'Honeymonkeys' Find Web Threats - InformationWeek


Microsoft sends unprotected browsers out on the Web to find sites that download malicious code so it can develop patches or start legal action.

It's well known that hackers target Microsoft products. The software company has responded with an initiative that sniffs out Web sites hosting malicious code and hands the information to other parts of the company to develop patches or to launch legal action. The effort is called the Strider HoneyMonkey Exploit Detection System and was outlined in a paper released last week.

The honeymonkey concept is different from the better-known honeypot approach to searching for malicious exploits, says Yi-Min Wang, manager of the Cybersecurity and Systems Management Research Group. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

To find where malicious code is coming from, the company cruises the Web with multiple automated Windows XP clients--some unpatched, some partially patched, some patched completely--to hunt for Web sites that try to exploit browser vulnerabilities.

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC running unpatched Windows XP SP1 to surf to one of the 5,000 URLs it had identified as potentially malicious. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn passed it up the food chain if necessary to a partially patched SP2 system, then to an almost fully patched SP2 PC (all but the most recent patch), and finally to a fully patched SP2 computer.

In the first month, the group found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.

That chain of monkeys gives Microsoft a good idea of the seriousness of an exploit as well as the size of the potential victim pool. And if what Wang called the "end-of-the-pipeline monkey," the fully patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands--that is, one for which no patch is currently available. "Once we detect a zero-day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," Wang says.
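The escalation chain described above, as an added example in Python that is not Microsoft's Strider code: each URL is driven through the patch levels in order, the deepest level that still gets exploited gives the severity, and an exploit of the fully patched client is reported as a zero-day. The exploit check here is black-box, with no signatures: a visit that needs no user action must not persist files outside the browser's own folders, add an autorun registry entry, or start a new process. That criterion, the stage names, the "monkey" user profile path, the sample URLs and the simulated browser visits are all assumptions constructed for this example, standing in for real virtual machines.

```python
"""Client-honeypot escalation pipeline modelled on the HoneyMonkey description.

Added example, not Microsoft's Strider code. Stage names, paths, sample URLs
and the simulated visit are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Patch levels in the order the article describes, least patched first.
STAGES = [
    "XP SP1 unpatched",
    "XP SP2 unpatched",
    "XP SP2 partially patched",
    "XP SP2 all but latest patch",
    "XP SP2 fully patched",
]

# Places a browser may legitimately write during a visit (assumed profile name "monkey").
BROWSER_WRITE_PREFIXES = (
    "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\",
    "C:\\Documents and Settings\\monkey\\Cookies\\",
)


@dataclass
class Snapshot:
    """State of a honeymonkey VM captured before and after a single page visit."""
    files: Dict[str, str]      # path -> content digest
    autoruns: Set[str]         # registry Run-key entries
    processes: Set[str]        # image names of running processes

    def copy(self) -> "Snapshot":
        return Snapshot(dict(self.files), set(self.autoruns), set(self.processes))


def detect_exploit(before: Snapshot, after: Snapshot) -> List[str]:
    """Return every change a hands-off visit should never produce (empty list = clean)."""
    findings = []
    for path, digest in after.files.items():
        if path.startswith(BROWSER_WRITE_PREFIXES):
            continue                                  # cache/cookie writes are expected
        if path not in before.files:
            findings.append(f"new file outside browser dirs: {path}")
        elif before.files[path] != digest:
            findings.append(f"modified file: {path}")
    for entry in after.autoruns - before.autoruns:
        findings.append(f"new autorun entry: {entry}")
    for proc in after.processes - before.processes:
        findings.append(f"new process: {proc}")
    return findings


def classify(url: str, visit: Callable[[str, str], Tuple[Snapshot, Snapshot]],
             stages: List[str] = STAGES) -> Tuple[int, Dict[str, List[str]]]:
    """Escalate a URL through the stages; return (deepest exploited index or -1, findings)."""
    deepest, report = -1, {}
    for i, stage in enumerate(stages):
        before, after = visit(url, stage)
        findings = detect_exploit(before, after)
        if not findings:
            break                                     # this patch level resists the page
        deepest = i
        report[stage] = findings
    return deepest, report


def verdict(deepest: int, stages: List[str] = STAGES) -> str:
    if deepest < 0:
        return "no exploit"
    if deepest == len(stages) - 1:
        return "zero-day"                             # fully patched client still exploited
    return f"exploits clients up to: {stages[deepest]}"


# --- constructed simulation standing in for real browser VMs -------------------
BASELINE = Snapshot(
    files={"C:\\WINDOWS\\system32\\kernel32.dll": "k32"},
    autoruns=set(),
    processes={"explorer.exe", "iexplore.exe"},
)

# Constructed: index of the most-patched stage each sample URL can still exploit.
SAMPLE_SITES = {
    "http://sp1-only.example.test/": 0,
    "http://toolbar.example.test/": 2,
    "http://unpatched-bug.example.test/": 4,
    "http://benign.example.test/": -1,
}


def simulated_visit(url: str, stage: str) -> Tuple[Snapshot, Snapshot]:
    """Stand-in for driving a real browser: returns (before, after) snapshots."""
    before, after = BASELINE.copy(), BASELINE.copy()
    after.files[BROWSER_WRITE_PREFIXES[0] + "index[1].htm"] = "page"   # normal caching
    if STAGES.index(stage) <= SAMPLE_SITES.get(url, -1):               # drive-by succeeds
        after.files["C:\\WINDOWS\\system32\\dropper.exe"] = "evil"
        after.autoruns.add("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropper")
        after.processes.add("dropper.exe")
    return before, after


if __name__ == "__main__":
    for sample in SAMPLE_SITES:
        print(sample, "->", verdict(classify(sample, simulated_visit)[0]))
```

Stopping at the first stage that resists the page is what keeps the fleet cheap: only URLs that beat the unpatched SP1 client ever consume time on the patched ones, and only a URL that beats every stage reaches the "end-of-the-pipeline" verdict that triggers escalation to the response and enforcement teams.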

"If it's a bad site, we want to take the site down permanently," says Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or Internet service provider to shut down the exploiter or, if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," says Stephen Toulouse, program manager for the Microsoft Security Response Center. "One thing I'd stress out of this is the importance of keeping software up to date."

An unpatched XP SP1 PC would be vulnerable to 688 URLs and 270 sites, 91% and 94%, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27% and 43%). Better yet, a partially patched SP2 box--one updated with fixes released through early 2005--is vulnerable to only 17 malicious URLs and 10 sites (2% and 3%).

Wang's honeymonkeys--the monkey name comes from the idea that the automated clients mimic a human's actions, as in "monkey see, monkey do"--found their first zero-day browser exploit in early July, when they identified a page using the Javaprxy.dll exploit, which was already known but not yet patched. The July 12 patch batch included a work-around fix for the Javaprxy.dll bug.
