Microsoft Unwraps HoneyMonkey Detection Project
http://www.eweek.com/article2/0,189...687,00.asp
Microsoft has officially lifted the wraps off its Strider HoneyMonkey
research project, designed to trawl the dark side of the Internet
looking for Web sites hosting malicious code.
Microsoft Corp. released a technical report, available here as a PDF,
to introduce the concept of an Automated Web Patrol that uses multiple
Windows XP machines, some unpatched and some fully updated, to
streamline the process of finding zero-day Web-based exploits.
ADVERTISEMENT
Yi-Min Wang, group manager of the Cybersecurity and Systems Management
group in Microsoft Research, said a total of 752 unique URLs, hosted
on 287 sites, were identified within the first month of launching the
HoneyMonkey project.
From those URLs, the system was able to confirm that active exploits
were infecting Windows XP machines, including one for a fully patched
system running the company's newly hardened XP SP2 (Service Pack 2).
In an interview with Ziff Davis Internet News, Wang said his
researchers were able to capture the connections between the exploit
sites based on traffic redirection and pinpoint "several major
players" who are responsible for a large number of exploit pages.
In the initial phase, Wang's unit used between 12 and 25 virtual
machines serving as "active client honeypots" to perform the automated
patrols across the Web.
eWEEK Special Report: Securing Windows
The entire system consists of a "pipeline of monkey programs" running
on VMs (Virtual Machines) with different patch levels in order to
detect exploit sites with different capabilities, he explained.
In Wang's technical report, he describes the use of a "black-box
approach" to lower the cost of patrolling billions of Web pages. "[We]
run a monkey program with the Strider Flight Data Recorder to
efficiently record every single file and Registry read/write," he
said, referring to another research project within his unit.
PointerRead more here about Microsoft's Strider HoneyMonkey project.
"The monkey launches a browser instance for each suspect URL and waits
for a few minutes. The monkey is not set up to click on any dialog box
to permit installation of any software; consequently, any executable
files that get created outside the browser's temporary folder are
detected by the [data recorder] and signal an exploit," Wang said.
eWEEK.com Special Report: Browser Security
With the black box approach, Wang said, Strider HoneyMonkey gains an
important advantage, because it allows the detection of
known-vulnerability exploits and zero-day exploits in a uniform way,
through virtual systems with different patch levels.
He said each monkey within the network also runs with the Strider
Gatekeeper to detect any hooking of ASEPs (Auto-Start Extensibility
Points) that may not involve creation of executables. The systems also
run the Strider GhostBuster anti-rootkit tool to detect stealth
malware programs that hide processes and ASEP hooks.
Once a monkey surfs to a malware site and gets infected, Wang said,
the data is processed and sent to a "Monkey Controller" that destroys
the infected virtual machine before restarting a new one.
PointerClick here to read more about Strider GhostBuster, a prototype
rootkit detection tool from Microsoft.
The restarted VM automatically launches the monkey, which then
continues to visit the remaining URL list. The Monkey Controller also
passes the detected exploit URL to the next monkey in the pipeline to
continue investigating the strength of the exploit.
"When the end-of-the-pipeline monkey, running on a fully patched VM,
reports a URL as an exploit, the URL is upgraded to a zero-day exploit
and the malware programs that it installed are immediately
investigated and passed on to the Microsoft Security Response Center,"
Wang said.
Wang said the project has proven that fully patched Windows XP systems
are less likely to be infected by drive-by downloads that do not
require any user action.
Wang plans to expand the HoneyMonkey network to "hundreds of virtual
machines" to beef up the automation framework. "Once that's done,
we'll be completely automated with monkeys running 24 hours a day to
collect data and output that data feed to different teams within the
company," he said.
PointerTo read about how patches are made at the Microsoft Security
Response Center, click here.
Going forward, the researchers will also start monitoring the top
million click-through links from popular search engines to determine
whether exploit sites have penetrated the "good neighborhoods" of
popular sites.
"Preliminary results reveal that contaminated Web pages that
unknowingly serve ads that exploit browser vulnerabilities may be a
serious concern. We are beginning to monitor links contained in spam
and phishing emails, because that is another way for the exploiters to
lure Web users to the bad neighborhoods," Wang said.
In the long run, Wang said, the unit may launch multiple networks of
HoneyMonkeys patrolling the Web from different corners of the world,
so that it is not possible for the exploiters to blacklist HoneyMonkey
network IP addresses and deliberately skip detection.
Microsoft plans to use the HoneyMonkey project data to assess the
urgency of patch deployment and help with law enforcement.
Wang said the results will also be provided to Microsoft's Enforcement
Team to further investigate and possibly pursue legal action.
Últimos mensajes - Powered by IBM
Palabras claves
Hacer una pregunta
Siga el debate
Tengo una respuesta
Busqueda sugerida
Viernes 26 de abril - 21:34
Registrar
Leer las respuestas