ISSN: 2278 – 1323
International Journal of Advanced Research in Computer Engineering & Technology
Volume 1, Issue 4, June 2012
Design and Implementation of Virtual Client Honeypot
Himani Gupta, Gurpal Singh Chhabra
School of Mathematics and Computer Applications, Thapar University, Patiala
himanigupta4@gmail.com, gurpalsingh123@gmail.com
Abstract— Computer security has become a major issue in many organizations. There are different solutions to respond to these needs, but they remain insufficient to truly secure a network. Honeypots are used in the area of computer and Internet security. A honeypot is a resource which is intended to be attacked and compromised in order to gain more information about attackers and their attack techniques. Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all traffic is suspicious, because no productive components are running on the system. A client honeypot is a honeypot that actively searches for malicious sites on the web. In this paper, we design and implement a virtual client honeypot to collect Internet malware.

Index Terms—Intrusion detection system; Honeypots; Honeyclients; client-side attacks; malware; crawler

I. INTRODUCTION

Malware has become a major threat to the Internet, as its occurrence on the Internet has significantly increased in the past few years. In response to these increasing malware attacks, honeypots have emerged as one of the popular practical defence techniques. Honeypots are information system resources capable of attracting, capturing and collecting malware attacks.

While the fight between blackhats and whitehats is ongoing on the Internet, attackers have started to transfer the battlefield to the client user, as they believe client applications are more likely to have security breaches and vulnerabilities. The client user has become the weakest link in the network security chain, and since a security chain is only as robust as its weakest link, we need to detect attacks against the client side to protect the whole security system [1].

Traditional honeypots are servers (or devices that expose server services) that wait passively to be attacked. Client honeypots are active security devices in search of malicious servers that attack clients. The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred. Often the focus of client honeypots is on web browsers, but any client that interacts with servers can be part of a client honeypot (for example ftp, ssh, email, etc.). There are several terms that are used to describe client honeypots. Besides client honeypot, which is the generic classification, honeyclient is the other term that is generally used and accepted. The concept of client honeypots was first articulated by Lance Spitzner (2004). Later several client honeypots were developed: Honeyclient; HoneyMonkey [2]; HoneyC [3]; and Capture [4].

HoneyClient was the first open source client honeypot, which was developed in 2004 by K. Wang [5], and subsequently developed at MITRE. However, in spite of the continuous progress in client honeypot technology, they are still an immature technology. In this paper, we study threats against client users, the goals of client honeypots, the architecture of client honeypots, the functional diagram of the virtual client honeypot and a comparison of honeyclients with IDS.

II. THREATS AGAINST CLIENT USERS

One of the new major attack types that we have faced recently is client-side attacks. Client-side attacks refer to attacks launched against the client user. In this type of attack, an attacker uses a client application vulnerability to take control of the client system through a malicious server. A typical target is the web browser. However, these attacks can occur on any client/server pair, such as email, instant messaging, FTP, multimedia streaming, etc. [6] In this section we discuss some issues relating to client-side threats: drive-by download, code obfuscation, phishing and typo-squatting.

A. Drive-by download

A very effective way to infect a victim's machine is to exploit vulnerabilities and execute malware without the user noticing such actions and without any user interaction. A drive-by download usually initiates a number of downloads and installations after the successful exploitation of a vulnerability in the browser or one of its plug-ins. The executables are malware used for different purposes that cause changes to the system state and affect the user's machine depending on their type. The main changes are observed in the registry, the system's processes and network activity. [7] Once a user visits a page that launches drive-by attacks, a common first step in the attack is to fingerprint the visitor's browser. To this end, a script collects information about the browser version and language, the operating system version, or enumerates the installed plug-ins.
All Rights Reserved © 2012 IJARCET 521
B. Code Obfuscation

Obfuscation means using encoding to make code ambiguous and more difficult to interpret. Hiding the exploit vector is an effective way of evading signature-based detection systems such as virus scanners and filtering firewalls. Criminals use code obfuscation to make malicious JavaScript or VBScript unreadable during transportation from the web server to the browser. These scripts are decoded and interpreted by the browser. [8]

C. Phishing

Phishing is an attack that combines social engineering techniques and sophisticated attack vectors to harvest financial information or sensitive data from end users. A phisher typically tries to lure the victim into clicking a URL pointing to a rogue page. In phishing, users can easily be tricked into submitting their username and password to fraudulent web sites whose appearance looks similar to the genuine one. [9]

D. Typo-squatting

Typo-squatting refers to the practice of registering domain names that are typo variations of popular websites, which usually host websites with significant traffic. The individuals or organizations who register typo-squatting domains (or typo domains) are referred to as typosquatters. Some major typosquatters are known to have registered thousands or more typo domains.

III. GOALS OF CLIENT HONEYPOT

The ultimate goal of client honeypots is to detect and identify any malicious activity coming from the Internet. This ideal case of a client honeypot can be summarized as follows:

1. A client honeypot should detect any known and unknown threats against any client user application. The application can be any server/client based application. A client honeypot should be able to check various URLs (images, executable files, html, scripts, etc.). An ideal client honeypot has a zero false positive rate.
2. A client honeypot should detect attacks in real time.
3. A client honeypot should be able to dynamically modify the detection and security policy rules to fit the current situation. [10]

IV. CLIENT HONEYPOT

Client honeypots are client-side: they simulate client-side software and do not expose services to be attacked. Client honeypots are typically active: they actively initiate interaction with remote servers in order to be attacked. The client-side honeypot must recognize which server is malicious and which is benign. A honeyclient is an active honeypot that mimics, either manually or automatically, the normal series of steps a regular user would make when visiting various websites. [11] The intended goal of honeyclients is to identify malicious websites which target client application vulnerabilities.

V. ARCHITECTURE OF CLIENT HONEYPOT

A client honeypot is composed of three components. The first component, a queuer, is responsible for creating a list of servers for the client to visit. This list can be created, for example, through crawling. The second component is the client itself, which is able to make requests to the servers identified by the queuer. After the interaction with the server has taken place, the third component, an analysis engine, is responsible for determining whether an attack has taken place on the client honeypot.

The active honeypot architecture is divided into the following three modules:

Fig 1. Architecture of client honeypot

The components are explained as follows:

1. Queuer: the queuer is responsible for creating the list of URLs that have to be browsed by the active honeypot. There are several techniques used to create URL lists, including search engines, blacklists, phishing and spam messages, and instant messaging.
2. Client module: the client is the component that makes requests and interacts with the web servers. It emulates the browser-level vulnerabilities.
3. Analysis engine: the analysis engine is responsible for determining and checking the state of the client honeypot to see whether an attack has occurred or not.

VI. VIRTUAL HONEYCLIENT

With the improvement of software security, attacks based on RPC vulnerabilities have declined; however, attacks based on client application software vulnerabilities have increased. Such client application software includes web browsers, email clients and Office. The spread of malware using these software vulnerabilities has become a severe threat to today's Internet. In response to this kind of threat, we have tried to develop a prototype system to collect Internet malware by actively visiting malicious websites using client honeypots. This system can not only collect malware but also detect malicious websites. When we visit the websites in a virtual machine, we monitor activities such as the file system and the network. The end results of the system are the collected malware executable binaries and PCAP network data.
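The three components of Section V, as an added example that is not code from the paper or its prototype: the queuer merges URL lists from several constructed sources into one de-duplicated queue; the client is a stand-in for the browser, whose effect on a sandbox directory is given by a constructed behaviour table (the real system drives a browser inside a virtual machine); and the analysis engine performs the state-change check on the file system by comparing MD5 snapshots taken before and after each visit, distinguishing files that were dropped from files that were modified. All URLs (RFC 2606 .example names), file names and contents are constructed, and the sandbox is a temporary directory rather than a VM.

```python
"""Three-component client honeypot over a sandbox directory (added example, not the paper's code)."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


# 1. Queuer: merge URL lists from several sources (blacklist, spam, crawler, ...) into one
#    de-duplicated queue, keeping first-seen order so the client visits each server once.
def build_queue(seed_sources):
    seen, queue = set(), []
    for urls in seed_sources.values():
        for url in urls:
            url = url.strip()
            if url and url not in seen:
                seen.add(url)
                queue.append(url)
    return queue


# 2. Client: stand-in for the browser inside the VM. The constructed `server_behaviour`
#    table says which files a given URL writes into the sandbox; a URL absent from the
#    table models a benign server that leaves no trace.
def visit(url, sandbox, server_behaviour):
    for relpath, content in server_behaviour.get(url, {}).items():
        target = sandbox / relpath
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


# 3. Analysis engine: file-system state-change check. Snapshot every file with its MD5
#    before and after the visit; anything new or modified is evidence of an infection.
def snapshot(root):
    return {p.relative_to(root).as_posix(): hashlib.md5(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


@dataclass
class Verdict:
    url: str
    new_files: dict = field(default_factory=dict)       # relpath -> md5 of dropped file
    modified_files: dict = field(default_factory=dict)  # relpath -> md5 after modification

    @property
    def malicious(self):
        return bool(self.new_files or self.modified_files)


def analyse(url, before, after):
    verdict = Verdict(url)
    for relpath, digest in after.items():
        if relpath not in before:
            verdict.new_files[relpath] = digest
        elif before[relpath] != digest:
            verdict.modified_files[relpath] = digest
    return verdict


def run_honeypot(queue, server_behaviour, sandbox):
    """Visit each queued URL in turn and return one verdict per URL."""
    verdicts = []
    for url in queue:
        before = snapshot(sandbox)
        visit(url, sandbox, server_behaviour)
        verdicts.append(analyse(url, before, snapshot(sandbox)))
    return verdicts


def demo():
    """Constructed run: three URL sources, one dropper site, one site that edits a system file."""
    seeds = {
        "blacklist": ["http://dropper.example///live.txt", "http://benign.example/"],
        "spam": ["http://dropper.example///live.txt", "http://benign.example/index.html"],
        "crawler": ["http://hijack.example/"],
    }
    behaviour = {
        "http://dropper.example///live.txt": {"Downloads/setup.exe": b"MZ\x90\x00constructed-sample"},
        "http://hijack.example/": {"etc/hosts": b"127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        (sandbox / "etc").mkdir()
        (sandbox / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")  # pre-existing file
        return run_honeypot(build_queue(seeds), behaviour, sandbox)


if __name__ == "__main__":
    for v in demo():
        print(v.url, "MALICIOUS" if v.malicious else "benign", v.new_files, v.modified_files)
```

The baseline snapshot is taken immediately before each visit, so a change is attributed to the URL that was open when it happened; a real deployment additionally restores the VM to a clean image once the batch is finished, as the flow in Section VII does.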
VII. DESIGN AND IMPLEMENTATION OF VIRTUAL CLIENT HONEYPOT

High-interaction honeyclients give an attacker the capability to interact with a real system rather than a simulation. They detect security violations via state change checks, which means they need to monitor the filesystem, registry entries, processes, network connections and physical resources such as memory and CPU. State change checks should give a first insight into whether a system has been compromised. There are various honeyclients developed based on this approach, such as Capture-HPC, HoneyClient and HoneyMonkey.

Fig 2. Functional diagram of the virtual honeyclient (steps of the flow diagram):
1. Insert all the links into the database
2. Fetch a group of links from the database
3. Start the virtual machine
4. Start capturing pcap and execute the links using Internet Explorer
5. Stop the virtual machine
6. Process the pcap data using HTTP-Sessionizer
7. Save the extracted malware to the malware folder and insert the host name and URL into the database

In the implementation of the virtual client honeypot, we have used Linux Red Hat as the base machine and a VirtualBox based honeypot for browsing URLs and monitoring file system and network activities. Firstly, we manually feed the URLs which we want to check for malware into the log file, or we can use a crawler to collect web page URLs, and store them in a database. After that we fetch the links from the database and start the virtual machine. The machine starts to open these fetched links one by one, and the MwWatcher tool installed on the machine starts monitoring the file system for suspicious activity caused by malware infections. We have set the execution time of each site to 90 sec. We also use DCHSniffer for capturing PCAP data. After all the processing has been done, the virtual machine stops and all the executable and binary files are shown on the base machine with the URL from which they came. Then, for analysis and reporting, we insert the malicious URLs into the database. We have also used bridge-util for creation of the bridge, the gcc compiler (GNU C compiler) on the Linux platform, HTTP-Sessionizer for re-sessioning HTTP communication, and the Fuse util for the virtual file system.

VIII. EXPERIMENTAL RESULTS

Table 1. Experiment results collecting malware

URL | STEM | HOSTNAME | md5
http://admarcontabil.sites.uol.com.br///live.txt | ///live.txt | admarcontabil.sites.uol.com.br | cc4c77ee54de37e9089c7aae2e24d9a2
http://ew.correa.sites.uol.com.br///RITINHA.jpg | ///RITINHA.jpg | ew.correa.sites.uol.com.br | 5912d4f1845de44a4e5c9e9db891c65f
http://pixwall.net///summer/XvidSetup.exe | ///summer/XvidSetup.exe | pixwall.net | ae8621d33a5d184534bab844a0716d1b
http://strandednaked.com///media/XvidSetup.exe | ///media/XvidSetup.exe | strandednaked.com | ae8621d33a5d184534bab844a0716d1b
http://depaulamdp.sites.uol.com.br///aut.jpg | ///aut.jpg | depaulamdp.sites.uol.com.br | 337877a8689824558ba8c17a03763776
http://gucosilva.sites.uol.com.br///downloada.jpg | ///downloada.jpg | gucosilva.sites.uol.com.br | 5d1cdf7ff4c57503c2352f1d6bf3a149
http://loys.com.br///oportunidade/images/01.jpg | ///oportunidade/images/01.jpg | loys.com.br | 3f7d7f857f13174261540d6db7c48e2d

In the above table, the term "URL" means the website which we opened, "stem" means where the malware was found, and "md5" means the unique number for the malware, just like a numeric value.

IX. COMPARISON OF HONEYCLIENT WITH IDS

A client honeypot is an active honeypot which uses a client application and collects malware. As we know, client honeypot and IDS are both network security terms, but a client honeypot is better than an IDS because an IDS only generates alerts when the attacker's signature matches the database, whereas a client honeypot also detects malware with unknown signatures. Also, intrusion detection systems in large networks suffer from the high amount of traffic, while client honeypots, in contrast, only have to handle traffic directed to themselves. A client honeypot does not need high configurations.
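The last step of the flow in Fig 2 (save the extracted malware, insert host name and URL into the database) and the columns of Table 1, as an added example that is not the paper's code: the STEM and HOSTNAME columns are derived from the URL with the standard library, the md5 column is computed from the file copied out of the VM, and the records go into an in-memory SQLite database that keeps samples (keyed by MD5) and sightings (keyed by URL) in separate tables. The only inputs taken from the paper are the URL and md5 columns of Table 1, loaded to show that its third and fourth rows are one sample served from two hosts. The `record_file` helper, the `.example` URL and the byte string it hashes are constructed.

```python
"""Reporting stage of the virtual honeyclient (added example): URL -> (hostname, stem),
MD5 of the collected file, and an SQLite record that stores a sample once however many
sites served it."""
import hashlib
import sqlite3
from urllib.parse import urlsplit

SCHEMA = """
CREATE TABLE IF NOT EXISTS sample (
    md5  TEXT PRIMARY KEY,          -- identity of the binary, the md5 column of Table 1
    size INTEGER                    -- NULL when only the digest is known
);
CREATE TABLE IF NOT EXISTS sighting (
    url      TEXT PRIMARY KEY,      -- the page the honeyclient opened
    hostname TEXT NOT NULL,
    stem     TEXT NOT NULL,         -- path part of the URL, where the malware was found
    md5      TEXT NOT NULL REFERENCES sample(md5)
);
"""


def split_url(url):
    """Return (hostname, stem). The stem is the raw path, including the repeated
    slashes the URL feeder produced, which is how Table 1 prints it."""
    parts = urlsplit(url)
    return parts.hostname, parts.path


def sample_md5(data):
    return hashlib.md5(data).hexdigest()


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record_sighting(db, url, md5, size=None):
    """Insert the sample once (keyed by md5) and the URL that served it."""
    hostname, stem = split_url(url)
    if hostname is None:
        raise ValueError("URL without a host name: %r" % url)
    db.execute("INSERT OR IGNORE INTO sample(md5, size) VALUES (?, ?)", (md5, size))
    db.execute("INSERT OR REPLACE INTO sighting(url, hostname, stem, md5) VALUES (?, ?, ?, ?)",
               (url, hostname, stem, md5))
    db.commit()
    return hostname, stem


def record_file(db, url, data):
    """Hypothetical helper for a file copied out of the VM: hash it, then record it."""
    return record_sighting(db, url, sample_md5(data), len(data))


def summary(db):
    """(distinct samples, sightings, [(md5, n) for samples seen on more than one URL])."""
    samples = db.execute("SELECT COUNT(*) FROM sample").fetchone()[0]
    sightings = db.execute("SELECT COUNT(*) FROM sighting").fetchone()[0]
    shared = db.execute("SELECT md5, COUNT(*) FROM sighting GROUP BY md5 "
                        "HAVING COUNT(*) > 1 ORDER BY md5").fetchall()
    return samples, sightings, shared


# URL and md5 columns of Table 1 of the paper (the binaries themselves are not reproduced).
TABLE1 = [
    ("http://admarcontabil.sites.uol.com.br///live.txt", "cc4c77ee54de37e9089c7aae2e24d9a2"),
    ("http://ew.correa.sites.uol.com.br///RITINHA.jpg", "5912d4f1845de44a4e5c9e9db891c65f"),
    ("http://pixwall.net///summer/XvidSetup.exe", "ae8621d33a5d184534bab844a0716d1b"),
    ("http://strandednaked.com///media/XvidSetup.exe", "ae8621d33a5d184534bab844a0716d1b"),
    ("http://depaulamdp.sites.uol.com.br///aut.jpg", "337877a8689824558ba8c17a03763776"),
    ("http://gucosilva.sites.uol.com.br///downloada.jpg", "5d1cdf7ff4c57503c2352f1d6bf3a149"),
    ("http://loys.com.br///oportunidade/images/01.jpg", "3f7d7f857f13174261540d6db7c48e2d"),
]


def load_table1(db):
    for url, md5 in TABLE1:
        record_sighting(db, url, md5)
    return summary(db)


if __name__ == "__main__":
    db = open_db()
    print(load_table1(db))  # (6, 7, [('ae8621d33a5d184534bab844a0716d1b', 2)])
    print(record_file(db, "http://dropper.example///setup.exe", b"MZ\x90\x00constructed-sample"))
```

Keying samples by digest is what makes the seven sightings collapse to six binaries; a flat table with one row per URL, as Table 1 is printed, would count the XvidSetup.exe sample twice.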
X. CONCLUSION AND FUTURE WORK

Computer networks have brought the world together by bridging the information gap among people. Network technology has undergone a revolution with better and faster ways of sending information between computers. Unfortunately, security systems and policies to govern these networks have not progressed at the same speed. Today's networks are very complex, and the whole world is focusing on ease of use and functionality. This diverts our concern for security towards ease of use and increased functionality. Cyber crime is also no longer the prerogative of lone hackers or random attackers. So there is a huge need for detecting and preventing threats and intrusions. In this work, we presented an Internet malware collection system using a client-side honeypot. We use the active ability of the client-side honeypot to collect malware that a traditional honeypot cannot get from the Internet. We introduced the categories of Internet malware, the client-side attack techniques and the overall framework of the system in detail. We mainly gave the design and implementation of client honeypot based malware collection. During the work done so far, the client honeypot based solution has proved very useful for collecting Internet malware and detecting malicious websites.

Our developed VirtualBox powered honeyclient is very useful for the collection of Internet malware, but it has limited capabilities, or we can say that it is just a prototype. There is a requirement to integrate a crawler for data acquisition; at present there is no such component in our developed module. Further, there is also the possibility of adding various client-side applications such as Firefox, PDF readers, etc., because currently we only use Internet Explorer for actively visiting the websites. There is also the possibility of adding automatic analysis of the collected malware. We acknowledge that we cannot cover all the challenges, such as human user simulation, logic bombs and time-triggered websites, but we have developed a prototype solution to get a better understanding of client honeypots.

REFERENCES

[1] R. Danford, "2nd Generation Honeyclients", SANS Internet Storm Center, 2006. http://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANS06.pdf
[2] Zero Day Initiative, "Adobe Flash Player JPEG Parsing Heap Overflow Vulnerability", 9 December 2009. http://www.zerodayinitiative.com/advisories/ZDI-09-092/
[3] C. Seifert, "HoneyC - The Low-Interaction Client Honeypot", 2006. CiteSeerX, http://citeseer.ist.psu.edu/seifert06honeyc.html
[4] R. A. Grimes, "Tracking Malware with Honeyclients", InfoWorld, 2006. http://www.infoworld.com/d/security-central/tracking-malware-honeyclients-852
[5] K. Wang, Honeyclient Development Project. http://www.honeyclient.org/
[6] Offensive-Security, "Client Side Attacks", 2009. http://www.offensive-security.com/metasploit-unleashed/Client-Side-Attacks
[7] C. Seifert, R. Steenson, T. Holz, Y. Bing, and M. A. Davis, "Know your enemy: Malicious web servers", The Honeynet Project, 2007. http://www.honeynet.org/papers/mws/
[8] HoneySpider Network Project, "The Honeyspider Network – Fighting Client-Side Threats", 2009. http://www.honeyspider.net/wp-content/uploads/2009/06/hsn-first2008-article-v02.pdf
[9] S. Garera, N. Provos, M. Chew, and A. D. Rubin, "A Framework for Detection and Measurement of Phishing Attacks", Proceedings of the 2007 ACM Workshop on Recurring Malcode, 2007.
[10] C. Clementson, "Client-Side Threats and a Honeyclient-Based Defense Mechanism, Honeyscout", Master's Thesis, Linköping University Electronic Press, 2009.
[11] R. A. Grimes, "Tracking Malware with Honeyclients", InfoWorld, 2006. http://www.infoworld.com/d/security-central/tracking-malware-honeyclients-852