
I would like to create a honeypot (bot) to hunt browser zero-days (and browser extension zero-days). What is the best way to find those 0days automatically? (I would like to create a sandboxed bot which would visit websites and check if they are trying to exploit a browser vulnerability.) I think that just sandboxing this bot and attaching a debugger would not be enough.

Is there anything else that I should consider?

My inspiration was this article from corelan.be: The Honeypot Incident – How strong is your UF (Reversing FU) from 2011.

If the exploit is well-written and well-tested, then nothing should crash, and hence an attached debugger would be pretty useless?


The idea is that we have our honeypot which would detect zero-days. It should do this by visiting websites, clicking on links, just imitating usual user behaviour. Our honeypot is actually a bot. Our bot is not allowed to download any executable binaries (we still want to be able to open PDF documents and Excel spreadsheets in the browser; Google Chrome allows it). This is a hard task because we need to detect something undetectable, so we need to detect it by its traces and by deduction.

If we detect any outgoing requests from our machine, e.g. to a C&C server, or detect some malware (we will use behaviour-based malware detection, because we cannot rely only on some hardcoded signatures, but we need to keep in mind that it is very resource consuming), then we know, since we forbid downloading and executing any executables, that the only way to infect that sandboxed machine was through a zero-day.

Thus we need to keep track of memory states (memory dumps every X seconds, which is obviously very resource consuming), we need to create log files, and we need to execute our browsers in debug modes to trace even more. If we detect some strange behaviour on our machine, we need to check the initial data for traces of a zero-day, because it would be the only way the attackers were able to intrude into the system.

I think this is the only reasonable way of detecting it without executing any executables (click_me_to_see_secret_documents.exe would be too easy).


EDIT:

Here is a nice tool recommended by an AV researcher: https://buffer.github.io/thug/

Here is the documentation: https://buffer.github.io/thug/doc/

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker’s content.

Here is a somewhat similar question (but with less technical details): Recommendations for honeypot software


Take as an example Google Chrome browser, on Windows 10. And explain how you would set up such a honeypot.
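One way to turn the "detect by traces and deduction" idea above into code, as an added example that is not part of the original post and not Thug's own code: a triage pass over the event log of one sandboxed visit, flagging behaviour a browser-only bot that never downloads executables should never produce. The event format, the field names and the sample events are constructed assumptions, not the output of any real sandbox.

```python
"""Triage one honeyclient visit: flag traces incompatible with a benign page load.
Added example; the event schema below is an assumption, not a real sandbox format."""
from urllib.parse import urlparse

BROWSER = "chrome.exe"                       # the process under observation
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".hta", ".msi")

# Constructed sample events for one visit to http://example.test/promo
SAMPLE_EVENTS = [
    {"type": "net", "proc": "chrome.exe", "host": "example.test", "port": 80},
    {"type": "net", "proc": "chrome.exe", "host": "cdn.example.test", "port": 443},
    {"type": "proc", "parent": "chrome.exe", "image": "chrome.exe", "cmd": "--type=renderer"},
    {"type": "proc", "parent": "chrome.exe", "image": "rundll32.exe",
     "cmd": "C:\\Users\\bot\\AppData\\Local\\Temp\\x.dll,Run"},
    {"type": "file", "proc": "chrome.exe", "path": "C:\\Users\\bot\\AppData\\Local\\Temp\\x.dll"},
    {"type": "net", "proc": "rundll32.exe", "host": "203.0.113.7", "port": 4444},
]


def triage(events, visited_url, extra_allowed=()):
    """Return (rule, event) findings for behaviour a benign visit should not show."""
    site = urlparse(visited_url).hostname or ""
    allowed = set(extra_allowed)             # e.g. the browser's own update hosts
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "proc" and ev["parent"] == BROWSER and ev["image"] != BROWSER:
            # Chrome only spawns chrome.exe helpers; any other child is a sign of code execution
            findings.append(("browser spawned foreign process", ev))
        elif kind == "file" and ev["path"].lower().endswith(EXEC_EXT):
            # the bot never downloads executables, so a dropped binary is a trace of exploitation
            findings.append(("executable written to disk", ev))
        elif kind == "net":
            host = ev["host"]
            in_scope = host == site or host.endswith("." + site) or host in allowed
            if ev["proc"] != BROWSER:
                # only the browser is supposed to talk to the network during a visit
                findings.append(("non-browser process made network connection", ev))
            elif not in_scope:
                findings.append(("browser contacted host outside visited site", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS, "http://example.test/promo"):
        print(f"{rule}: {ev}")
```

Real pages pull in third-party CDNs and ad hosts, so the network rule on its own is a weak signal; the process and file rules are the ones that justify keeping the memory dumps and debug logs of that visit for analysis.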

  • *" What is the best way to find those 0days automatically ... "* - Given that such 0days are costly and get mostly used in targeted attacks you have to be a worthy target first or have access to the system of a worthy target in order to get attacked. – Steffen Ullrich Sep 02 '19 at 12:51
  • I know that *0days* are expensive and require much time to find in the software. So they are not used to attack the masses anymore, like it was done many years ago by using 0days inside Flash applications? – Awaaaaarghhh Sep 02 '19 at 12:52
  • The time when 0days were used in mass attacks against browsers seems to be currently over and hopefully never comes back. It was easy in the past because of insecure technologies like Java, Flash and ActiveX and because browsers were not hardened enough. This has fortunately changed. - Apart from that I still think that the question is too broad. You might think that it cannot be that hard to implement what you want and therefore feel it is not too broad. I think it is very complex and that's why I consider your question as too broad. – Steffen Ullrich Sep 02 '19 at 13:21
  • @SteffenUllrich Maybe you could make an answer from your comment and I will accept it. It would be nice if you would describe in a broad way (that would be enough) how to set up such a honeypot. Yes, I understand that it is much more complex nowadays to catch zero-days, but the question was not about the complexity of finding zero-days but about how to accomplish it. – Awaaaaarghhh Sep 02 '19 at 13:25
  • Your edit basically broadly describes such a system. But the exact details to implement this are missing, and adding everything necessary so that you would actually be able to build such a thing would be a lot - that's why I still consider the question as too broad. Apart from that you still fail to address an essential aspect: how to achieve that some attacker will even try to attack your system with a 0day attack? You might crawl lots of sites but it is unlikely that somebody will try to attack your system using a 0day exploit since these are expensive. – Steffen Ullrich Sep 02 '19 at 14:28
  • "How do I detect 0-days?" is extremely broad, and adding more details doesn't make it less broad. There are too many different "kinds" of 0-days that all have to be detected in different ways. You might as well ask "How do I secure my website?". – Conor Mancone Sep 02 '19 at 14:39
  • @SteffenUllrich I know that 0days are expensive. That's why I'm so interested in that topic - if there is still someone out there who is still exploiting browser *0days* on the masses, or are 0days really just for targeted attacks (e.g. politicians)? – Awaaaaarghhh Sep 02 '19 at 14:41
  • @ConorMancone no, it is not broad. Because you're using your browser, you can open PDFs also with your browser (*Google Chrome*). I'm not talking here about anything else. Of course you could still exploit on a much lower level by having some bugs in networking devices or other hardware, but I'm talking only about **browsers**. – Awaaaaarghhh Sep 02 '19 at 14:43
  • I know you are only asking about browsers. That is still *very* broad. Different browsers, different classes of vulnerabilities, different detection techniques... – Conor Mancone Sep 02 '19 at 14:53
  • @ConorMancone if I understand you correctly you're advising me 2 things (at least I infer it from your answer): **1.** split this question into different "subquestions" focusing on specific browser vulnerabilities (e.g. uXSS (I hope you know the abbreviation for universal XSS) to file:// and then to a system breakout (I doubt it will work, I'm just trying to mention other bugs), or just binary exploitation methods), e.g. *hunting for heap spraying attacks on Chrome*; or **2.** don't ask any more technical questions about browser exploitation (or detection of such exploitation) on Security SE. – Awaaaaarghhh Sep 02 '19 at 15:00
  • Let me break this down for you. This is your question: "What is the best way to find [unspecified, undefined, unscoped] 0days [in any browser] automatically?" Yes, that is too broad. The best way to find 0-days is not to blindly hunt for the potential for some unknown exploit in the wild to teach you how their 0-day works. You do that by looking at the code **of the browser**. To do what you want to do would require such a broad spectrum of preparation for all the different things that could go wrong in any one browser. Explaining all that would take more than an answer could provide. – schroeder Sep 02 '19 at 15:06
  • @schroeder I hope you know that browser source code contains millions of lines of code, depending on the browser. Security researchers are already performing static and dynamic analysis of browsers. But we don't deal with old bugs only; new browser bugs are "added" too: https://www.youtube.com/watch?v=WbuGMs2OcbE Actually I expected such a non-technical answer. It doesn't help. And I hope you know that you can get PoCs or detailed writeups about browser zero-days on some blogs. No, this question is not about "help, how does this browser zero-day work?". It is about how to create a honeypot to catch them. – Awaaaaarghhh Sep 02 '19 at 15:13
  • @Awaaaaarghhh yes, I know what you are asking. I never said that you were asking how a specific 0-day worked... If only you had, it would not be so broad. You're asking how to catch and analyse ***any*** 0-day on any browser (that's literally what I said). – schroeder Sep 02 '19 at 15:14
  • @schroeder do you mean I need to be much more specific about the browser and about the possible vulnerability? Like: "how to detect that someone is trying to exploit a buffer overflow in a browser?" – Awaaaaarghhh Sep 02 '19 at 15:17
  • @Awaaaaarghhh ... your response is, "but analysis is hard?" And you want to devise an all-encompassing analysis platform to make sense of random, uncategorised code in the wild? That's much harder ... – schroeder Sep 02 '19 at 15:17
  • @schroeder Maybe I should move that question to Reverse Engineering SE or somewhere else to get a more technical answer? – Awaaaaarghhh Sep 02 '19 at 15:18
  • @Awaaaaarghhh heck if you asked *that* question, I think we have a duplicate around here somewhere. Decomposing the problem is going to be a place to start. – schroeder Sep 02 '19 at 15:18
  • @schroeder, 'your response is, "but analysis is hard?"' where and when did I say that? – Awaaaaarghhh Sep 02 '19 at 15:20
  • @Awaaaaarghhh Perhaps you should try asking this exact question at Reverse Engineering and see what they tell you. My guess is: Exactly the same as we tell you here. –  Sep 02 '19 at 15:30
  • tool: https://buffer.github.io/thug/ – Awaaaaarghhh Sep 19 '19 at 12:11
  • I take issue with your latest edit to answer your question. Other than the fact that it violates the spirit of this site, your latest edit doesn't actually answer your question. You've referenced a honeypot client, which is a fine concept that I'm sure Google and others likely use to detect malicious websites. However, that doesn't address the issue of finding **zero days**, which is what the bulk of your question was about. – Conor Mancone Sep 19 '19 at 12:39
  • I mean, if you're going to try to answer your question with an edit, you should make sure you at least **actually** answer your question... – Conor Mancone Sep 19 '19 at 12:40
  • Not to mention that the tone of your edit is perhaps not in line with the [Code of Conduct](https://meta.stackexchange.com/conduct) of Stack Exchange. –  Sep 19 '19 at 12:42

1 Answer


If I had the means to automatically detect a 0-day exploit in a piece of software, the vendor of that software would have the same potential, thus these exploits would be caught before the software was ever released.

Such things are done, of course, and they are called Source Code Analysis. They do exactly what you are trying to do: Automatically look for potential vulnerabilities and flag them. Developers then fix these vulnerabilities.

If the exploit is well-written and well-tested, then nothing should crash, and hence an attached debugger would be pretty useless?

You don't understand what a debugger does. A debugger doesn't "prevent" an exploit from happening. A debugger shows the internal state of an application as it runs, allowing you to better understand how the application works.

This is used in two scenarios: Debugging and Reverse Engineering.

What is debugging?

Debugging is the process of finding erroneous behavior in a program and finding the root cause of it. In order to do that, a developer uses a debugger to watch the execution of a program step-by-step, and compares the actual state of the program with the expected state of a program.

For instance, if a program rejects an input as erroneous, even though it should be accepted as valid, a developer can go through the function that makes this decision and find out exactly where the program makes a "wrong" decision and then fix this problem.

What is reverse engineering?

Reverse Engineering (also shortened as "RE") is the process of figuring out exactly what a program with unknown source code is doing. This is done for a variety of reasons: to figure out if a program is (not) doing something specific, or to gather some other internal information.

"Reversers" use debuggers to reveal the same internal state of the program, but without access to the source code.

  • In Germany we say "Am Thema vorbei" (missed the topic). In your answer you're describing the wrong things. The question was not about debugging, static/dynamic analysis, RE and such. It was about getting some tips on how to set up a honeypot to catch browser-based exploits - sandbox usage, logging, starting browsers in debug mode, just some general ideas on what to consider without unnecessarily going into details. Instead you're writing about what RE is, etc. It's a bit annoying. Yes, a debugger can track internal state, you're right there. But I think it is not so easy to use it to detect exploits that were used. – Awaaaaarghhh Sep 02 '19 at 13:17
  • Because you need to check debug log files automatically or manually and compare them to a normal browser execution, so you need to somehow detect the difference in browser behaviour. – Awaaaaarghhh Sep 02 '19 at 13:18
  • corelan was able to detect it. So how come you're saying it is not possible? You can detect malware (delivered by some 0day) by its behaviour: if it's connecting to C&C servers, installing rootkits or something else. – Awaaaaarghhh Sep 02 '19 at 13:21
  • @MechMK1 some anti-viruses are using a behaviour-based approach, example: https://github.com/scVENUS/PeekabooAV (it scans email attachments, but we are talking in general, so if it works here it can be applied also to other software) – Awaaaaarghhh Sep 02 '19 at 13:28
  • "Behaviour Based Malware Detection" – Awaaaaarghhh Sep 02 '19 at 13:31
  • wait, what? So you're saying that in the year 2019 it is technically impossible to use *behaviour-based malware detection* to say that your machine was somehow infected, because it didn't download any executables and thus the only chance of being infected was a zero-day? And you're saying that I'm trolling. – Awaaaaarghhh Sep 02 '19 at 13:42
  • Yes, that is what we are all saying to you - if it was practical for you to set up this sort of thing to run automatically, then the big A/V players would already have done so, but instead they are still doing it 'by hand'... – Mike Brockington Sep 02 '19 at 14:23
  • @MikeBrockington I think they are already doing it. I mean, if you read that a Google team compared all possible known malware (binaries) to detect how similar they are (assembly code, patterns) in order to deduce possible malware creator teams, I would say that it is not so impossible. It was 1 or 2 years ago, during the WannaCry malware. Afaik Bruce Schneider wrote something about this. I'll need to search for that article. – Awaaaaarghhh Sep 02 '19 at 14:31
  • *Bruce Schneier, not Schnei**d**er. – Awaaaaarghhh Sep 02 '19 at 18:45