe24thofMarch;whenthersthitfromSFRarrived,thevirtualmachineshadalreadybeencleanedupseveraltimes,butwefoundtheoriginalversionofthepicturesinoursnapshotsofuploadedles.
Surprisingly,thepicturesshowedamessageresemblingaregularcommunicationfromSFR'scustomerservice.
AlltheusersthathitourhoneypotswithaRefererfromsfr.
frhadthusreceivedaphishingemailcontaininglinkstothetwopngles,andtheirwebclientwasonlytryingtodown-loadandshowthemthecontentsoftheemail.
6.
9SpammingandmessageoodingUniquelesratio7.
8%Estimatedattackersratio9.
3%ManyusersstillseemtousespamasatechniquetomakeprotontheInternet.
Someofthescriptswefoundarein-deedmailers,i.
e.
,scriptsusedtosendoutspamtoalargenumberofrecipientsinanautomatedway.
SomeotherscriptswereemailorSMSooders,thatareinsteadusedforlaunchingDoSattacks.
Ourhoneypotscollectedaround600suchscripts.
Asanexample,onFebruary21st,ascriptcalleda1.
phpwasup-loadedfromaNigerianIPaddress.
Thisscriptisahighlycustomizablemailer,andallowssendingspamtoalistofrecipientsinplaintextorHTMLformat,withmanyop-tions.
ItcanalsobeconguredtologintoaremoteSMTPserverinordertosendspamthroughanauthenticatedac-count,andtodisconnectandreconnecttotheserverafteracertainthresholdofsentemailsisreached,probablywiththepurposeofavoidingbans.
6.
10LinkFarming&BlackHatSEOUniquelesratio2.
7%Estimatedattackersratio1.
0%Linkfarmsaregroupsofwebsiteslinkingtoeachother,usuallycreatingwebpageswithaverydenselinkstructure,whoseaimistoboostthesearchenginerankingofthewebsitesofthegroup.
Black-hatSEO,instead,referstousingillicitorunethicaltechniques,suchascloaking,toboostthesearchenginerankingofawebsite,ortomanipulatethewayinwhichsearchenginesandtheirspidersseeandcategorizeawebpages.
Ifweexcludeautomatedpostsontheforumwebapplication,whereahighpercentageofpostscontainedlinkstolinkfarmingnetworks,thiskindofbehaviorhasnotbeenobservedveryfrequentlyonourhoneypots.
AninterestingattackthatcreatedabigamountofwebpagesonourhoneypotswaslaunchedonMarch19th.
SomebodyinstalledanfullyfunctionalCMS,comprisinghundredsofstatichtmlpages,tooneofourhoneypots.
Allthegeneratedpageswereinstalledontheimages/rf/subdi-rectoryofoure-commercewebapplication,andcontainedrussiantext,alongwithimages,CSSandJavaScriptlesusedforpresentationpurposes.
ThispagestructureseemstobegeneratedthroughablogorCMScreationengine,asallthepageshaveaverydenselinkstructureandpointoneanotherusingabsolutelinks(thathadbeencustomizedandcontainedourhoneypotwebsite'sdomainname).
Weex-pectthistobepartofanattempttocreatealinkfarmingnetwork,orsimplytobeamarketingcampaignforsomecounterfeitgoods,asmostofthepagesweanalyzedwereactuallyadvertisingthesaleofreplicawatches.
Finally,onasmallerscale,wealsosawsomeattackerscreatingpageswithadsorinsertinglinkstopartnersitesontheiruploadedpages.
Thereasonforthisisstillmak-ingprotoutofads,orimprovingtheirortheirpartners'rankingonsearchengines.
6.
11ProxyingandtrafcredirectionUniquelesratio0.
6%Estimatedattackersratio0.
6%Onlinecriminalsalwayslookforreliablewaystohidetheirtracks,andastimegoesby,itbecomesmoreandmoredifculttorelyonlyonopenproxynetworks,theTORnet-work,oropenredirectionwebpagestoconductmaliciousactivities.
Infact,theseservicesareoftenoverloadedwith(malicious)trafcandassuchhaveverybadaverageper-formancesandareverylikelytobemonitoredbytheau-thorities.
Inthisscenario,thepossibilityoftunnelingtrafconinfectedhostsseemsidyllic,asitisquiteeasytoturnawebserverintoaproxy,andoftenwebserversrunningonhostingproviderspremiseshavehighbandwidths,makingthemaveryvaluabletarget.
Wesawsomeattackersup-loadingproxyscriptsortrafcredirectionsystems(TDS)toourhoneypots,forthepurposeofredirectingtrafcanony-mously(proxies)orredirectinguserstomalicioussourcesorafliatewebsites(TDSs).
Asanexample,anarchiveof504KBwasuploadedononeofourhoneypotsonFebruary22,2012.
ThearchivecontainedaproxytoolcalledVPSProxy,publiclyavailableathttp://wonted.
ru/programms/vpsproxy/;itisaPHPproxyfullycontrollablethroughaGUIclient.
Apparently,amongallitsfeatures,ifinstalledonmorethanoneserver,thetoolmakesiteasyforthepersonusingittobouncebetweendif-ferentconnections.
WebelievetoolslikethiscanbeveryusefultocriminalstryingtohidetheirtracesontheInter-net.
6.
12CustomattacksUniquelesratio1.
9%Estimatedattackersratio2.
6%Thiscategorygroupsallattacksthatwereeitherbuiltonpurposeforexploitingspecicservices,orthathadnoothermatchingcategory.
Forexample,attacksinthiscategoryin-cludeprogramswhoseaimistoscanandexploitvulnerablewebservicesrunningontheserver,suchasthecong.
phpscriptthatwasuploadedtooneofourwebsitesonAprilthe9th.
ThisPHPscriptpresentsapanelforndingandattacking9ofthemostknownContentManagementSys-tems:ifanyoftheseisfoundonthemachine,theattackercanautomaticallytamperwithitsconguration.
Thetoolalsocontainedotherscriptstolaunchlocalandremoteex-ploits.
6.
13DOS&BruteforcingtoolsUniquelesratio4.
6%Estimatedattackersratio2.
9%ThiscategoryincludesprogramsthatlaunchDenialofServiceorbruteforceattacksagainstspecicapplicationsandservices(e.
g.
,bruteforcingtoolsforFTPorwebser-vices,UDPandTCPoodingscripts).
Aninterestingexampleofthiskindofbehaviorwastheemailbruteforcescriptthatwasuploadedtooneofourhon-eypotsonApril7,2012.
AnIPaddressfromAzerbaijanusedawebshelltouploadalecalledn.
phpandawordlistcontaining1508words,calledword.
txt.
Then.
phple,onceexecuted,usesthecURLPHPlibrariestoconnecttothebox.
azemailportalandtheusesthewordlisttobrute-forcethepasswordforaspecicusernamethatwashard-codedintheprogram.
Ourhoneypotsactuallyloggedtheuploadofn.
phpseveraltimes,tothreedifferentdomains.
Theattackertriedmultipletimestoexecutethescript(10timesin16minutes)andtoeditit(4times)asiflookingforanerrorinthecode.
Inreality,thescripttrafcwassimplyblockedbyourrewall.
7ConclusionsInthispaperwedescribedtheimplementationandde-ploymentofahoneypotnetworkbasedonanumberofreal,vulnerablewebapplications.
Usingthecollecteddata,westudiedthebehavioroftheattackersbefore,during,andaf-tertheycompromisetheirtargets.
Theresultsofourstudyprovideinterestinginsightsonthecurrentstateofexploitationbehaviorsontheweb.
Ononeside,wewereabletoconrmknowntrendsforcertainclassesofattacks,suchastheprevalenceofeasternEuro-peancountriesincommentspammingactivity,andthefactthatmanyofthescamandphishingcampaignsarestillop-eratedbycriminalsinAfricancountries[12].
Pharmaceuti-caladsappeartobethemostcommonsubjectamongspamandcommentspammingactivities,asfoundbyotherrecentstudies[9].
Ontheotherhand,wewerealsoabletoobserveandstudyalargenumberofmanualattacks,aswellasmanyinfectionsaimedatturningwebserversintoIRCbots.
Thissuggeststhatsomeofthethreatsthatareoftenconsideredoutdatedareactuallystillverypopular(inparticularbe-tweenyoungcriminals)andarestillresponsibleforalargefractionoftheattacksagainstvulnerablewebsites.
Wearecurrentlyworkingtowardacompletelyauto-matedsystemthatcanmonitorthehoneypotinrealtime,identifyandcategorizeeachattack,andupdateadashboardwiththemostrecenttrendsandexploitationgoals.
8AcknowledgementsTheresearchleadingtotheseresultswaspartiallyfundedfromtheEUSeventhFrameworkProgramme(FP7/2007-2013)undergrantagreementn257007.
References[1]IPAddressesofSearchEngineSpiders.
http://www.
iplists.
com/.
[2]RobotsIPAddressRanges.
http://chceme.
info/ips/.
[3]GoogleHackHoneypot.
http://ghh.
sourceforge.
net/,2005.
[4]Dshieldwebhoneypotproject.
https://sites.
google.
com/site/webhoneypotsite/,2009.
[5]J.
Caballero,C.
Grier,C.
Kreibich,andV.
Paxson.
Measur-ingpay-per-install:Thecommoditizationofmalwaredistri-bution.
InProceedingsoftheUSENIXSecuritySymposium,2011.
[6]X.
Chen,B.
Francia,M.
Li,B.
Mckinnon,andA.
Seker.
Sharedinformationandprogramplagiarismdetection.
In-formationTheory,IEEETransactionson,50(7):1545–1551,2004.
[7]s.
Commtouch.
CompromisedWebsites:AnOwner'sPerspective.
http://stopbadware.
org/pdfs/compromised-websites-an-owners-perspective.
pdf,february2012.
[8]M.
Cova,C.
Kruegel,andG.
Vigna.
DetectionandAnaly-sisofDrive-by-DownloadAttacksandMaliciousJavaScriptCode.
InProceedingsoftheInternationalWorldWideWebConference(WWW),2010.
[9]CyberoamTechnologiesandCommtouch.
In-ternetThreatsTrendReportOctober2012.
http://www.
cyberoam.
com/downloads/ThreatReports/Q32012InternetThreats.
pdf,october2012.
[10]S.
Esser.
evalhook.
http://www.
php-security.
org/downloads/evalhook-0.
1.
tar.
gz,may2010.
[11]M.
HoferandS.
Hofer.
ftp-deploy.
http://bitgarten.
ch/projects/ftp-deploy/,2007.
[12]ImpervaInc.
Imperva'sWebApplicationAttackRe-port.
http://www.
imperva.
com/docs/HII_Web_Application_Attack_Report_Ed2.
pdf,january2012.
[13]J.
P.
John,F.
Yu,Y.
Xie,A.
Krishnamurthy,andM.
Abadi.
deSEO:CombatingSearch-ResultPoisoning.
InProceed-ingsoftheUSENIXSecuritySymposium,2011.
[14]J.
P.
John,F.
Yu,Y.
Xie,A.
Krishnamurthy,andM.
Abadi.
Heat-seekinghoneypots:designandexperience.
InPro-ceedingsoftheInternationalWorldWideWebConference(WWW),2011.
[15]J.
Kornblum.
Identifyingalmostidenticallesusingcon-texttriggeredpiecewisehashing.
DigitalInvestigation,3,Supplement(0):91–97,2006.
[16]C.
LeitaandM.
Dacier.
Sgnet:Aworldwidedeployableframeworktosupporttheanalysisofmalwarethreatmodels.
InDependableComputingConference,2008.
EDCC2008.
SeventhEuropean,may2008.
[17]T.
MooreandR.
Clayton.
Evilsearching:Compromiseandrecompromiseofinternethostsforphishing.
InFinancialCryptography,pages256–272,2009.
[18]M.
M¨uter,F.
Freiling,T.
Holz,andJ.
Matthews.
Agenerictoolkitforconvertingwebapplicationsintohigh-interactionhoneypots,2007.
[19]V.
Nicomette,M.
Kaaniche,E.
Alata,andM.
Herrb.
Set-upanddeploymentofahigh-interactionhoneypot:experimentandlessonslearned.
JournalinComputerVirology,june2010.
[20]F.
Pouget,M.
Dacier,andV.
H.
Pham.
V.
h.
:Leurre.
com:ontheadvantagesofdeployingalargescaledistributedhoney-potplatform.
InIn:ECCE2005,E-CrimeandComputerConference,pages29–30,2005.
[21]N.
Provos.
Avirtualhoneypotframework.
InProceedingsoftheUSENIXSecuritySymposium,pages1–14,2004.
[22]N.
Provos,P.
Mavrommatis,M.
A.
Rajab,andF.
Monrose.
AllYouriFramesPointtoUs.
InProceedingsoftheUSENIXSecuritySymposium,2008.
[23]D.
Ramsbrock,R.
Berthier,andM.
Cukier.
Prolingattackerbehaviorfollowingsshcompromises.
IninProceedingsofthe37thAnnualIEEE/IFIPInternationalConferenceonDe-pendableSystemsandNetworks,2007.
[24]L.
Rist,S.
Vetsch,M.
Koin,andM.
Mauer.
Glastopf.
http://honeynet.
org/files/KYT-Glastopf-Final_v1.
pdf,november2010.
[25]V.
Roussev.
Datangerprintingwithsimilaritydigests.
InK.
-P.
ChowandS.
Shenoi,editors,AdvancesinDigitalForensicsVI,volume337ofIFIPAdvancesinInformationandCommunicationTechnology,pages207–226.
SpringerBoston,2010.
[26]A.
Saebjornsen,J.
Willcock,T.
Panas,D.
Quinlan,andZ.
Su.
Detectingcodeclonesinbinaryexecutables.
InProceedingsoftheeighteenthinternationalsymposiumonSoftwaretestingandanalysis,ISSTA'09,pages117–128.
ACM,2009.
[27]zx2c4.
LinuxLocalPrivilegeEscalationviaSUID/proc/pid/memWrite.
http://blog.
zx2c4.
com/749,january2012.