Redmond's Worker Bees
Microsoft began a honeyclient project, HoneyMonkey (www.research.microsoft.com/HoneyMonkey/), in 2005 as part of its overall program to improve Windows and Internet security. It consists of three parts: the Flight Data Recorder, which tracks OS configuration changes caused by malicious sites; a URL collection component; and a search-page link-scanning component.
The project started with a more general effort to better document Windows crashes and "blue screens of death" and track down their causes, building what became the Flight Data Recorder, which "tracks everything that updates the file system and Windows registry," says Yi-Min Wang, director of the Cyber-Intelligence Lab in Microsoft's Internet Services Research Center.
Wang wanted to expand the project focus beyond just finding bad Web sites and examine the entire ecosystem a hacker operates to drive traffic to these sites.
"We now have a much broader understanding of how malicious sites fit into the bigger picture," he says. "People use these Internet scams by getting placed in search places, getting lots of traffic to visit their sites, and exploiting the browsers of these visitors by placing malicious software and charging the authors of that software for these placements."
The project now runs 2,000 PCs and 1,000 production servers. Each PC runs Virtual PC along with some custom code to drive Internet Explorer to visit a series of Web sites and then record any changes to the operating system and browser configuration.
The PCs compile a list of malicious URLs, which is used to seed a second network of 10 fully patched PCs, which revisit the sites to see if a hacker can still get through to the PC. "If they can," Wang says, "that is a very serious exploit."
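As an added illustration of the two-tier pipeline just described (this is not Microsoft's code): a baseline snapshot of the file system and registry is diffed against the state after a browser visit, and any URL that changes the unpatched tier is revisited on the fully patched tier. The VM, browser and OS are replaced here by in-memory dicts and a constructed fake browser; the URLs, paths and registry keys are made up.

```python
"""Simplified model of the two-tier HoneyMonkey pipeline described above (added illustration,
not Microsoft's code): the VM browser visit is a callback, file system and registry are dicts."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    files: dict     # path -> content hash (stand-in for the file system)
    registry: dict  # key -> value (stand-in for the Windows registry)

def diff(before, after):
    """Flight Data Recorder role: every file or registry key the visit changed."""
    out = []
    for kind, a, b in (("file", before.files, after.files), ("registry", before.registry, after.registry)):
        out += [(kind, k) for k in set(a) | set(b) if a.get(k) != b.get(k)]
    return sorted(out)

def visit(url, baseline, browse, cache_dir="C:/Users/honey/Cache/"):
    """Drive the browser (simulated by `browse`); ignore changes inside the browser's own cache."""
    return [c for c in diff(baseline, browse(url, baseline)) if not c[1].startswith(cache_dir)]

def triage(urls, baseline, browse_unpatched, browse_patched):
    """Tier 1 (unpatched VMs) flags URLs; tier 2 (fully patched VMs) revisits only the flagged ones."""
    report = {}
    for url in urls:
        if visit(url, baseline, browse_unpatched):
            patched_hit = bool(visit(url, baseline, browse_patched))
            report[url] = "compromises fully patched host" if patched_hit else "blocked by existing patch"
    return report

# Constructed sample: a baseline image and a fake browser that "drops" files for two test URLs.
BASELINE = Snapshot({"C:/Windows/system32/kernel32.dll": "h1"}, {"HKLM/Software/Run/Updater": "C:/upd.exe"})

def fake_browser(patched):
    def browse(url, base):
        files, reg = dict(base.files), dict(base.registry)
        files["C:/Users/honey/Cache/" + hashlib.sha1(url.encode()).hexdigest()] = "page"  # normal caching
        if url == "http://known-exploit.example" and not patched:  # exploits a bug the patched tier lacks
            files["C:/Windows/dropper.exe"] = "mal"
            reg["HKLM/Software/Run/dropper"] = "C:/Windows/dropper.exe"
        if url == "http://zero-day.example":                        # succeeds even on the patched tier
            files["C:/Windows/dropper.exe"] = "mal"
        return Snapshot(files, reg)
    return browse

def run_demo():
    urls = ["http://benign.example", "http://known-exploit.example", "http://zero-day.example"]
    return triage(urls, BASELINE, fake_browser(patched=False), fake_browser(patched=True))
```

Only URLs that still alter the fully patched tier end up in the "very serious exploit" category; the others point at hosts that simply lack a patch.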
Finding malicious Web sites is just the first step. The bad sites have to be removed from search results pages so unsuspecting visitors won't reach them, and the newly discovered malware needs to be sent to security specialists, who can write the antidotes or protection signatures.
"Every time we detect a new malicious site, our legal department sends a takedown notice to the site's ISP," says Wang.
This was first published in November 2007