Here comes the Spyware patrol!


I just read in eWeek about yet another technique for finding suspicious web sites. The principle is surprisingly simple:
1) Take N virtual machines running Windows XP, each left with a different degree of un-patched security holes. These machines serve as honeypots for potential spyware.
2) Each machine (called a monkey) visits a randomly chosen site from the internet.
3) Use automated software to detect any infections on the machine and report them.
4) Repeat as needed.
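To make the four steps concrete, here is a small simulation of such a patrol. This is an added example, not code from the original post or from the Microsoft Research project: the VM state, the two sites and the "exploit succeeds only below patch level 2" rule are all constructed in-memory, and the escalation order (least patched monkey first, stop at the first patch level the site cannot infect) is my own design choice, not something the post describes. Infection is detected by diffing a baseline snapshot of files, autostart registry keys and processes against the post-visit snapshot, and flagging anything a browser has no business creating.

```python
"""Toy honeypot-monkey patrol: snapshot, visit, snapshot, diff, report.
Hypothetical example; VM state and web sites are simulated in memory."""
from dataclasses import dataclass, field
import random

# Where a browser legitimately writes; new files anywhere else are suspicious.
BENIGN_WRITE_PREFIXES = (
    "c:\\documents and settings\\user\\local settings\\temporary internet files\\",
)
AUTOSTART_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass(frozen=True)
class Snapshot:
    files: frozenset      # lower-cased full paths present on disk
    registry: frozenset   # (key, value_name) pairs
    processes: frozenset  # running image names


@dataclass
class Report:
    url: str
    patch_level: int
    new_files: list = field(default_factory=list)
    new_autostart: list = field(default_factory=list)
    new_processes: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.new_files or self.new_autostart or self.new_processes)


def diff_snapshots(url, patch_level, before, after):
    """Flag writes outside browser scratch space, new autostart entries and new processes."""
    rep = Report(url, patch_level)
    for path in sorted(after.files - before.files):
        if not path.startswith(BENIGN_WRITE_PREFIXES):
            rep.new_files.append(path)
    for key, name in sorted(after.registry - before.registry):
        if key in AUTOSTART_KEYS:
            rep.new_autostart.append(f"{key}\\{name}")
    rep.new_processes = sorted(after.processes - before.processes)
    return rep


class Monkey:
    """One VM at a given patch level. `visit` stands in for the browser automation
    and returns the post-visit Snapshot; the VM is reverted to baseline after each run."""

    def __init__(self, patch_level, baseline, visit):
        self.patch_level, self.baseline, self.visit = patch_level, baseline, visit

    def check(self, url):
        after = self.visit(url, self.patch_level, self.baseline)
        return diff_snapshots(url, self.patch_level, self.baseline, after)


def patrol(monkeys, urls, rng=random):
    """Visit each URL in random order, starting with the least patched monkey and
    escalating only while the site keeps infecting, so the result records the
    highest patch level the site defeats (None if it never infects)."""
    results = {}
    for url in rng.sample(urls, k=len(urls)):
        worst = None
        for m in sorted(monkeys, key=lambda m: m.patch_level):
            rep = m.check(url)
            if not rep.infected:
                break
            worst = rep
        results[url] = worst
    return results


# --- constructed simulation: one benign site, one drive-by site ---
BASELINE = Snapshot(
    frozenset({"c:\\windows\\explorer.exe"}),
    frozenset(),
    frozenset({"explorer.exe", "iexplore.exe"}),
)


def simulated_visit(url, patch_level, base):
    cache = BENIGN_WRITE_PREFIXES[0] + "index[1].htm"  # every page lands in the cache
    files, reg, procs = set(base.files) | {cache}, set(base.registry), set(base.processes)
    if url == "http://drive-by.example/" and patch_level < 2:  # exploit only works on old builds
        files.add("c:\\windows\\system32\\svchosts.exe")
        reg.add((AUTOSTART_KEYS[0], "svchosts"))
        procs.add("svchosts.exe")
    return Snapshot(frozenset(files), frozenset(reg), frozenset(procs))


def run_demo():
    monkeys = [Monkey(p, BASELINE, simulated_visit) for p in (0, 1, 2)]
    sites = ["http://benign.example/", "http://drive-by.example/"]
    return patrol(monkeys, sites, random.Random(1))
```

`run_demo()` reports `None` for the benign site and a `Report` at patch level 1 for the drive-by site, listing the dropped executable, its Run key and the spawned process. On a real patrol the `visit` callable would drive a browser inside a reverted VM and the snapshots would come from the guest; the diff and escalation logic stay the same.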


More technical details are in this PDF on the Microsoft Research site.


P.S. I guess that the next step for spyware site maintainers would be to "detect" when the patrol is coming and resume unsuspicious activity, assuming that you know a way to identify the patrol, for example any IP addresses bought by these Microsoft researchers. But then the researchers will switch to unsuspicious IP addresses, and so on and so forth…

Comments (2)

  1. Travis Owens says:

    Well then all the Spyware Patrol needs to do is to use various anonymous proxies, which will make creating a "list of spyware cops" much harder. Or a more controversial method would be to set up some kind of P2P setup where they piggyback on some app that sends requests out to the end users, and their PC checks a website using a sandboxed browser session (to prevent local infection) and sends the results back to the main server. But then if you take the definition of spyware literally, this P2P app would be spyware itself.

    Anyways, I could point out that you seem to be spending more time thinking about how to foil spyware cops when you should be spending time thinking how to foil spyware.

  2. AdiOltean says:

    >> Anyways, I could point out that you seem to be spending more time thinking about how to foil spyware cops when you should be spending time thinking how to foil spyware.

    I guess that we have to do these "devil's advocate" plays, otherwise we wouldn't be able to come up with efficient anti-spyware techniques. (Similarly, spyware writers need to understand as much as possible about the existing antivirus/antispyware community. It's an interesting battle.)