The development of an important new research technology permitting investigators to detect and analyze Web sites hosting malicious code—in particular, code that exploits browser vulnerabilities—was presented this week by Microsoft Research in a technical report and a subsequent presentation during the USENIX Security Symposium.
The Strider HoneyMonkey Exploit Detection System, as the research project is code-named, was created to help detect attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts.
Through their work, Strider HoneyMonkey’s creators, Yi-Min Wang, Doug Beck, Xuxian Jiang, and Roussi Roussev, have introduced the concept of an Automated Web Patrol, designed to streamline the process of monitoring malicious Web sites to protect Internet users.
A traditional method of inspecting attacks against computers has been to provide a “honeypot” server on the Internet. Such servers are intended to provide information about attackers by presenting themselves as targets.
Manual analyses of exploit sites often provide useful, detailed information about which vulnerabilities are exploited and which malware programs are installed. But such analyses do not provide a big-picture view of the problem.
The Strider HoneyMonkey project takes the static concept of a honeypot in a new direction. A “honeymonkey” is a computer or a virtual PC that actively mimics the actions of a user surfing the Web. A series of “monkey programs,” which drive a browser in a manner similar to that of a human user, run on virtual machines in order to detect exploit sites. The browsers can be configured to run with fully updated software, or without specific updates in order to look for exploit sites that target specific vulnerabilities. In this manner, the attacks more likely to impact customers can be analyzed and detected.
At each Web site identified by Strider HoneyMonkey, however, follow-up work is required to identify what kind of exploit exists and how it operates. And much more work is needed to verify and understand the exploit vector.
(For more detailed technical information, please see the Microsoft Research technical report “Automated Web Patrol with Strider HoneyMonkeys.”)
Microsoft’s Internet Safety Enforcement (ISE) Team, which investigates and pursues cybercriminals such as spammers and phishers across the globe, has begun to work with the Strider HoneyMonkey tool and is evaluating the resulting data for potential enforcement use. This includes ISE Team members using Strider HoneyMonkey data to assist in identifying persons responsible for distributing spyware in contravention of various laws.
The Strider HoneyMonkey project can provide the Microsoft Security Response Center (MSRC) with information should exploitation of a new vulnerability occur. Such information already has enabled the MSRC to provide customers with a security advisory and a follow-up security bulletin.
Because Strider HoneyMonkey is a Microsoft Research project designed to help provide Microsoft with information about attacks and the general ecosystem of the Internet, there are no current plans to provide this technology as a product, Instead, the project provides the MSRC with another technology in its ongoing work to protect customers.
Microsoft considers the security of customers’ computers and networks a top priority and remains committed to building software and services that will protect customers and the industry. Microsoft’s efforts to address security are focused on innovation, prescriptive guidance, and industry partnership, and the company is investing in new solutions to security issues.
Microsoft Research is actively exploring such new approaches, and the Strider HoneyMonkey project is just one example of the kind of innovative thinking that will help protect Microsoft customers.