HoneyMonkey
   HOME

TheInfoList



Click Here for Items Related To - HoneyMonkey
OR:
HoneyMonkey on:   [Wikipedia]   [Google]   [Amazon]

HoneyMonkey, short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot. The implementation uses a network of computers to
crawl Crawl, The Crawl, or crawling may refer to: Biology * Crawling (human), any of several types of human quadrupedal gait * Limbless locomotion, the movement of limbless animals over the ground * Undulatory locomotion, a type of motion characteriz ...
the
World Wide Web The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet. Documents and downloadable media are made available to the network through web ...
searching for
website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wi ...
s that use
browser exploit A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to breach browser security to alter a user's browser settings without their knowledge. Malici ...
s to install malware on the HoneyMonkey computer. A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site. After visiting the site, the state of memory, executables, and registry is recorded and compared to the previous snapshot. The changes are analyzed to determine if the visited site installed any malware onto the client honeypot computer. HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in 2005. With honeymonkeys it is possible to find open
security hole Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...
s that are not yet publicly known but are being exploited by attackers.


Technology

A single HoneyMonkey is an automated program that tries to mimic the action of a user surfing the net. A series of HoneyMonkeys are run on
virtual machine In computing, a virtual machine (VM) is the virtualization/ emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized h ...
s running
Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...
, at various levels of patching — some are fully patched, some fully vulnerable, and others in between these two extremes. The HoneyMonkey program records every read or write of the file system and registry, thus keeping a log of what data was collected by the web-site and what software was installed by it. Once the program leaves a site, this log is analyzed to determine if any malware has been loaded. In such cases, the log of actions is sent for further manual analysis to an external controller program, which logs the exploit data and restarts the virtual machine to allow it to crawl other sites starting in a known uninfected state.


Initiating crawling

Out of the 10 billion plus web pages, there are many legitimate sites that do not use exploit browser vulnerabilities, and to start crawling from most of these sites would be a waste of resources. An initial list was therefore manually created that listed sites known to use browser vulnerabilities to compromise visiting systems with malware. The HoneyMonkey system then follows links from exploit sites, as they had higher probability of leading to other exploit sites. The HoneyMonkey system also records how many links point to an exploit site thereby giving a statistical indication of how easily an exploit site is reached.


Exploit detection

HoneyMonkey uses a
black box In science, computing, and engineering, a black box is a system which can be viewed in terms of its inputs and outputs (or transfer characteristics), without any knowledge of its internal workings. Its implementation is "opaque" (black). The te ...
system to detect exploits, i.e., it does not use a signature of browser exploits to detect exploits. A Monkey Program, a single instance of the HoneyMonkey project, launches
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems ( ...
to visit a site. It also records all registry and file read or write operations. The monkey does not allow pop-ups, nor does it allow installation of software. Any read or write that happens out of Internet Explorer's temporary folder therefore must have used browser exploits. These are then analyzed by malware detection programs and then manually analyzed. The monkey program then restarts the virtual machine to crawl another site in a fresh state.


See also

* Client honeypot / honeyclient


References


External links

*
Security Now! ''Security Now!'' is a weekly podcast hosted by Steve Gibson and Leo Laporte. It was the second show to premiere on the TWiT Network, launching in summer 2005. The first episode, “As the Worm Turns”, was released on August 19, 2005. ''Se ...
PodCast - Episode #2: "HoneyMonkeys

*
eWeek ''eWeek'' (''Enterprise Newsweekly'', stylized as ''eWEEK''), formerly PCWeek, is a technology and business magazine. Previously owned by QuinStreet; Nashville, Tennessee marketing company TechnologyAdvice acquired eWeek in 2020. The print edi ...
articles
12
*Honeyclient - An open source client honeypot that drives IE similar to HoneyMonke

*HoneyC - A low interaction client honeypot framewor
MSR article
* tp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf MSR Technical Paper {{Microsoft Research Computer network security Microsoft Research