Internet Security update 0638
Internet Security update 0638
Proactive HoneypotsHoneypots sit on a server and wait for intrusion attempts. When one
occurs, they can perform a variety of actions. But what if a honeypot
did the inverseheaded out on the Web to look for intruders? Microsoft
has developed a new tool, Strider HoneyMonkey Exploit Detection System,
that runs as a Web client by using "monkeys" to surf the Web for
malicious Web-based content.
HoneyMonkey's monkeys are programs that automate Web surfing and
exploit detection. Instead of relying on databases of known exploits
and malware, the monkeys launch a browser, connect to a site via its
URL, and then wait for something to happen. The programs also monitor
all file and registry access. Because the monkeys aren't designed to
click links or dialog boxes on sites, it can be reasonably assumed that
any executable file downloads or registry changes during monkey Web
sessions might be hostile in one way or another.
Microsoft says that HoneyMonkey also works in conjunction with Strider
GhostBuster and Strider Gatekeeper to detect hidden processes and hooks
that might use autostart features of the OS. HoneyMonkey runs inside a
virtual machine (VM), which makes cleaning up after any potential
exploit or infection much easier. When exploits are detected,
HoneyMonkey alerts a controller, which destroys the VM, launches a new,
fully patched VM, and passes the URL to another monkey. If an exploit
is still detected, HoneyMonkey concludes that it's found a new (or
zero-day, if you prefer) exploit and passes it on to Microsoft's
Security Response Center for further research.
HoneyMonkey works sort of like a search engine spider. It follows links
and redirects at a detected exploit site to find more suspect sites.
According to Microsoft, such sites often link to each other; if one
site's exploit doesn't work, another site's might.
Microsoft said that after a month of use, HoneyMonkey discovered 752
URLs at 287 sites that can infiltrate an unpatched system running
Windows XP. Of that lot, 204 URLs at 115 sites can infiltrate a system
running XP with Service Pack 2 (SP2) and no additional patches.
Microsoft said that the first new exploit was detected in July. It used
known vulnerabilities in javaprxy.dll, for which no patch was
available. Microsoft then created a patch, which was released in
conjunction with Microsoft Security Bulletin MS05-037, "Vulnerability
in JView Profiler Could Allow Remote Code Execution (903235)."
Here's some interesting information: Of those 752 URLs, 102 of them
were available via search results at Google and 100 of them were
available at Yahoo!. As of June 1, 49 of them were available at MSN
Search, but by June 10, Microsoft had removed all 49. The company
didn't say whether it shared its information with other search engine
operators so that they could remove the URLs from their respective
engines.
If you're interested in learning more about HoneyMonkey, visit the
Microsoft Research Web site and click the link "Full research technical
report on Strider HoneyMonkey" for a paper that contains a lot more
detail.
Security News
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities.
Recent Microsoft Security Bulletins: Exploits Already on the Loose
Just 48 hours after Microsoft issued its monthly security bulletins
last week, three proof-of-concept exploits were released that take
advantage of critical problems. On August 9, Microsoft issued six
bulletins that explain numerous problems in Microsoft Internet Explorer
(IE) and Windows Plug and Play and several other problemsmany of
these problems are considered critical. Are worms built on these
exploits only a matter of time?
Identity Theft Ring Used a Powerful Keyboard Logger
Last week, we reported that Sunbelt Software uncovered an identity
theft ring. This week, we learned how that ring managed to gather so
much sensitive information: by using a powerful keystroke logger.
Resources and Events
Reduce Downtime with Continuous Data Protection
Continuous or real-time backup systems help avoid the danger of
losing data if your system fails after the point of backup by providing
real-time protection. In this free Web seminar, learn how to integrate
them with your existing backup infrastructure, how to apply continuous
protection technologies to your Windows-based servers, and more.
Identify the Key Security Considerations for Wireless Mobility
Wireless and mobile technologies are enabling enterprises to gain
competitive advantage through accelerated responsiveness and increased
productivity. In this free Web seminar, you'll receive a checklist of
risks to factor in when considering your wireless mobility technology
evaluations and design. Sign up today and learn all you need to know
about Firewall security, Transmission security, OTA management,
management of third-party security applications and more!
SQL Server 2005 Roadshow is Coming to a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine.
Avoid the 5 Major Compliance Pitfalls
Based on real-world examples, this Web seminar will help C-level
executives, as well as IT directors and managers, avoid common mistakes
and give their organization a head start in ensuring a successful
compliance implementation. Register today and find out how you can
avoid the mistakes of others, improve IT security, and reduce the cost
of continually maintaining and demonstrating compliance.
New and Improved
Filter Web and Email Content
Aladdin Knowledge Systems offers eSafe 5.0, a gateway that checks
Web content for spyware and blocks any malicious content. eSafe
prevents downloads that use HTML vulnerability exploits and social
engineering and downloads from known spyware sites, it uses signature
and heuristic detection to identify and block spyware, and it prevents
installed spyware from transmitting to its vendors and helps
administrators identify infected PCs. eSafe also offers spam tagging,
spam blocking, remote quarantine, and user-managed quarantine and
reports, and its spam database is updated eight times a day. You can
purchase eSafe pre-installed on a variety of hardware.
