Microsoft Unwraps HoneyMonkey Detection Project

By Ryan Naraine - August 5, 2005

      Microsoft has officially lifted the wraps off its Strider HoneyMonkey research project, designed to trawl the dark side of the Internet looking for Web sites hosting malicious code.

      Microsoft Corp. released a technical report, available here as a PDF, to introduce the concept of an Automated Web Patrol that uses multiple Windows XP machines, some unpatched and some fully updated, to streamline the process of finding zero-day Web-based exploits.

      Yi-Min Wang, group manager of the Cybersecurity and Systems Management group in Microsoft Research, said a total of 752 unique URLs, hosted on 287 sites, were identified within the first month of launching the HoneyMonkey project.

From those URLs, the system was able to confirm that active exploits were infecting Windows XP machines, including one for a fully patched system running the company's newly hardened XP SP2 (Service Pack 2).

      In an interview with Ziff Davis Internet News, Wang said his researchers were able to capture the connections between the exploit sites based on traffic redirection and pinpoint “several major players” who are responsible for a large number of exploit pages.

In the initial phase, Wang's unit used between 12 and 25 virtual machines serving as "active client honeypots" to perform the automated patrols across the Web.

      The entire system consists of a “pipeline of monkey programs” running on VMs (Virtual Machines) with different patch levels in order to detect exploit sites with different capabilities, he explained.

In Wang's technical report, he describes the use of a "black-box approach" to lower the cost of patrolling billions of Web pages. "[We] run a monkey program with the Strider Flight Data Recorder to efficiently record every single file and Registry read/write," he said, referring to another research project within his unit.


"The monkey launches a browser instance for each suspect URL and waits for a few minutes. The monkey is not set up to click on any dialog box to permit installation of any software; consequently, any executable files that get created outside the browser's temporary folder are detected by the [data recorder] and signal an exploit," Wang said.

      With the black box approach, Wang said, Strider HoneyMonkey gains an important advantage, because it allows the detection of known-vulnerability exploits and zero-day exploits in a uniform way, through virtual systems with different patch levels.

      He said each monkey within the network also runs with the Strider Gatekeeper to detect any hooking of ASEPs (Auto-Start Extensibility Points) that may not involve creation of executables. The systems also run the Strider GhostBuster anti-rootkit tool to detect stealth malware programs that hide processes and ASEP hooks.

      Once a monkey surfs to a malware site and gets infected, Wang said, the data is processed and sent to a “Monkey Controller” that destroys the infected virtual machine before restarting a new one.


      The restarted VM automatically launches the monkey, which then continues to visit the remaining URL list. The Monkey Controller also passes the detected exploit URL to the next monkey in the pipeline to continue investigating the strength of the exploit.

      “When the end-of-the-pipeline monkey, running on a fully patched VM, reports a URL as an exploit, the URL is upgraded to a zero-day exploit and the malware programs that it installed are immediately investigated and passed on to the Microsoft Security Response Center,” Wang said.
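As an added illustration, not code from the Strider project or the report: a small Python simulation of the two mechanisms described above, the black-box rule (an executable written outside the browser's temporary folder signals an exploit) and the patch-level pipeline that escalates a URL to "zero-day" only when the fully patched VM is also compromised. The browser temp path, the patch-level labels and the sample file-write logs are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumed browser cache location on the monkey VM (constructed, not from the report).
BROWSER_TEMP = PureWindowsPath(
    r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files")
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

# Pipeline order, least to most patched (assumed labels).
PATCH_LEVELS = ["XP-unpatched", "XP-SP1", "XP-SP2-fully-patched"]


def exploit_artifacts(file_writes):
    """Black-box rule: the monkey never clicks through any dialog, so an
    executable written anywhere outside the browser temp folder is an exploit signal."""
    hits = []
    for raw in file_writes:
        path = PureWindowsPath(raw)
        if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        if BROWSER_TEMP in path.parents:
            continue  # ordinary cache write, expected for any page visit
        hits.append(str(path))
    return hits


def classify_url(recorded_writes):
    """recorded_writes maps patch level -> file-write log from that VM's visit.
    The URL is handed to the next, more patched monkey only while it keeps exploiting."""
    deepest = None
    for level in PATCH_LEVELS:
        if not exploit_artifacts(recorded_writes.get(level, [])):
            break  # this VM survived: the pipeline stops here
        deepest = level
    if deepest is None:
        return "clean"
    if deepest == PATCH_LEVELS[-1]:
        return "zero-day"
    return f"known-vulnerability exploit (works up to {deepest})"


# Constructed sample logs standing in for Flight Data Recorder output, one per VM.
SAMPLE_WRITES = {
    "XP-unpatched": [
        str(BROWSER_TEMP / "page[1].htm"),
        r"C:\WINDOWS\system32\dropped.exe",  # outside the cache -> exploit
    ],
    "XP-SP1": [r"C:\WINDOWS\dropper.exe"],
    "XP-SP2-fully-patched": [str(BROWSER_TEMP / "ad[1].js")],  # only cache writes
}
```

Running `classify_url(SAMPLE_WRITES)` labels the sample URL a known-vulnerability exploit that works up to XP-SP1, because the fully patched VM survived the visit.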

      Wang said the project has proven that fully patched Windows XP systems are less likely to be infected by drive-by downloads that do not require any user action.

Wang plans to expand the HoneyMonkey network to "hundreds of virtual machines" to beef up the automation framework. "Once that's done, we'll be completely automated with monkeys running 24 hours a day to collect data and output that data feed to different teams within the company," he said.


      Going forward, the researchers will also start monitoring the top million click-through links from popular search engines to determine whether exploit sites have penetrated the “good neighborhoods” of popular sites.

      “Preliminary results reveal that contaminated Web pages that unknowingly serve ads that exploit browser vulnerabilities may be a serious concern. We are beginning to monitor links contained in spam and phishing emails, because that is another way for the exploiters to lure Web users to the bad neighborhoods,” Wang said.

      In the long run, Wang said, the unit may launch multiple networks of HoneyMonkeys patrolling the Web from different corners of the world, so that it is not possible for the exploiters to blacklist HoneyMonkey network IP addresses and deliberately skip detection.

      Microsoft plans to use the HoneyMonkey project data to assess the urgency of patch deployment and help with law enforcement.

Wang said the results will also be provided to Microsoft's Enforcement Team to further investigate and possibly pursue legal action.
