I would like to create a honeypot (bot) to hunt browser zero-days (and browser extension zero-days). What is the best way to find those 0days automatically? (I would like to create a sandboxed bot which would visit websites and check whether they are trying to exploit a browser vulnerability.) I think that just sandboxing this bot and attaching a debugger would not be enough.
Is there anything else that I should consider?
My inspiration was this article from corelan.be: The Honeypot Incident – How strong is your UF (Reversing FU) from 2011.
If an exploit is well-written and well-tested, then nothing should crash, and hence an attached debugger would be pretty useless?
The idea is that we have our honeypot which would detect zero-days. It should do this by visiting websites and clicking on links, just imitating usual user behaviour. Our honeypot is actually a bot. Our bot is not allowed to download any executable binaries (we still want to be able to open PDF documents and Excel spreadsheets in the browser, which Google Chrome allows). This is a hard task because we need to detect something undetectable, so we need to detect it by its traces and by deduction.
If we detect any outgoing requests from our machine, e.g. to a C&C server, or detect some malware (we will use behaviour-based malware detection, because we cannot detect just some hardcoded signatures, but we need to keep in mind that this is very resource consuming), then we know, since we forbid downloading and executing any executables, that the only way to infect that sandboxed machine was through a zero-day.
Thus we need to keep track of memory states (memory dumps every X seconds, but this is obviously very resource consuming), we need to create log files, and we need to execute our browsers in debug modes to trace even more. Because if we detect some strange behaviour on our machine, we need to check the initial data for traces of a zero-day, since it would be the only way the attackers were able to intrude into the system.
I think this is the only reasonable way of detecting it without executing any executables (click_me_to_see_secret_documents.exe would be too easy).
EDIT:
Here is a nice tool advised by an AV researcher: https://buffer.github.io/thug/
Here is a doc: https://buffer.github.io/thug/doc/
The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker’s content.
Here is a somewhat similar question (but with less technical details): Recommendations for honeypot software
Take as an example the Google Chrome browser on Windows 10, and explain how you would set up such a honeypot.
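As an added illustration of the "detect by traces and deduction" idea from the question (example code, not from the question, from Thug or from corelan): a triage pass over two logs the bot would collect during a crawl, comparing what the browser's HTTP stack requested with what actually happened at process and socket level. The log formats, process and host names are constructed for this example; real captures (Sysmon, ETW, a proxy) need their own parsers.

```python
import re
from urllib.parse import urlparse

# Constructed sample logs. REQUEST_LOG is every URL the browser's network
# stack fetched (page plus subresources); PROC_LOG is process creation;
# CONN_LOG is socket-level outbound connections. All values are made up.
REQUEST_LOG = [
    "url=https://news.example.org/story/42",
    "url=https://cdn.example.net/app.js",
]
PROC_LOG = [
    "parent=chrome.exe child=chrome.exe",          # renderer, normal
    "parent=chrome.exe child=powershell.exe",      # should never happen
]
CONN_LOG = [
    "proc=chrome.exe host=news.example.org port=443",
    "proc=chrome.exe host=cdn.example.net port=443",
    "proc=chrome.exe host=203.0.113.7 port=8080",  # no request ever named it
]

# Assumed baseline: hosts the image contacts even with no page open.
BASELINE_HOSTS = {"clients2.google.com", "update.googleapis.com"}
# Assumed: the only child the browser is expected to spawn on this image.
EXPECTED_CHILDREN = {"chrome.exe"}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn a 'k=v k=v' log line into a dict."""
    return dict(KV.findall(line))

def requested_hosts(request_log):
    """Hosts the browser legitimately fetched over HTTP(S)."""
    return {urlparse(parse(l)["url"]).hostname for l in request_log}

def triage(request_log, proc_log, conn_log):
    """Return (rule, detail) alerts; an empty list means a clean crawl."""
    alerts = []
    allowed = requested_hosts(request_log) | BASELINE_HOSTS
    # Rule 1: the browser spawned something it never should on a locked image.
    for rec in map(parse, proc_log):
        if rec["parent"] == "chrome.exe" and rec["child"] not in EXPECTED_CHILDREN:
            alerts.append(("unexpected_child", rec["child"]))
    # Rule 2: a socket opened to a host no HTTP request referenced, i.e. traffic
    # that bypassed the browser's own network stack (the C&C case).
    for rec in map(parse, conn_log):
        if rec["host"] not in allowed:
            alerts.append(("unreferenced_egress", f'{rec["host"]}:{rec["port"]}'))
    return alerts

if __name__ == "__main__":
    for rule, detail in triage(REQUEST_LOG, PROC_LOG, CONN_LOG):
        print(f"ALERT {rule}: {detail}")
```

Run the bot against known-clean sites first to fill BASELINE_HOSTS and EXPECTED_CHILDREN for your image, otherwise rule 2 is noisy; an alert then marks the crawl whose memory dumps and debug traces are worth examining for the initial vector.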