HoneyMonkey
HoneyMonkey, short for Strider HoneyMonkey Exploit Detection System, is a
HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in 2005. With honeymonkeys it is possible to find open
Technology
A single HoneyMonkey is an automated program that tries to mimic the actions of a user surfing the net. A series of HoneyMonkeys are run on virtual machines running Windows XP at various levels of patching: some are fully patched, some fully vulnerable, and others in between these two extremes. The HoneyMonkey program records every read or write of the file system and registry, thus keeping a log of what data was collected by the website and what software was installed by it. Once the program leaves a site, this log is analyzed to determine if any malware has been loaded. In such cases, the log of actions is sent for further manual analysis to an external controller program, which logs the exploit data and restarts the virtual machine so that it can crawl other sites starting from a known uninfected state.
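One way to run the post-visit log analysis described above, as an added example rather than HoneyMonkey's own code. The log format, the allowlist of expected browser write locations, the user name and the URLs are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed allowlist: locations the browser writes to during ordinary surfing.
PROFILE = r"c:\documents and settings\monkey"  # constructed user name
ALLOWED = (
    PROFILE + r"\local settings\temporary internet files",
    PROFILE + r"\cookies",
    r"hkcu\software\microsoft\internet explorer",
)
LEVELS = ("unpatched", "partially_patched", "fully_patched")

# Constructed sample log, one tuple per recorded operation:
# (VM patch level, visited URL, operation, target path or registry key)
A, B = "http://site-a.example/", "http://site-b.example/"
CACHE = PROFILE + r"\Local Settings\Temporary Internet Files"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_LOG = [
    ("unpatched", A, "file_write", CACHE + r"\index.htm"),
    ("unpatched", A, "file_write", r"C:\WINDOWS\system32\dropped.exe"),
    ("unpatched", A, "reg_write", RUN_KEY + r"\dropped"),
    ("partially_patched", A, "file_write", r"C:\WINDOWS\system32\dropped.exe"),
    ("fully_patched", A, "file_write", CACHE + r"\index.htm"),
    ("unpatched", B, "file_write", CACHE + r"\page.htm"),
    ("unpatched", B, "reg_read", RUN_KEY),
]

def is_unexpected_write(op, target):
    """True for a file or registry write outside the allowlisted locations."""
    if not op.endswith("_write"):
        return False  # reads do not change persistent state
    t = target.lower()
    return not any(t == p or t.startswith(p + "\\") for p in ALLOWED)

def analyze(log):
    """Return {url: {patch_level: [unexpected write targets]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for level, url, op, target in log:
        if is_unexpected_write(op, target):
            findings[url][level].append(target)
    return {url: dict(levels) for url, levels in findings.items()}

def triage(log):
    """URLs to send for manual analysis, with the patch levels that were hit."""
    return {url: [lvl for lvl in LEVELS if lvl in hit]
            for url, hit in analyze(log).items()}

if __name__ == "__main__":
    for url, levels in triage(SAMPLE_LOG).items():
        print(url, "-> flagged on:", ", ".join(levels), "(restart these VMs)")
```

Comparing the same URL across patch levels shows which VMs were changed by the visit and therefore need to be restarted from the clean snapshot.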
Initiating crawling
Out of the 10 billion plus web pages, there are many legitimate sites that do not exploit browser vulnerabilities, and to start crawling from most of these sites would be a waste of resources. An initial list was therefore manually created of sites known to use browser vulnerabilities to compromise visiting systems with malware. The HoneyMonkey system then follows links from exploit sites, as they have a higher probability of leading to other exploit sites. The HoneyMonkey system also records how many links point to an exploit site, thereby giving a statistical indication of how easily an exploit site is reached.
Exploit detection
HoneyMonkey uses a
See also
- Client honeypot / honeyclient
External links
- Security Now! PodCast - Episode #2: "HoneyMonkeys"
- eWeek articles
- Honeyclient - An open source client honeypot that drives IE similar to HoneyMonkey
- HoneyC - A low interaction client honeypot framework
- MSR article
- MSR Technical Paper