A honey monkey is a program that imitates a human user to lure, detect and identify malicious activity on the Internet.
According to Microsoft, who developed the concept, a honey monkey is an active client honey pot. The honey monkey behaves like a highly active and extremely unwary human Internet user, logging onto many suspect websites. The programs detect harmful coding that could jeopardize the security of human visitors.
Certain types of websites are more likely to contain malicious coding, whether by design or as a result of hacking. Favored targets include the home pages of celebrities, sites that offer downloadable music and videos (particularly those that operate in violation of copyright law), pornographic sites and gaming cheater sites. Sophisticated hackers operate according to the principle of "minimizing the effort and maximizing the results." Effective honey monkeys take advantage of the same paradigm, scanning the Web for URLs most likely to be compromised. In some cases, individual hackers can be personally identified.
Microsoft developed a Web patrol system called Strider HoneyMonkeys to detect Web sites that frequently install spyware, Trojans and viruses on the computers of Internet users. Microsoft's system consists of multiple monkey programs running on virtual machines (VMs). Host systems have a range of patch levels to detect specific types of exploits.
In addition to identifying and isolating uniform resource locators (URLs) that propagate malware, a program called Strider Tracer can detect configuration and file changes that occur following an exploit. Using this method, interconnected communities of Web sites have been discovered that use targeted URLs to exploit client-side vulnerabilities on unpatched computers. Once such a site and the nature of its activity has been identified, a patch is generated to counter the threat.
In the first month of activity, the HoneyMonkey project detected malicious coding on 752 unique URLs, hosted on 287 sites. Researchers were able to identify several "major players," each of whom is responsible for many exploit pages.