Feeds

Microsoft hunts web nasties with honey monkeys

The Exploit-Net

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Researchers for the software giant are building a system of Windows XP clients that crawl the web finding sites that use unreported vulnerabilities to compromise unsuspecting users, writes SecurityFocus's Robert Lemos.

Researchers at Microsoft are creating their own version of a million monkeys to crawl the internet looking for threats in an effort to secure the web for Windows.

The software giant's Cybersecurity and Systems Management (CSM) research group are building a system of virtual Windows XP computers that crawl the web looking for sites that use unreported vulnerabilities to compromise customer's PCs. Dubbed "honeymonkeys," the virtual machines run a full version of Windows XP with monitoring software and crawl high-risk areas of the web looking for trouble.

"Just by visiting a qebsite, (if) suddenly an executable is created on your machine outside the Internet Explorer folder, it is an exploit with no false positive - it's that simple," Yi-Ming Wang, senior researcher with Microsoft Research, said during a presentation at the IEEE Security and Privacy conference in Oakland last week.

The research is part of Microsoft's continuing effort to rein in the potential effects of vulnerabilities in Windows XP. The software giant has already added a host of security measures to the consumer operating system with its August security update, Service Pack 2. This month, Microsoft also announced that it would provide interim guidance on security threats to its users in the form of security advisories. In addition, the company has made several attempts to reach out to vulnerability researchers to limit the release of flaw information before its product groups have had to a chance to fix security problems.

Wang's research could give the software giant a heads up when a vulnerability is not reported to its security response team, but instead used by Internet crime groups to spread spyware or used as part of a web worm. The virtual PCs will crawl the seedier side of the web, which Wang calls the Exploit-Net, using addresses culled from spam email message and from the users of Microsoft's anti-spyware network. In addition, the virtual machines, which can test 7,000 sites a day, will crawl through the top million legitimate links just to check that no spyware has infected popular sites.

So far, Wang has set up half-a-dozen computers running various patch levels of Microsoft's consumer operating system, Windows XP, within virtual machines. Soon, his research group will have about three dozen machines running the software. The computers run an application known as Strider, also created by the research teams, which looks out for registry and other configuration changes as a way to detect surreptitious installations of malicious programs.

The technique is not totally new. The Honeynet Project, a group of researchers that focus on creating tools and monitoring Internet threats using networks of honeypots, is also looking into actively crawling the web with specially configured computers, which the group calls client honeypots.

The group has made a name for itself by creating networks of heavily monitored computers and waiting for attackers to exploit the systems. With the new researcher, the group intends to go out and seek sites that are installing malicious programs.

"As the bad guys are constantly adapting their tools and tactics, so too must we," Lance Spitzner, founder and president of the Honeynet Project, stated in an email. "Client honeypots represent just one such application of that."

The tactics has become a staple of some anti-spyware firms as well. Webroot Software, for example, uses computers to scan web pages on the internet, looking for those sites that automatically try to install spyware applications. While Microsoft seeks to find sites that exploit previously unknown flaws, Webroot instead seeks previously unknown spyware, even if it requires users interaction to be installed.

"Our system finds all the sources for all the bad stuff, then we turn the list over to a automated system," said Richard Stiennon, vice president of threat research for Webroot. "I think that is the only effective way to stay on top of the spyware menace."

Microsoft would not comment for this article, but a spokesperson did stress that Wang's research was preliminary.

Wang believes that an expanded system of honeymonkeys, but perhaps not the proverbial million, could patrol the web of the future, seeking hot zones before actual PC users are put at risk. Depending on the threat, the company could take legal action, contact law enforcement, or refer the issue to an internal product group.

"If any websites exploits a recently found vulnerability, we would talk to our patch team and security response teams to tell our the customers to apply the latest patch," he said. "If we ever identify a fully patched machine that got exploited, we got a big problem. We would involve the IE team and show them the threat."

His research has also illuminated the connection between the three tiers of the spyware problem: Content providers and advertisers, sites that install by exploiting flaws, and spyware software makers. Together, the three tiers have created a seedy part of the Internet that forms what Wang calls the Exploit-Net.

A widely deployed system would put spyware mavens on notice, he said.

"We will tell them, you are being watched," he said. "So, hopefully, if I get my way, and this is run completely automatically, Internet safety will be different."

Copyright © 2005, SecurityFocus logo

Related stories

Spyware wars
Microsoft Anti-Virus?
MS punts all-in-one security and backup service
Microsoft issues solitary patch
Microsoft fortifies monthly patches with interim advisories

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.