Targets Include MySpace, Slashdot,
Amazon"> Wang said high-traffic properties that are a constant target include MySpace.com, Slashdot, Amazon.com, Expedia, Washington Post, New York Times, Microsoft.com and DisneyChannel.com. Deliberately misspelled domains for several major banking and financial services Web sites are also a constant target, he said. The URL Tracer utility provides four main functionalities. It supports a "URL Scan History" view that records the time stamp of each primary URL visited and its associated secondary URLs, grouped by domains. It also supports an alternative "Top Domains" view that, for each secondary URL domain, displays all the visited primary URLs that generated traffic to it."Its basically an extension of HoneyMonkey," Wang said, referring to another project within his group that helps Microsofts security teams find the source of zero-day exploits targeting the Windows XP operating system. Microsoft unwraps its HoneyMonkey detection project. Click here to read more. The Typo-Patrol scanner built into the tool currently consists of a network of 17 machines, each running a daemon process that monitors its own input-request queue residing in a folder on a central management machine. According to Wang, when a list of typo-domains is dropped into the queue, the daemon fetches the list and launches virtual machines to visit each domain. The daemon copies all recorded data to the host machine, including information on all secondary URLs visited, the content of all HTTP requests and responses, and optionally a screen shot. Upon completing the scan of the entire list, the daemon copies all data to its output folder on the central management machine, Wang said. Recorded data in the output folder is inserted into a typo-domain database for data queries and analysis. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
For every URL displayed in either of the views, the tool provides a right-click menu with two options: the "Go" option that allows the URL to be revisited (so that the user can figure out which ad came from which URL) and the "Block" option that allows blocking of all future traffic to and from that domain.