Free Republic


Microsoft's "monkeys" find first zero-day exploit
Security Focus ^ | 8 August 2005 | Robert Lemos

Posted on 08/09/2005 9:11:18 AM PDT by theBuckwheat


Microsoft's experimental Honeymonkey project has found almost 750 Web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month.

Known more formerly as the Strider Honeymonkey Exploit Detection System, the project uses automated Windows XP clients to surf questionable parts of the Web looking for sites that compromise the systems without any user interaction. In the latest experiments, Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.

Honeymonkeys, a name coined by Microsoft, modify the concept of honeypots--computers that are placed online and monitored to detect attacks.

"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by Web sites on the Internet."

...

The honeymonkey project, first discussed at the Institute of Electrical and Electronics Engineers' Symposium on Security and Privacy in Oakland, California in May, is the latest attempt by the software giant to detect threats to its customers before the threats become widespread. The honeymonkeys consist of virtual machines running different patch levels of Windows. The "monkey" programs browse a variety of Web sites looking for sites that attempt to exploit browser vulnerabilities.

(Excerpt) Read more at security-focus.com ...


KEYWORDS: hack; microsoft; security; slothfuldesign; vulnerable; worm
Instead of focusing on how "elegant" their approach to discovering malicious web sites is, it would advance security far more to focus on how shamefully careless the company has been in the design and coding of the Internet Exploder browser. It should also not pass notice that the firm has had more than ample opportunity over several years to repair or rewrite IE.
1 posted on 08/09/2005 9:11:23 AM PDT by theBuckwheat
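The detection idea in the excerpt above (clients that visit pages with no user interaction and report sites that install programs by themselves), worked through as an added Python example. This is not Microsoft's code or the Strider project's implementation: it shows one way to do the check by state differencing, taking a snapshot of the client before a visit, loading the page, snapshotting again, and flagging persistent changes outside the browser's own scratch folders. The folder names, suffix list and simulated page side effects are all constructed for the example.

```python
"""
Honeyclient-style detection by state differencing (added illustration).

Snapshot the client profile before a page visit, let the page load with no
user interaction, snapshot again, and treat any persistent change outside
the browser's own scratch areas as evidence of a drive-by install.
"""
import hashlib
import os
import tempfile

# Assumed browser scratch locations (constructed for the example): writes
# here are expected cache churn and are ignored.
BROWSER_SCRATCH = ("Temporary Internet Files", "Cookies", "History")

# File types that count as an install when they land outside scratch space.
INSTALL_SUFFIXES = (".exe", ".dll", ".scr", ".cpl", ".lnk")


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_state(before, after):
    """Return (created, modified, deleted) relative paths, each sorted."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return created, modified, deleted


def in_scratch(rel_path):
    return any(rel_path.startswith(prefix + "/") for prefix in BROWSER_SCRATCH)


def suspicious_changes(before, after):
    """Changes a page must never cause without consent: new or altered
    binaries/shortcuts outside scratch space, or anything under Start Menu."""
    created, modified, _deleted = diff_state(before, after)
    hits = []
    for path in created + modified:
        if in_scratch(path):
            continue
        if path.lower().endswith(INSTALL_SUFFIXES) or path.startswith("Start Menu/"):
            hits.append(path)
    return hits


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def simulate_visit(root, malicious):
    """Stand-in for loading a page: constructed side effects, no real browsing."""
    _write(root, "Temporary Internet Files/index.html", b"<html>page</html>")
    _write(root, "Cookies/site.txt", b"session=abc")
    if malicious:
        # A drive-by install as it shows up on disk: a dropped binary plus a
        # startup shortcut, neither of which the user asked for.
        _write(root, "Program Files/updater/svc.exe", b"MZ...")
        _write(root, "Start Menu/Programs/Startup/svc.lnk", b"L\x00\x00\x00")


def check_page(malicious):
    """One before/visit/after cycle in a throwaway profile directory.
    Returns the list of suspicious paths (empty means the page was clean)."""
    with tempfile.TemporaryDirectory() as profile:
        _write(profile, "Program Files/notepad.exe", b"MZ existing")
        before = snapshot(profile)
        simulate_visit(profile, malicious)
        after = snapshot(profile)
        return suspicious_changes(before, after)
```

The article notes that the real monkeys run in virtual machines at different patch levels; the snapshots in a production setup are best taken from outside the guest (or from a trusted agent), because a page that has already compromised the client can also tamper with a detector running inside it. Registry autorun keys would be diffed the same way as the file tree here.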

To: theBuckwheat
Known more formerly

'Known more FORMALLY'

Geez.

2 posted on 08/09/2005 9:16:40 AM PDT by atomicpossum (Replies should be as pedantic as possible. I love that so much.)

To: theBuckwheat

But Microsoft's expertise has long been in fixing mistakes and explaining obtuse problems, not preventing them. Stick with what you're best at!


3 posted on 08/09/2005 9:17:02 AM PDT by JohnnyZ ("I believe abortion should be safe and legal in this country." -- Mitt Romney)

To: theBuckwheat

Why not auto block these sites?


4 posted on 08/09/2005 9:17:03 AM PDT by LesbianThespianGymnasticMidget (If con is the opposite of pro, is Congress the opposite of progress?)

To: theBuckwheat

I might just interject that UNIX is the only OS whose vulnerabilities led to the complete shutdown of the internet.

Has it been patched? Yes.

So what is the problem with a company that offers free patches for a minimum of seven years after the last sale of an OS version?

Are you saying that every distributor of software is forever responsible for exploits, despite offering free fixes?


5 posted on 08/09/2005 9:17:31 AM PDT by js1138 (Science has it all: the fun of being still, paying attention, writing down numbers...)

To: LesbianThespianGymnasticMidget
Why not auto block these sites?

Microsoft would be more interested in plugging the vulnerability itself, since the sites could just relocate.

6 posted on 08/09/2005 9:20:21 AM PDT by atomicpossum (Replies should be as pedantic as possible. I love that so much.)

To: theBuckwheat
It should also not pass notice that the firm has had more than ample opportunity over several years to repair or rewrite IE.

IE 7 will be released soon (rewrite), and Microsoft has been very responsive in issuing patches for (repairing) IE 6. All one needs to do is enable automatic updates, or visit the Windows Update web site once in a while.

I think it's more appropriate to place the blame where it really belongs - on the hacker, not the victim.

7 posted on 08/09/2005 9:20:43 AM PDT by vrwc1

To: theBuckwheat
In related news, during her weekend radio talk show, Kim Komando said something about how MS has expanded its automated Windows Update service to scan PCs for unlicensed or unregistered software.

Also, she said some unscrupulous employees of large corporations sell their companies' surplus XP license keys to unsuspecting buyers on eBay. I suppose everyone's happy until MS discovers the key is part of a corporate license and it's not running on that corporation's PC.

8 posted on 08/09/2005 9:24:03 AM PDT by newgeezer (Just my opinion, of course. Your mileage may vary.)

To: vrwc1
I think it's more appropriate to place the blame where it really belongs - on the hacker, not the victim.

Bump!

9 posted on 08/09/2005 9:24:25 AM PDT by FourtySeven (47)

To: atomicpossum

Sure, fix the exploit, but in the mean time, have something that mods the hosts file to send these sites to 127.0.0.1


10 posted on 08/09/2005 9:24:47 AM PDT by LesbianThespianGymnasticMidget (If con is the opposite of pro, is Congress the opposite of progress?)

To: LesbianThespianGymnasticMidget
Why not auto block these sites?

Well... there are a few reasons they (M$) probably won't do it themselves... but you can do it yourself. Just read http://www.mvps.org/winhelp2002/hosts.htm - this method works great! I do it to every machine I build/touch.

11 posted on 08/09/2005 9:27:16 AM PDT by visagoth (If you think education is expensive - try ignorance)
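The hosts-file approach proposed in post 10 and pointed to in post 11, as an added Python example that is not the MVPS script from the link and not part of this thread. It keeps the block entries inside a marked section so that re-running it with a fresh list replaces stale entries instead of piling up duplicates, never touches lines the administrator wrote by hand, and refuses to override localhost. The marker comments, sink address and sample hosts text are constructed for the example.

```python
"""
Managed blocklist section in a hosts file (added example).

Hostnames from a blocklist are mapped to an unroutable sink inside a marked
block; hand-written lines outside the block are left alone, and each run
replaces the previous block in full.
"""
import re

BEGIN = "# BEGIN managed blocklist (do not edit by hand)"
END = "# END managed blocklist"
SINK = "0.0.0.0"   # unroutable; 127.0.0.1 also works but would hit a local listener

HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def normalize(hostnames):
    """Lower-case, drop trailing comments, reject junk, dedupe, keep order.
    'localhost' is never accepted so the blocklist cannot break the machine."""
    seen, out = set(), []
    for raw in hostnames:
        host = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not host or host == "localhost" or not HOST_RE.match(host) or host in seen:
            continue
        seen.add(host)
        out.append(host)
    return out


def render_block(hostnames):
    return "\n".join([BEGIN] + [f"{SINK} {h}" for h in normalize(hostnames)] + [END])


def merge_hosts(existing_text, hostnames):
    """Return the new hosts text: old managed block (if any) removed, every
    other line kept verbatim, fresh block appended at the end."""
    lines = existing_text.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        b, e = lines.index(BEGIN), lines.index(END)
        kept = lines[:b] + lines[e + 1:]
    else:
        kept = lines
    while kept and not kept[-1].strip():      # trim trailing blank lines
        kept.pop()
    return "\n".join(kept + ["", render_block(hostnames)]) + "\n"


def lookup(hosts_text, name):
    """Resolve a name the way the hosts file does: first matching line wins,
    comments ignored. Returns the address or None."""
    name = name.lower()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


# Constructed sample hosts file and blocklist for a stand-alone run.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "192.0.2.10 intranet.example  # hand-written entry\n"
)
SAMPLE_BLOCKLIST = ["Evil.Example", "evil.example", "drive-by.example # seen 2005-08",
                    "localhost", "bad host"]

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_BLOCKLIST))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and writing it needs administrator rights; write the merged text to a temporary file and rename it over the original so a crash mid-write cannot leave a truncated hosts file. The limitation atomicpossum raised in post 6 still applies: the block is by hostname only, so a site that moves to a new name is not caught until the list is refreshed and re-merged.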

To: vrwc1
I think it's more appropriate to place the blame where it really belongs - on the hacker, not the victim.

Unless hatred of Microsoft happens to be a religious thing, as it is for some....

12 posted on 08/09/2005 9:27:34 AM PDT by r9etb

To: js1138
I might just interject that UNIX is the only OS whose vulnerabilities led to the complete shutdown of the internet. Has it been patched? Yes.

That was nearly 20 years ago, when the entire internet was UNIX machines. (BTW, the bug was in a program (sendmail), not the OS.) The failure of Microsoft to learn from the mistakes of UNIX, which had a 20-year head start, is an embarrassment.

13 posted on 08/09/2005 9:27:47 AM PDT by kevkrom (WARNING: If you're not sure whether or not it's sarcasm, it probably is.)

To: js1138
I might just interject that UNIX is the only OS whose vulnerabilities led to the complete shutdown of the internet.

Shhhh ... this is a fact which the Anti-Microsoft zealots don't want anyone to know.

14 posted on 08/09/2005 9:35:49 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: vrwc1
I think it's more appropriate to place the blame where it really belongs - on the hacker, not the victim.

They would blame mugging victims too if they applied the same logic.

Jealousy makes people act in strange ways.

BTW: I am NOT talking about anyone who dislikes Microsoft, that's their choice. I am talking about the ones who go to every thread where MS is mentioned and immediately begin the same old tired put downs. Examples: "Micro$oft", "Bill Gate is Satan", "MS is crapware". You know, the usual.

15 posted on 08/09/2005 9:40:47 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: atomicpossum
Microsoft would be more interested in plugging the vulnerability itself, since the sites could just relocate.

Unfortunately, this is just too easy a thing to do.  A site can relocate easily and begin their attacks again.

16 posted on 08/09/2005 9:43:39 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: kevkrom; js1138
BTW, the bug was in a program (sendmail), not the OS.

If a bug in a program takes down the entire OS, which is what happened with the sendmail worm, then your OS has a problem. All the machines that crashed as a result of the worm crashed because they fell victim to what was effectively a fork bomb, and that's not a sendmail problem.

17 posted on 08/09/2005 9:44:50 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: theBuckwheat

I agree, computing for the masses is a painful effort. MS hasn't really done a whole lot IMO to make it any easier or less painful in regards to vulnerability.

I'm not that computer literate, but know enough to use an anti-virus program and spyware killer. Even then though, I find that some sites are still able to get malicious crap through.

Informative article though. Thanks for posting.

Cheers!


18 posted on 08/09/2005 9:45:54 AM PDT by SZonian (Tagline???? I don't need no stinkin' tagline!)

To: theBuckwheat

It's impossible to create Maginot Lines of code. The malicious will always find a way to exploit code. A vulnerability isn't a vulnerability until it's exploited....


19 posted on 08/09/2005 9:49:36 AM PDT by freebilly (Go Manitowoc Bandits!)

To: visagoth

Thanks for this! I'll be trying it out this weekend at home.

Cheers!


20 posted on 08/09/2005 9:51:27 AM PDT by SZonian (Tagline???? I don't need no stinkin' tagline!)

To: r9etb; softwarecreator
You can almost detect a kind of maniacal anti-Microsoft jihadi mindset from some people. It's a completely illogical hate, hate, hate thing, and I just don't get it. What did Microsoft ever do to cause these people to act that way?

Then again, I guess asking that question makes about as much sense as seeking after the "root cause of terrorism". There is no rational explanation for it.

21 posted on 08/09/2005 9:51:43 AM PDT by vrwc1

To: general_re

Are we talking about the same bug? In my recollection, the sendmail bug allowed arbitrary execution of code, which was compounded because sendmail was improperly configured (by default) to run as "root" (system administrator). Then again, it was a long time ago...


22 posted on 08/09/2005 9:52:53 AM PDT by kevkrom (WARNING: If you're not sure whether or not it's sarcasm, it probably is.)

To: vrwc1
What did Microsoft ever do to cause these people to act that way?

They became immensely successful and then had the nerve to not {gasp} share their source code with those who demanded it ... for FREE.

Coke has had their secret "Formula X" for how many years and yet no one DEMANDS they share it.  Same with KFC, Dr. Pepper, etc.  Do you hear outrage about these companies?  Nope.  Only Microsoft.

23 posted on 08/09/2005 9:56:45 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: visagoth

Thanks!!!!!


24 posted on 08/09/2005 9:57:46 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: kevkrom
The failure of Microsoft to learn from the mistakes of UNIX, which had a 20-year head start, is an embarrassment.

If 1988 was over 20 years ago, you are a genuine futurist.

I will not defend Microsoft against the charge that they did not anticipate the rise of the internet as a consumer appliance. I happen to remember 1995, when I first started using the internet at home. At the time the computer magazines were full of articles asking what the next killer app would be. No one mentioned the browser. So duh.

Microsoft concentrated its efforts on making networking easy for non-technical people, at the expense of security. As a result, Windows has a 90 percent market share, and Unix in its various forms has less than ten percent. I wonder if Bill Gates and his stockholders would have it the other way round.

25 posted on 08/09/2005 9:59:07 AM PDT by js1138 (Science has it all: the fun of being still, paying attention, writing down numbers...)

To: js1138
If 1988 was over 20 years ago, you are a genuine futurist.

I said the sendmail bug was nearly 20 years ago. Also, UNIX does have a 20+ year head start on Microsoft, especially in regards to networking (ARPAnet debuted in 1968, though UNIX didn't begin to appear until the following year).

Microsoft concentrated its efforts on making networking easy for non-technical people, at the expense of security.

Which meant ignoring decades worth of networking experience from the UNIX and VMS worlds. It was a business/marketing decision, but in the long run, a bad one because it has put them, as a company, always in a trailing mode of operation with regards to security.

26 posted on 08/09/2005 10:06:37 AM PDT by kevkrom (WARNING: If you're not sure whether or not it's sarcasm, it probably is.)

To: kevkrom
I went and tried to google up some details - the worm had most of its success by attacking fingerd. It never ran as root, but rather as daemon as far as I can tell. Anyway, the problem was that it didn't always die the way it was (apparently) supposed to, resulting in the load very rapidly increasing on infected machines to the point of unresponsiveness in some cases. Story time here, if you're bored ;)
27 posted on 08/09/2005 11:05:16 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: theBuckwheat
"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group.

All Windows computers are honeymonkey clients.

28 posted on 08/09/2005 11:30:24 AM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)

To: general_re

I don't think this thread is going the way it was planned.

It's really difficult to make fun of a company for taking proactive steps towards security, even if they have been negligent in the past.

Particularly when they have never had a disaster of the magnitude of their competitor's.


29 posted on 08/09/2005 12:33:07 PM PDT by js1138 (Science has it all: the fun of being still, paying attention, writing down numbers...)

To: js1138

Eh, cheap shots are easier. Anyway, it looks to me like a fairly clever approach that should yield tangible benefits to end users. If it was the Mozilla Foundation doing this, we'd be hearing how clever it is, but it's not, so there ;)


30 posted on 08/09/2005 12:39:05 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson