WEF - Web Exploit Finder

WEF is an implementation of automatic drive-by-download detection in a virtualized environment, developed by Thomas Müller, Benjamin Mack and Mehmet Arziman, three students from the Hochschule der Medien (HdM), Stuttgart, during the summer term of 2006. WEF can be used as an active HoneyNet, with a complete virtualization architecture underneath that allows compromised virtual machines to be rolled back.

Much has been written about security vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox. Some of these security threats are designed to execute malicious code in the browser. Known as remote code execution attacks, these threats typically exploit buffer overflows in an application. They are not limited to browsers but affect almost all services and applications that are part of the internet or that use it as a communication platform.

We focus on internet browsers here because of two key problems. First, browsers are the primary user interface to the World Wide Web. Because the rendering engine transforms hypertext into a visual presentation for humans, every part of a webpage has to be interpreted and processed further by the browser, which leads to a complex and error-prone architecture, especially with regard to mobile code (JavaScript, Java, ActiveX, XUL etc.). Second, the browser is arguably the most frequently used program in the family of potentially vulnerable software. In contrast to server-based software, a browser is often used by non-technical users, many of whom neither understand the risks nor know possible countermeasures. Even experts are often exposed to the risk of an attack.

In view of this, our goal was to develop a system that automatically detects and identifies malicious websites.

In addition, this system can serve as a platform for other security and sandbox tests. One use case is to automatically analyze various kinds of malware in a secure and easily maintainable virtualized environment.

