has announced a new security programme that uses automated HoneyMonkeys
to patrol the Web and seek sites that automatically install malicious code on
Windows XP systems.
In its first month, the companys project, named Strider HoneyMonkey
research project, located 752 Web addresses linking to 287 sites that
could automatically infect unpatched machines. The project also discovered an
attack that could penetrate a fully updated Windows XP Service Pack 2 system
using a previously unknown vulnerability. Microsoft first discussed the HoneyMonkey
programme in May and published a research paper discussing the details.
The system uses a chain of HoneyMonkeys, a name derived from honeypots,
which refers to passive security research server systems set up to wait for
attacks. Each HoneyMonkey is a Windows XP system with a different level of patching
running on a virtual machine. An initial wave of unpatched HoneyMonkeys scours
the Web seeking potentially malicious sites. When a site is found that installs
potentially malicious code, the virtual machine is scrapped and another takes
The target URL is then passed to a virtual machine with a greater level of patching
to see which systems are vulnerable to the sites exploit. At the end of
the chain is a fully patched Windows XP system, Microsoft said. The system builds
a topology graph based on traffic redirection, which has led to the identification
of a few major players who are responsible for a large number of exploit pages.
The project is relatively limited in scope. It only looks for code that can
be installed with no user interaction, leaving out the more sophisticated and
increasingly successful attacks relying on social engineeringattacks such
as phishing. However, Microsoft believes the automated approach could become
a valuable tool for detecting new types of attacks before they become widespread.