Microsoft Unwraps HoneyMonkey Detection Project

Microsoft Research releases details on its Strider HoneyMonkey project, which combs the seedy side of the Web to find active exploits.

Microsoft has officially lifted the wraps off its Strider HoneyMonkey research project, designed to trawl the dark side of the Internet looking for Web sites hosting malicious code.

Microsoft Corp. released a technical report, available here as a PDF, to introduce the concept of an Automated Web Patrol that uses multiple Windows XP machines, some unpatched and some fully updated, to streamline the process of finding zero-day Web-based exploits.

Yi-Min Wang, group manager of the Cybersecurity and Systems Management group in Microsoft Research, said a total of 752 unique URLs, hosted on 287 sites, were identified within the first month of launching the HoneyMonkey project.

From those URLs, the system was able to confirm that active exploits were infecting Windows XP machines, including one for a fully patched system running the companys newly hardened XP SP2 (Service Pack 2).

In an interview with Ziff Davis Internet News, Wang said his researchers were able to capture the connections between the exploit sites based on traffic redirection and pinpoint "several major players" who are responsible for a large number of exploit pages.

In the initial phase, Wangs unit used between 12 and 25 virtual machines serving as "active client honeypots" to perform the automated patrols across the Web.

The entire system consists of a "pipeline of monkey programs" running on VMs (Virtual Machines) with different patch levels in order to detect exploit sites with different capabilities, he explained.

In Wangs technical report, he describes the use of a "black-box approach" to lower the cost of patrolling billions of Web pages. "[We] run a monkey program with the Strider Flight Data Recorder to efficiently record every single file and Registry read/write," he said, referring to another research project within his unit.

/zimages/3/28571.gifRead more here about Microsofts Strider HoneyMonkey project.

"The monkey launches a browser instance for each suspect URL and waits for a few minutes. The monkey is not set up to click on any dialog box to permit installation of any software; consequently, any executable files that get created outside the browsers temporary folder are detected by the [data recorder] and signal an exploit," Wang said.

With the black box approach, Wang said, Strider HoneyMonkey gains an important advantage, because it allows the detection of known-vulnerability exploits and zero-day exploits in a uniform way, through virtual systems with different patch levels.

He said each monkey within the network also runs with the Strider Gatekeeper to detect any hooking of ASEPs (Auto-Start Extensibility Points) that may not involve creation of executables. The systems also run the Strider GhostBuster anti-rootkit tool to detect stealth malware programs that hide processes and ASEP hooks.

Once a monkey surfs to a malware site and gets infected, Wang said, the data is processed and sent to a "Monkey Controller" that destroys the infected virtual machine before restarting a new one.

/zimages/3/28571.gifClick here to read more about Strider GhostBuster, a prototype rootkit detection tool from Microsoft.

The restarted VM automatically launches the monkey, which then continues to visit the remaining URL list. The Monkey Controller also passes the detected exploit URL to the next monkey in the pipeline to continue investigating the strength of the exploit.

"When the end-of-the-pipeline monkey, running on a fully patched VM, reports a URL as an exploit, the URL is upgraded to a zero-day exploit and the malware programs that it installed are immediately investigated and passed on to the Microsoft Security Response Center," Wang said.

Wang said the project has proven that fully patched Windows XP systems are less likely to be infected by drive-by downloads that do not require any user action.

Wang plans to expand the HoneyMonkey network to "hundreds of virtual machines" to beef up the automation framework. "Once thats done, well be completely automated with monkeys running 24 hours a day to collect data and output that data feed to different teams within the company," he said.

/zimages/3/28571.gifTo read about how patches are made at the Microsoft Security Response Center, click here.

Going forward, the researchers will also start monitoring the top million click-through links from popular search engines to determine whether exploit sites have penetrated the "good neighborhoods" of popular sites.

"Preliminary results reveal that contaminated Web pages that unknowingly serve ads that exploit browser vulnerabilities may be a serious concern. We are beginning to monitor links contained in spam and phishing emails, because that is another way for the exploiters to lure Web users to the bad neighborhoods," Wang said.

In the long run, Wang said, the unit may launch multiple networks of HoneyMonkeys patrolling the Web from different corners of the world, so that it is not possible for the exploiters to blacklist HoneyMonkey network IP addresses and deliberately skip detection.

Microsoft plans to use the HoneyMonkey project data to assess the urgency of patch deployment and help with law enforcement.

Wang said the results will also be provided to Microsofts Enforcement Team to further investigate and possibly pursue legal action.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.