A Microsoft research effort to detect and analyse websites that host malicious code could allow the company to one day offer enterprises the same capabilities vendors of URL filtering products have been pitching for some time now.
But for now, at least, it remains unclear if this is the direction Microsoft is headed with its research effort, users and analysts say.
This month Microsoft released a report summarising the first month of testing of its Strider HoneyMonkey Exploit Detection System. The system was launched as part of a bid by Microsoft to identify and head off attacks that use web servers to exploit unpatched browser vulnerabilities and install malware on compromised PCs, says Yi-Min Wang, group manager of the Microsoft Cybersecurity and Systems Management Research Group.
The system uses an automated network of "HoneyMonkey" systems to patrol the web for sites that exploit browser vulnerabilities. Each HoneyMonkey on the network is a computer or a virtual PC that actively mimics the actions of a user surfing the web, according to a Microsoft description of the system. Some of the systems on the network run fully-patched browsers. Others run partially-patched browsers, and the rest use browsers that have not been patched at all.
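The tiered design described above lends itself to a small model. The following Python is an added illustration, not Microsoft's code and not the Strider HoneyMonkey implementation: it assumes that a monkey never clicks anything, so any file written outside browser-owned paths or any new process during a visit counts as an exploit indicator; that URLs are escalated from the least patched tier upward and escalation stops at the first tier that resists; and it uses constructed visit logs, hostnames under `.example.test` and placeholder file names (`svch0st.exe`, `dropper.exe`) in place of real VM snapshots. The blocklist function at the end shows how such verdicts could feed the kind of URL list the article goes on to discuss.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


class Tier(IntEnum):
    """Patch level of the monkey's browser, least patched first."""
    UNPATCHED = 0
    PARTIAL = 1
    FULL = 2


@dataclass(frozen=True)
class VisitLog:
    """State changes recorded while a monkey sat on a page without clicking."""
    files_written: frozenset = frozenset()
    processes_spawned: frozenset = frozenset()


# Locations a passive page load is allowed to touch (cache, cookies).
# Assumed allow-list for this example, not Microsoft's.
BROWSER_OWNED = (
    "c:\\documents and settings\\monkey\\local settings\\temporary internet files\\",
    "c:\\documents and settings\\monkey\\cookies\\",
)


def is_exploited(log: VisitLog) -> bool:
    """The monkey never clicks, so a write outside browser-owned paths or a
    new process means the page ran code the user never asked for."""
    rogue_files = [p for p in log.files_written
                   if not p.lower().startswith(BROWSER_OWNED)]
    return bool(rogue_files) or bool(log.processes_spawned)


def triage(url: str, visit: Callable[[str, Tier], VisitLog]) -> Optional[Tier]:
    """Escalate a URL from the least patched tier upward and return the
    highest tier it still exploited (None if even the unpatched monkey was
    untouched). A tier that resists ends the escalation, so the scarce fully
    patched monkeys only see URLs that beat the lower tiers (assumed staging)."""
    highest = None
    for tier in Tier:
        if not is_exploited(visit(url, tier)):
            break
        highest = tier
    return highest


VERDICT = {
    None: "clean",
    Tier.UNPATCHED: "exploits unpatched browser only",
    Tier.PARTIAL: "exploits partially patched browser",
    Tier.FULL: "exploits fully patched browser (possible zero-day)",
}


def run_crawl(urls, visit: Callable[[str, Tier], VisitLog]) -> Dict[str, str]:
    """Map each URL to a human-readable verdict."""
    return {u: VERDICT[triage(u, visit)] for u in urls}


def blocklist(results: Dict[str, str]) -> List[str]:
    """Hostnames worth feeding a URL filter: anything that exploited any tier."""
    return sorted({urlsplit(u).hostname for u, v in results.items() if v != "clean"})


# Constructed visit logs standing in for real VM snapshots.
CACHE = "C:\\Documents and Settings\\monkey\\Local Settings\\Temporary Internet Files\\"
_LOGS = {
    ("http://ads.example.test/banner", Tier.UNPATCHED): VisitLog(
        files_written=frozenset({CACHE + "banner.gif", "C:\\WINDOWS\\system32\\svch0st.exe"}),
        processes_spawned=frozenset({"svch0st.exe"})),
    ("http://ads.example.test/banner", Tier.PARTIAL): VisitLog(
        files_written=frozenset({CACHE + "banner.gif"})),
    ("http://shop.example.test/", Tier.UNPATCHED): VisitLog(
        files_written=frozenset({CACHE + "index.htm"})),
    ("http://search.example.test/q", Tier.UNPATCHED): VisitLog(
        processes_spawned=frozenset({"dropper.exe"})),
    ("http://search.example.test/q", Tier.PARTIAL): VisitLog(
        processes_spawned=frozenset({"dropper.exe"})),
    ("http://search.example.test/q", Tier.FULL): VisitLog(
        processes_spawned=frozenset({"dropper.exe"})),
}


def simulated_visit(url: str, tier: Tier) -> VisitLog:
    """Stand-in for driving a real VM; unknown (url, tier) pairs look clean."""
    return _LOGS.get((url, tier), VisitLog())


if __name__ == "__main__":
    results = run_crawl(sorted({u for u, _ in _LOGS}), simulated_visit)
    for url, verdict in sorted(results.items()):
        print(f"{verdict:50} {url}")
    print("blocklist:", blocklist(results))
```

The point of the patch tiers is visible in `triage`: a URL that only beats the unpatched monkey is a known, already-fixed hole, while one that still exploits the fully patched tier is the case that needs immediate attention, and staging keeps the expensive fully patched runs for exactly those URLs.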
In its first month of testing, the Strider project located 752 URLs for websites that automatically infect unpatched Windows XP systems when users visit them, Wang says. A majority of the URLs belong to porn sites, although a few also belong to internet advertising companies, shopping sites and search engine companies, Wang says.
Such information allows Microsoft to stay on top of new and emerging internet threats, says Stephen Toulouse, programme manager of Microsoft's Security Response Centre. "We are working with ISPs, law enforcement, customers, etcetera, to provide data about the threats out there," he says.
Toulouse did not elaborate on Microsoft plans for using the HoneyMonkey network going forward.
"At first glance it looks like they are wanting to get into the content filtering space" like other vendors, says Eric Beasley, senior network manager at Baker Hill, an application services provider.
The information gathered by the HoneyMonkey network will allow Microsoft to build lists of malicious URLs that companies can block employees from accessing, he says.
Vendors such as Websense, Secure Computing and Surf Control USA, for example, already sell such URL filtering products based on similar lists.
The question is whether Microsoft plans to use its research to sue malicious website operations "out of existence, or whether they plan to get into the content filtering business," Beasley says.
For the moment, HoneyMonkey appears to be a pure research effort by Microsoft, says John Pescatore, an analyst at Gartner. But don't be surprised to see the information used to "feed future products" from the company, Pescatore says. For example, the information gathered by the HoneyMonkey network could allow the company to build better defences in its growing suite of antispyware and antivirus products, he says.
"For now, it's just more research and data to sift through to try and figure out how to overcome the failings of the Microsoft programming groups," says Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust. "I'd be happier if Microsoft were making IP addresses and DNS names available now for every site they identify, with the caveat that the site may actually not be malicious."