Microsoft's "monkeys" find first zero-day exploit

[.Kompressor]

did a search and didn't find this in news... found this real cool technology.

Microsoft Strider Honey Monkey Project:

http://research.microsoft.com/HoneyMonkey/

-------------------------------------------------------------------------------------

Microsoft's "monkeys" find first zero-day exploit

Robert Lemos, SecurityFocus 2005-08-08

Microsoft 's experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month.

Known more formerly as the Strider Honeymonkey Exploit Detection System, the project uses automated Windows XP clients to surf questionable parts of the Web looking for sites that compromise the systems without any user interaction. In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

Honeymonkeys, a name coined by Microsoft, modify the concept of honeypots--computers that are placed online and monitored to detect attacks.

"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by Web sites on the Internet."

The experimental system, which SecurityFocus first reported on in May, is one of the software giant's many initiatives to make the Web safer for users of the Windows operating system. Online fraudsters have become more savvy about fooling users, from more convincing phishing attacks to targeting individuals who likely have access to high-value data. Some statistical evidence has suggested that financial markets are holding software makers such as Microsoft responsible for such problems.

The software giant has not focused on any single strategy to secure its customers. A year ago, the company released a major update, known as Service Pack 2, to its Windows XP operating system--an update that focused almost exclusively on security. The company has also started working closer with the independent security researchers and hackers that find the flaws in its operating system and offering rewards for information on the virus writers that have historically attacked its software.

The honeymonkey project, first discussed at the Institute of Electrical and Electronics Engineers' Symposium on Security and Privacy in Oakland, California in May, is the latest attempt by the software giant to detect threats to its customers before the threats become widespread. The honeymonkeys consist of virtual machines running different patch levels of Windows. The "monkey" programs browse a variety of Web sites looking for sites that attempt to exploit browser vulnerabilities.

Security researchers have given the initiative high marks.

"In terms of detection capabilities, it's a really elegant hack," said Dan Kaminsky, principal security researcher for Doxpara Research. "The antivirus model -- scan for dangerous patterns -- can't find previously unknown attacks. ... No, the best way to find out if a web page, if executed, would attack the browser is to spawn a browser and let it execute potentially hostile code."

New tactics like honeymonkeys will be a useful way to stave off the dangers of the Internet, said Lance Spitzner, president of the Honeynet Project, which creates software and tools for administering false networks of systems that appear to be vulnerable targets.

More info:

http://www.securityfocus.com/news/11273

------------------------------------------------------------------------------------------

Want to learn more about the MS Honey Monkey Project:

Leo Laporte and Security Analyst Steve Gibson go into detail on how MS HoneyMonkeys work in last weeks pod cast

" HoneyMonkeys "

How Microsoft's "HoneyMonkey" system works, how it finds malicious web sites before they find you, and what Microsoft is doing (and NOT doing) with this valuable security information it is now collecting.

Podcast Homepage: http://www.grc.com/securitynow.htm

Podcast stream: http://aolradio.podcast.aol.com/sn/SN-002.mp3

[.Kompressor]

exactly my thoughts. They are taking the PROACTIVE initiative instead of being REACTIVE to exploits. :D

[Andareed]

In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

Should be patched I think.

[Dazzla Veteran]

Very cool concept, nice proactive work from MS as well.

[uniacidz]

Great idea

Thumbs up to em

[BigCheese]

Should be patched I think.

586453580[/snapback]

Not really. Because there are lots of users who don't know about updates and never patch their PC's. So it would be better for microsoft to find all websites that have malicious code rather than only the ones that target patched SP2 PCs.

[Chadwick]

its not htat they dont know, its that they dont want to fix whats broken. Many firefox users have virus-free computers and no incentive upgrade. All IE users must upgrade to SP2 remain as secure. I never ugpraded to sp2 on my machine, there was no incentive because I never had an issue.

[TheLittleKid]

they should make a blacklist system so that you cant visit these servers. I mean if they can index a good portion of the net they can surely black list all the bad hosts that have exploits on them.

I also mean it should be done on the isp level, so it doesnt matter what version of windows you have.

[Orange Battery]

What i don't think is helpful though is that have removed all the bad web sites from MSN search but have not shared their findings with anyone else in the security community so are gonna be profiting from this. I don't think Microsoft have started to sort things out for the good of their users, they have done it because their is a market for profit. I listened to the security now pod cast last week and agreed with a lot of things they said about it.