Pacific Northwest Chapter Status Report for 2011

ORGANIZATION

  • Christian Seifert, PhD - Full Member, Chief Executive/Financial Officer
  • Chiraag Aval
  • Barbara Endicott-Popovsky, PhD
  • Ashish Malviya
  • Julia Narvaez - Chapter Leader

DEPLOYMENTS
None.

RESEARCH AND DEVELOPMENT
Bare-Metal high interaction client honeypot:
Project sponsored by the Pacific Northwest National Laboratory. Given that some malware avoids launching attacks in the presence of virtualization, the team conducted a research project aiming to identify detection discrepancies in high interaction client honeypots running in virtual environments and high interaction client honeypots running in physical machines. The project included the following phases:

  • Bare-Metal honeypot development:
    Development of Bare-Metal client honeypot, which does not use virtualization
  • Collection of malware samples:
    Malware samples were provided by Microsoft, Shadow Server, and Malware Domain List.
  • Experiment:
    Access presumably malicious domains with both Capture-HPC (using virtualization) and Bare-Metal (not using virtualization), so that the two classifications can be compared for the same domain
  • Malware analysis:
    Conducted in collaboration with students from the University of Hawaii
  • Experimental design:
    The team proposed and applied concepts of the deception theory for honeypot research

The chapter is also developing a proof-of-concept drive-by exploit that detects whether it is running inside a virtual machine and bases its decision on whether to exploit on that result, to reproduce in a controlled setting the evasion behavior the honeypot comparison is meant to expose.

FINDINGS

  • Inconsistencies in malware attacks were reflected in the honeypot classification results. Additional analysis is required to reach an understanding of the factors that result in an attack.
  • Honeypots with the same configuration produced different malware classification, which raises the question of how to measure the performance of honeypots.
  • Reverse engineering of the selected malware samples did not establish that the malware was specifically attempting to detect virtual machines.
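The experiment phase above visits the same domains with a virtualized honeypot (Capture-HPC) and with the Bare-Metal honeypot, and the findings note that honeypots with the same configuration produced different classifications. The following is an added example, not tooling from the chapter or from Capture-HPC, of the analysis step that sits between those two: it pairs the two runs' verdicts per URL, separates agreement from the two kinds of disagreement, and isolates the "malicious on bare metal, benign under virtualization" URLs that warrant follow-up analysis. The log format, URLs and verdicts are constructed for this example (Capture-HPC's native output format is not reproduced here), and the duplicate-visit rule is an assumption of the example.

```python
"""Compare per-URL classifications from two high-interaction client honeypot
runs over the same URL list: one virtualized (Capture-HPC style) and one on
bare metal. Added example; not part of the chapter's tooling. The log format
below is constructed for this example, not Capture-HPC's native format.
"""

# Constructed sample logs, one visit per line: "<timestamp>,<url>,<verdict>".
VM_LOG = """\
2011-03-01T10:00:00,http://example-a.test/,benign
2011-03-01T10:01:00,http://example-b.test/,malicious
2011-03-01T10:02:00,http://example-c.test/,benign
2011-03-01T10:03:00,http://example-d.test/,malicious
2011-03-01T10:04:00,http://example-e.test/,error
"""

BAREMETAL_LOG = """\
2011-03-01T11:00:00,http://example-a.test/,malicious
2011-03-01T11:01:00,http://example-b.test/,malicious
2011-03-01T11:02:00,http://example-c.test/,benign
2011-03-01T11:03:00,http://example-d.test/,benign
2011-03-01T11:04:00,http://example-f.test/,benign
"""

# 'error' covers visits where the honeypot could not reach a verdict
# (crash, timeout, unreachable site); such URLs are excluded from agreement.
VALID_VERDICTS = {"benign", "malicious", "error"}


def parse_log(text):
    """Parse log lines into {url: verdict}; reject malformed lines loudly
    rather than silently dropping data from the comparison."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        _timestamp, url, verdict = (p.strip() for p in parts)
        verdict = verdict.lower()
        if verdict not in VALID_VERDICTS:
            raise ValueError(f"line {lineno}: unknown verdict {verdict!r}")
        # Assumption of this example: if a URL was visited more than once,
        # a single 'malicious' verdict wins over later benign/error visits.
        if results.get(url) != "malicious":
            results[url] = verdict
    return results


def compare(vm, bare):
    """Pair verdicts per URL and bucket them.

    'bare_only' holds URLs malicious on bare metal but benign under
    virtualization: consistent with VM-aware malware, but not proof of it,
    which is why such URLs are candidates for reverse engineering rather
    than a conclusion on their own.
    """
    common = sorted(set(vm) & set(bare))
    summary = {
        "compared": len(common),
        "missing_in_bare": sorted(set(vm) - set(bare)),
        "missing_in_vm": sorted(set(bare) - set(vm)),
        "agree": [],
        "bare_only": [],   # malicious on bare metal, benign in the VM
        "vm_only": [],     # malicious in the VM, benign on bare metal
        "error": [],       # no usable verdict from at least one honeypot
    }
    for url in common:
        a, b = vm[url], bare[url]
        if "error" in (a, b):
            summary["error"].append(url)
        elif a == b:
            summary["agree"].append(url)
        elif b == "malicious":
            summary["bare_only"].append(url)
        else:
            summary["vm_only"].append(url)
    return summary


def agreement_rate(summary):
    """Fraction of URLs with a usable verdict from both runs on which the
    two honeypots agree; 0.0 when nothing could be compared."""
    decided = summary["compared"] - len(summary["error"])
    return len(summary["agree"]) / decided if decided else 0.0


if __name__ == "__main__":
    s = compare(parse_log(VM_LOG), parse_log(BAREMETAL_LOG))
    print(f"compared {s['compared']} URLs, agreement {agreement_rate(s):.0%}")
    for bucket in ("bare_only", "vm_only", "error", "missing_in_bare", "missing_in_vm"):
        print(f"{bucket:16s} {s[bucket]}")
```

The agreement rate is the quantity the second finding asks about when it raises the question of how to measure honeypot performance: two runs of the same configuration that disagree on a substantial fraction of URLs cannot be scored against each other as if either were ground truth, so the disagreement buckets need to be examined individually rather than folded into a single detection rate.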

PAPERS AND PRESENTATIONS

Papers

  1. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection
    Authors: Charles Curtsinger, Benjamin Livshits, Benjamin Zorn, and Christian Seifert
    USENIX Security Symposium, August 2011
  2. "NOFUS: Automatically Detecting" String.fromCharCode(32) "ObFuSCateD ".toLowerCase() "JavaScript Code"
    Authors: Scott Kaplan, Benjamin Livshits, Benjamin Zorn, Christian Seifert, and Charles Curtsinger
    Microsoft Research Technical Report MSR-TR-2011-57, http://research.microsoft.com/en-us/um/people/livshits/papers/tr/nofus_tr.pdf; 2011
  3. ARROW: GenerAting SignatuRes to Detect DRive-By-DOWnloads
    Authors: Junjie Zhang, Jack W. Stokes, Christian Seifert, Wenke Lee
    World Wide Web, Hyderabad, India; 2011
  4. Cost-effective Detection of Drive-by-Download Attacks with Hybrid Client Honeypots
    Authors: Christian Seifert
    Computer Science, Victoria University of Wellington, 2010
    Degree: Doctor of Philosophy
    Supervisor: Ian Welch, Peter Komisarczuk
  5. WebCop: Locating Neighborhoods of Malware on the Web
    Authors: Stokes, J., Andersen, R., Chellapilla, K., Seifert, C.
    3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose; 2010
  6. Assessment of Virtualization as a Sensor Technique
    Authors: Narvaez, J., Aval, C., Endicott-Popovsky, B., Seifert, C., Malviya, A., Nordwall, D.
    Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE); 2010
  7. Drive-by downloads.
    Authors: Narvaez, J., Endicott, B., Seifert, C., Aval, C., Frincke, D.
    Hawaii International Conference on System Sciences; 2010
  8. Digital records forensics: An interdisciplinary program for forensic readiness
    Authors: Duranti, L. and Endicott-Popovsky, B.
    In Proceedings of the Conference on Digital Forensics, Security and Law. St. Paul, MN; 2010

Presentations

  1. Honeynet Project Security Workshop – Paris; 2011
    For video of presentation please visit http://honeynet.org/SecurityWorkshops/2011_Paris/Session3_1-Honeyclient
  2. Presentation on Bare-Metal honeypot at the Annual Honeynet Workshop. Mexico City, Mexico; 2010
  3. "Next Generation Honeypots: Staying Ahead of the Bad Guys", Microsoft Research. Redmond, Washington; 2010
  4. "Cybersecurity Awareness Month," panelist in the Cybersecurity Panel, Seattle, Washington; 2010

GOALS

  • Research techniques and trends used to conduct drive-by-downloads attacks.
  • Develop tools to improve the analysis of the results of high interaction client honeypots.
  • Formulate a methodology incorporating the concepts of the deception theory to improve the detection of drive-by-downloads attacks.
  • Produce and release full documentation of Bare-Metal client honeypot.

MISC ACTIVITIES

  • Revived and led the Forensic Challenge effort in 2010
  • Actively involved in membership and ethics committee
  • Developed, organized, and led the Pacific Rim Collegiate Cyber Defense Competition (PRCCDC). In this competition, student teams are presented with the pre-configured systems of a fictitious company that they are tasked to operate. A red team, which sits next door, attempts to vandalize and break into this network, and the student teams must defend against its attacks. In particular, each team's goals are to fulfill assigned business tasks, keep services operational, and prevent break-ins by the red team; students are scored on these goals. In 2011, this event included thirteen regional universities, community colleges, and University of Washington departments.
    For additional information please visit http://ciac.ischool.washington.edu/?p=618
    Video is available at http://www.uwtv.org/video/player.aspx?dwrid=27982