Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

Sunday, July 6. 2008
Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German-speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content by various means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).
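To illustrate the crawl-then-analyze design described above, here is an added example (not code from the paper or the Monkey-Spider project) that parses a constructed WARC crawl file, which Heritrix can produce, and runs each fetched page through a small chain of pluggable analyzers standing in for the AV scanners and sandbox; the EICAR test string and the hidden-iframe heuristic are assumptions chosen for the demonstration.

```python
import hashlib
import re

# Heritrix can write crawls as WARC; this constructed builder makes one response
# record so the sample below is self-contained (assumption: WARC rather than ARC output).
def warc_record(uri: str, body: bytes) -> bytes:
    payload = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body
    headers = ("WARC/1.0\r\nWARC-Type: response\r\n"
               f"WARC-Target-URI: {uri}\r\n"
               "Content-Type: application/http; msgtype=response\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n").encode()
    return headers + payload + b"\r\n\r\n"

# EICAR is the harmless standard AV test string; any scanner in the chain flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SAMPLE_WARC = (  # constructed crawl output, not a real Heritrix crawl
    warc_record("http://clean.example/", b"<html><body>hello</body></html>")
    + warc_record("http://av-hit.example/", EICAR)
    + warc_record("http://iframe.example/",
                  b'<iframe src="http://x.example/" width="0" height="0"></iframe>')
)

def parse_warc(data: bytes):
    """Yield (target URI, HTTP body) for every response record in a WARC byte string."""
    pos = 0
    while pos < len(data):
        end = data.index(b"\r\n\r\n", pos)
        lines = data[pos:end].decode().split("\r\n")[1:]          # drop "WARC/1.0"
        hdr = dict(line.split(": ", 1) for line in lines)
        payload = data[end + 4:end + 4 + int(hdr["Content-Length"])]
        pos = end + 4 + len(payload) + 4                            # skip record separator
        if hdr.get("WARC-Type") == "response":
            yield hdr["WARC-Target-URI"], payload.split(b"\r\n\r\n", 1)[-1]

# Analyzers stand in for the paper's AV scanners / sandbox; each returns a label or None.
def signature_scan(body: bytes):
    return "eicar-test-signature" if EICAR in body else None

HIDDEN_IFRAME = re.compile(rb'<iframe[^>]*\b(width|height)="0"', re.I)
def hidden_iframe(body: bytes):
    return "hidden-iframe" if HIDDEN_IFRAME.search(body) else None

def analyze_crawl(data: bytes, analyzers=(signature_scan, hidden_iframe)) -> dict:
    """Map each crawled URI to its content hash and the analyzer labels that fired."""
    report = {}
    for uri, body in parse_warc(data):
        labels = [label for a in analyzers if (label := a(body))]
        report[uri] = {"sha1": hashlib.sha1(body).hexdigest(), "labels": labels}
    return report
```

The per-URI hash and label list is the kind of record a threat database built from such crawls would store; a real deployment would replace the two toy analyzers with calls to the scanners and sandbox.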