Microsoft's HoneyMonkeys Show Patching Windows Works - InformationWeek



Microsoft's HoneyMonkeys Show Patching Windows Works

Microsoft's Strider HoneyMonkey research project sniffs out sites hosting malicious code, and turns the information over for patching or legal action.

Microsoft unveiled details of its Strider HoneyMonkey research, a project that sniffs out sites hosting malicious code, and hands the information to other parts of the company for patching or legal action.

The technical report outlines the concept of cruising the Web with multiple automated Windows XP clients -- some unpatched, some partially patched, some patched completely -- to hunt for Web sites that exploit browser vulnerabilities.

The HoneyMonkey concept, said Yi-Min Wang, the manager of the Cybersecurity and Systems Management Research Group, is completely different from the better-known honeypot approach to searching for malicious exploits. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC to surf to one of the 5,000 URLs it had identified as potentially malicious; that PC ran unpatched Windows XP SP1. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn would pass it up the food chain if necessary to a partially-patched SP2 system, then to a nearly-fully patched SP2 PC (all but the most recent patch), and finally to a fully-patched SP2 computer.

In the first month, the honeymonkeys found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.

That chain of monkeys gives Microsoft a good idea of the seriousness of the exploit being used by a site, as well as the size of the potential victim pool. And if what Wang called the "end-of-the-pipeline monkey," the fully-patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands, one for which no patch is currently available.
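The escalation chain described above, modelled as an added Python example (not code from the HoneyMonkey project): a URL is promoted to the next patch level only while the current level is exploited, the last exploited tier is the severity, and an exploit against the fully-patched tier is flagged as a zero-day. The drive-by criterion (an executable written outside the browser cache with no user click), the tier labels and the sample URLs are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Patch levels in the order the article describes, least patched first.
TIERS = ["XP SP1 unpatched", "XP SP2 unpatched", "XP SP2 partially patched",
         "XP SP2 all but latest patch", "XP SP2 fully patched"]

# Assumed browser cache location on the monkey client; files here are normal.
BROWSER_CACHE = "C:\\monkey\\Temporary Internet Files\\"


@dataclass
class Visit:
    """Observed result of one unattended visit on one tier (constructed)."""
    tier: str
    files_written: list[str] = field(default_factory=list)
    user_clicked: bool = False


def is_exploit(visit: Visit) -> bool:
    """Assumed criterion: software landed on disk outside the browser cache
    without any user action, i.e. a drive-by download."""
    if visit.user_clicked:
        return False
    return any(p.lower().endswith((".exe", ".dll")) and not p.startswith(BROWSER_CACHE)
               for p in visit.files_written)


def triage(url: str, visit_fn) -> str | None:
    """Walk the chain, escalating only while the current tier is exploited.
    Returns the last exploited tier, or None if the URL is harmless."""
    highest = None
    for tier in TIERS:
        if not is_exploit(visit_fn(url, tier)):
            break
        highest = tier
    return highest


def is_zero_day(highest_tier: str | None) -> bool:
    """The 'end-of-the-pipeline monkey' was exploited: no patch exists yet."""
    return highest_tier == TIERS[-1]


def vulnerable_share(results: dict[str, str | None], tier: str) -> float:
    """Fraction of triaged URLs that still exploit the given tier."""
    idx = TIERS.index(tier)
    hit = sum(1 for h in results.values() if h is not None and TIERS.index(h) >= idx)
    return hit / len(results) if results else 0.0


# Constructed sample: index of the highest tier each URL's exploit reaches (-1 = none).
_REACH = {"http://sp1-only.invalid/": 0, "http://sp2.invalid/": 1,
          "http://zero-day.invalid/": 4, "http://benign.invalid/": -1}


def sample_visit(url: str, tier: str) -> Visit:
    """Simulated visit: drops an executable while the tier is within reach."""
    if TIERS.index(tier) <= _REACH[url]:
        return Visit(tier, files_written=["C:\\WINDOWS\\system32\\dropper.exe"])
    return Visit(tier, files_written=[BROWSER_CACHE + "index[1].htm"])
```

Running `{u: triage(u, sample_visit) for u in _REACH}` gives the per-URL severity table from which the patch-level percentages later in the article are derived.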

"Once we detect a zero day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," said Wang.

In effect, the Strider HoneyMonkey project acts as a "lead generator" for both the security and legal enforcement arms of Microsoft.

"If it's a bad site, we want to take the site down permanently," said Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or ISP to shut down the exploiter, or if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," said Stephen Toulouse, program manager for Microsoft Security Response Center. "We can do that with a security advisory, or in a bulletin, to tell customers not only that 'here's the vulnerability,' but that this is actively being exploited and perhaps should be given priority for patching."

During the initial run of the project, the honeymonkeys demonstrated the value of keeping Windows XP up to date, said Toulouse. "One thing I'd stress out of this is the importance of keeping software up to date."

An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs and 270 sites, 91 and 94 percent, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27 and 43 percent). Better yet, a partially-patched SP2 box -- one updated with the fixes released through early 2005 -- is vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of all those found).

Wang's honeymonkeys -- the "monkey" name comes from the idea that the automated clients mimic a human's actions, as in 'monkey see, monkey do' -- found their first zero-day browser exploit in early July, when they identified a page using the Javaprxy.dll exploit, which was already publicly known but not yet patched.

(The July 12 patch batch included one that employed a work-around fix for the Javaprxy.dll bug.)

The page found by the honeymonkeys was the first URL reported to the Microsoft Security Response Center. Within two weeks, however, the honeymonkeys detected that over 40 of the 752 exploit URLs had started to "upgrade" to the exploit; the three Web sites responsible for all the pages were reported to the center.

While neither Wang nor Toulouse would comment on whether the honeymonkey concept would be used to provide Internet Explorer 7 users with information about malicious sites in the future, Wang did say that the project was already being expanded.

"We do expect to grow the network into the hundreds of machines so that we can scan millions of pages," he said. Already, the team is sending honeypots to a list of the most popular Web sites -- determined by the popularity of those sites in common search engines -- in an attempt to find out if exploiters have infiltrated the "good neighborhoods" of the Internet. Later, Wang intends to sic the honeymonkeys on URLs embedded in spam and phishing e-mails.

"We know that the exploiters won't try to host malicious software on the largest Web sites, because that's just too obvious," said Wang. "But what if they exploit the five-thousandth most-popular site?"
