By Gregg Keizer
Aug. 8, 2005
Microsoft unveiled details of its Strider HoneyMonkey research, a
project that sniffs out sites hosting malicious code, and hands the
information to other parts of the company for patching or legal
The technical report outlines the concept of cruising the Web with
multiple automated Windows XP clients -- some unpatched, some
partially patched, some patched completely -- to hunt for Web sites
that exploit browser vulnerabilities.
The HoneyMonkey concept, said Yi-Min Wang, the manager of the
Cybersecurity and Systems Management Research Group, is completely
different from the better-known honeypot approach to searching for
malicious exploits. "Honeypots are looking for server-based
vulnerabilities, where the bad guys act like the client. Honeymonkeys
are the other way around, where the client is the vulnerable one."
Using 12 to 25 machines as the "active client honeypots," Wang's group
instructed a PC to surf to one of the 5,000 URLs it had identified as
potentially malicious; that PC ran unpatched Windows XP SP1. If it
caught the site downloading software without any user action, it
passed it on to a Windows XP SP2 honeymonkey, which in turn would pass
it up the food chain if necessary to a partially-patched SP2 system,
then to a nearly-fully patched SP2 PC (all but the most recent patch),
and finally to a fully-patched SP2 computer.
In the first month, the honeymonkeys found 752 unique URLs operated by
287 Web sites that can successfully deliver exploit code against
unpatched Windows XP PCs.
That chain of monkeys gives Microsoft a good idea of the seriousness
of the exploit being used by a site, as well as the size of the
potential victim pool. And if what Wang called the
"end-of-the-pipeline monkey," the fully-patched SP2 system, reports a
URL as an exploit, Microsoft knows it has a zero-day browser exploit
on its hands, one for which no patch is currently available.
"Once we detect a zero day exploit, we contact Microsoft's Internet
Safety Enforcement Team and the Microsoft Security Response Center,"
In effect, the Strider HoneyMonkey project acts as a "lead generator"
for both the security and legal enforcement arms of Microsoft.
"If it's a bad site, we want to take the site down permanently," said
Scott Stein, a senior attorney with Microsoft. To do that, Microsoft
may turn to the site's hosting vendor or ISP to shut down the
exploiter, or if that doesn't work, law enforcement.
"One of the most important things is getting this information into the
hands of our customers," said Stephen Toulouse, program manager for
Microsoft Security Response Center. "We can do that with a security
advisory, or in a bulletin, to tell customers not only that 'here's
the vulnerability,' but that this is actively being exploited and
perhaps should be given priority for patching."
During the initial run of the project, the honeymonkeys demonstrated
the value of keeping Windows XP up to date, said Toulouse. "One thing
I'd stress out of this is the importance of keeping software up to
An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs
and 270 sites, 91 and 94 percent, respectively, of all those uncovered
by the honeymonkeys. But update to SP2, and those numbers fall to 204
and 115 (27 and 43 percent). Better yet, a partially-patched SP2 box --
one updated to those fixes released through early 2005 -- is
vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of
all those found).
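The escalation chain described above (unpatched SP1 up to fully-patched SP2, with an exploit at the last stage meaning a zero-day) and the per-patch-level counts quoted from the first month's run can both be modelled in a few dozen lines. The following is an added example written for this page, not Microsoft's Strider HoneyMonkey code: the patch-level names, the `VisitTrace` monitor record, the expected-write directories and the `SIMULATED_SITES` table are all constructed assumptions standing in for the real virtual-machine visits.

```python
from dataclasses import dataclass, field

# Patch levels in the order the article describes the pipeline, least to most patched.
PATCH_CHAIN = [
    "XP SP1 unpatched",
    "XP SP2 unpatched",
    "XP SP2 partially patched",
    "XP SP2 nearly fully patched",
    "XP SP2 fully patched",
]

# Directories a browser is expected to write to while rendering a page (assumed
# locations for an XP profile named "monkey"). A file landing anywhere else with
# no user action is treated as a drive-by install.
EXPECTED_WRITE_PREFIXES = (
    "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\",
    "C:\\Documents and Settings\\monkey\\Cookies\\",
)


@dataclass
class VisitTrace:
    """What the monitor recorded while one automated client sat on one URL."""
    files_written: list
    user_clicks: int = 0  # the monkey never clicks; a click means the trace is invalid


def is_exploited(trace: VisitTrace) -> bool:
    """A visit counts as an exploit when software is written outside the browser's
    own cache directories without any user interaction."""
    if trace.user_clicks:
        raise ValueError("honeymonkey visits must be fully automated")
    return any(not path.startswith(EXPECTED_WRITE_PREFIXES) for path in trace.files_written)


@dataclass
class Triage:
    url: str
    exploited_levels: list = field(default_factory=list)

    @property
    def zero_day(self) -> bool:
        # The "end-of-the-pipeline monkey" reporting an exploit means no patch exists.
        return bool(self.exploited_levels) and self.exploited_levels[-1] == PATCH_CHAIN[-1]

    @property
    def severity(self) -> str:
        if not self.exploited_levels:
            return "benign"
        if self.zero_day:
            return "zero-day"
        return "exploits up to: " + self.exploited_levels[-1]


def run_pipeline(url: str, visit) -> Triage:
    """visit(url, level) -> VisitTrace. Start with the least-patched client and pass
    the URL up the chain while it still exploits; stop at the first level that resists."""
    result = Triage(url)
    for level in PATCH_CHAIN:
        if not is_exploited(visit(url, level)):
            break
        result.exploited_levels.append(level)
    return result


def vulnerable_counts(results) -> dict:
    """Number of URLs that exploited each patch level (the "688 of 752" style figures)."""
    return {level: sum(1 for r in results if level in r.exploited_levels) for level in PATCH_CHAIN}


# Constructed sample data: which patch levels each URL would exploit. A real
# deployment drives a browser inside a virtual machine and reads the monitor instead.
SIMULATED_SITES = {
    "http://example.invalid/sp1-only": {"XP SP1 unpatched"},
    "http://example.invalid/through-sp2": {"XP SP1 unpatched", "XP SP2 unpatched"},
    "http://example.invalid/zero-day": set(PATCH_CHAIN),
    "http://example.invalid/clean": set(),
}


def simulated_visit(url: str, level: str) -> VisitTrace:
    """Stand-in for a real visit: emit a dropped executable when the constructed
    table says this level is exploitable, otherwise only ordinary cache writes."""
    if level in SIMULATED_SITES.get(url, set()):
        return VisitTrace(files_written=["C:\\WINDOWS\\system32\\dropper.exe"])
    return VisitTrace(files_written=[EXPECTED_WRITE_PREFIXES[0] + "index[1].htm"])


if __name__ == "__main__":
    results = [run_pipeline(u, simulated_visit) for u in SIMULATED_SITES]
    for r in results:
        print(r.url, "->", r.severity)
    print(vulnerable_counts(results))
```

The pipeline stops at the first patch level that resists, which is what lets a small pool of machines cover thousands of URLs: most candidates drop out at the unpatched SP1 stage, and only the few that survive every stage are escalated as zero-days. In practice the detector should also watch registry autostart keys and new processes, not just file writes.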
Wang's honeymonkeys -- the "monkey" name comes from the idea that the
automated clients mimic a human's actions, as in 'monkey see, monkey
do' -- found their first zero-day browser exploit in early July, when they
identified a page using the Javaprxy.dll exploit that was already publicly
known, but not yet patched.
(The July 12 patch batch included one that employed a work-around fix
for the Javaprxy.dll bug.)
The page found by the honeymonkeys was the first URL reported to the
Microsoft Security Response Center. Within two weeks, however, the
honeymonkeys detected that over 40 of the 752 exploit URLs had started
to "upgrade" to the exploit; the three Web sites responsible for all
the pages were reported to the center.
While neither Wang nor Toulouse would comment on whether the honeymonkey
concept would be used to provide Internet Explorer 7 users with
information about malicious sites in the future, Wang did say that the
project was already being expanded.
"We do expect to grow the network into the hundreds of machines so
that we can scan millions of pages," he said. Already, the team is
sending honeypots to a list of the most popular Web sites --
determined by the popularity of those sites in common search engines
-- in an attempt to find out if exploiters have infiltrated the "good
neighborhoods" of the Internet. Later, Wang intends to sic the
honeymonkeys on URLs embedded in spam and phishing e-mails.
"We know that the exploiters won't try to host malicious software on
the largest Web sites, because that's just too obvious," said Wang.
"But what if they exploit the five-thousandth most-popular site?"