This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Testing different XP versions is critical to mimic user experiences, she says. "This is because machines running pirated versions of XP aren't going to be able to obtain SP2 patches. We also are planning to look at more than browser exploits. This includes peer-to-peer applications and Domain Name System clients."
Like HoneyMonkey, the open-source honeyclients look for changes to the Windows operating system, such as modified registry keys, new or deleted files in system folders, as well as processes that have been changed or created. The main difference is the project has no legal firepower, and relies on publicity and cooperation from security vendors and ISPs to block malicious sites. The researchers say that all of the major antimalware vendors have implemented signature changes as a result of what they have found.
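The snapshot-and-diff check the honeyclients perform on files, registry keys and processes, as an added Python example that is not part of the honeyclient project's own code: a clean baseline is recorded, the browser visits the URL, the state is recorded again, and any difference marks the site as suspicious. The file names, registry keys and hash values are constructed placeholders; only the directory walk touches a real file system.

```python
import hashlib
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large system files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_files(root) -> dict:
    """Walk a real directory tree and map each file's relative path to its hash."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in root.rglob("*") if p.is_file()}


def diff_state(before: dict, after: dict) -> dict:
    """Compare two {key: value} snapshots and report what was added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def assess_visit(baseline: dict, post_visit: dict) -> dict:
    """Diff every monitored dimension; any difference marks the visited site as suspicious."""
    report = {dim: diff_state(baseline[dim], post_visit[dim]) for dim in baseline}
    report["suspicious"] = any(report[dim][kind] for dim in baseline for kind in report[dim])
    return report


# Constructed sample snapshots (names and hash values are placeholders, not real data).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {
    "files": {"Windows/System32/kernel32.dll": "hash-k32", "Windows/System32/user32.dll": "hash-u32"},
    "registry": {RUN_KEY + r"\ctfmon": r"C:\Windows\System32\ctfmon.exe"},
    "processes": {"explorer.exe": 1, "iexplore.exe": 1},
}
# Constructed post-visit state: a file dropped into System32, a Run key added, a new process running.
POST_VISIT = {
    "files": {**BASELINE["files"], "Windows/System32/dropper.exe": "hash-drop"},
    "registry": {**BASELINE["registry"], RUN_KEY + r"\dropper": r"C:\Windows\System32\dropper.exe"},
    "processes": {**BASELINE["processes"], "dropper.exe": 1},
}

if __name__ == "__main__":
    print(assess_visit(BASELINE, POST_VISIT))
```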
Mitre started the project in 2005 with seven machines; the New Zealand group at Victoria University has another dozen. There certainly are more systems scattered all over the world, but the exact number is unknown because anyone can download and install their code.
So far, the group at Mitre has found at least 10 new malware variants. "All of these are ones that the major antivirus products weren't able to initially detect," says Kathy Wang.
Meanwhile, the Germany/New Zealand group of researchers found 306 malicious URLs earlier this year, from 194 hosts, trolling through an initial population of more than 300,000 URLs. That team has developed tests (www.nz-honeynet.org/cwebservice.php) that anyone can run on a suspected Web server: Enter a suspect URL and the service tells you whether it suspects the site of running malware.
Next, the project teams want to coordinate how all their downloaded tracking systems scan the overall Internet, similar to how SETI@home coordinates the scanning of radio signals from outer space. They are working on extensions to the honeyclient project that will enable wide-scale distribution of their software.
"It is time to start learning by winning this war. We need to find the attackers and stop them before they compromise our machines," Kathy Wang declares. "Most of us are far too reactive in defending our systems. Once we get a lot more players, we can share information on trends and attack vectors. Then you don't have to be defenseless from zero-day attacks."
This was first published in November 2007