WebApp Sec mailing list archives

RE: [WEB SECURITY] Re: Microsoft's 'Honeymonkey' project finds 0day


From: "Aiken, Dan" <AikenD () HSS EDU>
Date: Fri, 12 Aug 2005 14:31:20 -0400

If I understood the HoneyMonkey project correctly, Microsoft begins visiting suspect web sites with an unpatched WinXP 
machine. If it is compromised after visiting a site, Microsoft begins increasing the patch level and revisiting the 
site until the PC is not compromised again or until they reach WinXP SP2. As of the date of the article I read, no 
WinXP SP2 PC had been compromised by any of the sites.
 
After the analysis is complete, Microsoft reports the offending sites to law enforcement for further action.
 
I think this is a very useful approach to identifying and hopefully prosecuting the offending web sites.
 
Dan Aiken, GSEC, GSNA
Corporate Compliance Director
Ofc: (212) 774-2569
Fax: (212) 606-1930
aikend () hss edu
"If you think technology can solve your security problems, then you don't understand the problems and you don't 
understand the technology." Bruce Schneier
 
-----Original Message-----
From: Christopher Carpenter [mailto:ccarpenter () dswa net] 
Sent: Friday, August 12, 2005 11:33 AM
To: websecurity () webappsec org; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Re: Microsoft's 'Honeymonkey' project finds 0day
 
I don't think URL filtering is the goal;  instead, Microsoft performs an analysis of each compromised machine to 
determine if unpublished exploits are being actively utilized.  Then the patches for these vulnerabilities can be 
released in a future update.

 
So the list of suspect sites isn't a comprehensive list of the "bad" places out there, but an educated guess as to 
where exploits will be published/used.
 
Chris
 

From: Kaura, Vikram [mailto:vkaura () unterberg com] 
Sent: Thursday, August 11, 2005 8:09 PM
To: bauger () spidynamics com; websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Re: Microsoft's 'Honeymonkey' project finds 0day
 
Any thoughts on the honeymonkey project? Is this headed towards the URL filtering market? 750 web pages after a month of
work - from a suspect list of about 5000 sites seems small.

-Vik

--------------------------
Sent from Vikram Kaura's Wireless Handheld


-----Original Message-----
From: Bob Auger <bauger () spidynamics com>
To: websecurity () webappsec org <websecurity () webappsec org>; webappsec () securityfocus com <webappsec () securityfocus com>
Sent: Tue Aug 09 14:29:53 2005
Subject: Microsoft's 'Honeymonkey' project finds 0day

"Microsoft's experimental Honeymonkey project has found almost 750 web
pages that attempt to load malicious code onto visitors' computers and
detected an attack using a vulnerability that had not been publicly
disclosed, the software giant said in a paper released this month" -
Robert Lemos

http://www.theregister.co.uk/2005/08/09/ms_honeymonkey/


Regards,

Robert Auger
SPI Labs
rauger () spidynamics com
Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle
 

