Armin Büscher, G Data

Detecting malicious web pages with MonkeyWrench

Attacks on internet users with malicious web pages represent today’s number one infection vector. During a single visit to a crafted web page, an attacker can try to exploit various vulnerabilities in the internet browser or its plug-ins in order to install malware without user interaction, in a so-called drive-by download.
In this talk we present a client honeypot system named MonkeyWrench, which is used to detect malicious web pages. MonkeyWrench uses a hybrid approach that overcomes the shortcomings of low-interaction client honeypots in dealing with obfuscated JavaScript while outperforming automated browsers used in high-interaction systems. Unlike other honeyclients, MonkeyWrench is able to identify the exact vulnerabilities triggered by a malicious page, extract exploit payloads using advanced shellcode detection techniques, and subsequently download malicious executables used in the attacks. The results presented in our talk will cover statistics of the detection of several hundred thousand malicious web pages with a single client honeypot and demonstrate MonkeyWrench's ability to support the work of our web security analysts.
Armin Buescher began studying Computer Science in Dortmund in 2002. He joined G Data in 2008 after finishing his diploma thesis on the analysis of web-based attacks. Now he works as a malware analyst and security researcher at the G Data Security Labs. His work focuses on the strategic development of exploit prevention techniques and analysis tools.