"HoneyMonkey" effort could presage filtering bid

11.08.2005
By
Jaikumar Vijayan writes, among other outlets, for our US sister publication CSO Online.

A Microsoft Corp. research effort to detect and analyze Web sites that host malicious code could allow the company to one day offer enterprises the same capabilities vendors of URL filtering products have been pitching for some time now.

But for now at least, it remains unclear if this is the direction Microsoft is headed with its research effort, users and analysts said this week.

Microsoft last week released a report summarizing the first month of testing of its Strider HoneyMonkey Exploit Detection System. The system was launched as part of a bid by Microsoft to identify and head off attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on compromised PCs, said Yi-Min Wang, group manager of the Microsoft Cybersecurity and Systems Management Research Group.

The system uses an automated network of "HoneyMonkey" systems to patrol the Web for sites that exploit browser vulnerabilities. Each HoneyMonkey on the network is a computer or a virtual PC that actively mimics the actions of a user surfing the Web, according to a Microsoft description of the system. Some of the systems on the network run fully patched browsers. Others run partially patched browsers, and the rest use browsers that have not been patched at all.
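The tiered patch levels described above are what let a client honeypot separate a site that only hits stale browsers from one that beats a fully patched one. As an added example that is not Microsoft's code, this Python triage routine takes constructed before/after snapshots from visits at each tier and reports, per URL, the highest patch level at which a visit left persistent changes; the "file:"/"proc:" snapshot format, the browser-cache allowlist and the verdict labels are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class PatchLevel(IntEnum):   # the three browser tiers the article describes
    UNPATCHED = 0
    PARTIAL = 1
    FULL = 2

@dataclass(frozen=True)
class Visit:
    """One HoneyMonkey visiting one URL at one patch level; `before`/`after` are constructed
    stand-ins for the VM's file and process listing ("file:<path>" and "proc:<name>")."""
    url: str
    level: PatchLevel
    before: frozenset
    after: frozenset

# Paths a browser legitimately writes on its own; any other new artifact is suspect (assumption).
BROWSER_NOISE = ("file:C:/browser-cache/",)

def suspicious_changes(before: frozenset, after: frozenset) -> set:
    # Persistent changes a passive page visit should never cause.
    return {a for a in after - before if not a.startswith(BROWSER_NOISE)}

def triage(visits) -> dict:
    """URL -> highest patch level at which a visit left suspicious changes (None if none did)."""
    worst = {}
    for v in visits:
        worst.setdefault(v.url, None)
        if suspicious_changes(v.before, v.after):
            worst[v.url] = v.level if worst[v.url] is None else max(worst[v.url], v.level)
    return worst

def classify(level) -> str:
    if level is None:
        return "no-exploit-observed"
    # A fully patched browser that still gets a drive-by install points at an unknown hole.
    return "possible-zero-day" if level == PatchLevel.FULL else "exploits-unpatched-browsers"

# Constructed sample runs, not real HoneyMonkey data.
BASE = frozenset({"file:C:/windows/explorer.exe", "proc:explorer.exe", "proc:iexplore.exe"})
SAMPLE = [
    Visit("http://a.example", PatchLevel.UNPATCHED, BASE, BASE | {"file:C:/windows/svc32.exe", "proc:svc32.exe"}),
    Visit("http://a.example", PatchLevel.PARTIAL, BASE, BASE | {"file:C:/windows/svc32.exe"}),
    Visit("http://a.example", PatchLevel.FULL, BASE, BASE | {"file:C:/browser-cache/index.html"}),
    Visit("http://b.example", PatchLevel.FULL, BASE, BASE | {"proc:dropper.exe"}),
    Visit("http://c.example", PatchLevel.UNPATCHED, BASE, BASE | {"file:C:/browser-cache/ad.gif"}),
]
def report(visits=SAMPLE) -> dict:
    # URL -> verdict: the raw material for a block list of the kind the article mentions.
    return {url: classify(level) for url, level in triage(visits).items()}
```

A URL whose verdict is "possible-zero-day" is the one worth escalating first, since blocking it is the only defense until a patch exists.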

In its first month of testing, the Strider project located 752 URLs for Web sites that automatically infect unpatched Windows XP systems when users visit them, Wang said. A majority of the URLs belong to porn sites, although a few also belong to Internet advertising companies, shopping sites and search engine companies, Wang said.

Such information allows Microsoft to stay on top of new and emerging Internet threats, said Stephen Toulouse, program manager of Microsoft's Security Response Center. "We are working with ISPs, law enforcement, customers, etc., to provide data about the threats out there," he said.

Toulouse did not elaborate on Microsoft plans for using the HoneyMonkey network going forward.

"At first glance it looks like they are wanting to get into the content filtering space" like other vendors, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based application services provider.

The information gathered by the HoneyMonkey network will allow Microsoft to build lists of malicious URLs that companies can block employees from accessing, he said.

Vendors such as Websense Inc., Secure Computing Corp. and Surf Control USA, for instance, already sell such URL filtering products based on similar lists.

The question is whether Microsoft plans to use its research to sue malicious Web site operations "out of existence, or whether they plan to get into the content filtering business," Beasley said.

For the moment, HoneyMonkey appears to be a pure research effort by Microsoft, said John Pescatore, an analyst at Gartner Inc. But don't be surprised to see the information used to "feed future products" from the company, Pescatore said. For instance, the information gathered by the HoneyMonkey network could allow the company to build better defenses in its growing suite of antispyware and antivirus products, he said.

"For now, it's just more research and data to sift through to try and figure out how to overcome the failings of the Microsoft programming groups," said Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in Herndon, Va. "I'd be happier if Microsoft were making IP addresses and DNS names available now for every site they identify, with the caveat that the site may actually not be malicious."