Wednesday, Aug 10, 2005

Microsoft's HoneyMonkeys Show Patching Windows Works 

http://www.informationweek.com/story/showArticle.jhtml?articleID=167600716

By Gregg Keizer

TechWeb News

Aug. 8, 2005

Microsoft unveiled details of its Strider HoneyMonkey research, a project that sniffs out sites hosting malicious code and hands the information to other parts of the company for patching or legal action.

The technical report outlines the concept of cruising the Web with multiple automated Windows XP clients -- some unpatched, some partially patched, some patched completely -- to hunt for Web sites that exploit browser vulnerabilities.

The HoneyMonkey concept, said Yi-Min Wang, the manager of the Cybersecurity and Systems Management Research Group, is completely different from the better-known honeypot approach to searching for malicious exploits. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC to surf to one of the 5,000 URLs it had identified as potentially malicious; that PC ran unpatched Windows XP SP1. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn would pass it up the food chain if necessary to a partially-patched SP2 system, then to a nearly-fully patched SP2 PC (all but the most recent patch), and finally to a fully-patched SP2 computer.

In the first month, the honeymonkeys found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.

That chain of monkeys gives Microsoft a good idea of the seriousness of the exploit being used by a site, as well as the size of the potential victim pool. And if what Wang called the "end-of-the-pipeline monkey," the fully-patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands, one for which no patch is currently available.

"Once we detect a zero day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," said Wang.

In effect, the Strider HoneyMonkey project acts as a "lead generator" for both the security and legal enforcement arms of Microsoft.

"If it's a bad site, we want to take the site down permanently," said Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or ISP to shut down the exploiter, or if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," said Stephen Toulouse, program manager for Microsoft Security Response Center. "We can do that with a security advisory, or in a bulletin, to tell customers not only that 'here's the vulnerability,' but that this is actively being exploited and perhaps should be given priority for patching."

During the initial run of the project, the honeymonkeys demonstrated the value of keeping Windows XP up to date, said Toulouse. "One thing I'd stress out of this is the importance of keeping software up to date."

An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs and 270 sites, 91 and 94 percent, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27 and 43 percent). Better yet, a partially-patched SP2 box -- one updated with the fixes released through early 2005 -- is vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of all those found).
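To make the escalation logic concrete, here is an added Python simulation of the ladder described earlier (unpatched SP1 up to fully-patched SP2, with a fully-patched hit flagged as a zero-day) that also produces the per-patch-level tallies the preceding paragraph reports. It is an illustration written for this page, not Microsoft's Strider HoneyMonkey code: the patch-level names, the "file written outside browser-owned folders" rule used as the drive-by signal, the sample URLs and the simulated visit function are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Escalation ladder, least to most patched, as the article describes it.
LADDER = [
    "XP SP1 unpatched",
    "XP SP2 unpatched",
    "XP SP2 partially patched",
    "XP SP2 all but latest patch",
    "XP SP2 fully patched",
]

# Folders a plain page visit is allowed to write into (constructed paths).
# A file written anywhere else with no user click is treated as the
# "downloading software without any user action" signal from the article.
ALLOWED_WRITE_PREFIXES = (
    "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\",
    "C:\\Documents and Settings\\monkey\\Cookies\\",
)


@dataclass
class VisitResult:
    """What the automated client observed while parked on one URL."""
    url: str
    patch_level: str
    files_written: List[str] = field(default_factory=list)


def is_exploited(result: VisitResult) -> bool:
    """True if any file landed outside browser-owned folders."""
    return any(not path.startswith(ALLOWED_WRITE_PREFIXES)
               for path in result.files_written)


def escalate(url: str, visit: Callable[[str, str], VisitResult]) -> Tuple[int, bool]:
    """Hand the URL up the ladder while each level is still exploited.

    Returns the index of the highest exploited level (-1 if even the
    unpatched client was not exploited) and whether the fully patched
    client, the "end-of-the-pipeline monkey", was exploited too (zero-day).
    """
    highest = -1
    for idx, level in enumerate(LADDER):
        if not is_exploited(visit(url, level)):
            break  # no point handing a harmless page further up the chain
        highest = idx
    return highest, highest == len(LADDER) - 1


def run_pipeline(urls: List[str], visit: Callable[[str, str], VisitResult]) -> Dict:
    """Classify every URL and tally how many remain exploitable at each level."""
    per_url: Dict[str, str] = {}
    zero_day: List[str] = []
    vulnerable_at = {level: 0 for level in LADDER}
    for url in urls:
        highest, is_zero_day = escalate(url, visit)
        per_url[url] = "clean" if highest < 0 else LADDER[highest]
        if is_zero_day:
            zero_day.append(url)
        for idx in range(highest + 1):      # exploited at this level and all below it
            vulnerable_at[LADDER[idx]] += 1
    exploit_urls = sum(1 for v in per_url.values() if v != "clean")
    share = {level: (100 * n // exploit_urls if exploit_urls else 0)
             for level, n in vulnerable_at.items()}
    return {"per_url": per_url, "zero_day": zero_day,
            "exploit_urls": exploit_urls, "vulnerable_at": vulnerable_at,
            "share_percent": share}


# --- Constructed stand-in for real browsing -------------------------------
# Maps each sample URL to the highest ladder index it can exploit
# (-1 = harmless). Real honeymonkeys learn this only by visiting.
_SIMULATED_REACH = {
    "http://drive-by-a.invalid/": 0,
    "http://drive-by-b.invalid/": 0,
    "http://drive-by-c.invalid/": 1,
    "http://drive-by-d.invalid/": 2,
    "http://drive-by-e.invalid/": 4,   # exploits even the fully patched box
    "http://drive-by-g.invalid/": 3,
    "http://harmless.invalid/": -1,
}
SAMPLE_URLS = list(_SIMULATED_REACH)


def simulated_visit(url: str, patch_level: str) -> VisitResult:
    """Fake a visit: an exploited client sees a dropper land in system32."""
    exploited = LADDER.index(patch_level) <= _SIMULATED_REACH[url]
    cache = ALLOWED_WRITE_PREFIXES[0] + "index[1].htm"
    dropped = "C:\\WINDOWS\\system32\\dropper.exe"
    return VisitResult(url, patch_level, [cache, dropped] if exploited else [cache])


if __name__ == "__main__":
    report = run_pipeline(SAMPLE_URLS, simulated_visit)
    for level in LADDER:
        print(f"{level:30} {report['vulnerable_at'][level]} URLs "
              f"({report['share_percent'][level]}%)")
    print("zero-day URLs:", report["zero_day"])
```

The ladder stops at the first level that is not exploited, so the most patched and most expensive clients only ever see pages that already got past the cheaper ones; the per-level tallies are what let a defender read off how much each patch level buys, which is the comparison the article draws between SP1, SP2 and a partially patched SP2 box.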

Wang's honeymonkeys -- the "monkey" name comes from the idea that the automated clients mimic a human's actions, as in 'monkey see, monkey do' -- found their first zero-day browser exploit in early July, when they identified a page using the Javaprxy.dll exploit, which was already publicly known but not yet patched.

(The July 12 patch batch included one that employed a work-around fix for the Javaprxy.dll bug.)

The page found by the honeymonkeys was the first URL reported to the Microsoft Security Response Center. Within two weeks, however, the honeymonkeys detected that over 40 of the 752 exploit URLs had started to "upgrade" to the exploit; the three Web sites responsible for all the pages were reported to the center.

While neither Wang nor Toulouse would comment on whether the honeymonkey concept would be used to provide Internet Explorer 7 users with information about malicious sites in the future, Wang did say that the project was already being expanded.

"We do expect to grow the network into the hundreds of machines so that we can scan millions of pages," he said. Already, the team is sending honeymonkeys to a list of the most popular Web sites -- determined by the popularity of those sites in common search engines -- in an attempt to find out if exploiters have infiltrated the "good neighborhoods" of the Internet. Later, Wang intends to sic the honeymonkeys on URLs embedded in spam and phishing e-mails.

"We know that the exploiters won't try to host malicious software on the largest Web sites, because that's just too obvious," said Wang. "But what if they exploit the five-thousandth most-popular site?"
