HoneyCirculator: distributing credential honeytoken for introspection of web-based attack cycle

A web user who unknowingly visits a compromised website is usually redirected to an adversary's site, where the browser is exploited and malware is installed without the user's consent (a drive-by download). The adversary then steals the user's credentials with information-stealing malware and may reuse them to impersonate the administrator of a public website the user manages, compromising that site in turn. The newly compromised websites become landing sites for further drive-by download infections, which closes the cycle. Identifying malicious websites by crawling requires a large amount of resources and time. To monitor this web-based attack cycle for effective detection and prevention, we propose HoneyCirculator, a monitoring system based on a honeytoken: it actively leaks bait credentials to malware and lures adversaries who reuse them to a decoy server that behaves like a compromised web content management system. To recursively analyze the phases of the cycle, the system collects malware, distributes bait credentials, monitors fraudulent access to the decoy, and inspects the resulting compromised web content. Because it observes adversaries directly from behind the apparently compromised content management system, it can discover unknown malicious entities immediately, without large-scale web crawling. The system sustained continuous, stable monitoring for about one year, and almost all the malicious websites it discovered had not previously been registered in public blacklists.
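The two mechanisms the abstract depends on are (1) bait credentials that are unique per leaked malware sample, so that a later login on the decoy can be traced back to the sample that exfiltrated them, and (2) separating genuine adversary logins from the sandbox's own traffic and from unrelated brute-force noise. The following is an added example illustrating that attribution logic; it is not the HoneyCirculator implementation. The HMAC-based derivation, the decoy log format, the sandbox egress ranges, the sample digests and the log lines are all constructed assumptions for this example.

```python
"""Honeytoken credential issuance and decoy-login attribution (added example).

Not the paper's code: a toy of the credential-honeytoken idea in the abstract.
Key, log format, network ranges and sample data are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import re

# Deployment secret (constructed). Bait derived from it is unguessable, so an
# adversary who learns one bait pair cannot predict the pair for another sample.
HONEYTOKEN_KEY = b"example-deployment-key-change-me"

# Networks from which *we* execute malware (sandbox egress, constructed).
# A decoy login from these is our own replay, not an adversary.
OWN_EGRESS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]

# Assumed decoy-CMS auth log format, one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def make_bait_credential(sample_sha256: str, key: bytes = HONEYTOKEN_KEY) -> tuple[str, str]:
    """Derive a unique (username, password) bait bound to one malware sample.

    Deterministic (same sample, same bait) but pseudorandom via HMAC-SHA256, so
    the username reveals nothing about the password or about other samples.
    """
    tag = hmac.new(key, sample_sha256.lower().encode(), hashlib.sha256).hexdigest()
    return f"webadmin_{tag[:8]}", tag[8:24]   # 16 hex chars = 64 bits of password


def is_own_egress(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in OWN_EGRESS)


def attribute_logins(log_lines, issued):
    """Trace successful decoy logins back to the sample that leaked the bait.

    issued: {bait_username: sample_id}. Returns (events, noise): events are
    successful logins with an issued username from a non-owned source; noise is
    the set of usernames nobody was issued (password guessing against the decoy).
    """
    events, noise = [], set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed line, skip rather than guess
        user = m["user"]
        if user not in issued:
            noise.add(user)               # not a honeytoken: generic brute force
            continue
        if is_own_egress(m["src"]) or m["result"] != "success":
            continue                      # our sandbox, or a failed attempt
        events.append({"ts": m["ts"], "src": m["src"],
                       "path": m["path"], "sample": issued[user]})
    return events, noise


def new_indicators(events, blacklist):
    """Adversary source addresses seen at the decoy that a blacklist lacks."""
    return sorted({e["src"] for e in events} - set(blacklist))


# Constructed sample identifiers standing in for SHA-256 of collected binaries.
SAMPLES = {"sample-A": "a" * 64, "sample-B": "b" * 64}
ISSUED = {make_bait_credential(d)[0]: sid for sid, d in SAMPLES.items()}
USER_A = make_bait_credential(SAMPLES["sample-A"])[0]
USER_B = make_bait_credential(SAMPLES["sample-B"])[0]

# Constructed decoy log: sandbox replay, adversary reusing A's bait, a guess
# against an unissued name, a failed try with B's name, adversary reusing B's bait.
SAMPLE_LOG = [
    f"2015-03-02T10:15:01Z 192.0.2.10 POST /wp-login.php user={USER_A} result=success",
    f"2015-03-03T02:41:17Z 203.0.113.45 POST /wp-login.php user={USER_A} result=success",
    "2015-03-03T02:41:18Z 198.51.100.7 POST /wp-login.php user=admin result=fail",
    f"2015-03-04T11:02:09Z 198.51.100.7 POST /wp-login.php user={USER_B} result=fail",
    f"2015-03-05T23:59:58Z 198.51.100.23 POST /wp-login.php user={USER_B} result=success",
]
KNOWN_BLACKLIST = {"198.51.100.7"}      # constructed public blacklist


def run_example():
    events, noise = attribute_logins(SAMPLE_LOG, ISSUED)
    return events, noise, new_indicators(events, KNOWN_BLACKLIST)


if __name__ == "__main__":
    events, noise, fresh = run_example()
    for e in events:
        print(f"{e['ts']} {e['src']} logged in with bait leaked to {e['sample']}")
    print("unissued usernames (noise):", sorted(noise))
    print("sources not yet blacklisted:", fresh)
```

Binding the bait to the sample digest is what turns a decoy login into an observation about a specific malware family and its operators; dropping the sandbox's own logins is what keeps the decoy from reporting the leak itself as an attack. The same per-event records can feed the content-inspection stage, since each successful login identifies the session whose later uploads to the decoy should be captured.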
