Escape from Monkey Island: Evading High-interaction Honeyclients

Authors

Alexandros Kapravelos, Marco Cova, Christopher Kruegel, Giovanni Vigna

Venue

Proceedings of the 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), July 2011

Abstract

High-interaction honeyclients are the tools of choice to detect malicious web pages that launch drive-by-download attacks. Unfortunately, the approach used by these tools, which in most cases is to identify the side effects of a successful attack rather than the attack itself, leaves open the possibility for malicious pages to use evasion techniques that let an attacker execute the attack without being detected, or to behave in a benign way while being analyzed. In this paper, we examine the security model that high-interaction honeyclients use and evaluate its weaknesses in practice. We introduce and discuss a number of possible attacks, and we test them against several popular, well-known high-interaction honeyclients. Our attacks evade detection by these tools while still successfully attacking regular visitors of the malicious web pages.
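As an added illustration, not code from the paper or from any honeyclient it evaluates, the following toy model shows why a detector that only compares system state before and after a visit can be evaded by a page that stays benign while it thinks it is being analyzed. The simulated browser context, the monitored state (files and processes), the visitor profiles, the 30-second analysis budget and the gating condition (deliver only after user activity plus a long delay) are all constructed assumptions chosen to show the class of weakness the abstract describes; they are not the specific attacks the paper evaluates.

```javascript
'use strict';

// Simulated system state that a side-effect honeyclient monitors.
// Constructed for this example: only new files and processes are tracked.
function freshState() {
  return { processes: ['browser.exe'], files: [] };
}

// A benign page: renders content, touches nothing that is monitored.
function benignPage(ctx) {
  ctx.render('Hello, world');
}

// An evasive page. It delivers its payload only when the visit looks like a
// real user session: the visitor produced some activity, and the page has
// stayed open well past a typical per-URL analysis budget.
// (Gating conditions are illustrative assumptions, not the paper's attacks.)
function evasivePage(ctx) {
  ctx.render('Hello, world');
  ctx.onUserActivity(() => {
    ctx.setTimeout(() => ctx.dropPayload(), 60_000);
  });
}

// Run a page in a simulated browser. `visitor` describes observable behaviour:
// how long the page stays open, and when (if ever) the user interacts.
function visit(page, visitor) {
  const state = freshState();
  let now = 0;
  const timers = [];
  const activityHandlers = [];
  const ctx = {
    render() {},
    onUserActivity(handler) { activityHandlers.push(handler); },
    setTimeout(fn, ms) { timers.push({ at: now + ms, fn }); },
    // Stand-in for a successful exploit's side effects (assumed names).
    dropPayload() {
      state.files.push('C:\\Users\\victim\\dropped.exe');
      state.processes.push('dropped.exe');
    },
  };

  page(ctx);

  // Deliver simulated user activity, if any, at the configured time.
  if (visitor.interactsAtMs !== null && visitor.interactsAtMs <= visitor.durationMs) {
    now = visitor.interactsAtMs;
    for (const handler of activityHandlers) handler();
  }

  // Fire due timers in order until the visit ends; later ones never run.
  timers.sort((a, b) => a.at - b.at);
  for (const t of timers) {
    if (t.at > visitor.durationMs) break;
    now = t.at;
    t.fn();
  }
  return state;
}

// Assumed visitor profiles: an automated analysis run versus a human reader.
const HONEYCLIENT_VISITOR = { durationMs: 30_000, interactsAtMs: null };
const REAL_VISITOR = { durationMs: 120_000, interactsAtMs: 2_000 };

// The honeyclient never inspects the page's code; it only diffs the monitored
// state before and after the visit, exactly the model the abstract criticizes.
function honeyclientVerdict(page, visitor = HONEYCLIENT_VISITOR) {
  const before = freshState();
  const after = visit(page, visitor);
  const newFiles = after.files.length > before.files.length;
  const newProcs = after.processes.length > before.processes.length;
  return newFiles || newProcs ? 'malicious' : 'benign';
}

// Number of payload artifacts a given visitor profile would end up with.
function infectionsFor(page, visitor) {
  return visit(page, visitor).files.length;
}

console.log('benign page   :', honeyclientVerdict(benignPage));
console.log('evasive page  :', honeyclientVerdict(evasivePage));
console.log('real visitor  :', infectionsFor(evasivePage, REAL_VISITOR), 'file(s) dropped');
console.log('patient client:', honeyclientVerdict(evasivePage, { durationMs: 90_000, interactsAtMs: 0 }));
```

The last line shows the obvious countermeasure in this toy model: an analyzer that simulates user activity and waits longer than the page's delay does observe the side effect. The point of the example is that the detector's verdict depends entirely on whether the page chose to misbehave during the analysis window, which is what makes environment-sensitive pages a problem for side-effect-based detection.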

BibTeX

@inproceedings{Kapravelos2011Escape_from,
  title     = {{Escape from Monkey Island: Evading High-interaction Honeyclients}},
  author    = {Kapravelos, Alexandros and Cova, Marco and Kruegel, Christopher and Vigna, Giovanni},
  booktitle = {Proceedings of the 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)},
  year      = {2011},
  address   = {Berlin, Heidelberg},
  isbn      = {978-3-642-22423-2},
  pages     = {124--143},
  publisher = {Springer-Verlag},
  url       = {http://dl.acm.org/citation.cfm?id=2026647.2026658}
}