First, we will investigate our observation of non-deterministic behavior of malicious web servers. Repeated interaction with a malicious web server did not consistently yield malicious behavior. Analysis of the MPack/IcePack exploitation kits allows us to explain this behavior, at least partially.


Figure 3 - MPack Administrative Interface

MPack can be configured via the $BlockDuplicates option to only deliver an attack to a user it hasn't seen before. If this “IP tracking functionality” is enabled, MPack executes the CheckAddUser function shown in Figure 5. The user's IP address and browser identifier are hashed together (line 08) and stored in the MPack database (MySQL or text file) (lines 48-49 and 23-25). Upon repeated visits by a user with the same IP address and browser identifier, the hash is generated again and checked for existence in the MPack database (lines 15 and 29, 30, 41-42). If it is found, an “unhappy” emoticon is displayed and no attack is delivered (lines 17 and 44). (Similar functionality exists in IcePack [7].)

The CheckAddUser function explains why certain URLs are malicious and then permanently go dormant. However, it does not explain URLs that exhibit malicious behavior, temporarily go dormant (maybe for one or two requests), and then exhibit malicious behavior once again; this is a pattern we observed in our study. To explain this observation, we turn to an additional attack technique, Fast-Flux networks, which we describe more extensively in our Know Your Enemy: Fast-Flux Service Networks paper. Fast-Flux networks are networks of computer systems with public DNS records that are constantly changing. If a malicious URL is part of such a network, it might resolve to different physical machines, each of which only has access to its local IP tracking database. If a client honeypot accesses the same URL repeatedly, it might actually interact with several physical machines that each trigger initially, but then permanently go dormant. From the client honeypot's view, however, it appears as if it is sporadically attacked.

01: //checks and saves user's IP hashed with browser
02: //to avoid future browser's hangup
03: function CheckAddUser()
04: {
05: global $UseMySQL;
06: global $dbstats;
08: $ipua=md5(getenv("REMOTE_ADDR").getenv("HTTP_USER_AGENT"));
10: if ($UseMySQL==0) {
11: //text variant
12:   $fn="users.txt";
13:   if (file_exists($fn)) {
14:   $lines = file($fn);
15:     if (in_array($ipua."\n", $lines)==TRUE) {
16:     //got dup
17:     echo ";[";
18:     exit;
19:     }
20:   }
22:   //uniq record
23:   $fp=fopen($fn,"a");
24:   fwrite($fp,$ipua."\n");
25:   fclose($fp);
26: } else {
28: //mysql variant
29: $query = "SELECT * FROM ".$dbstats."_users WHERE data='".$ipua."'";
30: $res=mysql_query($query);
31: $merr=mysql_error();
32:   if ($merr!="") {
33:     //looks like no table, create & add data
34:     $query="CREATE TABLE `".$dbstats."_users` (`data` VARCHAR( 32 ) NOT NULL ) ENGINE = MYISAM ;";
35:     mysql_query($query);
36:     $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')";
37:     mysql_query($query);
39:   } else {
40:   //table found, check returned set count
41:   $rcount=@mysql_num_rows($res);
42:   if ($rcount>0) {
43:     //found data, prevent view
44:     echo ":[";
45:     exit;
46:   } else {
47:     //not found, add
48:     $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')";
49:      mysql_query($query);
50:   }
51:   }
53: }
55: }

Figure 4 - CheckAddUser Function
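
The two explanations above can be told apart in client honeypot logs by grouping repeated visits to one URL first by the visitor key that CheckAddUser derives on line 08, then by the machine the URL resolved to. The following Python sketch is an added example, not part of the original paper or of MPack; the log tuple layout, the label names and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def visitor_key(client_ip, user_agent):
    # Same value the kit computes on line 08: md5(REMOTE_ADDR . HTTP_USER_AGENT)
    return hashlib.md5((client_ip + user_agent).encode()).hexdigest()

def classify(visits):
    """visits: chronological (client_ip, user_agent, server_ip, attacked)
    tuples for ONE URL. Returns {visitor_key: label}."""
    by_visitor = defaultdict(list)
    for client_ip, ua, server_ip, attacked in visits:
        by_visitor[visitor_key(client_ip, ua)].append((server_ip, attacked))
    labels = {}
    for key, seq in by_visitor.items():
        per_host = defaultdict(list)          # outcomes per resolved machine
        for server_ip, attacked in seq:
            per_host[server_ip].append(attacked)
        if not any(attacked for _, attacked in seq):
            labels[key] = "no-attack-observed"
        elif any(any(h[1:]) for h in per_host.values()):
            # A machine attacked this visitor again: tracking is not in effect
            labels[key] = "attack-on-revisit"
        elif len(per_host) == 1:
            # Attacked once, then permanently dormant (CheckAddUser pattern)
            labels[key] = "one-shot"
        else:
            # Each machine fires at most on first contact; looks sporadic
            # to the client because DNS keeps resolving to new machines
            labels[key] = "one-shot-per-host"
    return labels

# Constructed sample data (documentation address ranges, not real observations)
C, UA = "192.0.2.10", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SINGLE_HOST = [(C, UA, "203.0.113.5", a) for a in (True, False, False)]
FAST_FLUX = [
    (C, UA, "198.51.100.1", True), (C, UA, "198.51.100.1", False),
    (C, UA, "198.51.100.2", True), (C, UA, "198.51.100.2", False),
    (C, UA, "198.51.100.3", True), (C, UA, "198.51.100.1", False),
]

if __name__ == "__main__":
    for name, log in (("single host", SINGLE_HOST), ("fast-flux", FAST_FLUX)):
        print(name, [a for *_, a in log], "->", set(classify(log).values()))
```

In the constructed fast-flux log the per-request outcome alternates between attack and no attack, yet every individual machine behaves exactly as a single tracking server would.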