'Honeymonkeys' Find Web Threats

It's well known that hackers target Microsoft products. The software company has responded with an initiative that sniffs out Web sites hosting malicious code and hands the information to other parts of the company to develop patches or to launch legal action. The effort is called the Strider HoneyMonkey Exploit Detection System and was outlined in a paper released last week.

The honeymonkey concept is different from the better-known honeypot approach to searching for malicious exploits, says Yi-Min Wang, manager of the Cybersecurity and Systems Management Research Group. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

To find where malicious code is coming from, the company cruises the Web with multiple automated Windows XP clients--some unpatched, some partially patched, some patched completely--to hunt for Web sites that try to exploit browser vulnerabilities.

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC running unpatched Windows XP SP1 to surf to one of the 5,000 URLs it had identified as potentially malicious. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn passed it up the food chain if necessary to a partially patched SP2 system, then to an almost fully patched SP2 PC (all but the most recent patch), and finally to a fully patched SP2 computer.

In the first month, the group found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.

That chain of monkeys gives Microsoft a good idea of the seriousness of an exploit as well as the size of the potential victim pool. And if what Wang called the "end-of-the-pipeline monkey," the fully patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands--that is, one for which no patch is currently available. "Once we detect a zero-day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," Wang says.

"If it's a bad site, we want to take the site down permanently," says Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or Internet service provider to shut down the exploiter or, if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," says Stephen Toulouse, program manager for the Microsoft Security Response Center. "One thing I'd stress out of this is the importance of keeping software up to date."

An unpatched XP SP1 PC would be vulnerable to 688 URLs and 270 sites, 91% and 94%, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27% and 43%). Better yet, a partially patched SP box--one updated with fixes released through early 2005--is vulnerable to only 17 malicious URLs and 10 sites (2% and 3%).

Wang's honeymonkeys--the monkey name comes from the idea that the automated clients mimic a human's actions, as in "monkey see, monkey do"--found its first zero-day browser exploit in early July, when it identified a page using the Javaprxy.dll exploit that already was known but not yet patched. The July 12 patch batch included a work-around fix for the Javaprxy.dll bug.

Image courtesy of Steven Hunt/Photographers Choice