Feeds

Microsoft hunts web nasties with honey monkeys

The Exploit-Net

  • alert
  • submit to reddit

Build a business case: developing custom apps

Researchers for the software giant are building a system of Windows XP clients that crawl the web finding sites that use unreported vulnerabilities to compromise unsuspecting users, writes SecurityFocus's Robert Lemos.

Researchers at Microsoft are creating their own version of a million monkeys to crawl the internet looking for threats in an effort to secure the web for Windows.

The software giant's Cybersecurity and Systems Management (CSM) research group are building a system of virtual Windows XP computers that crawl the web looking for sites that use unreported vulnerabilities to compromise customer's PCs. Dubbed "honeymonkeys," the virtual machines run a full version of Windows XP with monitoring software and crawl high-risk areas of the web looking for trouble.

"Just by visiting a qebsite, (if) suddenly an executable is created on your machine outside the Internet Explorer folder, it is an exploit with no false positive - it's that simple," Yi-Ming Wang, senior researcher with Microsoft Research, said during a presentation at the IEEE Security and Privacy conference in Oakland last week.

The research is part of Microsoft's continuing effort to rein in the potential effects of vulnerabilities in Windows XP. The software giant has already added a host of security measures to the consumer operating system with its August security update, Service Pack 2. This month, Microsoft also announced that it would provide interim guidance on security threats to its users in the form of security advisories. In addition, the company has made several attempts to reach out to vulnerability researchers to limit the release of flaw information before its product groups have had to a chance to fix security problems.

Wang's research could give the software giant a heads up when a vulnerability is not reported to its security response team, but instead used by Internet crime groups to spread spyware or used as part of a web worm. The virtual PCs will crawl the seedier side of the web, which Wang calls the Exploit-Net, using addresses culled from spam email message and from the users of Microsoft's anti-spyware network. In addition, the virtual machines, which can test 7,000 sites a day, will crawl through the top million legitimate links just to check that no spyware has infected popular sites.

So far, Wang has set up half-a-dozen computers running various patch levels of Microsoft's consumer operating system, Windows XP, within virtual machines. Soon, his research group will have about three dozen machines running the software. The computers run an application known as Strider, also created by the research teams, which looks out for registry and other configuration changes as a way to detect surreptitious installations of malicious programs.

The technique is not totally new. The Honeynet Project, a group of researchers that focus on creating tools and monitoring Internet threats using networks of honeypots, is also looking into actively crawling the web with specially configured computers, which the group calls client honeypots.

The group has made a name for itself by creating networks of heavily monitored computers and waiting for attackers to exploit the systems. With the new researcher, the group intends to go out and seek sites that are installing malicious programs.

"As the bad guys are constantly adapting their tools and tactics, so too must we," Lance Spitzner, founder and president of the Honeynet Project, stated in an email. "Client honeypots represent just one such application of that."

The tactics has become a staple of some anti-spyware firms as well. Webroot Software, for example, uses computers to scan web pages on the internet, looking for those sites that automatically try to install spyware applications. While Microsoft seeks to find sites that exploit previously unknown flaws, Webroot instead seeks previously unknown spyware, even if it requires users interaction to be installed.

"Our system finds all the sources for all the bad stuff, then we turn the list over to a automated system," said Richard Stiennon, vice president of threat research for Webroot. "I think that is the only effective way to stay on top of the spyware menace."

Microsoft would not comment for this article, but a spokesperson did stress that Wang's research was preliminary.

Wang believes that an expanded system of honeymonkeys, but perhaps not the proverbial million, could patrol the web of the future, seeking hot zones before actual PC users are put at risk. Depending on the threat, the company could take legal action, contact law enforcement, or refer the issue to an internal product group.

"If any websites exploits a recently found vulnerability, we would talk to our patch team and security response teams to tell our the customers to apply the latest patch," he said. "If we ever identify a fully patched machine that got exploited, we got a big problem. We would involve the IE team and show them the threat."

His research has also illuminated the connection between the three tiers of the spyware problem: Content providers and advertisers, sites that install by exploiting flaws, and spyware software makers. Together, the three tiers have created a seedy part of the Internet that forms what Wang calls the Exploit-Net.

A widely deployed system would put spyware mavens on notice, he said.

"We will tell them, you are being watched," he said. "So, hopefully, if I get my way, and this is run completely automatically, Internet safety will be different."

Copyright © 2005, SecurityFocus logo

Related stories

Spyware wars
Microsoft Anti-Virus?
MS punts all-in-one security and backup service
Microsoft issues solitary patch
Microsoft fortifies monthly patches with interim advisories

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.