Monday, August 08, 2005

MSRC Strider HoneyMonkey Project

I ran across the Strider HoneyMonkey project on the MS Security Response Center (MSRC) blog this morning...very interesting stuff. From the web site:

The Strider HoneyMonkey Exploit Detection System, as the research project is code-named, was created to help detect attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts.

Sounds like a client-side honeypot: instead of sitting on a server waiting for attackers to come to it, the system plays the part of a user, drives the browser out to suspect web sites, and then examines the machine for evidence that something was installed without asking. On Windows that means automating IE (which is a COM server) and analyzing the system state after the visit. Wanna see how easy it is to automate IE? Check out Dave Roth's Perl on Win32 web site. Go to the Scripts archive and look at his IEEvents.pl script; it shows how to use the Win32::OLE module to drive IE and have it do things for you.
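To make the idea concrete, here is a bare-bones "monkey" in the same spirit. This is an added example written for this post; it is not MS's HoneyMonkey code and not Roth's IEEvents.pl. It assumes ActivePerl on a Windows box with IE installed, plus the Win32::OLE and Win32::TieRegistry modules. It takes a snapshot of a few autostart registry locations and directory listings, drives IE to the URL you give it, waits for the page (and anything it redirects to) to finish loading, then diffs the two snapshots. The keys and directories watched are my own illustrative pick, not the set the real project monitors.

```perl
#!/usr/bin/perl
# Toy HoneyMonkey-style visit: drive IE to a URL via COM, then diff
# autostart registry entries and directory listings taken before/after.
# Added example for this post (not MSRC's code). Assumes ActivePerl on
# Windows with IE, Win32::OLE and Win32::TieRegistry. Run it in a
# disposable VM with a clean snapshot to roll back to.
use strict;
use warnings;
use Win32::OLE;
use Win32::TieRegistry ( Delimiter => '/' );

my $url     = shift or die "usage: $0 <url> [timeout_secs]\n";
my $timeout = shift || 60;

# Autostart locations to watch (illustrative subset; a real monkey looks
# at far more than this).
my @run_keys = (
  'HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/',
  'HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/',
  'HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/',
);
my @dirs = ( "$ENV{WINDIR}\\system32", $ENV{TEMP} );

# Map every watched registry value/subkey and file to a comparable value.
sub snapshot {
    my %s;
    for my $path (@run_keys) {
        my $key = $Registry->{$path} or next;      # key may not exist
        for my $name ($key->ValueNames) {
            $s{"reg:$path$name"} = $key->GetValue($name);
        }
        for my $sub ($key->SubKeyNames) {          # BHO CLSIDs live as subkeys
            $s{"reg:$path$sub/"} = 1;
        }
    }
    for my $d (@dirs) {
        opendir(my $dh, $d) or next;
        for my $f (grep { !/^\.\.?$/ } readdir $dh) {
            $s{"file:$d\\$f"} = (stat "$d\\$f")[7];   # size; undef if stat fails
        }
        closedir $dh;
    }
    return \%s;
}

sub _str { defined $_[0] ? $_[0] : '' }

sub diff_snapshots {
    my ($before, $after) = @_;
    my @changes;
    for my $k (sort keys %$after) {
        if (!exists $before->{$k}) {
            push @changes, "ADDED   $k";
        } elsif (_str($before->{$k}) ne _str($after->{$k})) {
            push @changes, "CHANGED $k";
        }
    }
    return @changes;
}

# Automate IE through its COM interface and wait for the load to settle.
sub visit {
    my ($target, $secs) = @_;
    my $ie = Win32::OLE->new('InternetExplorer.Application')
        or die "IE automation failed: " . Win32::OLE->LastError() . "\n";
    $ie->{Visible} = 1;
    $ie->Navigate($target);
    my $deadline = time + $secs;
    while (time < $deadline) {
        my $ready = $ie->{ReadyState};
        last unless defined $ready;              # IE went away (crashed mid-exploit?)
        last if !$ie->{Busy} && $ready == 4;     # 4 == READYSTATE_COMPLETE
        sleep 1;
    }
    sleep 15;                                    # give a drive-by time to drop its payload
    my $landed = $ie->{LocationURL};             # final URL after any redirects
    $ie->Quit() if defined $landed;
    return $landed;
}

my $before  = snapshot();
my $landed  = visit($url, $timeout);
my $after   = snapshot();
my @changes = diff_snapshots($before, $after);

print "Visited $url (landed on ", _str($landed) || '?', ")\n";
print @changes ? join("\n", @changes, '') : "No autostart/file changes observed.\n";
```

Two caveats a practitioner will hit immediately: %TEMP% and system32 churn on their own (prefetch, IE cache, logs), so expect noise on a box that is not fully quiesced, and a visit that crashes IE is itself worth recording, since that is often what a failed exploit attempt looks like. Run it against a known-clean VM snapshot, and revert before the next URL so one infection does not pollute the baseline for the next.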

And yet, like the Strider GhostBuster tool, this won't be a product that's released for use by anyone outside of MS.

Addendum [9 Aug]: It seems that others had already picked up on the ol' honeymonkey. Rob Lemos has a SecurityFocus article on the honeymonkey, which points to a paper that MS just released this month. The paper even mentions that the honeymonkey detected a zero-day exploit, specifically for the javaprxy.dll vulnerability (1, 2), which was known but did not have an available patch. At the time it was detected (i.e., early July 2005) it was not known whether it was being publicly exploited or not.
