Microsoft Corp. is developing a network of Windows XP “honeymonkeys” to help detect rogue Web sites that exploit security holes to install malware on client machines.
The project, code-named Strider HoneyMonkey Exploit Detection, is being created by the Redmond, Wash., companys Cybersecurity and Systems Management Research Group to help the software giant find the source of zero-day exploits targeting the Windows XP operating system.
Microsoft is tight-lipped on details of Strider HoneyMonkey, which appears to be an expansion of the concept of using “honey pots” to attract—and decipher—malicious Web activity.
The technique is used primarily to monitor and track illegal intrusions on a host or network that has been deliberately exposed with known security vulnerabilities. Honey pots have been used in the past to collect data on the way intruders operate and to create early warning and prediction systems.
Yi-Min Wang, group manager of the security research unit, gave a five-minute overview of the project at the 2005 IEEE Symposium on Security and Privacy.
According to SecurityFocus, which first reported on Wangs presentation, HoneyMonkey is a network in which multiple Windows XP machines, some unpatched and some fully updated, trawl the seedier side of the Web to attract browser-based exploits.
Wang described the known danger areas as the “Exploit-Net,” where porn peddlers and scammers exploit Web browser flaws to install keystroke loggers, spyware, Trojans and computer viruses.
In one recent instance, virus writers added a new twist to the old practice of “typosquatting,” where a slight variation of the Google.com domain name was used to prey on users who botch the spelling of the popular search engine.
The HoneyMonkey machines will use the internally developed Strider utility to pinpoint registry changes and other signs of infection. The idea is to trawl for exploits and then match the HoneyMonkey machine with a clean system to look for discrepancies and changes.
Strider already powers two prototypes coming out of the research lab: Strider Gatekeeper, which complements the traditional signature-based approach to detecting spyware; and Strider GhostBuster, a rootkit cleanup tool that implements hidden-file and hidden-registry detection techniques.
“This [HoneyMonkey] research project is in the very earliest of stages of development,” according to a Microsoft spokesperson. Yi-Mins presentation last week was an overview of a Microsoft Research project in progress and it was delivered for the benefit of the research community.”
“Its a research project investigating whether public Web sites are using security exploits to install software on client machines. Like many other MSR efforts, this project involves a number of important security-related concepts that reflect our investment in helping to provide security-related guidance and information for our customers,” the spokesperson told Ziff Davis Internet News.
The spokesperson described HoneyMonkey as a “work in progress” and declined to discuss future plans.
The company is also developing security projects aimed at containing zero-day Internet worms and thwarting malicious code execution attacks. These include Vigilante, a product that proposes a brand-new approach to automate worm containment, and Control-Flow Integrity, which promises a new approach to dealing with arbitrary code execution attacks.
The increased activity around security research comes at a crucial time for Microsoft. The company is pushing aggressively into the security software market with the planned rollout of Windows OneCare, a PC Health product with bundled anti-virus, anti-spyware and two-way firewall protection.
The Microsoft Security Response Center, which stands to benefit the most from the Strider HoneyMonkey project, is in the midst of revamping the way it reacts to publicly reported software vulnerabilities.
The Centers new Security Advisories pilot, which represents a major shift in the way the Microsoft communicates with customers, is meant as a bridge to provide information and guidance in between the time a flaw warning is released and a patch is ready for the monthly security bulletins.