New Microsoft security system scours Web
It uses 'HoneyMonkeys' to seek out malicious code online
TechWorld.com - Microsoft Corp. has taken the wraps off a new security program that uses automated "HoneyMonkeys" to patrol the Web, seeking out sites that automatically install malicious code on Windows XP systems.
In its first month, the Strider HoneyMonkey research project located 752 Web addresses linking to 287 sites that could automatically infect unpatched machines, Microsoft said. The project also discovered an attack that could penetrate a fully up-to-date Windows XP Service Pack 2 system using a previously unknown vulnerability.
Microsoft first discussed the HoneyMonkey program in May and last week published a research paper discussing the details.
The project is relatively limited in scope; It only looks for code that can be installed with no user interaction, leaving out the more sophisticated and increasingly successful attacks relying on social engineering -- attacks such as phishing.
However, Microsoft believes the automated approach could become a valuable tool for detecting new types of attacks before they become widespread. Attackers appear to share new exploits among themselves, quickly distributing them to numerous sites, according to Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group and author of the paper.
"Although [manual analyses] often provide very useful and detailed information about which vulnerabilities are exploited and which malware programs are installed, such analysis efforts are not scalable and do not provide a comprehensive picture of the problem," Wang said in the paper.
For example, Microsoft's HoneyMonkeys came across a Windows XP SP2 exploit at the beginning of July, before many other sites were using it. Two weeks later, 40 of the 287 sites were using the exploit, Microsoft said.
That exploit relied on a previously undiscovered bug in the JView Profiler COM object (javaprxy.dll) and was patched late last month.
The system uses a chain of HoneyMonkeys, a name derived from "honeypots," which refers to passive security research server systems set up to wait for attacks. Each HoneyMonkey is a Windows XP system with a different level of patching, running in a virtual machine. An initial wave of unpatched HoneyMonkeys scours the Web seeking potentially malicious sites. When a site is found that installs potentially malicious code, the virtual machine is scrapped and another takes its place.
The target URL is then passed to a virtual machine with a greater level of patching, to see which systems are vulnerable to the site's exploit. At the end of the chain is a fully patched Windows XP system, Microsoft said.
The system builds up a topology graph based on traffic redirection, which has led to the identification of a few major players who areresponsible for a large number of exploit pages, according to Wang.
The HoneyMonkey systems run a variety of tools to monitor the malicious sites, including Strider GhostBuster, Microsoft's rootkit detection and removal program.
Microsoft said it plans to eventually deploy several geographically distributed networks of hundreds of HoneyMonkeys to patrol various sites.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts