Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Strider HoneyMonkey: Trawling for Windows Exploits



 By: Ryan Naraine
2005-05-19
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Researchers at Microsoft believe a network of Windows XP "honeymonkeys" can pinpoint Web sites that exploit client-side browser vulnerabilities.

Microsoft Corp. is developing a network of Windows XP "honeymonkeys" to help detect rogue Web sites that exploit security holes to install malware on client machines.

The project, code-named Strider HoneyMonkey Exploit Detection, is being created by the Redmond, Wash., companys Cybersecurity and Systems Management Research Group to help the software giant find the source of zero-day exploits targeting the Windows XP operating system.

Microsoft is tight-lipped on details of Strider HoneyMonkey, which appears to be an expansion of the concept of using "honey pots" to attract—and decipher—malicious Web activity.

The technique is used primarily to monitor and track illegal intrusions on a host or network that has been deliberately exposed with known security vulnerabilities. Honey pots have been used in the past to collect data on the way intruders operate and to create early warning and prediction systems.

Click here to read about a group using honey pots to track malicious IM threats.

Yi-Min Wang, group manager of the security research unit, gave a five-minute overview of the project at the 2005 IEEE Symposium on Security and Privacy.

Resource Library:

According to SecurityFocus, which first reported on Wangs presentation, HoneyMonkey is a network in which multiple Windows XP machines, some unpatched and some fully updated, trawl the seedier side of the Web to attract browser-based exploits.

Wang described the known danger areas as the "Exploit-Net," where porn peddlers and scammers exploit Web browser flaws to install keystroke loggers, spyware, Trojans and computer viruses.

In one recent instance, virus writers added a new twist to the old practice of "typosquatting," where a slight variation of the Google.com domain name was used to prey on users who botch the spelling of the popular search engine.

The HoneyMonkey machines will use the internally developed Strider utility to pinpoint registry changes and other signs of infection. The idea is to trawl for exploits and then match the HoneyMonkey machine with a clean system to look for discrepancies and changes.

Strider already powers two prototypes coming out of the research lab: Strider Gatekeeper, which complements the traditional signature-based approach to detecting spyware; and Strider GhostBuster, a rootkit cleanup tool that implements hidden-file and hidden-registry detection techniques.

Click here to read about Microsofts worm-cleansing tool with rootkit detection.

"This [HoneyMonkey] research project is in the very earliest of stages of development," according to a Microsoft spokesperson. Yi-Mins presentation last week was an overview of a Microsoft Research project in progress and it was delivered for the benefit of the research community."

"Its a research project investigating whether public Web sites are using security exploits to install software on client machines. Like many other MSR efforts, this project involves a number of important security-related concepts that reflect our investment in helping to provide security-related guidance and information for our customers," the spokesperson told Ziff Davis Internet News.

The spokesperson described HoneyMonkey as a "work in progress" and declined to discuss future plans.

The company is also developing security projects aimed at containing zero-day Internet worms and thwarting malicious code execution attacks. These include Vigilante, a product that proposes a brand-new approach to automate worm containment, and Control-Flow Integrity, which promises a new approach to dealing with arbitrary code execution attacks.

Read more here about the Vigilante project.

The increased activity around security research comes at a crucial time for Microsoft. The company is pushing aggressively into the security software market with the planned rollout of Windows OneCare, a PC Health product with bundled anti-virus, anti-spyware and two-way firewall protection.

The Microsoft Security Response Center, which stands to benefit the most from the Strider HoneyMonkey project, is in the midst of revamping the way it reacts to publicly reported software vulnerabilities.

The Centers new Security Advisories pilot, which represents a major shift in the way the Microsoft communicates with customers, is meant as a bridge to provide information and guidance in between the time a flaw warning is released and a patch is ready for the monthly security bulletins.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.



  Reader Comments: Strider HoneyMonkey: Trawling for Windows Exploits
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M=ҔlcؖgRJEĘ"H%g~u~|.{fʶKht7F; IM ל۔O]sSãw$5]!2I=*rdz&9%G jL7R}f]S kkL|N({j K&OxgMlM1eck`p,cw h{9Dm@~5; s!&2r$ZwvH~Th/wm<"ay# $aT$Nuol9 QY !)*Jd/B(?F#s?9CvN5{>Ӏk`Vl}qHkNmW ,ȓ ۭ@5lvi!rs!g ݻHݤoq@ؓIuh mUr'Өbb#Qހ]õ]&\./RF͌eCwtSz3]gԏ 1l{`<E9$7 V\jZJP0'C8:)X̠e[7G0ml_j| uvs<$s~3 jd1KU zcnK p==\'xtTa_eY7;Ͱ-6@6#M-jZUQ bkG{Q>o9{ۖ3bR;}k7?;Wʪ)Jw9ʑGA np[J^׵V\w{>~jr  + o%&W JDTRBh$" Pc@GNj${@B oVQ+ZVH+(H.##I-LcyO`%pbQUri[򓩥}o__]wzmo_wڧH>߈ekby 1=b Jw3Bz 7Ke{#kjꜴ{H ݹGtHMWh:w -Nկ7#>kxej;dPp9LwjT{$Zݓ6Py$Y)r"/ !}Ow| nr2GrI/]o,/K$j̱o>0@|ˤd&r, ߱n\S'G`ho__ VYK7) t%uWϝ5>Hr Ca)#8?݃EpJq䰉k.XSl \捇o4x ~&,|YB* b$rݢQ3>LK$o# yf\B(PHQ&NUIRe6\a>U<8vwܬu"*Դޙ-~4Ң[sqnH{⧋vІ%F ,I!e޴%VG%UGRŪc*%(YRS* rOL[ԑApl uu<|P ZG>OtvSjZi};N"5d}4>ljAGAticš4ά@7&hC:}ҍ:L wG|H{ }!PI}H )gV=H:}m5A%ǎC-ߟLu#09w ɝ5yPfkwCPAb,DM}PC\7 >)d@}>g XS9nвAc@*-qR% 53TYNjL=?n3!U~G,[E`z9r,T.i O6JԭybQ9ҴZ hҚ,Â-Gn]]ym&l`a PCb;.-: ?{ Ow Oz}G 3V3,+X5{0qycY@{wtӲ٢ͩqb_a!tLeBC`>.{^곙mQ3O>谔8-vyk3t\7.{ =p ؇å&|UrI۶ۿi R*CmEc7˅L4 +׬uPLg<)*h3q^i[OeSZ1l V7v/KT:?oWuR@H#oh m^²xS֧6R(kυ5Ӳ =R@Q"rCx EO-MfX5m,_&TYWӟ@x #.bՒhxK[A xBnJ ~g;&ʥ5ë6;qg=&.Ho[[M=-H &#Ea چe.FV!fj=Y[ 3D2|P\-XŌеә;˻ΰw^v˦?~Fl4^ۄ#֭C= D5)0۠,F؄>tļZB_`y&rI)jEclq,Yri*wڶ{?Qɺ 3Js6CZ"3G7MX8[φCBE-HxqzS??uPVƮ< J>:f} `'\s{nK PŁǨͰZ]zu6$TY(Qܧ&3S3&턇4`Hܸ/|P" 8 y}@*&j1-[ h [zqSEoAaaIt?IM<)G&sWyGY?OyyZ 9/ UjY GPvUc/|W4,40 S[(*;%!X'4v'f5 CLA~^it\Ʈ VN[6a]4YQW.hzT7DZ\/sqN_ 9U (5ľaK))r4*H+UtY/sOYy" 24A̙UT<F;Bc`"Mݨ[2`|&L#2B(KYMlaTJp9҃ `{RUGFW9K=XT\SGz8{Ich'c\khkc2}, EQպi2TBE-) 1Co 9CL4M B 7lq؀Kᘃ{Lo9 -q( eglK[ u޼܀8XnZ8,m!Upo4Lb? aMٸUZS%XӴI> Os1Qǭˤۧo}óf;.!7Xy*?~9C:C\Դ"Hw ضRsG'̄B.,ӄ1⾆bbE-ã (d2rYj ePDBZNbMxpS &1&OXO\6V"#6 VMG_8_`wNB HY)o9yb}@N^KJpUKユMVǼa|xo'f'xhCZCY^=4kjV1uwXܣy~rFnxOĉ+*qYBK+ CWw ./vgFȢ&i{>d̮Ƅ{`sk@ӜO)py3lS}`<%Ԫ9EqXx0eT@N,ĉH.s8tHK.}<﷯Is 09nJs jt#k5yՅ' r;kgO:tGo/zF]Yfg 'oc Ǿv/ݻw~Z:w[q*A=wC<,>+$c: I"I^U֭EdU)I=YEכ)C^GxL_/@o臥4LZ+gU뀞< h6`#Fm`"FsME[ofO<|ngO?a"Krm[}Nj& r?4hg azcgƹ39= < v4.;߭[(<A~F<v4*);˷x\z}in;d⻆ܖ~@F'ziXw+*Oc+ޙU^?2%;lߖc3cp/;U%ye l ֒k0s,BH|oTzۭM P ܻ'Vxeb[0| 4tj9K;~Oːu9X* ZRj(7m\s.9FC,,,繞hL/3۵iYc v9eg&|O{:w-#&Då(sYWJO>lєTOW֨l1/'#_#L(Ye3qF'~D/S0B$^M>u¯YޚLi^7)IPTOƮV 6 llj;u%^:ƳA(oaE W](@j ?KXF3 4dGMy#/=c'Fo>S 4Kw2dg@³]] d)\,|;?NNZe}I,M0]BbdAW7AgI # @j Մ@'[b8Nyii첎x=Rp(t#gX;ۊB&-GY>N+L_ :Y;p3b%>,xtDdNJ]y73/S؃HXR:OZPKqdD&!!y˃ 3tHVcʃ'cF F)LRebL%`eݦ^03g,[@+J4Z)1Zg*Gt3ܼI~$gj3d!qF)*oԵ*Ü O.jI !aB4ͳr6/IekʃH, /{OĢ) 3o\{P"$@8:yES2:llYp5N:ॲ$6y.F碑hJM$-@IN\%P(*[ JB3 oVxFUг`eGBvZޖ No!POjѩ1fK6;o$֔bPa5a51|GEnOBJqعKZeH/}>̀C[|Br{8r+G8))ϗњi*-phOD& 7KK,cxdŗʳPU0/bSIJ#5>g(B v2$_y!ޞƓAlIoE *JK< 0;B_R?APQUZ@Q+\sPD#Ճ$ôhvI+͗_dz>5֖tlO)MXܦSPk&T=saB/ݸmJiD$BGP$ >aP_H x4]uK+? l:R{AL3R)1z7-xV& /Ѱk]9Z(ecr[E~U_UV #vmѧކy_T%*U Vfy#jmJm2L~LrooooWn,j6MFR׼dFg[זWaZ{eR~H <T}oGvmK~mg4>hjIp}ts פug6@E軦L=o&  ͋ >B!v{c_#v~;ǻhI$ϛ k>vtUcl4`mŃ{Lo%\nЂ9<(uUPe .D G# von- ~mX=כJ,3<0m7NDQ4霼i{QǖmFت6TmM1 #~p=_YږU|,5OUʹd6>s(h ㍄.h;5~IkAcua{1ݱ;h%|j%GO0k?.W2ޥ?sgm)Q&վ&dw \'5Osi`|#,oɻzP :jΠ6k?0\ZɚLHj~жa+mն,-1ij[f0]GԽ+f0`Y_ˮYu c~2oH@85QY'6 [IHgs;wpŊ8e[ö@揱QL ᫽ z3݃^&=_})|Ms-Y ~SVӯ8K{~i[ N{T_߷867̋1ʿ$kz`'r-hMVLm!90 PC(BOusχHq{Q:#D<$(nkʁV=P,[JU+ RQiH:[q'H"{7Ec{(ʊvמS|l:^,7*ju:#,e^2 I YêP980=Β0WL68ߋ^X"-,Qku$vy1K%XS#o랽 Mӝa+*l@EL>:)er}K;TQ`o3_跔c.Cb>:>>V-V]M5stP2_;EC@ݹHm+nl@zX,t:w;#ѽl*nUZ TJ z'W[ ByFsgyGX^sjF.F{޽qʹG[RJYIvi~Xev7 tAtGw,@8|H 723?b)o&,=+sYl9 :d[3P]Lm*f63ZIi<B<1E @ (G #n%YZmI&{|>c{xR(ѪۣQ7>6<|xw}w-]BTD\!17[,*^pۇMA9(WTDv!񇇇/tX3+b=#-Ѩ# >xI2I= o xN9ep" wZ `Oi$}NK1B]qgl` /uh3Of\oz~}C +@}ڎ.a,8z;ù/+Chq? [C)@vQY k;IPZT=KޝQ>ɖCzEQt#?Kg0{x089Pq.5%Lj7!sB4_ DIM,×Y,=aЇ9\ 3+z+U”P*:P |+V0cU-%+_coS| wV7Xz+i+K9Iˑ*w4 :>'s;X``grڽ&Mrznu^yo4a[kN|Sw'ݫϧu粟kZ|j%<6/ ˙͓^9l^28SM1B"r4,xy^ϊ>*M xEüzzq7M6񏡙fullťNg%^NˢWkFN\3CM@o1"c/\Js@AC|kO{5BJe@?CBא9 B~7#)98h3O ds)4?2#ܜ5:;\ȇu2eF>{Ͻϐys9?π]"c~.`Y\d1 ϋ ȠOˌ_~OgGF_d^f%e\]f_O7CtAt3U}\A@?Ӄ2߃2g_esG ?e>eSn &+&~oon2/IR: >k^픊8#kgK "~)+P5ϐge3vڍna{r!gˀ^ kJ+ƥw*WY[xM}-k{[F1n6d b 5Ru(X2M*!+(,8%]}fMNJ 44k 7b]YDYAI{R}ntE I>4qLvw,,lcENj)&yQgΒ'8VɴV !,E}oAD6KA1wݣ,N5'H_ehĻOٞ<8{n}F_qLzuҚFG}u^E,E æᄽIگ!Ď` r܁R>K>@m^u+j>d9? ?q9L&ʠbCa4uv[F0|w=3?8MqgqD4;o0]Z=*ȾwJ=C[%' e]t%^F˫aBOxI{.mX 7Ga1h9!f5F+w*a=ݸ1,>R#.1^601񥻾{Ȯ=Qh5h_Ժchd9Lk c͘PcPFĊ 1L;-i܉M -gPK±-]~˳NmbM@u]ݍ:S/j@@rv|޲|} Md|/ b2Oty'W'#e#uG0MDkfAl! |n9/R|V5)D>4_&dOWl,^)1 K 9$I 0T`躷O 04 6 僇rClX+.Ġ/>'G4wB-xXugm$rq=wF ?H83"sB K0`n犑Lt6q>+so'a`a?>N@>FыpO`z_|ĠC)deⷦF{&3n=GIDOnӖuMjβْ؋?;Øz LJ @b C%rvM =c"1b1?0俈x!$k0W6p|![gA2D~{J=&*P=fZO:] n,0^z'ϒ֒gֶ CBq|"eI.~m% M*$|Cb1G8]x ""_R ani.y>ඁE":} S q:wa3D:>yePީ!/;v2 SL+4%RxSFZV?`` \ }wHv&,t>;/uԝ8G# d9a5 9>$(+u`'+~"v[ś,!Mt8/o9kn>7Q$T{ |iZQڃteRb0yNvCFc ?dDx#b[p.@>PM֧*R8WD K^)Ybd㚙69qgSg _(,OWt2Zy@t ] D pC'k_v ǯ-(Ǭ vJ^Qt tlmb @JƽnߢCZ^s F ' ]H'̳`,ӊHv"V윔KJLΡnbqQ!a#ٔ M(>,B.דOv!{Z|qƳ#|撟元>|{ ŗ$NSX?X :+ 7 + bKf|>o<̅{ٗNχܥ|;hYx(3JdbQx'ξiw>dtϻ1X7u7O~pxْ‚6҂&!t[4!jZɂX޿a*X8M]l_GbPfYWVI8Fv붢36EOZ\֓Rzv3F'e9TUɜKRSk$5OYVTNdƗZQbn؄;56BJFkl{65[$)