Internet attacks that use Web servers to install malware programs by exploiting browser vulnerabilities are a serious emerging threat. In this paper, we introduce the concept of Automated Web Patrol, which protects Internet users by significantly reducing the cost of monitoring malicious Web sites. We describe the design and implementation of the Strider HoneyMonkey Exploit Detection System, which consists of a pipeline of monkey programs running on virtual machines with different patch levels patrolling the Web to seek out Web sites that exploit browser vulnerabilities. Within the first month of utilizing this system, we identified 752 unique URLs hosted on 288 Web sites that can successfully exploit unpatched Windows XP machines. The system automatically constructs topology graphs based on traffic redirection, which capture the relationship between the exploit sites and lead to the identification of several major players who are responsible for a large number of exploit pages. By monitoring the 752 exploit-URLs on a daily basis, we discovered a malicious Web site that was performing zero-day exploits of the unpatched javaprxy.dll vulnerability and was operating behind 25 exploit-URLs. It was confirmed as the first in-the-wild, zero-day exploit of this vulnerability reported to the Microsoft Security Response Center. Finally, by scanning the most popular one million Web pages according to a popular search engine, we found 1,036 exploit-URLs hosted by 470 sites, many of which serve popular content related to celebrities, song lyrics, wallpapers, video game cheats, and wrestling.
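The two ideas the abstract describes, the pipeline of monkeys at increasing patch levels and the redirection topology graph used to find major players, sketched as an added example (not the paper's own code). The stage names, the `visit` callback and the sample redirect chains are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical stage names for the pipeline of monkeys at increasing patch levels.
PATCH_LEVELS = ["unpatched", "partially-patched", "fully-patched"]


def run_pipeline(url, visit):
    """Escalate a URL through the stages only while it keeps exploiting the
    monkey; visit(url, level) -> True if that stage observed an exploit.
    Returns the highest patch level exploited, or None if none was."""
    highest = None
    for level in PATCH_LEVELS:
        if not visit(url, level):
            break
        highest = level
    return highest


def is_zero_day(highest):
    """An exploit that still works on the most-patched monkey is a zero-day candidate."""
    return highest == PATCH_LEVELS[-1]


def site_of(url):
    return urlparse(url).netloc.lower()


def build_topology(traces):
    """Build the redirection topology: site -> set of sites that redirect directly
    into it. Each trace is the chain of URLs one monkey visit was redirected through."""
    inbound = defaultdict(set)
    for chain in traces:
        for src, dst in zip(chain, chain[1:]):
            if site_of(src) != site_of(dst):  # ignore same-site hops
                inbound[site_of(dst)].add(site_of(src))
    return inbound


def major_players(inbound, min_sources=2):
    """Sites fed by at least min_sources distinct sites, most-connected first:
    the 'major players' that many exploit pages funnel traffic to."""
    ranked = sorted(inbound.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(site, len(srcs)) for site, srcs in ranked if len(srcs) >= min_sources]


# Constructed sample redirect chains (placeholder hostnames, not real sites).
SAMPLE_TRACES = [
    ["http://lyrics.example/a.htm", "http://ad.example/r", "http://exploit-provider.example/x"],
    ["http://wallpaper.example/b.htm", "http://exploit-provider.example/x"],
    ["http://cheats.example/c.htm", "http://ad.example/r", "http://exploit-provider.example/x"],
    ["http://other.example/d.htm", "http://exploit-provider.example/y"],
]
```

With the sample chains, `major_players(build_topology(SAMPLE_TRACES))` ranks the shared exploit provider first (three distinct feeder sites), then the ad redirector (two).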
Yi-Min Wang manages the Cybersecurity and Systems Management Research Group and leads the Strider project at Microsoft Research, Redmond. He received his Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign in 1993, worked at AT&T Bell Labs from 1993 to 1997, and joined Microsoft in 1998. His research interests include security, systems management, dependability, home networking, and distributed systems.