Microsoft unveils HoneyMonkey project


Two months ago, Microsoft started a project, codenamed Strider HoneyMonkey, to detect security vulnerabilities, and the exploits written for them, at an early stage. A detailed report has now been published that extensively describes the techniques used to discover the exploits. The vulnerabilities investigated are those exploited to install spyware on computers with minimal user intervention. In the first month that the project was online, 752 URLs were found pointing to websites that managed to install spyware on an unpatched Windows XP machine. In early July, an exploit was discovered that managed to infect even a fully patched machine with unwanted software.

Project design

For the system setup, computers were installed with Microsoft Virtual PC and images of different Windows XP installations, each with more security patches applied than the previous one. To hunt for vulnerabilities, the researchers developed a step-by-step procedure that makes finding and tracking the relevant websites simple and efficient. First, the machines needed a starting point. For this, a search engine was used to look for variants of the Windows XP hosts file that people publish to block advertising and spyware sites; the hostnames listed in them were combined with a list of already known malicious sites and fed into the so-called 'monkey' software. This software behaves like a normal user browsing the web: it works through the list of websites and clicks on hyperlinks within those sites. Spyware pages are often constructed so that the browser is redirected to other sites that also contain malicious code, in order to exploit as many different vulnerabilities as possible. By letting the browser follow these redirects, the researchers expose the VMs to as many vulnerabilities as possible.

To detect the attacks, the researchers use a 'black box' approach: a monitor program watches registry and hard disk activity during the visit, with no knowledge of the specific vulnerability being exploited. Once a change outside the browser's normal footprint is detected, it is reported and the URL is marked as a potential exploit. The URL is then passed on to the next virtual machine, running a better-patched version of Windows XP, which checks whether the exploit still works. If so, the URL is passed to an even better-patched system. The infected VM is destroyed, and the remaining URLs are processed on a fresh, clean installation. If the best-patched installation is also vulnerable to the exploit, the research team is called in.
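The pipeline described in the two paragraphs above, seeding from a hosts file, 'black box' change detection and escalation through VMs of increasing patch level, as an added Python model. This is an illustration written for this article, not Strider HoneyMonkey code; the hosts file, file and registry paths, the allow-list of browser write locations and the simulated exploit outcomes are all constructed, and a real deployment would take snapshots from an actual VM instead of the simulated_visit function.

```python
"""Model of the HoneyMonkey pipeline: seed URLs from a hosts file,
'black box' change detection, and escalation of a URL through VMs of
increasing patch level. Added illustration, not Strider code; all paths,
hostnames and exploit outcomes below are constructed."""
from typing import Callable

# Patch levels in the order URLs are escalated (mirrors the article's table).
PATCH_LEVELS = [
    "XP SP1 unpatched",
    "XP SP2 unpatched",
    "XP SP2 partially patched",
    "XP SP2 fully patched",
]

# Locations a browser legitimately writes to during a visit (assumed, not the
# tool's real allow-list). Any other change counts as a potential exploit.
BROWSER_WRITE_PREFIXES = (
    r"c:\documents and settings\monkey\local settings\temporary internet files",
    r"c:\documents and settings\monkey\cookies",
    r"hkcu\software\microsoft\internet explorer",
)

SAMPLE_HOSTS_FILE = """# constructed hosts file in the style used to block ad/spyware hosts
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.invalid
0.0.0.0 www.example-lure.invalid   # drive-by lure
127.0.0.1 example-zero-day.invalid
"""


def parse_hosts_file(text: str) -> set[str]:
    """Hostnames a hosts file sinkholes to 0.0.0.0 or 127.0.0.1, minus the
    loopback name every hosts file carries; these become the seed URLs."""
    seeds: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("0.0.0.0", "127.0.0.1"):
            seeds.update(n.lower() for n in names if n.lower() != "localhost")
    return seeds


def _browser_write(key: str) -> bool:
    return key.lower().startswith(BROWSER_WRITE_PREFIXES)


def black_box_changes(before: dict[str, str], after: dict[str, str]) -> dict[str, str]:
    """Diff two file/registry snapshots and return the writes the browser
    cannot account for: the 'black box' signal needs no knowledge of the bug."""
    changes = {k: v for k, v in after.items()
               if before.get(k) != v and not _browser_write(k)}
    for k in before.keys() - after.keys():
        if not _browser_write(k):
            changes[k] = "<deleted>"
    return changes


def escalate(url: str, baseline: dict[str, str],
             visit: Callable[[str, str], dict[str, str]]) -> int:
    """Visit url on each VM in order of increasing patch level, each from the
    clean baseline. Stop at the first VM that shows no unexplained change.
    Returns the index of the most-patched VM exploited, or -1 if none."""
    exploited = -1
    for level, vm in enumerate(PATCH_LEVELS):
        if not black_box_changes(baseline, visit(vm, url)):
            break
        exploited = level  # infected VM is discarded; URL moves up one level
    return exploited


def exploit_counts(results: dict[str, int]) -> list[int]:
    """Per patch level, how many URLs still exploit it (the article's table)."""
    return [sum(1 for lvl in results.values() if lvl >= i)
            for i in range(len(PATCH_LEVELS))]


# ---- constructed simulation standing in for real VM visits ----
BASELINE = {
    r"C:\WINDOWS\system32\kernel32.dll": "sha1:aaaa",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": "",
}
SIMULATED_EXPLOITS = {  # url -> patch levels on which its exploit chain still works
    "http://www.example-lure.invalid/": {"XP SP1 unpatched", "XP SP2 unpatched"},
    "http://example-zero-day.invalid/": set(PATCH_LEVELS),
    "http://ads.example-tracker.invalid/": set(),
}


def simulated_visit(vm: str, url: str) -> dict[str, str]:
    """Fake post-visit snapshot: every visit touches the browser cache; a
    successful exploit additionally drops a binary and a Run key."""
    state = dict(BASELINE)
    state[r"C:\Documents and Settings\monkey\Local Settings\Temporary Internet Files\index.dat"] = "updated"
    if vm in SIMULATED_EXPLOITS.get(url, set()):
        state[r"C:\WINDOWS\system32\dropper.exe"] = "sha1:bbbb"
        state[r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"] = "dropper.exe"
    return state


def run(urls) -> dict[str, int]:
    return {u: escalate(u, BASELINE, simulated_visit) for u in urls}


if __name__ == "__main__":
    seeds = parse_hosts_file(SAMPLE_HOSTS_FILE)
    results = run(f"http://{h}/" for h in sorted(seeds))
    for url, lvl in results.items():
        tag = "none" if lvl < 0 else PATCH_LEVELS[lvl]
        flag = "  <- hand to research team" if lvl == len(PATCH_LEVELS) - 1 else ""
        print(f"{url}: exploits up to {tag}{flag}")
    print("exploit URLs per VM:", exploit_counts(results))
```

The escalation stops at the first VM that stays clean, so a URL is never tested on a better-patched machine than it needs, and a URL that still produces unexplained writes on the fully patched VM is the case the article says gets handed to the research team.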

Results

After a month of surfing, the results were evaluated. They are broken down by VM in the table below.

Type of installation                 Exploit URLs
Total                                         752
Windows XP SP1 (unpatched)                    688
Windows XP SP2 (unpatched)                    204
Windows XP SP2 (partially patched)             17
Windows XP SP2 (fully patched)                  0

According to the researchers, the most direct conclusion from the results is that a computer that is not up to date runs an unnecessarily high risk of spyware. The fully patched SP2 installation was unaffected by the browser-based attacks in the first month. Analysis of the URL redirection paths shows that although there are quite a few major spyware hosts, they are concentrated in the hands of a few individuals, who often own sites around the world. Pornography is the most common lure for these websites. It is also quite common for developers of anti-spyware software to use exploits themselves in order to convince surfers of the usefulness of their tools. Another way users end up on these sites is through search engines. At the time the report was written, Google and Yahoo returned 13.6% and 13.3% respectively of the examined URLs in their search results. MSN Search contained only 6.5% of the original list, and those URLs have since been removed from its cache, so that MSN Search no longer returns any hits for them.

Outlook

Microsoft plans to keep the machines running to continue detecting vulnerabilities. Based on the statistics they generate, the developers determine how urgently a particular vulnerability needs to be patched. In addition, the findings are passed on to the legal department to investigate whether the websites in question are breaking the law and whether litigation is worthwhile. Search engines are also scrutinised: the websites that receive the most hits are examined for spyware to ensure that popular sites do not contain malicious code. The list of exploit sites will continue to be expanded with links that arrive in spam and phishing e-mails. Finally, the researchers want to increase the number of HoneyMonkey networks and spread them around the world, so that spyware sites cannot simply block the networks.
