HoneyMonkey: Difference between revisions

HoneyMonkey, short for Strider HoneyMonkey Exploit Detection System is a Microsoft Research implementation of Honeypots. Honeypots are a network of computers which crawl websites looking for which web sites are using browser vulnerabilities to install malware onto the system. The basic idea of honeypots is to take a snapshot of the memory, the executables and the registry before crawling a site. After visting the site, the state of memory, executables, and registry is compared to the previous snapshot. The changes are analyzed to find out whether the site installed malware onto the system or not.

HoneyMonkey is based on the honeypots concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in 2005. With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

A single HoneyMonkey is a automated program, that tries to mimic the action of a user surfing the net. A series of HoneyMonkeys are run on Virtual Machines running Windows XP, at various levels of patching — some are fully patched, some fully vulnerable, and others in between these two extremes. The HoneyMonkey program records every read or write of the files and registry, thus keeping a log what data was collected by the web-site and what software was installed by it. Once the program leaves a site, this log is analyzed to see if any malware has been loaded. In such case, the log of actions which led to the installaion of malware is sent for further manual analysis to an external controller program, which logs the exploit data and restarts the Virtual Machine to allow it to crawl other sites in an uninfected state.

Out of the 10 billion plus web pages, there are many legitimate sites that do not use exploit browser vulnerabilities, and to start crawling from most of these sites would be a waste of resources. An initial list was therefore manually created that listed sites known to use browser vulnerabilities to compromise visiting systems with malware. The HoneyMonkey system then follows links from exploit sites, as they had hgher probability of leading to other exploit sites. The HoneyMonkey system also records how many links point to an exploit site thereby giving a statistical indication of how easily an exploit site be reached.

HoneyMonkey uses a black box system to detect exploits, i.e., it doesn't use a signature of browser exploits to detect exploits. A Monkey Program, which is a single instance of the HoneyMonkey project, launches Internet Explorer to visit a site. In addition, it also records all registry and file read or write operations. The monkey does not allow any pop-ups, nor does it allow installation of any software. So, any read or write that happens out of Internet Explorer's temporary folder must have used browser exploits. These are then further analyzed by malware detection programs, and are sent for manual analysis. The monkey program then restarts the vurtual machine to crawl another site in a fresh state.

• MSR article
• MSR Technical Paper

• Kathy Wang's Honeyclient Development Project

• eWeek [1], [2]

This software article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e