Tuesday, September 12, 2006

Microsoft's Shield: Strider HoneyMonkey


I remember the first day I came back to Pano Cap Canada after surgery. My hope was that I could start back working part-time and then gradually increase my hours on-site or working remotely until I was back to full-time hours.

In the 18 months since we installed a new Windows Server 2003 network, we had encountered not a single virus or worm attack on our network. But that day I returned, I found our network consultant working on our servers to find and remove a worm. It was the first exploit that had cracked our system, despite a multi-layer defense and reasonably up-to-date patches on our server operating systems. Since then, we have had one other worm attack, likely a recurrence of the same worm.

Unfortunately, we were unable to isolate the source of the attack, but my suspicions were centred around malicious web sites visited by unsuspecting staff, perhaps even someone logged in as an administrator (I know, web surfing shouldn't be done under administrator privileges).

Recently eWeek magazine featured an article about initiatives Microsoft is taking to help LAN administrators like myself in protecting their companies against such threats. Microsoft Research's Cybersecurity and Systems Management group has a number of projects underway that may help. One such initiative is Strider HoneyMonkey (what a great moniker!).

The project is aimed at detecting and analyzing Web sites that host malicious code. The Strider HoneyMonkey Exploit Detection System detects attacks that use Web servers to exploit unpatched browser vulnerabilities and then install malware on PCs. Users typically have no idea that an exploit has occurred on their system.

The details of how the project detects malicious code is available online at Microsoft Research. There is no product associated withthe initiative, but Microsoft's Internet Safety Enforcement (ISE) Team has already used data generated from HoneyMonkey for enforcement purposes to help identify persons distributing spyware.

I'll review other Microsoft security initiatives in subsequent blog entries including the following:

  • Search Defender
  • GhostBuster
  • URL Tracer
  • BrowserShield

No comments: