Microsoft's HoneyMonkeys Show Patching Windows Works

The technical report outlines the concept of cruising the Web with multiple automated Windows XP clients -- some unpatched, some partially patched, some patched completely -- to hunt for Web sites that exploit browser vulnerabilities.

The HoneyMonkey concept, said Yi-Min Wang, the manager of the Cybersecurity and Systems Management Research Group, is completely different from the better-known honeypot approach to searching for malicious exploits. "Honeypots are looking for server-based vulnerabilities, where the bad guys act like the client. Honeymonkeys are the other way around, where the client is the vulnerable one."

Using 12 to 25 machines as the "active client honeypots," Wang's group instructed a PC to surf to one of the 5,000 URLs it had identified as potentially malicious; that PC ran unpatched Windows XP SP1. If it caught the site downloading software without any user action, it passed it on to a Windows XP SP2 honeymonkey, which in turn would pass it up the food chain if necessary to a partially-patched SP2 system, then to a nearly-fully patched SP2 PC (all but the most recent patch), and finally to a fully-patched SP2 computer.

In the first month, the honeymonkeys found 752 unique URLs operated by 287 Web sites that can successfully deliver exploit code against unpatched Windows XP PCs.

That chain of monkeys gives Microsoft a good idea of the seriousness of the exploit being used by a site, as well as the size of the potential victim pool. And if what Wang called the "end-of-the-pipeline monkey," the fully-patched SP2 system, reports a URL as an exploit, Microsoft knows it has a zero-day browser exploit on its hands, one for which no patch is currently available.

"Once we detect a zero day exploit, we contact Microsoft's Internet Safety Enforcement Team and the Microsoft Security Response Center," said Wang.

In effect, the Strider HoneyMonkey project act as a "lead generator" for both the security and legal enforcement arms of Microsoft.

"If it's a bad site, we want to take the site down permanently," said Scott Stein, a senior attorney with Microsoft. To do that, Microsoft may turn to the site's hosting vendor or ISP to shut down the exploiter, or if that doesn't work, law enforcement.

"One of the most important things is getting this information into the hands of our customers," said Stephen Toulouse, program manager for Microsoft Security Response Center. "We can do that with a security advisory, or in a bulletin, to tell customers not only that 'here's the vulnerability,' but that this is actively being exploited and perhaps should be given priority for patching."

During the initial run of the project, the honeymonkeys demonstrated the value of keeping Windows XP up to date, said Toulouse. "One thing I'd stress out of this is the importance of keeping software up to date."

An unpatched XP SP1 PC, for instance, would be vulnerable to 688 URLs and 270 sites, 91 and 94 percent, respectively, of all those uncovered by the honeymonkeys. But update to SP2, and those numbers fall to 204 and 115 (27 and 43 percent). Better yet, a partially-patched SP box -- one updated to those fixes released through early 2005 -- is vulnerable to only 17 malicious URLs and 10 sites (2 and 3 percent of all those found).

Wang's honeymonkeys -- the "monkey" name comes from the idea that the automated clients mimic a human's actions, as in 'monkey see, monkey do' -- found its first zero-day browser exploit in early July, when it identified a page using the Javaprxy.dll exploit that already publicly known, but not yet patched.

(The July 12 patch batch included one that employed a work-around fix for the Javaprxy.dll bug.)

The page found by the honeymonkeys was the first URL reported to the Microsoft Security Response Center. Within two weeks, however, the honeymonkeys detected that over 40 of the 752 exploit URLs had started to "upgrade" to the exploit; the three Web sites responsible for all the pages were reported to the center.

While Wang or Toulouse wouldn't comment on whether the honeymonkey concept would be used to provide Internet Explorer 7 users with information about malicious sites in the future, Want did say that the project was already being expanded.

"We do expect to grow the network into the hundreds of machines so that we can scan millions of pages," he said. Already, the team is sending honeypots to a list of the most popular Web sites -- determined by the popularity of those sites in common search engines -- in an attempt to find out if exploiters have infiltrated the "good neighborhoods" of the Internet. Later, Wang intends to sic the honeymonkeys on URLs embedded in spam and phishing e-mails.

"We know that the exploiters won't try to host malicious software on the largest Web sites, because that's just too obvious," said Want. "But what if they exploit the five-thousandth most-popular site?"