Figure 1: An attack by a malicious website on a vulnerable browser.
NTT works to detect and monitor these websites using a combination of high- and low-interaction honeyclients. A high-interaction honeyclient is a real browser that can precisely detect browser exploits and malware downloads. A low-interaction honeyclient is a browser emulator, which can emulate many different client profiles, trace complicated redirections and hook code execution in detail. These two methods are complementary and improve our overall analysis capabilities.
To observe evasive code, we constructed redirect graphs and performed differential analysis on them. We then performed further manual analysis on the code to classify and identify particular evasion techniques based on code similarity.
Figure 2: Differential analysis was performed on redirect graphs from high and low-interaction honeyclients.
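The differential analysis described above, as an added example that is not part of the original article or NTT's tooling: it takes a redirect trace from a high-interaction client and one from a low-interaction client, turns each into a redirect graph, and reports the edges seen by only one client and the URLs where the two clients' paths diverge (the candidate locations of evasive code). The trace format (one tab-separated line per redirect: client, source URL, destination URL, cause) and the sample URLs are constructed for this example.

```python
from collections import defaultdict

# Constructed sample traces (not from the article). Each line records one
# redirect observed by a client: client, source URL, destination URL, cause.
HIGH_TRACE = """\
high\thttp://landing.example/\thttp://landing.example/a.js\tscript
high\thttp://landing.example/a.js\thttp://redirector.example/go\tlocation
high\thttp://redirector.example/go\thttp://final.example/payload\t302
"""

LOW_TRACE = """\
low\thttp://landing.example/\thttp://landing.example/a.js\tscript
low\thttp://landing.example/a.js\thttp://landing.example/benign.html\tlocation
"""


def parse_trace(text):
    """Return the set of redirect edges (src, dst) recorded in one client's trace."""
    edges = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, src, dst, _cause = line.split("\t")
        edges.add((src, dst))
    return edges


def build_graph(edges):
    """Adjacency map: source URL -> set of destination URLs."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def differential(high_edges, low_edges):
    """Split the union of both redirect graphs into common and client-specific edges."""
    return {
        "common": high_edges & low_edges,
        "only_high": high_edges - low_edges,   # seen by the real browser only
        "only_low": low_edges - high_edges,    # seen by the emulator only
    }


def divergence_points(high_graph, low_graph):
    """URLs visited by both clients whose outgoing redirects differ.

    These are the pages whose code behaved differently in the real browser and
    the emulator, so they are where a manual analyst starts looking for evasion.
    """
    return {
        url for url in set(high_graph) & set(low_graph)
        if high_graph[url] != low_graph[url]
    }


def analyse(high_text, low_text):
    """Run the full differential analysis on two traces and return a report."""
    high_edges, low_edges = parse_trace(high_text), parse_trace(low_text)
    report = differential(high_edges, low_edges)
    report["divergence"] = divergence_points(build_graph(high_edges),
                                             build_graph(low_edges))
    return report


if __name__ == "__main__":
    result = analyse(HIGH_TRACE, LOW_TRACE)
    for key in ("common", "only_high", "only_low"):
        print(key)
        for src, dst in sorted(result[key]):
            print(f"  {src} -> {dst}")
    print("divergence points:", sorted(result["divergence"]))
```

In the constructed sample the real browser is redirected from `a.js` through `redirector.example` to a payload while the emulator is sent to a benign page, so the only divergence point is `a.js`; that is the code an analyst would cluster and inspect by hand, as the article describes.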
We found the following evasive code by manually analysing one representative point in each cluster.
Figure 3: Identified evasion techniques.
To determine whether these evasion techniques could be used as Indicators of Compromise (IOC), we investigated more than 860,000 URLs with Alexa top domain names. The setTimeout() evasive code was detected in 26 URLs, all of which were used in compromised websites. The other evasion techniques were used unintentionally in benign websites or were no longer used.
Figure 4: Differences in browser responses to the setTimeout() function.
We hope these findings help incident responders understand and analyse modern malicious websites, and contribute to improving the analysis capabilities of conventional honeyclients.
This article is based on a presentation given at the 30th Annual FIRST Conference in Kuala Lumpur, Malaysia. The slides can be found here [PDF].
Dr. Yuta Takata is a researcher at NTT R&D and has been a member of NTT-CERT in Japan since 2013. He focuses on developing honeyclients that effectively analyse websites and exhaustively extract malicious behaviours, for example, browser exploitations and malware infections.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Nice article. Can you please share which honeyclients you used? I want to install these honeyclients also.
I am sure you are asking about the low-interaction honeyclient.
Thank you for your question.
The high-interaction honeyclient is IE-based and the low-interaction one is HtmlUnit-based. Of course, we extend functions, such as logging and NW trace functions, to our honeyclients. But you can follow our experiments using the following tools.
Selenium with IE: https://www.seleniumhq.org/