HoneyMonkey
HoneyMonkey, short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot. The implementation uses a network of computers to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer. A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site. After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot. The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in 2005. With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.
Technology
A single HoneyMonkey is an automated program that tries to mimic the actions of a user surfing the net. A series of HoneyMonkeys are run on virtual machines running Windows XP at various levels of patching: some are fully patched, some fully vulnerable, and others in between these two extremes. The HoneyMonkey program records every read or write of the file system and registry, thus keeping a log of what data was collected by the website and what software was installed by it. Once the program leaves a site, this log is analyzed to determine if any malware has been loaded. In such cases, the log of actions is sent for further manual analysis to an external controller program, which logs the exploit data and restarts the virtual machine to allow it to crawl other sites starting in a known uninfected state.
Initiating crawling
Out of the 10 billion plus web pages, there are many legitimate sites that do not exploit browser vulnerabilities, and to start crawling from most of these sites would be a waste of resources. An initial list was therefore manually created that listed sites known to use browser vulnerabilities to compromise visiting systems with malware. The HoneyMonkey system then follows links from exploit sites, as they have a higher probability of leading to other exploit sites. The HoneyMonkey system also records how many links point to an exploit site, thereby giving a statistical indication of how easily an exploit site is reached.
Exploit detection
HoneyMonkey uses a black-box approach to detect exploits: it does not rely on signatures of known browser exploits. A Monkey Program, a single instance of the HoneyMonkey project, launches Internet Explorer to visit a site. In addition, it records all registry and file read or write operations. The monkey does not allow pop-ups, nor does it allow installation of software. Any read or write that happens outside Internet Explorer's temporary folder therefore must have used a browser exploit. These changes are first analyzed by malware detection programs and then manually analyzed. The monkey program then restarts the virtual machine to crawl another site in a fresh state.
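The snapshot-and-compare detection described in the Technology and Exploit detection sections, as an added illustration that is not code from the HoneyMonkey project: it hashes a (constructed) file tree and a dictionary standing in for the registry before and after a simulated visit, then applies the black-box rule that any change outside the browser's cache folder is suspect. The folder name, registry key, and dropped file are constructed sample values.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example: the browser cache folder where writes are expected.
BROWSER_TEMP = "Temporary Internet Files"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  # sample registry key

def snapshot_files(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to a SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_state(before: dict, after: dict) -> dict:
    """Compare two snapshots (file hashes or registry values) and report what changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def flag_outside_cache(file_diff: dict, reg_diff: dict) -> list:
    """Black-box rule from the text: the monkey permits no pop-ups or installs,
    so any change outside the browser cache must have come from an exploit."""
    flagged = [f"file:{p}" for kind in file_diff.values() for p in kind
               if not p.startswith(BROWSER_TEMP + "/")]
    flagged += [f"reg:{k}" for kind in reg_diff.values() for k in kind]
    return sorted(flagged)

def run_demo() -> list:
    """Simulate one crawl step on constructed data and return the flagged changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / BROWSER_TEMP).mkdir()
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"pristine")
        registry = {RUN_KEY: {}}
        files_before = snapshot_files(root)
        reg_before = {k: dict(v) for k, v in registry.items()}
        # "Visit" the site: a cached page is normal; the dropped file and Run entry are not.
        (root / BROWSER_TEMP / "index[1].htm").write_bytes(b"<html>constructed page</html>")
        (root / "Windows" / "System32" / "dropper.exe").write_bytes(b"constructed")
        registry[RUN_KEY]["dropper"] = r"C:\Windows\System32\dropper.exe"
        files_after = snapshot_files(root)
        return flag_outside_cache(diff_state(files_before, files_after),
                                  diff_state(reg_before, registry))

if __name__ == "__main__":
    print(run_demo())  # -> ['file:Windows/System32/dropper.exe', 'reg:HKLM\\...\\Run']
```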
External links
- Security Now! Podcast - Episode #2: "HoneyMonkeys" http://www.grc.com/securitynow.htm
- eWeek articles: 1, 2
- Honeyclient - An open source client honeypot that drives IE similar to HoneyMonkey http://www.honeyclient.org
- HoneyC - A low interaction client honeypot framework https://www.client-honeynet.org/