Microsoft has officially lifted the wraps off its Strider HoneyMonkey research project, designed to trawl the dark side of the Internet looking for Web sites hosting malicious code.
Microsoft Corp. released a technical report, available here as a PDF, to introduce the concept of an Automated Web Patrol that uses multiple Windows XP machines, some unpatched and some fully updated, to streamline the process of finding zero-day Web-based exploits. Yi-Min Wang, group manager of the Cybersecurity and Systems Management group in Microsoft Research, said a total of 752 unique URLs, hosted on 287 sites, were identified within the first month of launching the HoneyMonkey project.
From those URLs, the system was able to confirm that active exploits were infecting Windows XP machines, including one for a fully patched system running the company's newly hardened XP SP2 (Service Pack 2).
In an interview with Ziff Davis Internet News, Wang said his researchers were able to capture the connections between the exploit sites based on traffic redirection and pinpoint "several major players" who are responsible for a large number of exploit pages.
In the initial phase, Wang's unit used between 12 and 25 virtual machines serving as "active client honeypots" to perform the automated patrols across the Web.
The entire system consists of a "pipeline of monkey programs" running on VMs (Virtual Machines) with different patch levels in order to detect exploit sites with different capabilities, he explained.
In his technical report, Wang describes the use of a "black-box approach" to lower the cost of patrolling billions of Web pages. "[We] run a monkey program with the Strider Flight Data Recorder to efficiently record every single file and Registry read/write," he said, referring to another research project within his unit.
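As an added illustration (not code from the article or from Microsoft Research), the following Python simulates the two ideas above: the black-box rule that a visit is an exploit when the recorded trace shows a file or Registry write outside the browser's own sandbox locations (an assumption about the detection rule, since the article does not spell it out), and the pipeline that only spends a more-patched VM on a URL that already exploited a less-patched one. The allow-list paths, URLs and trace events are all constructed.

```python
from dataclasses import dataclass

# Locations the browser itself is expected to write to during a normal visit
# (assumed allow-list for an XP "monkey" account; not from the article).
BROWSER_WRITE_ALLOWLIST = (
    r"c:\documents and settings\monkey\local settings\temporary internet files",
    r"c:\documents and settings\monkey\cookies",
    r"hkcu\software\microsoft\windows\currentversion\internet settings",
)

# VMs ordered from least to most patched, as in the "pipeline of monkey programs".
PIPELINE = ("XP SP1 unpatched", "XP SP1 fully patched", "XP SP2 fully patched")

@dataclass(frozen=True)
class TraceEvent:
    kind: str   # "file" or "registry"
    op: str     # "read" or "write"
    path: str

def suspicious_writes(trace):
    """Black-box rule: every file/Registry write that lands outside the browser sandbox."""
    return [e.path for e in trace
            if e.op == "write" and not e.path.lower().startswith(BROWSER_WRITE_ALLOWLIST)]

def is_exploit(trace):
    """A page that merely renders never writes outside the sandbox; any such write is an exploit."""
    return bool(suspicious_writes(trace))

def classify_url(url, visit):
    """Push a URL through the pipeline; return the most-patched level it still exploited."""
    highest = None
    for level in PIPELINE:
        if not is_exploit(visit(url, level)):
            break          # blocked at this patch level, so skip the more-patched VMs
        highest = level
    return highest

# Constructed sample traces standing in for Flight Data Recorder output.
_BENIGN = [TraceEvent("file", "write", r"C:\Documents and Settings\monkey\Cookies\monkey@example[1].txt"),
           TraceEvent("registry", "read", r"HKCU\Software\Microsoft\Internet Explorer\Main")]
_DROP = [TraceEvent("file", "write", r"C:\WINDOWS\system32\constructed-dropper.exe"),
         TraceEvent("registry", "write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\constructed")]
CONSTRUCTED_TRACES = {("http://benign.example/", lvl): _BENIGN for lvl in PIPELINE}
CONSTRUCTED_TRACES[("http://old-exploit.example/", PIPELINE[0])] = _BENIGN + _DROP
CONSTRUCTED_TRACES.update({("http://old-exploit.example/", lvl): _BENIGN for lvl in PIPELINE[1:]})
CONSTRUCTED_TRACES.update({("http://zero-day.example/", lvl): _BENIGN + _DROP for lvl in PIPELINE})

def simulated_visit(url, level):
    """Stand-in for running the monkey in a VM at the given patch level (constructed data)."""
    return CONSTRUCTED_TRACES[(url, level)]
```

Running `classify_url` over the three constructed URLs yields `None`, `"XP SP1 unpatched"` and `"XP SP2 fully patched"`, the last being the zero-day case the article describes against a fully patched SP2 machine.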