Original URL: http://www.theregister.co.uk/2005/08/09/ms_honeymonkey/
Flies swarm around MS Honeymonkey
Project sniffs out malicious code
Microsoft 's experimental Honeymonkey project has found almost 750 web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month.
Known more formally as the Strider Honeymonkey Exploit Detection System, the project uses automated Windows XP clients to surf questionable parts of the Web looking for sites that compromise the systems without any user interaction. In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 websites that contain programs able to install themselves on a completely unpatched Windows XP system.
Honeymonkeys, a name coined by Microsoft, modify the concept of honeypots - computers that are placed online and monitored to detect attacks.
"The honeymonkey client goes [to malicious websites] and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by websites on the internet."
The experimental system, which SecurityFocus first reported on in May, is one of the software giant's many initiatives to make the web safer for users of the Windows operating system. Online fraudsters have become more savvy about fooling users, from more convincing phishing attacks to targeting individuals who likely have access to high-value data. Some statistical evidence has suggested that financial markets are holding software makers such as Microsoft responsible for such problems.
The software giant has not focused on any single strategy to secure its customers. A year ago, the company released a major update, known as Service Pack 2, to its Windows XP operating system - an update that focused almost exclusively on security. The company has also started working closer with the independent security researchers and hackers that find the flaws in its operating system and offering rewards for information on the virus writers that have historically attacked its software.
The honeymonkey project, first discussed at the Institute of Electrical and Electronics Engineers' Symposium on Security and Privacy in Oakland, California in May, is the latest attempt by the software giant to detect threats to its customers before the threats become widespread. The honeymonkeys consist of virtual machines running different patch levels of Windows. The "monkey" programs browse a variety of websites looking for sites that attempt to exploit browser vulnerabilities.
Security researchers have given the initiative high marks.
"In terms of detection capabilities, it's a really elegant hack," said Dan Kaminsky, principal security researcher for Doxpara Research. "The antivirus model - scan for dangerous patterns - can't find previously unknown attacks. No, the best way to find out if a web page, if executed, would attack the browser is to spawn a browser and let it execute potentially hostile code."
New tactics like honeymonkeys will be a useful way to stave off the dangers of the internet, said Lance Spitzner, president of the Honeynet Project, which creates software and tools for administering false networks of systems that appear to be vulnerable targets.
Where the Honeynet Project focuses on fake servers to lure in attackers, client-side honeypots, what Microsoft has called honeymonkeys, are important as well, Spitzner said.
"As the bad guys continue to adapt and change, so too must we," he said.
In the first month, Microsoft's legion of honeymonkeys found 752 different addresses at 287 websites that exploited various vulnerabilities in Windows XP, according to a paper published last week. The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries. The Monkey Controller kills the infected virtual machine and restarts a new one that picks up scanning the original monkey's list. Another monkey program, running a different patch level of Windows, tries the original internet address to detect the strength of the exploit.
In early July 2005, the project discovered its first exploit for a vulnerability that had not been publicly disclosed, the researchers said in the paper. The attack used the JView profiler vulnerability that Microsoft announced later in July. Known as "zero-day" exploits, such attack methods could be especially pernicious if widely used before Microsoft updated its user base with protections. In fact, the network of websites that use such attacks, which researcher Want has dubbed the Exploit-Net, seem to share exploits. Within two weeks of the initial discovery, 40 of the 752 websites adopted the exploit.
Microsoft believes that the sites could act as canaries in a coal mine, alerting the company to dangerous zero-day exploits, before the attacks gained widespread usage.
"Our conjecture is that these websites are the popular ones, because we could find them in one month, and so, if we kept monitoring the sites, we could catch new exploits very fast, because any new exploit would quickly be picked up by these sites," said Wang.
Microsoft's Security Response Center, the group that acts on vulnerability information, will used the honeymonkey system to keep it apprised of future zero-day attacks, said Stephen Toulouse, program manager for the MSRC.
"It is not just important for us to know that... but for customers to know that it is being exploited, so they can get patches quickly," Toulouse said.
Among the researchers' other findings is that even a partially patched version of Windows XP Service Pack 2 blocks the lion's share of attacks, cutting the number of sites that could successfully compromise a system from 287 for an unpatched system to 10 for a partially patched Windows XP SP2 system. A fully patched Windows XP SP2 systems could not be compromised by any websites, according to the group's May-June data. (The zero-day exploit of javaprxy.dll happened after this data set.)
Microsoft plans to continue the honeymonkey research to collect new information on threats. In the end, such research could help put the source of such attack behind bars. After investigating sites that use exploits to compromise systems, Microsoft plans to forward the information to law enforcement, said Scott Stein, an attorney with Microsoft's Internet Safety Enforcement Team and former US Department of Justice prosecutor.
"Our mission is to keep the internet safe - for that mission, this is a great lead generation tool," Stein declared.