What is Strider “HoneyMonkey”?

The Strider HoneyMonkey Exploit Detection System, as the research project is code-named, was created to help detect attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts.

A traditional method of inspecting attacks against computers has been to provide a “honeypot” server on the Internet. Such servers are intended to provide information about attackers by presenting themselves as targets.

Manual analyses of exploit sites often provide useful, detailed information about which vulnerabilities are exploited and which malware programs are installed. But such analyses do not provide a big-picture view of the problem.

The Strider HoneyMonkey project takes the static concept of a honeypot in a new direction. A “honeymonkey” is a computer or a virtual PC that actively mimics the actions of a user surfing the Web. A series of “monkey programs”, which drive a browser in a manner similar to that of a human user, run on virtual machines in order to detect exploit sites. The browsers can be configured to run with fully updated software, or without specific updates in order to look for exploit sites that target specific vulnerabilities. In this manner, the attacks more likely to impact customers can be analyzed and detected.

At each Web site identified by Strider HoneyMonkey, however, follow-up work is required to identify what kind of exploit exists and how it operates. And much more work is needed to verify and understand the exploit vector. Click here for more information.