[ISN] Microsoft's HoneyMonkeys Show Patching Windows Works

InfoSec News isn at c4i.org
Wed Aug 10 02:37:13 EDT 2005


By Gregg Keizer 
TechWeb News 
Aug. 8, 2005 

Microsoft unveiled details of its Strider HoneyMonkey research, a 
project that sniffs out sites hosting malicious code, and hands the 
information to other parts of the company for patching or legal 

The technical report outlines the concept of cruising the Web with 
multiple automated Windows XP clients -- some unpatched, some 
partially patched, some patched completely -- to hunt for Web sites 
that exploit browser vulnerabilities. 

The HoneyMonkey concept, said Yi-Min Wang, the manager of the 
Cybersecurity and Systems Management Research Group, is completely 
different from the better-known honeypot approach to searching for 
malicious exploits. "Honeypots are looking for server-based 
vulnerabilities, where the bad guys act like the client. Honeymonkeys 
are the other way around, where the client is the vulnerable one." 

Using 12 to 25 machines as the "active client honeypots," Wang's group 
instructed a PC to surf to one of the 5,000 URLs it had identified as 
potentially malicious; that PC ran unpatched Windows XP SP1. If it 
caught the site downloading software without any user action, it 
passed it on to a Windows XP SP2 honeymonkey, which in turn would pass 
it up the food chain if necessary to a partially-patched SP2 system, 
then to a nearly-fully patched SP2 PC (all but the most recent patch), 
and finally to a fully-patched SP2 computer. 

In the first month, the honeymonkeys found 752 unique URLs operated by 
287 Web sites that can successfully deliver exploit code against 
unpatched Windows XP PCs. 

That chain of monkeys gives Microsoft a good idea of the seriousness 
of the exploit being used by a site, as well as the size of the 
potential victim pool. And if what Wang called the 
"end-of-the-pipeline monkey," the fully-patched SP2 system, reports a 
URL as an exploit, Microsoft knows it has a zero-day browser exploit 
on its hands, one for which no patch is currently available. 
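
The escalation described above, sketched as an added example (not Microsoft's code and not part of the original article): a URL is passed to the next, more-patched stage only if the current stage was compromised, and a hit on the last stage is flagged as a zero-day. The `visit` hook, the `.example` URLs and the observation table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Patch levels in the order the article gives, least to most patched.
STAGES = ["XP SP1 unpatched", "XP SP2 unpatched", "XP SP2 partially patched",
          "XP SP2 nearly fully patched", "XP SP2 fully patched"]

@dataclass
class Verdict:
    url: str
    visited: list            # stages that actually browsed the URL
    deepest: Optional[str]   # most-patched stage that was still compromised
    zero_day: bool           # True only if the fully patched stage was hit

def triage(url, visit):
    """Escalate url stage by stage; stop at the first stage that stays clean.
    visit(url, stage) is a hypothetical hook: it browses the URL on a machine
    at that patch level and returns True if software arrived with no user action.
    """
    visited, deepest = [], None
    for stage in STAGES:
        visited.append(stage)
        if not visit(url, stage):
            break                      # clean here, so no need to escalate
        deepest = stage
    return Verdict(url, visited, deepest, deepest == STAGES[-1])

def exposure(verdicts):
    """Per patch level, count the URLs whose exploit still succeeded there."""
    counts = {stage: 0 for stage in STAGES}
    for v in verdicts:
        if v.deepest:
            for stage in STAGES[:STAGES.index(v.deepest) + 1]:
                counts[stage] += 1
    return counts

# Constructed sample: URL -> number of stages it compromises (0 = benign).
OBSERVED = {"http://benign.example/": 0, "http://old-bug.example/a": 1,
            "http://sp2-bug.example/b": 2, "http://zero-day.example/c": 5}

def simulated_visit(url, stage):
    return STAGES.index(stage) < OBSERVED[url]

def run_sample():
    return [triage(url, simulated_visit) for url in OBSERVED]

if __name__ == "__main__":
    print(exposure(run_sample()))
```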

"Once we detect a zero day exploit, we contact Microsoft's Internet 
Safety Enforcement Team and the Microsoft Security Response Center," 
said Wang. 

In effect, the Strider HoneyMonkey project acts as a "lead generator" 
for both the security and legal enforcement arms of Microsoft. 

"If it's a bad site, we want to take the site down permanently," said 
Scott Stein, a senior attorney with Microsoft. To do that, Microsoft 
may turn to the site's hosting vendor or ISP to shut down the 
exploiter, or if that doesn't work, law enforcement. 

"One of the most important things is getting this information into the 
hands of our customers," said Stephen Toulouse, program manager for 
Microsoft Security Response Center. "We can do that with a security 
advisory, or in a bulletin, to tell customers not only that 'here's 
the vulnerability,' but that this is actively being exploited and 
perhaps should be given priority for patching." 

During the initial run of the project, the honeymonkeys demonstrated 
the value of keeping Windows XP up to date, said Toulouse. "One thing 
I'd stress out of this is the importance of keeping software up to 

An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs 
and 270 sites, 91 and 94 percent, respectively, of all those uncovered 
by the honeymonkeys. But update to SP2, and those numbers fall to 204 
and 115 (27 and 43 percent). Better yet, a partially-patched SP box -- 
one updated to those fixes released through early 2005 -- is 
vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of 
all those found). 

Wang's honeymonkeys -- the "monkey" name comes from the idea that the 
automated clients mimic a human's actions, as in 'monkey see, monkey 
do' -- found their first zero-day browser exploit in early July, when 
they identified a page using the Javaprxy.dll exploit that was already 
publicly known, but not yet patched. 

(The July 12 patch batch included one that employed a work-around fix 
for the Javaprxy.dll bug.) 

The page found by the honeymonkeys was the first URL reported to the 
Microsoft Security Response Center. Within two weeks, however, the 
honeymonkeys detected that over 40 of the 752 exploit URLs had started 
to "upgrade" to the exploit; the three Web sites responsible for all 
the pages were reported to the center. 

While neither Wang nor Toulouse would comment on whether the 
honeymonkey concept would be used to provide Internet Explorer 7 users 
with information about malicious sites in the future, Wang did say 
that the project was already being expanded. 

"We do expect to grow the network into the hundreds of machines so 
that we can scan millions of pages," he said. Already, the team is 
sending honeypots to a list of the most popular Web sites -- 
determined by the popularity of those sites in common search engines 
-- in an attempt to find out if exploiters have infiltrated the "good 
neighborhoods" of the Internet. Later, Wang intends to sic the 
honeymonkeys on URLs embedded in spam and phishing e-mails. 

"We know that the exploiters won't try to host malicious software on 
the largest Web sites, because that's just too obvious," said Wang. 
"But what if they exploit the five-thousandth most-popular site?" 
