Strider HoneyMonkeys: Active Client-Side Honeypots for Finding Web Sites That Exploit Browser Vulnerabilities
Internet attacks that use Web servers to exploit browser vulnerabilities to install spyware programs are a serious emerging threat. In this paper, we introduce the concept of Automated Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect Internet users. We describe the implementation of the Strider HoneyMonkey Exploit Detection System, which consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities.
Within the first month of utilizing this new system, we identified 752 unique URLs hosted on 287 Web sites that can successfully exploit unpatched WinXP machines. The system automatically constructs topology graphs that capture the connections between the exploit sites based on traffic redirection, which leads to the identification of several major players who are responsible for a large number of exploit pages and appear to be building a business model based on such attacks. By monitoring the 752 exploit URLs on a daily basis, we were able to find a malicious Web site that was performing zero-day exploits of the unpatched javaprxy.dll vulnerability at that time. It was confirmed to be the first in-the-wild, zero-day exploit URL of the vulnerability reported to the Microsoft Security Response Center.
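The redirection-based topology graph mentioned in the abstract can be sketched as follows. This is an added example, not code from the paper or the HoneyMonkey system; the redirect pairs are constructed, and collapsing URLs to hostnames and ranking sites by how many other sites feed them traffic are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (visited URL, URL the browser was redirected to).
# Hostnames use the reserved .example TLD; none are real observations.
OBSERVED_REDIRECTS = [
    ("http://portal-a.example/index.html", "http://ads-b.example/frame.html"),
    ("http://portal-c.example/news.html", "http://ads-b.example/frame.html"),
    ("http://ads-b.example/frame.html", "http://provider-x.example/load.html"),
    ("http://portal-d.example/home.html", "http://provider-x.example/load.html"),
    ("http://portal-e.example/a.html", "http://provider-y.example/p.html"),
    ("http://portal-a.example/other.html", "http://portal-a.example/index.html"),
]

def site_of(url):
    """Collapse a URL to its hostname (assumed node granularity)."""
    return (urlsplit(url).hostname or "").lower()

def build_site_graph(redirects):
    """Return {site: set(sites it redirects to)}, ignoring same-site hops."""
    graph = {}
    for src, dst in redirects:
        s, d = site_of(src), site_of(dst)
        graph.setdefault(s, set())
        graph.setdefault(d, set())
        if s != d:
            graph[s].add(d)
    return graph

def upstream_sites(graph, target):
    """All sites whose traffic can reach target by following redirects."""
    reverse = defaultdict(set)
    for s, dsts in graph.items():
        for d in dsts:
            reverse[d].add(s)
    seen, stack = set(), [target]
    while stack:  # iterative walk; the seen set makes redirect loops safe
        for parent in reverse[stack.pop()]:
            if parent not in seen and parent != target:
                seen.add(parent)
                stack.append(parent)
    return seen

def rank_by_upstream(graph):
    """Sites ordered by the number of distinct sites feeding them traffic."""
    counts = {site: len(upstream_sites(graph, site)) for site in graph}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Sites at the top of `rank_by_upstream(build_site_graph(OBSERVED_REDIRECTS))` are the redirection sinks, which is where blocking or takedown effort covers the most front-end pages.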
author = {Yi-Min Wang},
title = {Strider {HoneyMonkeys}: Active {Client-Side} Honeypots for Finding Web Sites That Exploit Browser Vulnerabilities},
year = {2005},
address = {Baltimore, MD},
publisher = {USENIX Association},
month = jul
}