Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities

Internet attacks that use Web servers to exploit browser vulnerabilities to install malware programs are on the rise [D04,R04,B04,S05]. Several recent reports suggested that some companies may actually be building a business model around such attacks [IF05,R05]. Expensive, manual analyses for individually discovered malicious Web sites have recently emerged [F04,G05]. In this paper, we introduce the concept of Automated Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect Internet users. We describe the design and implementation of the Strider HoneyMonkey Exploit Detection System [L05,N05], which consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities. Within the first month of utilizing this new system, we identified 752 unique URLs that are operated by 287 Web sites and that can successfully exploit unpatched WinXP machines. The system automatically constructs topology graphs that capture the connections between the exploit sites based on traffic redirection, which leads to the identification of several major players who are responsible for a large number of exploit pages.