Feeds

Microsoft hunts web nasties with honey monkeys

The Exploit-Net

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Researchers for the software giant are building a system of Windows XP clients that crawl the web finding sites that use unreported vulnerabilities to compromise unsuspecting users, writes SecurityFocus's Robert Lemos.

Researchers at Microsoft are creating their own version of a million monkeys to crawl the internet looking for threats in an effort to secure the web for Windows.

The software giant's Cybersecurity and Systems Management (CSM) research group are building a system of virtual Windows XP computers that crawl the web looking for sites that use unreported vulnerabilities to compromise customer's PCs. Dubbed "honeymonkeys," the virtual machines run a full version of Windows XP with monitoring software and crawl high-risk areas of the web looking for trouble.

"Just by visiting a qebsite, (if) suddenly an executable is created on your machine outside the Internet Explorer folder, it is an exploit with no false positive - it's that simple," Yi-Ming Wang, senior researcher with Microsoft Research, said during a presentation at the IEEE Security and Privacy conference in Oakland last week.

The research is part of Microsoft's continuing effort to rein in the potential effects of vulnerabilities in Windows XP. The software giant has already added a host of security measures to the consumer operating system with its August security update, Service Pack 2. This month, Microsoft also announced that it would provide interim guidance on security threats to its users in the form of security advisories. In addition, the company has made several attempts to reach out to vulnerability researchers to limit the release of flaw information before its product groups have had to a chance to fix security problems.

Wang's research could give the software giant a heads up when a vulnerability is not reported to its security response team, but instead used by Internet crime groups to spread spyware or used as part of a web worm. The virtual PCs will crawl the seedier side of the web, which Wang calls the Exploit-Net, using addresses culled from spam email message and from the users of Microsoft's anti-spyware network. In addition, the virtual machines, which can test 7,000 sites a day, will crawl through the top million legitimate links just to check that no spyware has infected popular sites.

So far, Wang has set up half-a-dozen computers running various patch levels of Microsoft's consumer operating system, Windows XP, within virtual machines. Soon, his research group will have about three dozen machines running the software. The computers run an application known as Strider, also created by the research teams, which looks out for registry and other configuration changes as a way to detect surreptitious installations of malicious programs.

The technique is not totally new. The Honeynet Project, a group of researchers that focus on creating tools and monitoring Internet threats using networks of honeypots, is also looking into actively crawling the web with specially configured computers, which the group calls client honeypots.

The group has made a name for itself by creating networks of heavily monitored computers and waiting for attackers to exploit the systems. With the new researcher, the group intends to go out and seek sites that are installing malicious programs.

"As the bad guys are constantly adapting their tools and tactics, so too must we," Lance Spitzner, founder and president of the Honeynet Project, stated in an email. "Client honeypots represent just one such application of that."

The tactics has become a staple of some anti-spyware firms as well. Webroot Software, for example, uses computers to scan web pages on the internet, looking for those sites that automatically try to install spyware applications. While Microsoft seeks to find sites that exploit previously unknown flaws, Webroot instead seeks previously unknown spyware, even if it requires users interaction to be installed.

"Our system finds all the sources for all the bad stuff, then we turn the list over to a automated system," said Richard Stiennon, vice president of threat research for Webroot. "I think that is the only effective way to stay on top of the spyware menace."

Microsoft would not comment for this article, but a spokesperson did stress that Wang's research was preliminary.

Wang believes that an expanded system of honeymonkeys, but perhaps not the proverbial million, could patrol the web of the future, seeking hot zones before actual PC users are put at risk. Depending on the threat, the company could take legal action, contact law enforcement, or refer the issue to an internal product group.

"If any websites exploits a recently found vulnerability, we would talk to our patch team and security response teams to tell our the customers to apply the latest patch," he said. "If we ever identify a fully patched machine that got exploited, we got a big problem. We would involve the IE team and show them the threat."

His research has also illuminated the connection between the three tiers of the spyware problem: Content providers and advertisers, sites that install by exploiting flaws, and spyware software makers. Together, the three tiers have created a seedy part of the Internet that forms what Wang calls the Exploit-Net.

A widely deployed system would put spyware mavens on notice, he said.

"We will tell them, you are being watched," he said. "So, hopefully, if I get my way, and this is run completely automatically, Internet safety will be different."

Copyright © 2005, SecurityFocus logo

Related stories

Spyware wars
Microsoft Anti-Virus?
MS punts all-in-one security and backup service
Microsoft issues solitary patch
Microsoft fortifies monthly patches with interim advisories

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.