'Honeymonkeys' Find Web Threats

It's well known that hackers target Microsoft products. The software company has responded with an initiative that sniffs out Web sites hosting malicious code and hands the information to other parts of the company to develop patches or to launch legal action. The effort is called the Strider HoneyMonkey Exploit Detection System and was outlined in a paper released last week.

The honeymonkey concept is different from the better-known honeypot approach to searching for malicious exploits, says Yi-Min Wang, manager of the Cybersecurity and Systems Management Research Group. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

To find where malicious code is coming from, the company cruises the Web with multiple automated Windows XP clients--some unpatched, some partially patched, some patched completely--to hunt for Web sites that try to exploit browser vulnerabilities.

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC running unpatched Windows XP SP1 to surf to one of the 5,000 URLs it had identified as potentially malicious. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn passed it up the food chain if necessary to a partially patched SP2 system, then to an almost fully patched SP2 PC (all but the most recent patch), and finally to a fully patched SP2 computer.

In the first month, the group found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.