Feeds

Microsoft hunts web nasties with honey monkeys

The Exploit-Net

  • alert
  • submit to reddit

High performance access to file storage

Researchers for the software giant are building a system of Windows XP clients that crawl the web finding sites that use unreported vulnerabilities to compromise unsuspecting users, writes SecurityFocus's Robert Lemos.

Researchers at Microsoft are creating their own version of a million monkeys to crawl the internet looking for threats in an effort to secure the web for Windows.

The software giant's Cybersecurity and Systems Management (CSM) research group are building a system of virtual Windows XP computers that crawl the web looking for sites that use unreported vulnerabilities to compromise customer's PCs. Dubbed "honeymonkeys," the virtual machines run a full version of Windows XP with monitoring software and crawl high-risk areas of the web looking for trouble.

"Just by visiting a qebsite, (if) suddenly an executable is created on your machine outside the Internet Explorer folder, it is an exploit with no false positive - it's that simple," Yi-Ming Wang, senior researcher with Microsoft Research, said during a presentation at the IEEE Security and Privacy conference in Oakland last week.

The research is part of Microsoft's continuing effort to rein in the potential effects of vulnerabilities in Windows XP. The software giant has already added a host of security measures to the consumer operating system with its August security update, Service Pack 2. This month, Microsoft also announced that it would provide interim guidance on security threats to its users in the form of security advisories. In addition, the company has made several attempts to reach out to vulnerability researchers to limit the release of flaw information before its product groups have had to a chance to fix security problems.

Wang's research could give the software giant a heads up when a vulnerability is not reported to its security response team, but instead used by Internet crime groups to spread spyware or used as part of a web worm. The virtual PCs will crawl the seedier side of the web, which Wang calls the Exploit-Net, using addresses culled from spam email message and from the users of Microsoft's anti-spyware network. In addition, the virtual machines, which can test 7,000 sites a day, will crawl through the top million legitimate links just to check that no spyware has infected popular sites.

So far, Wang has set up half-a-dozen computers running various patch levels of Microsoft's consumer operating system, Windows XP, within virtual machines. Soon, his research group will have about three dozen machines running the software. The computers run an application known as Strider, also created by the research teams, which looks out for registry and other configuration changes as a way to detect surreptitious installations of malicious programs.

The technique is not totally new. The Honeynet Project, a group of researchers that focus on creating tools and monitoring Internet threats using networks of honeypots, is also looking into actively crawling the web with specially configured computers, which the group calls client honeypots.

The group has made a name for itself by creating networks of heavily monitored computers and waiting for attackers to exploit the systems. With the new researcher, the group intends to go out and seek sites that are installing malicious programs.

"As the bad guys are constantly adapting their tools and tactics, so too must we," Lance Spitzner, founder and president of the Honeynet Project, stated in an email. "Client honeypots represent just one such application of that."

The tactics has become a staple of some anti-spyware firms as well. Webroot Software, for example, uses computers to scan web pages on the internet, looking for those sites that automatically try to install spyware applications. While Microsoft seeks to find sites that exploit previously unknown flaws, Webroot instead seeks previously unknown spyware, even if it requires users interaction to be installed.

"Our system finds all the sources for all the bad stuff, then we turn the list over to a automated system," said Richard Stiennon, vice president of threat research for Webroot. "I think that is the only effective way to stay on top of the spyware menace."

Microsoft would not comment for this article, but a spokesperson did stress that Wang's research was preliminary.

Wang believes that an expanded system of honeymonkeys, but perhaps not the proverbial million, could patrol the web of the future, seeking hot zones before actual PC users are put at risk. Depending on the threat, the company could take legal action, contact law enforcement, or refer the issue to an internal product group.

"If any websites exploits a recently found vulnerability, we would talk to our patch team and security response teams to tell our the customers to apply the latest patch," he said. "If we ever identify a fully patched machine that got exploited, we got a big problem. We would involve the IE team and show them the threat."

His research has also illuminated the connection between the three tiers of the spyware problem: Content providers and advertisers, sites that install by exploiting flaws, and spyware software makers. Together, the three tiers have created a seedy part of the Internet that forms what Wang calls the Exploit-Net.

A widely deployed system would put spyware mavens on notice, he said.

"We will tell them, you are being watched," he said. "So, hopefully, if I get my way, and this is run completely automatically, Internet safety will be different."

Copyright © 2005, SecurityFocus logo

Related stories

Spyware wars
Microsoft Anti-Virus?
MS punts all-in-one security and backup service
Microsoft issues solitary patch
Microsoft fortifies monthly patches with interim advisories

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.