Sign in with
Sign up | Sign in
Your question

Microsoft Unwraps HoneyMonkey Detection Project

Last response: in Windows XP
Share
Anonymous
August 9, 2005 1:35:36 AM

Archived from groups: microsoft.public.es.windowsxp,microsoft.public.windowsxp.general (More info?)

Microsoft Unwraps HoneyMonkey Detection Project
http://www.eweek.com/article2/0,1895,1844687,00.asp


Microsoft has officially lifted the wraps off its Strider HoneyMonkey
research project, designed to trawl the dark side of the Internet
looking for Web sites hosting malicious code.

Microsoft Corp. released a technical report, available here as a PDF,
to introduce the concept of an Automated Web Patrol that uses multiple
Windows XP machines, some unpatched and some fully updated, to
streamline the process of finding zero-day Web-based exploits.
ADVERTISEMENT

Yi-Min Wang, group manager of the Cybersecurity and Systems Management
group in Microsoft Research, said a total of 752 unique URLs, hosted
on 287 sites, were identified within the first month of launching the
HoneyMonkey project.

From those URLs, the system was able to confirm that active exploits
were infecting Windows XP machines, including one for a fully patched
system running the company's newly hardened XP SP2 (Service Pack 2).

In an interview with Ziff Davis Internet News, Wang said his
researchers were able to capture the connections between the exploit
sites based on traffic redirection and pinpoint "several major
players" who are responsible for a large number of exploit pages.

In the initial phase, Wang's unit used between 12 and 25 virtual
machines serving as "active client honeypots" to perform the automated
patrols across the Web.

eWEEK Special Report: Securing Windows

The entire system consists of a "pipeline of monkey programs" running
on VMs (Virtual Machines) with different patch levels in order to
detect exploit sites with different capabilities, he explained.

In Wang's technical report, he describes the use of a "black-box
approach" to lower the cost of patrolling billions of Web pages. "[We]
run a monkey program with the Strider Flight Data Recorder to
efficiently record every single file and Registry read/write," he
said, referring to another research project within his unit.

PointerRead more here about Microsoft's Strider HoneyMonkey project.

"The monkey launches a browser instance for each suspect URL and waits
for a few minutes. The monkey is not set up to click on any dialog box
to permit installation of any software; consequently, any executable
files that get created outside the browser's temporary folder are
detected by the [data recorder] and signal an exploit," Wang said.
eWEEK.com Special Report: Browser Security

With the black box approach, Wang said, Strider HoneyMonkey gains an
important advantage, because it allows the detection of
known-vulnerability exploits and zero-day exploits in a uniform way,
through virtual systems with different patch levels.

He said each monkey within the network also runs with the Strider
Gatekeeper to detect any hooking of ASEPs (Auto-Start Extensibility
Points) that may not involve creation of executables. The systems also
run the Strider GhostBuster anti-rootkit tool to detect stealth
malware programs that hide processes and ASEP hooks.

Once a monkey surfs to a malware site and gets infected, Wang said,
the data is processed and sent to a "Monkey Controller" that destroys
the infected virtual machine before restarting a new one.

PointerClick here to read more about Strider GhostBuster, a prototype
rootkit detection tool from Microsoft.

The restarted VM automatically launches the monkey, which then
continues to visit the remaining URL list. The Monkey Controller also
passes the detected exploit URL to the next monkey in the pipeline to
continue investigating the strength of the exploit.

"When the end-of-the-pipeline monkey, running on a fully patched VM,
reports a URL as an exploit, the URL is upgraded to a zero-day exploit
and the malware programs that it installed are immediately
investigated and passed on to the Microsoft Security Response Center,"
Wang said.

Wang said the project has proven that fully patched Windows XP systems
are less likely to be infected by drive-by downloads that do not
require any user action.

Wang plans to expand the HoneyMonkey network to "hundreds of virtual
machines" to beef up the automation framework. "Once that's done,
we'll be completely automated with monkeys running 24 hours a day to
collect data and output that data feed to different teams within the
company," he said.

PointerTo read about how patches are made at the Microsoft Security
Response Center, click here.

Going forward, the researchers will also start monitoring the top
million click-through links from popular search engines to determine
whether exploit sites have penetrated the "good neighborhoods" of
popular sites.

"Preliminary results reveal that contaminated Web pages that
unknowingly serve ads that exploit browser vulnerabilities may be a
serious concern. We are beginning to monitor links contained in spam
and phishing emails, because that is another way for the exploiters to
lure Web users to the bad neighborhoods," Wang said.

In the long run, Wang said, the unit may launch multiple networks of
HoneyMonkeys patrolling the Web from different corners of the world,
so that it is not possible for the exploiters to blacklist HoneyMonkey
network IP addresses and deliberately skip detection.

Microsoft plans to use the HoneyMonkey project data to assess the
urgency of patch deployment and help with law enforcement.

Wang said the results will also be provided to Microsoft's Enforcement
Team to further investigate and possibly pursue legal action.
Anonymous
August 9, 2005 9:28:10 PM

Archived from groups: microsoft.public.es.windowsxp,microsoft.public.windowsxp.general (More info?)

I hate it when people provide a link, then copy the web page for that link,
and paste the whole article under the link...

- Winux P

"XDDD" <xddd@xddd.xddd> wrote in message
news:42f7b43a$0$18650$14726298@news.sunsite.dk...
> Microsoft Unwraps HoneyMonkey Detection Project
> http://www.eweek.com/article2/0,1895,1844687,00.asp
>
>
> Microsoft has officially lifted the wraps off its Strider HoneyMonkey
> research project, designed to trawl the dark side of the Internet
> looking for Web sites hosting malicious code.
>
> Microsoft Corp. released a technical report, available here as a PDF,
> to introduce the concept of an Automated Web Patrol that uses multiple
> Windows XP machines, some unpatched and some fully updated, to
> streamline the process of finding zero-day Web-based exploits.
> ADVERTISEMENT
>
> Yi-Min Wang, group manager of the Cybersecurity and Systems Management
> group in Microsoft Research, said a total of 752 unique URLs, hosted
> on 287 sites, were identified within the first month of launching the
> HoneyMonkey project.
>
> From those URLs, the system was able to confirm that active exploits
> were infecting Windows XP machines, including one for a fully patched
> system running the company's newly hardened XP SP2 (Service Pack 2).
>
> In an interview with Ziff Davis Internet News, Wang said his
> researchers were able to capture the connections between the exploit
> sites based on traffic redirection and pinpoint "several major
> players" who are responsible for a large number of exploit pages.
>
> In the initial phase, Wang's unit used between 12 and 25 virtual
> machines serving as "active client honeypots" to perform the automated
> patrols across the Web.
>
> eWEEK Special Report: Securing Windows
>
> The entire system consists of a "pipeline of monkey programs" running
> on VMs (Virtual Machines) with different patch levels in order to
> detect exploit sites with different capabilities, he explained.
>
> In Wang's technical report, he describes the use of a "black-box
> approach" to lower the cost of patrolling billions of Web pages. "[We]
> run a monkey program with the Strider Flight Data Recorder to
> efficiently record every single file and Registry read/write," he
> said, referring to another research project within his unit.
>
> PointerRead more here about Microsoft's Strider HoneyMonkey project.
>
> "The monkey launches a browser instance for each suspect URL and waits
> for a few minutes. The monkey is not set up to click on any dialog box
> to permit installation of any software; consequently, any executable
> files that get created outside the browser's temporary folder are
> detected by the [data recorder] and signal an exploit," Wang said.
> eWEEK.com Special Report: Browser Security
>
> With the black box approach, Wang said, Strider HoneyMonkey gains an
> important advantage, because it allows the detection of
> known-vulnerability exploits and zero-day exploits in a uniform way,
> through virtual systems with different patch levels.
>
> He said each monkey within the network also runs with the Strider
> Gatekeeper to detect any hooking of ASEPs (Auto-Start Extensibility
> Points) that may not involve creation of executables. The systems also
> run the Strider GhostBuster anti-rootkit tool to detect stealth
> malware programs that hide processes and ASEP hooks.
>
> Once a monkey surfs to a malware site and gets infected, Wang said,
> the data is processed and sent to a "Monkey Controller" that destroys
> the infected virtual machine before restarting a new one.
>
> PointerClick here to read more about Strider GhostBuster, a prototype
> rootkit detection tool from Microsoft.
>
> The restarted VM automatically launches the monkey, which then
> continues to visit the remaining URL list. The Monkey Controller also
> passes the detected exploit URL to the next monkey in the pipeline to
> continue investigating the strength of the exploit.
>
> "When the end-of-the-pipeline monkey, running on a fully patched VM,
> reports a URL as an exploit, the URL is upgraded to a zero-day exploit
> and the malware programs that it installed are immediately
> investigated and passed on to the Microsoft Security Response Center,"
> Wang said.
>
> Wang said the project has proven that fully patched Windows XP systems
> are less likely to be infected by drive-by downloads that do not
> require any user action.
>
> Wang plans to expand the HoneyMonkey network to "hundreds of virtual
> machines" to beef up the automation framework. "Once that's done,
> we'll be completely automated with monkeys running 24 hours a day to
> collect data and output that data feed to different teams within the
> company," he said.
>
> PointerTo read about how patches are made at the Microsoft Security
> Response Center, click here.
>
> Going forward, the researchers will also start monitoring the top
> million click-through links from popular search engines to determine
> whether exploit sites have penetrated the "good neighborhoods" of
> popular sites.
>
> "Preliminary results reveal that contaminated Web pages that
> unknowingly serve ads that exploit browser vulnerabilities may be a
> serious concern. We are beginning to monitor links contained in spam
> and phishing emails, because that is another way for the exploiters to
> lure Web users to the bad neighborhoods," Wang said.
>
> In the long run, Wang said, the unit may launch multiple networks of
> HoneyMonkeys patrolling the Web from different corners of the world,
> so that it is not possible for the exploiters to blacklist HoneyMonkey
> network IP addresses and deliberately skip detection.
>
> Microsoft plans to use the HoneyMonkey project data to assess the
> urgency of patch deployment and help with law enforcement.
>
> Wang said the results will also be provided to Microsoft's Enforcement
> Team to further investigate and possibly pursue legal action.
Anonymous
August 9, 2005 9:28:11 PM

Archived from groups: microsoft.public.es.windowsxp,microsoft.public.windowsxp.general (More info?)

I hate it when people reply to the post and leave the link and the copy of
the web page for the link pasted under the link.

Tom
"Winux P" <winuxp@msnews.grp> wrote in message
news:%23tKnzPLnFHA.3304@tk2msftngp13.phx.gbl...
|
| I hate it when people provide a link, then copy the web page for that
link,
| and paste the whole article under the link...
|
Anonymous
August 10, 2005 10:56:52 AM

Archived from groups: microsoft.public.es.windowsxp,microsoft.public.windowsxp.general (More info?)

Yes. Why believe in a world where such things don't happen Tom? It's OK I
know.

- Winux P

"Tom Pepper Willett" <tompepper@mvps.invalid> wrote in message
news:uiML1iNnFHA.1468@TK2MSFTNGP12.phx.gbl...
>I hate it when people reply to the post and leave the link and the copy of
> the web page for the link pasted under the link.
>
> Tom
> "Winux P" <winuxp@msnews.grp> wrote in message
> news:%23tKnzPLnFHA.3304@tk2msftngp13.phx.gbl...
> |
> | I hate it when people provide a link, then copy the web page for that
> link,
> | and paste the whole article under the link...
> |
>
>
!