"If any Web sites exploits a recently found vulnerability, we would talk to our patch team and security response teams to tell our the customers to apply the latest patch," he said. "If we ever identify a fully patched machine that got exploited, we got a big problem. We would involve the IE team and show them the threat."
Honeymonkey, a name coined by Microsoft, modify the concept of honeypots--computers that are placed online and monitored to detect attacks.
"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked," said Yi-Min Wang, manager of Microsoft's Cybersecurity and Systems Management Research Group. "This technique is useful for basically any company that wants to find out whether their software is being exploited this way by Web sites on the Internet."
So far, Wang has set up a half dozen computers running various patch levels of Microsoft's consumer operating system, Windows XP, within virtual machines. Soon, his research group will have about three dozen machines running the software. The computers run an application known as Strider, also created by the research teams, which looks out for registry and other configuration changes as a way to detect surreptitious installations of malicious programs.
The technique is not totally new:
The Honeynet Project, a group of researchers that focus on creating tools and monitoring Internet threats using networks of honeypots, is also looking into actively crawling the Web with specially configured computers, which the group calls client honeypots.
The group has made a name for itself by creating networks of heavily monitored computers and waiting for attackers to exploit the systems. With the new researcher, the group intends to go out and seek sites that are installing malicious programs.
"As the bad guys are constantly adapting their tools and tactics, so too must we," Lance Spitzner, founder and president of the Honeynet Project, stated in an e-mail. "Client honeypots represent just one such application of that."
The tactics has become a staple of some anti-spyware firms as well.
Webroot Software, for example, uses computers to scan Web pages on the Internet, looking for those sites that automatically try to install spyware applications.
While Microsoft seeks to find sites that exploit previously unknown flaws, Webroot instead seeks previously unknown spyware, even if it requires users interaction to be installed.
"Our system finds all the sources for all the bad stuff, then we turn the list over to a automated system," said Richard Stiennon, vicepresident of threat research for Webroot. "I think that is the only effective way to stay on top of the spyware menace."
Where the Honeynet Project focuses on fake servers to lure in attackers,
Microsoft has called honeymonkeys his client-side honeypots based on Windows XP operation system.
The experimental system of Microsoft, which SecurityFocus first reported on in May 2005, is one of the software giant's many initiatives to make the Web safer for users of the Windows operating system. Online fraudsters have become more savvy about fooling users, from more convincing phishing attacks to targeting individuals who likely have access to high-value data.
Some statistical evidence has suggested that financial markets are holding software makers such as Microsoft responsible for such problems.