Tarpits for Microsoft Worms

Digital_Quartz writes: "Wired News is reporting on a clever little tool by Tom Liston called LaBrea which uses unused IP addresses on a network to create virtual computers for worms and hackers to attack. LaBrea responds to requests in such a way as to keep the connection open forever, creating a "tarpit" in which worms like Code Red will get "stuck"."

temporary measure!

[Pooh22]

Ok, so the next version will close the connection in 1 minute. I don't see this helping in the future...

Re:temporary measure!

[garcia]

it doesn't really help. People w/a lot of extra IP space are ones w/a decent connection (at least in theory). For me as a two IP DSL user it isn't going to do much for me.

The god damn worm is still hitting my machine every 15s from a new IP and the god damn thing isn't stopping.

Unless someone finds a way to stop the whole thing altogether w/o having to have the person run it manually patch it I am not terribly interested.

Re:temporary measure!

Not to mention the fact that CRII, IIRC, had 300 simultaneous threads. Wahoo, 1 down and 299 to go. Way to go. Not! This will never work unless HUGE portions of the net are covered with this thing, even then, it is only until the next worm has a timeout threshold.

Re:temporary measure!

[interiot]

From observation, it seems to me that it takes quite a while for obvious improvements to be included in new worms.

For instance, it's somewhat obvious to me that it'd be good (for a virus) to leave open backdoors, so that your future viruses can springboard off your installed user base. If an old virus can spread from one computer to 20,000 in a week, then a virus that piggybacks on another virus could go from 20,000 infections to 40,000,000 in a week. AFAIK, CodeRed + Nimda was the first to do this.

Re:temporary measure!

[Diclophis]

What i did is copy a 4 meg porno movie to /default.ida ... that will keep there connection used up for a minute or so...

Re:temporary measure!

[asland]

Hopefully the next versions will be multi-threaded.

Re:temporary measure!

[Phil+Gregory]

Well, LaBrea operates below the level of most Windows network programs. From the program's point of view, it establishes a TCP connection to the server and issues the necessary HTTP commands. More things happen "on the wire" though. Here's a simplified timeline:

1. Program calls connect() to reach the other host.
2. OS's TCP/IP stack sends a SYN packet to the other host.
3. One of several things happens:
   • The host does not respond and the connection eventually times out. Result: failed connection attempt after a short timeout.
   • The host is reachable but isn't listening on that port. It sends a RST packet. Result: The connection fails almost immediately.
   • Some other network error. At most, the connection will time out in a relatively short period of time.
   • The host is listening on the port and sends back a packet with both the SYN and ACK bits set
4. Presuming the TCP/IP stack got a SYN ACK, it sends its own ACK and considers the connection established.
5. The TCP/IP stack reports to the calling program the result of the connection attempt. If the three-way handshake went as normal (SYN, SYN ACK, ACK), it considers the connection open.
6. If the connection was successful, the program starts sending data.
7. The TCP/IP stack accepts the data, breaks it into packets to be sent, and doesn't return to the program until it's done.
8. For each packet of data the TCP/IP stack sends out, it waits for an ACK of that packet, retransmitting the packet if it doesn't receive the ACK with a certain period of time. It will wait longer and longer after each transmission before eventually giving up on the connection altogether. The ultimate timeout on an established TCP session is relatively large (and possibly implementation-dependent; I don't remember exactly that part of the spec).

Most firewalls only deal with the first SYN used to set up the connection. Either they reject it (send a RST) or drop it, leaving the connection to time out. La Brea responds to the initial SYN, then ignores everything else, leaving the TCP session to time out. That timing out usually takes a while (the author estimates about 15 minutes for Windows machines), and the program is unable to do anything while it's waiting for the TCP/IP stack to finish sending its data.

Ok, enough background. The point is that, with standard programming practices, the program doesn't get to pick how long it waits before giving up. That is dependent on the OS's TCP/IP stack. The ways around it are harder. One workaround is to use raw TCP sockets (and this may not even work; I'd have to check my copies of Unix Network Programming, and they're at home). (Anyway, Windows XP will be the first WIndows to support raw TCP sockets.) The other is to use nonblocking I/O, which requires a lot more state keeping in the program. (But it would allow the program to fire off connections to a number of hosts and wait to deal with the responses as they come in.) I suspect most work writers would just count on very few people running things like LaBrea and write the simpler code.

So, in summary: LaBrea is pretty nifty and a program can't just shorten its timeout period to get around the delay. The only workaround I can think of at the moment is nonblocking I/O, but that has its own drawbacks (and, depending on the program design, could still be slowed down by LaBrea).

--Phil (Crazy network programmer.)

Re:temporary measure!

[gweihir]

And it is really easy to do. I suspect that as long as a tarpit does not simulate a host with a high level of credibility this will only be effective against old stuff.

Re:temporary measure!

[thrig]

Ban Microsoft OS from your network. Easier said than done-- especially when the central administration at your workplace goes about replacing the universally accessible mainframe (via terminal interface) with a snazzy new website that only IE 5+ on Windows with JavaScript and ActiveX enabled can use.

Not that I'm bitter, mind you.

Re:temporary measure!

[bbqdeath]

Sounds like IPv6 and its massive address space may be something we want after all, huh?

And on another note, DoS works because it's really cheap for the client to make someone else do something expensive. Anything that increases the client's expense will at least help reduce DoS pain. Sure, maybe not by much at first, but that seems to be the right direction.

Re:temporary measure!

Threads are for people too stupid to understand state machines.

Re:temporary measure!

One thing, the connection may want an ACK sent after every packet but it also may not... maybe this program can set its own windowing size to a huge numer like 5000 or higher.. that would give it an extremely long time to emulate

Re:temporary measure!

State machines are for people who are to 1337 to try using threads.

Re:temporary measure!

ls -s /dev/random default.ida

hehehehe

Re:temporary measure!

ln -s /dev/random default.ida

that is... :)

Re:temporary measure!

Anyway, Windows XP will be the first WIndows to support raw TCP sockets.

Just a point of clarification . . . Windows XP is the first consumer version of Windows to support raw TCP sockets. Microsoft originally implemented raw TCP sockets in Windows 2000.

Re:temporary measure!

[Purificator]

i imagine windows has an implementation of alarm(). you can handle timeouts that way and stay with simpler blocking i/o (granted you need to set up a SIGALRM handler, but that's only a few lines of code).

still, i think labrea is a good idea. at worst it's better than whining in forums about "why can't those windows lusers patch their systems," and at best it's the beginning of a more active way to hurt viruses. i'd probably run it if i had a pool of unused addresses.

Interesting utility

[skroz]

I've been looking into this for about a day... looks like it might have a chance, though it wouldn't be difficult to circumvent this kind of "tarpit" in future generations of viruses. By using multiple scanning threads, monitoring existing threads that might be getting stuck, and keeping an internal log of tarpits, a virus could learn which IPs to avoid. Handy in the short term, though, if enough people implement it.

Re:Interesting utility

[pylonious]

Yes and at least it keeps them working on it. They tie up our time fixing it, we tie up their time making them rewrite it. Not the best solution but for now it is better than nothing.

Maybe a few will get tired of having to work at it and do something useful.

Re:Interesting utility

[carlos_benj]

And the script kiddies could call the fix "Briar Patch".

"Oh, please br'er Bear, whatever you do, don't throw me in the Briar Patch!" - Br'er Rabbit.

Re:Interesting utility

[trefoil]

An addenum to this utility suggestion of yours would be an interesting research project to see which ip's are generally used and for what purpose, and what others are usually kept vacant by networks. Could help in the protection of networks and also help hackers :/

Re:Interesting utility

[webcrafter]

Well I don't mind worms avoiding my IP's :)

Re:Interesting utility

[gregor_b_dramkin]

"By [...] keeping an internal log of tarpits, a virus could learn which IPs to avoid"

This makes no sense to me. Why would a worm ever revisit a previously attempted IP? Either the scan/exploit was successful or the tarpit trapped the connection. Either way, there is no reason to return.

Re:Interesting utility

[skroz]

*shrug* Of the thousands of Code Red and Nimda attempts on my boxes, only a handful of IPs have attacked. They just keep on trying. Remember, these both function as DoS, as well. By avoiding tarpits, the virus can avoid having the DoS component of its functionality slowed or stopped.

Re:Breaking news, Bin Laden Captured !!!!!!

[frknfrk]

do NOT click on the cleverly hidden goatse.cx link.

especially if you are in a cubicle environment...

-sam

Won't last long

[nahdude812]

How long do you think it'll take till a new release of one of these worms just spawns a new process for each attack? Now it might eventually bring your machine down, but the attacks keep going on till it does. The parent process could even kill the children after ten minutes just to help keep the machine viably attacking hosts.

Waste of IP's

[yendor]

I think this is a great tool for catching worms but mostly worms come from the outside where you _don't_ have IP's to spare but you will probably run it on the inside where it won't be that much use.

There are no good way in blocking worms, the solution is a easy way to check if you've patched your servers against a central patch library..... like windowsupdate where supposted to work.

// yendor

A very sweet trap..

[TheHawke]

Its the equavalent of the Honeypot Project and it shows promise. But the main problem is with these kind of projects, one has to wonder where the funding comes from to provide for the bandwidth..
Honey usually doesn't come without a few stings you know...

Re:A very sweet trap..

this has nothing to do with honey pots. you idiot. those are set up to learn the ways of the black hat. this is to stop the spread of virii. damn fool.

Re:A very sweet trap..

[dslbrian]

one has to wonder where the funding comes from to provide for the bandwidth..

Irrelevant, the worm will use bandwidth whether its funded or not. At least with this you gain some degree of control.

Re:A very sweet trap..

People reading the article might notice that it said it required only 100 bytes/second to trap 1300 threads. For my internet connection, that would literally work out to 2 cents a month -- I'd say that the funding for this bandwidth could come from loose change found on the ground. Better yet, check phone change returns, and you could get a year's worth of bandwidth for this!

Hoax?

[dapozza-]

Looks like a hoax

Honeynet

[Erasei]

For a more detailed version of this same type, see the Honeynet Project. Knowledge is power, as the saying goes.

Re:Honeynet

[Joe+Decker]

No, tarpits are not honeynets. Honeynets attempt to catch infections and analyze them, tarpits attempt to immobilize them by keeping connections stuck to them. Entirely different things.

Viruses Preserved...

[GreenJeepMan]

This way 10,000 years into the future, the viruses will be magically rediscovered in prestine condition.

Re:Viruses Preserved...

Mankind in 10,000 years time will be able to genetically engineer these perfectly preserved virii from just single strands of source code.

Re:Viruses Preserved...

[Glothar]

... by filling in the gaps of missing code with code from Frogger.

Re:Viruses Preserved...

[don_carnage]

Yeah and we can get genetic engineers and an island and make a theme park around it! That would be COOL!

First the viruses, then the white blood cells...

[mblase]

Verily, the PC is developing into an organism in its own right. How long until hackers develop the first "immunodeficiency", anti-LaBrea attacks, I wonder?

NOT A TARPIT

[Uttles]

The fundamental problem with this is that yes you may trap an instance of the worm with your fake IP address on your local network, but it's only one in a million instances all over the internet. Yes you will preserve a copy indefinitely, but this is not a tarpit, as a tarpit implies that the worm would get trapped and not be able to escape, in reality only one copy get's trapped, the others still roam free.

Re:NOT A TARPIT

[dodald]

I doubt that his intent was to create just one tarpit. The artical says "This is just a drop in the bucket", If a lot of networks ran tarpits, they could stop a few and SLOW, not stop the spread of the viruses, maybe giving other administrators time to patch.
And it IS a tarpit because the worm that attacked the tarpit is stuck, and cannot spread. Thats like saying a real tarpit is not a tarpit because is didn't trap all animals, but only stopped a small number.

Re:NOT A TARPIT

[Erasei]

This is exactly like a tarpit. Tarpits don't instantly trap all T-Rexes everywhere in the world. A tarpit will trap the one T-Rex that got a little too close. If there are thousands of tarpits in the world, then a lot more T-Rexes will get trapped. I don't think the author of LaBrea aims to have his program stop all worms on the internet, but if it were to be run on a few thousand machines, it would certainly help.

Re:NOT A TARPIT

in reality only one copy get's trapped, the others still roam free.

Thanks for clarifying that. I now know what happened to the wooly mammoth, the dinosaurs, etc... One mammoth fell into a tarpit, and all mammoths the world over suddenly died.

Lets hope that no human ever falls into a tarpit, eh? Stop worrying about rogue asteroids, nuclear war, etc. Concrete over those tarpits to prevent the end of humanity when Bobby falls into one when out walking his dog.

Tarpits - humanities dark, unknown destroyer!

Re:NOT A TARPIT

[interiot]

Well, for one, this will immensely help corporations with large networks... once you filter incoming email for the specific .exe at the firewall, you need to start cleaning up internal IIS servers. LaBrea will slow the IIS servers down to keep them from hosing your network while you hunt them down and clean them up.

For two... (drum roll please...) What if we had a LaBrea Beowulf? If major network providers (eg. UUNet) implement this across their networks, it would save themselves bandwidth and thus cost, and would make their customers happier.

It doesn't kill worms, it just greatly reduces their impact on the network. Sounds good to me.

Re:NOT A TARPIT

[Azetedine]

Why would you need a cluster? one instance of Labrea can trap multiple IP addresses. You really should only need one, for each network segment.

Pointless

[scott1853]

It's a cool little program. It's purpose, to use up your own resources to prevent other peoples resources from being used up. There seems to be a little flaw in that logic to me. Personally, I like the scripts that connect to servers that have tried to infect them, and send those servers a bit of code to reboot the machine. I'd rather them install the patch automatically and then reboot the machine though. That seems like a much more effecient use of resources.

Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm? The bandwidth used would be minimal to what is being eaten by these worms, and it would SOLVE the problem. Of course, in this day and age, nobody wants to actually solve a problem, they have to create some technically incredible way of ignoring a problem, or placing blame on the common scapegoat of MS or stupid admins, or doing some trivial task just to prove they can do the same type of thing as the virii spreaders.

BTW, this article was posted on Wired yesterday afternoon, why did it take so long to get here?

Re:Pointless

BTW, this article was posted on Wired yesterday afternoon, why did it take so long to get here?

b/c someone probably submitted it and one of the editors rejected it. Remember, this happens all the time. The editors play god when they should be playing news anchor.

Re:Pointless

[Red+Weasel]

According to the article someone did make a worm that patched the infected machines. The programmer was apparently arrested for spreading a worm onto the net.

They could catch the white hat but the rest run free. That's just funny.

Re:Pointless

[mclearn]

No, the article was talking about another worm that was patched by Max Vision (or whatever the heck he's calling himself nowadays). However, the worm was infecting DoD servers, so he sent out another worm to patch them. However (and this is why he was arrested), he put a backdoor in the patched version.

Re:Pointless

So do it yourself. Don't feel like it? Then you're the problem, so quit whining.

Re:Pointless

[Mawbid]

It's been suggested many times, and a few people have even done it (cleaning the attacker, that is -- I'm not aware of a patch-worm having been released).

The problem is that it's illegal. No matter how well meaning you are, no matter how much it helps the owners of the machines cleaned by the retaliation script/worm and the Net as a whole, it's still illegal and can get you in trouble. Like entering someone's parked car to turn off their headlights for them. (Sorry to use a computer/car analoy.)

Re:Pointless

[Gleef]

scott1853 writes:

It's a cool little program. It's purpose, to use up your own resources to prevent other peoples resources from being used up. There seems to be a little flaw in that logic to me.

It's a program to use a little bit of resources on one machine to reduce large resource impacts on many other machines. In addition, it allows you to detect and contact the owner of the infected host, hastening repair of the system and speeding up recovery of the net.

If you have a large network, you might very well be helping yourself far in excess of the bandwith used by the tarpit, certainly a win in my book. Even for those with small networks, some people might well be interested in sacrificing a small, controllable amount of bandwidth to help the general health and well being of the internet as a whole.

Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm? The bandwidth used would be minimal to what is being eaten by these worms,

That is highly debatable.

and it would SOLVE the problem.

But the problem isn't "Code Red", that's just a symptom of the problem. The problem is a combination of low security on the internet and the fact that Microsoft's monopoly has the side effect of making many identical security holes on thousands of machines.

Of course, in this day and age, nobody wants to actually solve a problem,

Nobody particularly wants to waste a great deal of bandwith to put a band aid on other people's sites for each worm that comes out, which is what you seem to recommend.

Real solutions to the problem aren't easy, but most of them are being actively worked on:
* Increase competition in internet server platforms and applications;
* Improve the distribution of security information and patches to the end users;
* More commercial internet monitoring and response services (eg. Counterpane);
* Security-conscious internet insurance plans
* Segregate the typical broadband customer behind transparent firewalls (I'd pay extra for a premium broadband service to give me a real IP if it would get the bozos who shouldn't have a computer much less an internet server off the real IP space).

Re:Pointless

Heh, the reason he was arrested was that he bawlked at ratting out a mate (Though he had previously ratted out a few not so close mates.)and sought legal advice from an attorney.

Re:Pointless

[haizi_23]

no, the editors should be playing editor.
which sometimes means rejecting things.

-w

Re:Pointless

[PhilHibbs]

Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm?

Already happening. Unfortunately I think that self-destructing worms are by definition going to be less virulent than worms that take over a machine completely and keep trying to spread until they are removed.

Re:Pointless

[scott1853]

Don't give me "it's a symptom of the problem" bullshit. The PROBLEM as it is right now, is the worm itself. Stop this worm, stop the next, give the people time to make the server secure and all the idiots time to figure out what they've gotten themself into by assuming they can run w2k. So your plan would be to just wait for MS to fix ALL their security holes and make it so my grandma can setup a W2k box and never have a problem? How long will that take, 5, 10, 15 years? And the fixes will introduce new bugs. So the answer is to do what gives the biggest response NOW, not a decade from now.

I don't know what you're referring to in saying that I want everybody to waste their bandwidth. Somebody would need to release a worm that fixes the whole, spreads itself, and removes itself. I'm not saying everybody should install the script that simply reboots the machine, that does nothing but give the machine a 2 minutes break in between infections. I'm not saying the worm should scan a thousand IP addressed to see what machines are infected. Let it check log files if they exist, find any machines that tried to infect it, check and see if those are still infected, if not the worm should delete itself.

Re:Pointless

[webcrafter]

Well the car could catch fire or something like that. I don't think the owner would mind. And, I understand that this would still be illegal, but why isn't illegal for them?

Re:Pointless

Someone sent me an HTTP request for /scripts/root.exe?/c+dir. Being a nice guy, I'll reply to them with an HTTP request for /scripts/root.exe?/c+shutdown+-s. If their machine chooses to respond to this innocent HTTP request by turning itself off, then that's a problem with the remote computer.

I always appreciated the thoughtfulness of someone who would turn off my headlights for me, and I do the same for other people. (Then again, I'm from a small town in Canada, where people don't bother to lock their cars.) But believe it or not, when the line between legal and illegal differs from the line between right and wrong, it's not always legality that takes precedent. (Unless you're dealing with some ungrateful ass who would threaten to sue you for breaking into his car even if it saved him a ton of trouble... but again, I'm from a small town in Canada, and we don't have people like that.)

Re:Pointless

[Gleef]

scott1853 writes:

Don't give me "it's a symptom of the problem" bullshit. The PROBLEM as it is right now, is the worm itself. Stop this worm, stop the next, give the people time to make the server secure and all the idiots time to figure out what they've gotten themself into by assuming they can run w2k.

OK, we disagree on what the basic problem is. No big deal, we can talk about how to deal with an arbitrary worm (the worm du jour seems to be Nimda).

So your plan would be to just wait for MS to fix ALL their security holes and make it so my grandma can setup a W2k box and never have a problem? How long will that take, 5, 10, 15 years? And the fixes will introduce new bugs. So the answer is to do what gives the biggest response NOW, not a decade from now.

That wasn't my plan, although a piece of what I was discussing does involve Microsoft (and other vendors) streamlining their security patch process. There is no way that *any* vendors can fix *all* security holes. Waiting for that would be ludicrous. Regardless, I was referring to how to reduce the impact of future worms (and other internet badness), not how to deal with a worm in the wild now.

Worm in the wild now: As of this writing, the last three major worms were "Code Red", "Code Red II" and "Nimda". All three of these exploit holes in Microsoft software, and these holes were discovered and a patch written months ago. In addition, Nimda exploits holes opened up by an active Code Red II infection. Any competent administrator unfortunate enough to have to manage an IIS installation has taken their machine offline, made sure their machine is worm-free, patched NT/2000 and IIS, and put it back online. Your main concern is those admins who have not done this, and there are a disappointingly large number of them.

I don't know what you're referring to in saying that I want everybody to waste their bandwidth. Somebody would need to release a worm that fixes the whole, spreads itself, and removes itself.

Where do you think the bandwidth issue comes from? When a worm scans host machines to look for places to spread, it uses a lot of bandwidth. This is what most people here are complaining about. Your proposed worm may fix bad IIS installations, but it would have to use at least as much bandwidth as the worm it's designed to fix.

The people here (me included) won't thank you, since they care more about how these worms impact bandwidth than whether someone has an infected machine somewhere. The administrator of the machines you've "fixed" won't thank you, because now they've had two or three intrusions while they were napping, rather than one.

If the repair worm has a minor bug in it, it could potentially do more damage than the original worm, or open up a new security hole as it fixes the others. In such a case, at best you are looking at a lawsuit against you; at worst, multiple felony convictions in multiple countries.

I'm not saying everybody should install the script that simply reboots the machine, that does nothing but give the machine a 2 minutes break in between infections.

Good, because while I'm not sure what you're talking about here, it doesn't sound like a good idea.

I'm not saying the worm should scan a thousand IP addressed to see what machines are infected.

In order for a worm like you describe to work, it probably would have to scan thousands of machines for a vulnerability, infect the machine with your worm, and then detect whether or not the worm is present from the inside.

You *might* be lucky and target a worm which leaves external evidence so you can scan thousands of machines for the presense of the worm. Both Code Red II and Nimda can be detected from the outside, but the check I know of for Nimda uses a lot of bandwidth. Regardless, a worm would have to scan thousands of machines to impliment your idea, it's just a question of what it scans for.

Let it check log files if they exist, find any machines that tried to infect it, check and see if those are still infected, if not the worm should delete itself.

What log files are you talking about? None of the worms leave a log that I know of. Neither NT nor 2000 log intrusion attempts without extra software. I would wager that very few of the infected machines have IDS software installed. In order to write a worm to effectively track down and eliminate worms, you have to use scans at least as extensive as the ones the target worms are using. Unless the target worm has a buggy scanning algorhithm, any repair worm would kill at least as much bandwidth as the original worm.

This cure is worse than the disease, in my book. I'd rather focus my attention on long-term solutions that will reduce the overall problem.

Re:Pointless

[jrockway]

It's only illegal if you get caught.

Re:Pointless

[scott1853]

Ok, this is getting a little absurd, this is my last explanation:

I don't know what you're referring to in saying that I want everybody to waste their bandwidth. Somebody would need to release a worm that fixes the whole, spreads itself, and removes itself.

Where do you think the bandwidth issue comes from? When a worm scans host machines to look for places to spread, it uses a lot of bandwidth. This is what most people here are complaining about. Your proposed worm may fix bad IIS installations, but it would have to use at least as much bandwidth as the worm it's designed to fix.

It wouldn't use as much bandwidth because the corrective worm would only fix machine it knows to have the virus, by analyzing the servers log files to see what machines have infected it and then making sure those machines are no longer infected. There would be no random connections made. After all the infected servers have been hit, that's it. Code Red continually tries random address. I'm not going to figure out the math but my solution would require a lot less bandwidth overall. Not that it wouldn't require an equal amount of bandwidth at it's peak, but there would be a peak, and then a dropoff of both Code Red/Nimda and the corrective worm itself.

Re:Pointless

[Otto]

Any competent administrator unfortunate enough to have to manage an IIS installation has taken their machine offline, made sure their machine is worm-free, patched NT/2000 and IIS, and put it back online. Your main concern is those admins who have not done this, and there are a disappointingly large number of them.

No, there's a vast majority of machines running IIS because the clueless user who installed 2k on his own box saw "Web Server" check box during the install, and instantly thought "I surf the web" and thusly checked it. So he's running IIS at default security, with the default pages with their holes and all. And he has no idea he's doing it. And he doesn't understand "security patches". And so, his computer is attacking others completely without his knowledge because "he doesn't run a web site".

Those are the people whose computers you have to fix. They're certainly not going to do it.

Re:Pointless

[Kanasta]

If your script is going to go around patching everyone elses holes, why would those 'idiots' ever know they had a problem in the 1st place? Wouldn't they just think they had the most secure system in the world that never had a security problem?

Re:Pointless

[scott1853]

Why do they need to know? If they were told, would they understand? Code Red was referenced on LOCAL news channels for 2 weeks, even giving users instructions on how to fix their machines. Telling them didn't help. And if informing the users that they are stupid is required, this corrective worm has complete control of the machine just as Code Red does. Change their wallpaper to a bitmap of instructions. That's really a minor point though.

Re:Pointless

[young'in]

Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm?

Someone did do exactly that a few years back and instead of thanks.. he got a few years in jail. (mind you he wasn't entirely innocent in regards to other hacker like activities, but his heart was in the right place)

"The worm that sent Max to jail was programmed to close a security hole that was being exploited by another worm that was on the loose at the time."

http://www.wired.com/news/politics/0,1283,44007, 00 .html -- a wired refernece to this particular incident, because they were the ones to first mention the tarpit

Security is tricky from either side of the fence.

Re:Pointless

[Gleef]

I would still call these people admins (clueless, incompetant admins, but admins nonetheless). In my book anybody in charge of a machine (i.e has the root/admin password and doesn't have someone else to admin for them) that is directly connected to the internet is an admin, whether they know it or not. This includes anyone who plugged their new Windows ME Gateway machine into their cable modem just to play Everquest.

I call them admins because they are in a position where they need to be responsible about how their computer is configured and interacts with other computers on the internet. The fact that they haven't the faintest idea what they've gotten themselves into is very sad.

This is why, in an earlier post, I advocated having broadband services by default seting people up with fake addresses and transparent proxy servers. People (like me) who need or want direct connections would have to know enough to at least ask for them. This measure alone would reduce some of the worst stupidity on the internet (eg. huge Zombie farms).

Re:Pointless

[Gleef]

scott1853 wrote:

Ok, this is getting a little absurd, this is my last explanation:

Agreed, this is absurd, this is my last explanation too.

It wouldn't use as much bandwidth because the corrective worm would only fix machine it knows to have the virus, by analyzing the servers log files to see what machines have infected it and then making sure those machines are no longer infected.

This is not a feasable answer. Windows NT/2000 logs do not contain the information you seek. Even if you can point a specific log entry that would implicate, for example, a Code Red infection, there is no guarantee that future worms will cause log entries or even leave the log files intact. Windows has particularly bad logging, but even Linux/BSD/Unix machines cannot protect the log files from a worm with root access.

I snipped the rest of your post, since it all hinges on the assumption that your worm knows which machines are infected without scanning.

Ok, how does this really help?

[weslocke]

It seems more of a 'feel-good' measure than anything. After all, Liston's quoted as:

"I'm holding about 1,000 Nimda scanning threads and 300 Code Red scanning threads at the HackBusters site. I'm holding them hard and I'm not letting them go"

Well what about the other threads that are spawned by the virus? If I remember correctly, don't Code Red and Nimbda spawn multiple threads to infect/probe several hosts at the same time? How does this really do anything other than just hold a thread captive while the other XX threads go about their daily business?

Re:Ok, how does this really help?

[interiot]

As the author stated, many networks only use 20-30% of their IP space. The other 70-80% can be used as a tarpit. The XX threads that aren't trapped will process their real host quickly, and then likely get stuck in the tarpit on the next try.

Re:Ok, how does this really help?

[RocketScientist]

The point is that it will help protect MY network. If it has a happy side-effect of keeping any other network from being infected for a little bit, that's just gravy.

We had so many infected machines inside our corporate LAN that we had a carrier-class switch go down from excessive ARP traffic for invalid IP addresses. Our corporate firewall couldn't keep up with the outbound connection attempts, we had to disconnect it from the inside network.

If we'd had this running INSIDE our network, I think we would have been reasonably OK, or at least less screwed.

Yeah, the next virus might be better, multi-threaded, whatever. But it'll have to spawn a thread for every connection that I grab. That's going to (hopefully) use up resources on the attacking machine faster than it uses up my resources. And really, that's the goal, to turn the DOS attack back onto the attacker. If this is even 25% effective at doing that, then it pays for the minimal hardware I'm going to need to put this in place.

Re:Breaking news, Bin Laden Captured !!!!!!

[frknfrk]

great reply. it's people like you and the anonymous 'goatse.cx' poster (if indeed those are separate beings) who are ruining the web for the rest of us. not that i have a problem with any of it, and of course this place is as much your place to post 'you big fag' as it is anybody else's place to post whatever THEY want... but maybe it's time to grow up and become part of the solution, not the problem? eh? obviously you are smart enough to figure out the slashdot journal system, you could probably do about whatever you set your mind to do. so maybe instead of posting 'you big fag' you could do something worthwhile and add something of value to this planet.

but i guess 'you big fag' posts get some people off, or whatever, so they have value too. nevermind.

-sam

Simple Solution.

I don't understand why people continue to use Microsoft products (it *must* be _very important_ to do so). It seem that every few days there's another Outlook/IIS exploit. If my bank account was broken into every other week, i'd be shopping for a new bank.

Re:Simple Solution.

Most people are stupid.

And they get annoyed when you explain in pedantically great detail exactly why they are stupid and therefore do things the way you think they should.

Eventually, the semi-conscious ones will get their fingers burned enough that they'll learn not to grab things off the stove without checking whether they're hot.

Re:Simple Solution.

[markyd]

Because there's no viable alternative in the business desktop market. As for the web servers, its usually because they like ASP.

still a good idea

[binarybum]

sure sure, viruses can be rewritten to timeout to avoid a tarpit, but unless software like this becomes widespread (and I doubt it will), chances are very very few viruses would be built to consider them. Same reason viruses aren't ported for Macs or *nix. I find one of the best ways to avoid these outbreaks is simply through nonconventional software solutions. So I say kudos to this kind of development.

No Good - Better solution?

[wirefarm]

It still saps my pathetic bandwidth. (64 k)
Is there a way that I can re-direct port 80 requests using NAT (FreeSCO Linux Router) so that they go to Microsoft's website and not mine?
I suppose that it would still sap my bandwidth, but at least it would eventually land in *their* lap...

Cheers,
Jim in Tokyo

Re:No Good - Better solution?

[Zocalo]

Is there a way that I can re-direct port 80 requests using NAT (FreeSCO Linux Router) so that they go to Microsoft's website and not mine?

Maybe an ICMP redirect if your firewall / server supports it? You want "default.ida"? Maybe you should try 207.46.230.219 ... ;-)

Re:No Good - Better solution?

[reynaert]

I don't know anything about NAT, but you can put this in your Apache server config:

RedirectMatch ^.*\.(exe|dll).* http://support.microsoft.com

Re:No Good - Better solution?

[xiaix]

Assuming you have forwarding on, I believe so.

add to /etc/forward.cfg a line that reads:
t,80,207.46.230.219/80
and restart forwarding.
But if you are running any kind of server on port 80, this does not help you, since this redirects all the traffic.

Re:No Good - Better solution?

[papa248]

I'm trying to find a way of how to do it using ipchains... but I'm not sure how to distinguish the "bad" packets from the good ones. I don't want to permanently DENY people from my server, since I do run a public web site. More so, just to ban them for a while (ala K-line)

Re:No Good - Better solution?

[clifyt]

Hmmm...when did worms start following redirect commands?

Just curious :-)

clif

Re:No Good - Better solution?

[schon]

No.

ICMP redirects only work on packets on your local segment - what you propose wouldn't work. Even if the router you're connected to would accept an ICMP redirect from you (unlikely, most ISP's turn this off on their CPE), you would just create a loop, because the packet is STILL destined for your network. (So you'd just end up soaking up even more of your own bandwidth.)

Re:No Good - Better solution?

I don't know anything about NAT, but you can put this in your Apache server config:

Yes, but somehow I doubt that the virus writers are going to build a complete HTTP/1.0 client into their worm. In this case (Code Red, Nimda) that doesn't happen, the worm just attempts it's payload and moves on.

In order for a redirect to work, the client has to follow it, which (in the case of worms) is extremely unlikely.

Re:No Good - Better solution?

[wirefarm]

Not a redirect - I want to tell the router to send any port 80 request to microsft's IP.
As it is now, the router sends all requests on port 80 to 192,168.1.xxx - I know it's gonna still hit the router, but I want it to send it elsewhere from there...
I'm not talking javascript here - NAT...

Re:No Good - Better solution?

[spagma]

He means port forwarding, not redirecting.

LaBrea is not the solution

[davidu]

Tools like LaBrea are cool, but aren't more then hacks. By wasting the TCP timeout on these worms it just forces the next worm writer to create a multi-threaded worm which would instantly be immune to such a defense.

A better defense, which I admit is more costly in terms of CPU is to run border IDS systems and simply have rulesets to filter this kind of traffic out.

For Example: Here is a snort ruleset for Nimba and Codered and possibly other worm varients against Windows OS's:
alert tcp any any -> any 80 (content: "cmd.exe";msg: "cmd.exe access in HTTP!!";react: block;)
alert tcp any any -> any 80 (content: "root.exe";msg: "root.exe access in HTTP!!";react: block;)

If you're running BigIP switches:
rule block_nimda {
if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
discard
} else {
use ( server_pool)
}
}

The point is...
It's better to stop these things on border routers and on the edges of Lan's then on individual machines or IPs. LaBrea does nothing to protect other machines aside from slowing down the worm which is almost futile.

Just my $.02,
dave

Re:LaBrea is not the solution

Yeah, but all you have to do is unicode the cmd.exe string, or %u encode it, and then your filter is useless. You have to canonicalize your string before you do the compare.

Re:LaBrea is not the solution

You can also use NBAR on a cisco router, however the connection will not be dropped - but the request to the web server will be. Depending on the number of attacks to a host the open tcp sessions could slow/bring down the machine.

Re:LaBrea is not the solution

[purd]

A better defense, which I admit is more costly in terms of CPU is to run border IDS systems and simply have rulesets to filter this kind of traffic out.

No, a better defense is a solid firewall, a border ids, host based detection measures, anti-virus, and additional barriers such as honeypots and LaBrea

No security technology you mention will solve all problems. To provide good security, one must deploy many different technologies depending on their business or personal needs. LaBrea is another tool in the box to throw up in the way of attacks. It happens to be good with worms and scans, while weak in other areas. That's why a variety of barriers should be used. Even then, there is always more that could be done.

Re:LaBrea is not the solution

[BroadbandBradley]

if you deny the request, the worm knows right away, and will move on to another machine. If you acknoledge the request, but then ignore it from there on... it will have to time out before it moves on to the next IP. I'm betting you already know this, but thought it was worth clarifying for those of us who aren't script enhanced as you appear to be.

Re:LaBrea is not the solution

[LinuxHam]

If you're going to mention snort, at least mention hogwash.. it uses snort rules to sanitize packets before allowing them to come all the way into the network (if at all)..

Stop the infected servers

[wwwillem]

Looking at my Apache logfiles, I see the infected systems trying to obtain many .exe files, like cmd.exe. I was wondering if I could stop those systems, by taking a "shutdown.exe" program, renaming it to "cmd.exe" and putting it on my web-server. Than hoping that they download this "cmd.exe" and will execute it.

OK, it's only a stop-gap solution, just for this particular attack, but it could quiet things down (on my subnet). One problem is that I couldn't find a Windows "shutdown.exe" program that has no GUI and doesn't take any command-line parameters.

Willem

Re:Stop the infected servers

[The+Real+Andrew]

The .exe file gets run on your own system, so the only effect that renaming a shutdown type of app would be to shut your own machine down.

Andrew

Re:Stop the infected servers

As I understand it - the exploit tries to run cmd.exe ie a shell.
What you see in the URL is the code/data
of a buffer overflow or similar. So not only will
the exploit now chew your bandwith and slow your server - it will shut down your webserver.

I advise against trying this.

Why would the attacker try and download cmd.exe?

Re:Stop the infected servers

[Heem]

The shutdown.exe would run on YOUR computer. Thus making it bad for you. Although, if your computer is off, you HAVE succeeded in stopping them from hitting you

Re:Stop the infected servers

yes, that will work perfectly ;) D'oh!

Re:Stop the infected servers

It's doing a "GET" on cmd.exe. It's not trying to download it per se, it's using a specific set of unicode escapes in the request string that allow it to run that file via a known issue.

You are correct though, it would shut down the local server rather than the attacking one.

Re:Stop the infected servers

[wwwillem]

Yepp, you're for the biggest part right. But, a Windows shutdown.exe doesn't run well on my Linux box ;-).

Couldn't a decent firewall do the same thing?

[lar3ry]

Should be simple to write a script that would examine your HTTP error_log file for '\.exe' and insert a rule into IPCHAINS to DENY all connections from that IP. The connection will time out, of course... but it will slow down the virus.

Much better than having your system get hit 15 times a second from Nimda probes, anyway.

Re:Couldn't a decent firewall do the same thing?

[weakethics]

Not too much trouble, I guess. But those of us on dynamic IPs (including many of those IIS boxes that are causing the problems) have issues with that. I could end up blocking myself (I never know which IP PacBell is going to give me, nor which IP will be given to the worm's victims).
9800 instances of Nimda-compromised servers in httpd access.log since Tuesday.

Re:Couldn't a decent firewall do the same thing?

[prator]

You could then have a script that catches a change in your ip and removes that rule from your ruleset.

However, I have seen some discussion about this already, and this doesn't seem to do any good except for stressing ipchains/iptables with a lot of rules. I guess it will keep your httpd logs smaller.

-prator

Re:Couldn't a decent firewall do the same thing?

[wytcld]

A kind fellow posted that yesterday. It looks like:

for LUSER in `grep "winnt" /var/log/apache/error_log | awk '{print $8}' | sed -e s/]// | sort | uniq`; do
if [ ! "`/sbin/ipchains -L -n | grep $LUSER`" ]
then /sbin/ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done

Your error_log is likely in a different place, perhaps by a different name.

I've been running this from cron on several machines. I'd suggest trim your error_log first to just the last couple days. And watch not to put the cron jobs too close together, or they'll pile up once the number of attacks in the error_log gets to several thousand - trail and error on that for your system, but keep on eye on the processes.

Note that if you flush your firewall rules (say, on a reboot) you'll open up to the addresses this has been blocking until this is run again. By trimming your error_log to the last, say, 24 hours and flushing the firewall rules, you can make allowance for systems that have been fixed or taken offline.

Re:Couldn't a decent firewall do the same thing?

You'll get a huge ipchains rule full of random dynamic addresses.

Instead, I've installed my own root.exe which connects back to the offending computer and brings up a popup telling the user that their machine is infected, and could they please go and fix it. If enough people do this, those users will get so inundated with popups telling them to fix their computers that they'll have no choice but to do so if they actually want to get something done.

Re:Couldn't a decent firewall do the same thing?

[tve]

Unfortunately ipchains doesn't seem to handle thousands of deny rules very well.

Take a look at this post to the debian-security mailing list for another script and some insights.

This sounds like an MS solution.

[MongooseCN]

Instead of fixing the operating system to avoid these obvious mistakes, we have people creating solutions outside of the operating system. It's like when MS tells people that their systems are buggy, so instead of fixing their own system, they suggest people buy more licenses and more machines to run as backups.

What happened to fixing the problem where it originated from?

Re:This sounds like an MS solution.

[NineNine]

Wow. I wish I had some mod points to mod you as a troll. If you're read the article (or any of the thousands of others on the Net about this right now), you'd know that this HAS been fixed for a LONG time now. It was part of Service Pack 2.

Re:This sounds like an MS solution.

[schambon]

What happened to fixing the problem where it originated from?

Nothing. It's just that people don't necessarily (ah!) have access to Windows' source code to fix the problem where it originated. You've got to wait for the MS official patch.

Every little helps...

Re:This sounds like an MS solution.

[thrig]

Funny, the CERT advisory posted to BugTraq showed up right next to a message about a new IIS 4/5 vulnerability in my mailbox.

The old handing the torch off to the new flaws, I guess.

Is it like...

[Wolfier]

VMware?

What is the postercomment compression filter?

Re:Is it like...

What is the postercomment compression filter?

It's one of the worst pieces of "programming" ever.

Basically, Taco noticed that he had a social problem: trolls and crapflooders were posting reams of rubbish in their posts. In the inimitable Taco "style", he decided that he could implement a technological fix to his social problem (note to all aspiring developers here: you cannot have a technological fix to a social problem).

His "fix" is to run a post through a compression algorithm and see what the compression ratio is. If it falls within the range of "normal" text, the post is considered OK and passes that test. If it doesn't, it's blocked.

Of course, the trolls and crapflooders instantly learnt how to fool this "fix" (it's not difficult: copy and paste a big block of text off some website into your post; you can even hide that text by using a couple of other time-hallowed trolling tricks if you so wish), so it didn't work.

And, doubly of course, normal valuable posters found that their posts started falling to the "compression filter". Short posts and posts with code snippets in (the latter being some of the more valuable posts, nice one Rob "I'm A Fucking Idiot Who Thinks Employing Jon Katz Is A Good Idea" Malda) are particularly vulnerable. This has irritated a lot of posters, further degrading the quality of Slashdot.

The lesson to learn is: when setting up a web discussion board, don't do it like Slashdot.

The other lesson to learn is: there are no technological fixes to social problems. Copy protection can be circumvented. Identity cards can be forged. Rob "Not Very Bright" Malda claims that he knows this when the issue is Napster, or Microsoft, or any of the other idiot things he subjects us to his ill-informed blather about: why can't he learn it about Slashdot, supposedly the thing he finds most fun and fulfillment in doing? Is it because he's a retard with no coding ability?

Re:Is it like...

The postercomment compression filter is CmdrTaco's stroke of genius(not!!). His idea is that each comment is compressed with zlib(IIRC), and that if it compresses too much (past some threshold he tested, and based on a sample of only a handful of comments) then it is likely to be ascii art. My question is, has it actually stopped any ascii art? Personally, I doubt it.

Filesystem loops

[Ed+Avis]

Within my home directory I have a couple of symlinks pointing back at the root of the home directory. Because it's exported by Samba to Windows machines, and Windows (or rather, Win32) doesn't know about symlinks, the 'Find File' utility from the Windows Start button would get stuck descending forever into these links. I can't say for sure, but it's possible that a few worms like ILOVEYOU were thwarted or slowed down by this, if they do a depth-first search for files to infect.

Unfortunately, I think that in the end Samba was reconfigured not to serve symlinks :-(. It would be nice to have an option to serve the first level of symlinks but not allow recursive ones.

Re:Filesystem loops

I think Linux has a hard limit on how many times to descend recursive symlinks.

Re:Filesystem loops

[Tony-A]

As far as I can tell, samba follows symlinks very nicely. (mixture of home directories in tomcat's webapps and having available space in the "wrong" directories.)
I think it's the server that would get stuck, not the attacker. :-(

Re:Filesystem loops

[Ed+Avis]

If there is some limit on how deep symlinks can be followed, it's a very high one...

Read the article

[skroz]

Actually, there were only about 300,000 known instances of Code Red. By this gentleman's estimation, only 1000 or so Tarpits would be necessary. If put in the right places, a single tarpit could stop multiple attackers.

Incidents.org is gathering information about Nimda to determine what networks are most heavily affected, and therefore in most need of LaBrea traps. I don't know if it's going to work, but the theory is a good start.

Re:Read the article

[sfe_software]

I don't know if it's going to work, but the theory is a good start.

Yes, or people could patch their fscking boxes...

I'm not saying the tarpit idea is bad, it could help to some small degree. But it's a solution that we, Unix admins, are having to use because some Windows "admins" who double-clicked on "Install Web Server" don't know WTF they're doing...

Of course I can't think of a better solution either. People have tried emailing admins of known infected boxes, etc, and so far none of this has helped...

Re:Read the article

[eam]

I just told someone I'd pull their network connection if they didn't patch their box & it got their attention.

Nimda around since July?

[MS]

Some additions w/r to Nimda:

Strange: of the 27 hosts (IP-based) I run on a single box, the most popular got probed first, not the server with the lowest IP-number, so the worm seems not attacking the IP-numbers sequentially, but rather due to some reference somewhere else. This may also explain, why it spread so quickly: if the worm could replicate itself from a popular webserver, the chances are good for a quicker spread among many surfers... This worm is really an excellent piece of code - kudos to its author!

And here are some log-entries from another box (NT runnung Apache):

First suspect entries on July 12(!):

My Timezone is GMT+1 (That's mid-europe, one hour ahead of Great Britain)
(SR) stand for ServerRoot which I omitted here

[Thu Jul 12 03:39:40 2001] [209.3.150.130] File does not exist: (SR)/scripts/..%5c..%5cwinnt/system32/cmd.exe
[Thu Jul 12 03:39:42 2001] [209.3.150.130] File does not exist: (SR)/msadc/..%5c/..%5c/..%5c/winnt/system32/cmd.ex e
[Thu Jul 12 03:39:43 2001] [209.3.150.130] File does not exist: (SR)/_vti_bin/../../../../../../winnt/system32/cmd .exe

I had a few more interesting logs between Jul 28 and Aug 30... but the /. Lameness filter considers it a Junk character post, so I had to shorten it...

May this information be useful for someone!
ms

Re:Nimda around since July?

[dwlemon]

Who was it that invented the really fast way to propegate a worm?

Anyway, it mostly had to do with getting a huge list of vulnerable IPs before you even unleash the worm, giving each worm "process" a chunk of the list to work with. It looks like you were being probed for vulnerability as some other people stated they were, but nobody was actually infected until recently. Very efficient!

Re:Nimda around since July?

[MS]

I did a bit more research:

nslookup 209.3.150.130 gives mail.worcestercs.org, but the domain worcestercs.org is no more in use and Networksolutions tells me it is available...
ARIN on the other hand assigns the IP-address 209.3.150.130 to: Qwest Communications, WORCESTER COUNTY SCHOOL (they have a block of 128 addresses)
209.3.150.130 seems now to be a dialup address of IConNet.NET

:-)
ms

Re:Nimda around since July?

[MS]

very efficient indeed, and the author also seems to be convinced to be able to infect one of my servers first: he tried it a few more times:

Thu Jul 12 03:39 [209.3.150.130/mail.worcestercs.org] 3 probes
Thu Jul 26 23:05 [216.93.104.34/grex.cyberspace.org] 2 probes
Sat Jul 28 12:43 [200.193.215.2/?] 3 probes
Thu Aug 09 15:06 [195.223.214.3/?] 3 probes
Sat Aug 11 04:04 [200.177.196.124/dl-tnt4-C8B1C47C.sao.terra.com.br ] 4 probes
Sat Aug 11 19:45 [195.231.103.194/?] 3 probes
Thu Aug 30 15:18 [213.64.199.226/h226n2fls34o1115.telia.com] 67 probes
Wed Sep 05 15:16 [195.161.214.7/dialup7.mari-el.ru] 5 probes
Sun Sep 09 15:40 [195.22.191.60/?] 2 probes
Fri Sep 14 18:36 [202.95.156.6/semar.yogya.pesat.net.id] 1 probes

Well, the origins of those probes are quite well sparsed - it will be difficult to trace it back...

:-)
ms

Re:Nimda around since July?

[-=OmegaMan=-]

More likely than not, this is actually just some cracker trying the Directory Traversal attack on you. Since Nimda was designed to piggyback off of Code Red II, and Code Red II wasn't seen in the wild as of the 12th of July, I wouldn't think this would be Nimda at all. Since it is only your most popular box being probed, this further indicates an actual Human(TM) behind the attack.

The Directory Traversal attack, however, has been around for a while. :)

Re:Breaking news, Bin Laden Captured !!!!!!

[frknfrk]

from my post:

it's people like you and the anonymous 'goatse.cx' poster (if indeed those are separate beings) who are ruining the web for the rest of us.

from your post:

I am honored that I and the AC are single-handedly "ruining the web".

don't give yourself more credit than you are due. but like i said... 'nevermind'.

Better Solution

Instead of using complex and expensive superscalar and vector processors one can take another approach, like our company did. We chose Zilog's Z80A as our base processor. You can get them for 1c these days, so it's quite cool. Now we built a NUMA/XBAR system with 1,256,000 Z80s running a single image. Each processor has 64Kb of RAM for it's own, and runs a portion of the simulation that it pushes to the master processor, a single Intel Pentium III, that takes the data and creates the graphical representation in realtime. As the Z80 doesn't need a cache you'll never run into cache coherency problems. We developed a special kernel called Zix and developed a finetuned compiler and parallelizer to create the Solar System simulation.
If enough people is interested I can post some more info and links.

Sincerely, Mike Bouma (NASA engineer)

Virus making the rounds.

[laetus]

I just recieved an email with the subject:

Civil society has become one of- Foreign policy magazine winter 19992000

with the attachment:

Civil_society_has_become_one_of-_Foreign_policy_ma gazine_winter_19992000.doc.bat

Didn't open it, but it comes from someone I don't know. Can't be good.

Re:Virus making the rounds.

[-=OmegaMan=-]

That'd be Sircam.

I recently came across a program that'd let strip the payload off of the attachment, allowing you to read the "confidential information" therein, but I doubt an article from Foreign Policy magazine would really be that juicy.

If you really want to read it, just open it up as text. The document should still be in there somewhere.

Re:Virus making the rounds.

[starslab]

Yep, that's Nimda...

You can find a writeup on it here. One of the nastier pieces of work making the rounds.

Re:Virus making the rounds.

[maryesme]

That was the Sircam virus. The subject will be the filename of a random document from the previous victim's computer.

More info at Norton or your favorite anti-virus site.

Re:Virus making the rounds.

[4mn0t1337]

Didn't open it,

Oh, but it is *perfectly* safe to open....
I mean you *are* running a Windows-Free(tm) desktop, right?&nbsp &nbsp ;)

Re:Virus making the rounds.

[fodi]

No.. I think you'll find that's sircam...
The double-extension on the attachment gives it away...

I read your journal

You are a git. Sure you are not a blonde copying the day from your pills? Or are you on altogether more serious medication? (Still getting over that nervous breakdown I hear. Keep going, progress is slow.)

Are you helping?

[JohnCub]

When I saw this thing hit I decided to modify the 404 script I'm running on my web server to log all Nimda attempts. I made a front end script that shows their ip and creates some whois links.

I then devote a few hours of my time in the evening to click these links and let the netblock owners know that the specific IP is infected. I would hope that people would keep the ball rolling and inform their downstream or shut them off.

In the multiple hundreds of emails that I have sent out, I have received 2 replies by real people. This tells me that nobody cares. No big surprise, its been proven again and again.

what are you doing to help?

Re:Are you helping?

[ErikB5]

This is also what I've experienced when Code Red came out. I searched out the people from the different IP address blocks (ARIN, RIPE ...) only to get very cold emails back.

Launching a counter strike with a script to clean these systems, can only backfire. Therefore I believe that the Tarpit will help out. 'Their systems' are initiating the connections, and I just hold them tight and don't let go. It will slowdown the offending host. It might be a small piece in the global scheme of things, but it's easy to implement and the idea of the tarpit is so hilarious to me ;-)

Re:Are you helping?

[MavEtJu]

Been there, done that. Made a nice report of it at http://www.mavetju.org/ -> networking -> Getting contact info on the internet and Why Mail Fails.

Technically the internet works, administratively not :-/

Nope!!!

#2324685, but close. Keep trying and you might just reach it. LOsEr.

Doh!

[Troodon]

Heres what I was just about to submit:

LaBrea - The Tarpit: Keep your friends close, your enemies closer.
- -
With the recent proliferation in worms (Code Red, Sircam, Nimda, etc) beyond either switching to a more secure? webserver or keeping up to date with the patches for your own and hoping that others do the same; approaches to actively dealing the problem have been limited. One can try to either contact the administrator[s] of the machines infected or take a slight more risky proactive approach. 'LaBrea' - The Tarpit offers proof of concept? for an interesting open source approach.
Linux today, Wired and Linuxsecurity have covered this developing project, more information is available from Hackbusters here, here, here, here, here, or here.
- -
Im off to sulk. :)

i would troll...

but i'm at school

Re:Leave it to slapdash to recycle news!!

I'm going to rape your virgin ass, that is what I am going to do about it. Prepare for a few tears, though that is nothing out of the ordinary for your first anal adventure. In time it becomes pleasurable. Just let me rape your ass enough times, and you will come to love me. Hugs and Kisses. Me, your gaylord master.

Re:Haha!!!

He made you visit goatse.cx and he's the idiot?

Sounds interesting

[rabtech]

it sounds rather interesting, but might I suggest securing the server in the first place?

For any IIS admins out there, you need to download and install URLScan. It is a free tool put out by Microsoft. It scans incoming requests and only allows ones that meet its criteria of rules (with a default blank ruleset, all requests are discarded.)

<a href="http://www.microsoft.com/Downloads/Release.a sp?ReleaseID=32571">http://www.microsoft.com/Downl oads/Release.asp?Rel easeID=32571</a>

There are a variety of other methods that can be used as well, and I am currently working on a guide to security for IIS admins. It isn't that hard... take the time to do it right.

Why does anybody need this...

[mrseth]

when Apache is free and has none of the security bugs of IIS. Even if you are running winNT/2k, I don't see why anyone who had the choice would choose IIS. On my machines at home and at school, one of the first things I do is rip out wu-ftpd and replace it with NcFTPd for the same reason I'd rip out IIS and install Apache.

Re:Why does anybody need this...

[tb3]

For a lot of reasons. It's easy to install on NT/2K server, it natively supports ASP, it's mind-numbingly simple to adminster, it seemlessly hooks into other Microsoft server products, and a large number of thrid party server apps require it.

Now, if you want any good reasons.. I can't help you.

Re:Why does anybody need this...

Windoze doesn't come with Apache pre-installed.

What would MS gain by preinstalling Apache instead of IIS? Nothing.

Number of Connections...

[sfe_software]

I don't recall what the limit is on open connections on a typical *nix system, but wouldn't this tie up connections? The longer you hold each connection open, the more simultaneous connections are being wasted.

IOW, don't use this on a production machine. Perhaps you could run this on a separate box that doesn't do much, but that sounds like a lot of work (compared to, oh, say, patching the NT boxen).

Re:Number of Connections...

[Grotus]

According to the article, it doesn't keep track of state on the machine doing the tarpitting, so although the attacker is using up connections, the LaBrea machine is not.

Re:Number of Connections...

[LinuxHam]

wouldn't this tie up connections?

The other replier touched on it, but LaBrea doesn't actually pull the connections into the machine running the tarpit. It sniffs the wire for packets going by specifically looking for repeated connection attempts to IP addresses that don't appear to be responding.

After it witnesses the predetermined number of failed connection attempts, it invents a fake MAC address for this would-be victim, and puts fake packets on the wire simulating replies from that would-be victim. The router gets the faked ARP reply and allows the attacker in. LaBrea first forces the remote attacker to use extremely short packets to minimize the amount of traffic it can send, and then begins the infrequent transmissions just frequently enough to keep the connection alive.

When you use the special "trap and keep" mode, it can keep a connection stalled with as few at 1215ish bytes **per hour**. If at any time a new machine comes up on the network with the IP address that has been tarpitted, LaBrea just stops faking the connection. Of course, the new machine will inherit the connections that were stalled, and will inherit connections with extremely short MSS's too.

read the article

cuz BSD be dyin'

Which worm is this?

Code red GET's default.ida, nimda GET's cmd.exe, but what is this? I've had a ton of them in the last couple days, and still going strong.

203.133.6.69 - - [20/Sep/2001:17:28:01 +1000] "-" 408 - "-" "-"
203.200.80.45 - - [20/Sep/2001:17:32:18 +1000] "-" 408 - "-" "-"
203.199.141.83 - - [20/Sep/2001:17:38:48 +1000] "-" 408 - "-" "-"
203.236.112.161 - - [20/Sep/2001:17:44:16 +1000] "-" 408 - "-" "-"
203.237.16.73 - - [20/Sep/2001:17:46:19 +1000] "-" 408 - "-" "-"
203.94.231.131 - - [20/Sep/2001:17:53:13 +1000] "-" 408 - "-" "-"

Stop the Microsoft Bashing

[Enonu]

How biased can get you get with the title "Tarpits for Microsoft Worms"? Did the Slashdot editors think they were being cute by just associating worms with Microsoft? This kind of behavior only colors the image of the Slashdot geek in a bad way. I know the other side of the fence does it as well, e.g. associating the GNU licence with the word viral, but that doesn't justify this non-professional behavior.

While I'm here, I'd like to make the observation that bashing Microsoft has now become trendy. It's in the same category as the Starbucks and Abercrombie and Fitch. It's so profuse that it has infiltrated my computer science classes. The professors and students try to make jokes and slam Microsoft in such a miserable way that the situation becomes completely inane.

Re:Stop the Microsoft Bashing

[4iedBandit]

While I'm here, I'd like to make the observation that bashing Microsoft has now become trendy. Actually, it's been going on for quite some time. Anyone who has been an advocate for any OS beside MS' can tell you this. If /. were an "I love MS!" site I certainly would not waste my time here, and I suspect it would not get near the traffic that it does. The question I want to know is, "Have the number of MS advocates on /. actually increased?" Nah, more likely that in this day and age of political correctness they feel obliged to come out of the closet. =)

Sometimes fiction would be nice as fact

[NeMon'ess]

If only we had the power spike from Goldeneye. Anyone who didn't secure their computers properly would get the machine fried by black hat hackers. It would be an excellent mark of shame.

From the article:

[Wind_Walker]

"LaBrea is a free, open-sourced..."

What makes me think that if it were costly and closed-source, there's no chance in Hell that we'd be seeing it posted to Slashdot?

This isn't a panacea, but a great idea

[purd]

Many people are writing about how this is worthless because:
- It can be circumvented by future worms
- It does not protect your current hosts
- Other worm threads continue to scan
- etc

While all of these comments are valid, they miss the point of a solid security strategy - defense in depth. This seems to be a valuable addition to an existing security infrastructure. One thing in particular is sequential port scans. A port scan would most definitely get snagged by such a host if it were scanning ip's sequentially.

Of course virus writers can circumvent tarpits with thread timeouts, etc. but that requires much more code and skill. It would also create a larger amount of code that may be easier to detect.

This program, just like any other security product, does not prevent any sort of attack, but if installed enough places, it will raise the bar for future attacks.

Stop the Microsoft Bashing-Bashing

[ahem]

How biased can get you get with the title "Stop the Microsoft Bashing"? Did you notice that the news item in question is in fact about a software product which bogs down the processing of worm software? Did you notice that these worms only attack Microsoft operating systems? I think that the title is not so much "Microsoft bashing", but just a good summary of what the article is about.

Lighten up.

Hackbusters.net

[smooc]

But they couldnt withstand the biggest hack:

The /. Effect

-- site is unreachable

What happened to the word "Distributed?"

[bendude]

Distributed was a great buzzword for a while. Peer networks were wonderful when we were getting music for free (like all this beer everyone keeps promising). Stickin' it to the man is the thing at the moment, but come an opportunity to actually do something useful, and no one "gets it" all of a sudden.

Correct me if I'm wrong, but...

[Compulawyer]

It seems to me that on top of wasting bandwidth and other resources, this technique would serve as an immediate spur to write more sophisticated worms. For example, the term "timeout function" immediately springs to mind....

Re:Correct me if I'm wrong, but...

Read the article; the latest version has a capture mode which allows a valid connection to be established, then holds it with veeerrrrry small packets sent at very long intervals using valid TCP windowing commands directed at the NT stack, not the worm app - it traps validly-established connections forever.

Don't quit your day job

You're nothing but a cheap-ass imitation of the incomparable Bobabooey. To be blunt sir, YOU SUCK. Better luck next time.

Re:Don't quit your day job

His BSD troll was pretty good actually, it confused all those clueless moderators :)
However, our Z80 based cluster at NASA is a real project.

Sincerely, Mike Bouma (NASA engineer)

I'll try that!

[wirefarm]

Since 90% of my traffic on port 80 is Microsoft-relared poop, I can use 8080 - Most of my useful traffic comes from a site with a real IP - I use DynDNS to resolve my dynamic IP (Kickass service!) but most people hit it via mmdc.net, so it wouldn't be a problem.
Thanks!
Jim

D'Oh!

[starslab]

Just me jumping to conclusions. Previous poster was correct, that's SirCAM. Nimda would have sent you a README.EXE file with a "audio/x-wav" MIME type that'll auto-execute on non-updated Windows machines.

They ARE Microsoft worms.

[shanek]

They exploit security holes in Microsoft software on Microsoft OSes. Other software and OSes are immune (although if a user has access to the file space, they could place an infected file on the non-MS server, making it an "immune carrier"). So what should we call them?

ISPs should block M$ users..

[TheGratefulNet]

IF they detect the luser's home site (cable, dsl mostly) is causing problems for The Net, overall.

obviously so many systems are infected and going unchecked. I sent mail to postmaster@ so many times in the last few days and have gotton ZERO replies back. shit, they don't even read their own postmaster accounts - how could you expect them to be responsible enough to check their own logs and system resources?

it appears that the only way to let these turkeys know they have a local problem (one which has global implications) is to shut them down until they clean up their act.

it isn't really hard to sample traffic on an ISP's port concentrator (router, dslam, switch, etc) and if you see a customer sending out this kind of crap traffic, shut down their port and let them contact you. when they do, inform them how to fix their system and then switch their port over to a non-public lan and monitor to see if the virus has been removed. if and only if it has been removed, then you can switch them back to the common public wan.

given that M$ lusers tend to install-and-forget their boxes (at least home lusers do), I see no other way to stop this M$ menace from affecting others.

I, for one, am sick and tired of paying for other peoples' poor choice of o/s.

Re:ISPs should block M$ users..

[papa248]

obviously so many systems are infected and going unchecked. I sent mail to postmaster@ so many times in the last few days and have gotton ZERO replies back. shit, they don't even read their own postmaster accounts - how could you expect them to be responsible enough to check their own logs and system resources?

Don't forget, IIS does not come with a default emailing packing, like us with Sendmail or IMAP. In order for a 2k/NT machine to read a postmaster email account, they need to have Exchange installed.

over filtering...

[slashkitty]

Those rules of yours would have blocked your own post because it contained "root.exe"... it's not always bad to have that string in your packets.

Re:over filtering...

[prizog]

No, it checks if the http_uri, not the content contains those strings.

Re:over filtering...

[davidu]

thanks, couldn't have said it more clear myself.

-dave

Thanks.

[laetus]

Yep, this same person keeps sending me more documents. Thanks for identifying it.

Doing it now...

I've been running this for about a day now with the new bandwidth limiting feature set at 15000 bytes/s.
This is on a box sitting in a /24 with only 3 of the addresses in use, so it has a lot of chances to snag incoming worms.

It took a couple of hours, but LaBrea eventually ramped up to the limit and stayed there for most of the day. Right now it's down around 9 KB/s, suggesting that some of the boxes causing the problem have been fixed or otherwise blocked from the net.

It's a trivial amount of bandwidth for me, and I get to harass idiots who are annoying me. That's plenty of fun right there.

Your sig is diving me nuts!

[wirefarm]

What's that from?

As for IPCHAINS, I would have my standard script in a daily cron job. Block them as they come in, but then dump all the new rules each day - Add them again as they misbehave... Twice daily, if necessary.

Re:Your sig is diving me nuts!

[papa248]

From ST:TNG, during the Episode with Lwaxana Troi who is to marry the Minister of somewhere. Alexander Roshenko (Worf's son) goes into the Holodeck, and an old man, bellows out "The Higher, The Fewer!". Alexander then says it later to a bewildered Worf.

When is this going to end?

[CaptIronfist]

Next time i develop a worm, i'll put in a little timeout. ( A sort of period of time the worm has to infect a certain IP ).

Seriously, when are people going to stop thinking about stupid patch solutions! This one is even worst than the last one. What was it again ? Oh yeah! The anti-virus who acts exactly like a virus and takes as much bandwith as the one it's trying to fight.

There's only one solution, make the vulnerable software better. In other words bust microsoft's balls until they FINALLY MAKE QUALITY SOFTWARE!!

To this I'm adding a small idea, just because i like thinking also:

Why not change our laws like this:

If the software is sold as a proprietary software, then the company is responsible for any damages the use of it might incur to its users.

If the software is open, i.e. not proprietary, then no one would be responsible for any damages using it might incur. Hey! It's open who are you
going to sue anyway!

Re: When is this going to end?

[Inthewire]

If the software is sold as a proprietary software, then the company is responsible for any damages the use of it might incur to its users. If the software is open, i.e. not proprietary, then no one would be responsible for any damages using it might incur. Hey! It's open who are you going to sue anyway!

There's broken logic here, but I've got a patch for it...
Why not hold the manufacturer responsible in BOTH cases? If it's closed, sue the shop...if it's open, sue the USER. That's right, hold the one who is inflicting their software upon the world accountable. Shoot, if you want to play with the code you'd best make it harmless...notice I do believe the creator of the program is responsible. But not just the closed folks.

All that said, it's really the assholes pumping these worms, virii, etc that are the problem. If Microsoft is the environment then MS is the target. I know, *nix are more likely to be stable and secure...but if they become the predominate life forms then they will begin to suffer the majority of infections.

the best preventive measure

[john_uy]

if you are using a microsoft iis server, i suggest you do the following:

run the tool IISLockdown from Microsoft to strip of features in IIS that you do not use that might be a potential source for hacking. it can be found Here.

The better way is to use the URLscan tool option from Microsoft that strips out possible malicious URL requests coming to your site. It discards the request even before accessing your web site. The tool can be found Here.

the best way is to keep up with the patches and subscribe to security mailing lists for latest updates.

johnlaw

Re:Breaking news, Bin Laden Captured !!!!!!

[Theodore+Logan]

this is off topic even to the extremly off topic topic, but you can get your password back just by requesting it emailed to you (noticed your .sig).

Resume the Microsoft Bashing

While I'm here, I'd like to make the observation that bashing Microsoft has now become trendy.

So what? Real People don't worry about whether or not what they've been doing all along, has also been adopted by the mainstream. The fact is, Microsoft sucks. Anyone who studies computers, is enthusiastic about computers, uses computers, or plays with computers, knows this. So since the 80s we have bitched about Microsoft, as atrocity after atrocity piles up. Are we supposed to watch other people and pay attention to whether or not they bash Microsoft too? And then are we supposed to stop doing it, ince everyone else is doing it too? No, that would be trend-following. That would be letting other people control what you say and do.

Microsoft sucks! They have retarded the developement of personal computer technology and damaged the industry. They are anti-technology. They are anti-common sense. They are anti-passion and anti-hope. They are anti-intellect. They suck, suck, suck. Die, Microsoft, die!

Great tool for DoS?

[Blorgo]

Great, now the virus writers will have another tool for Dos attacks. And it's so bandwidth-efficient, even a modem connection can be used. I could be wrong. (I hope I am.)

How long would it use these techniques to make a tool to grab every connection on slashdot? (I'm not a TCP/IP jockey, that's a real question.)

(The email addr doesn't work anymore and slashcode won't let me change it.)

it should go into the kernel

[S.+Allen]

I'm just waiting for this make it in as a kernel option (iptables) so that I can trap all inbound connections to ports that aren't listening.

I'd agree with you if you were mature

[Dog+and+Pony]

Using "M$" and "luser" only makes you look 15, and a PHP or VB script kiddie at that. Not impressed.

On the other hand, I do agree that people that for instance run IIS on a home network and then get infected like this, and don't care either, should be shut off until they've learned, for instance, to run apache.

I'm probably running the most hacksafe webserver possible at home, for fun (not hosting anything really) - an Apache on a Windows 2000. Tell me when you find a virus or a hacker targetting That combination... :)

Re:I'd agree with you if you were mature

[TheGratefulNet]

running a webserver carries a responsibility (as does any open network port).

most people would agree that the problem is made worse by the fact that so many people don't even REALIZE they're running a webserver. if you don't know you have a process running, why would you even bother to check or manage it?

but I'm very serious about shutting down ports on irresponsible servers. we used to say that as a joke (in a previous I/S life of mine): if we don't know who'se "green light" this is (talking about switch or repeater ports), we'd joke about shutting it down and wait 5 minutes to see who comes running ;-)

Re:I'd agree with you if you were mature

[Dog+and+Pony]

Yes, absolutely.

I am not sure as to how many are actually running web servers totally unaware though... I've yet to see even a Windows version that actually installs and runs IIS (or what is it called, PWS?) without you knowing. Those I have seen made you do thing smanually before you wer up and running.

Which actually makes things worse. I am very serious about that too - if you don't know what you are doing, don't.

:)

Re:I'd agree with you if you were mature

[TheGratefulNet]

Those I have seen made you do thing smanually before you wer up and running.

but since the windows crowd is conditioned to 'hit enter till you see clouds', I really don't think you can fully blame the users. M$ should NOT bundle a webserver with an o/s - but hasn't the courts been saying things like this for well over 2 yrs now?

and labelling a cd "professional edition" isn't escaping blame; how many people buy 'pro' editions just cause - well - they can - and they feel its somehow better than the non-pro version.

if you had to go out and BUY a webserver (from M$) and install it, I think almost none of these web worms would exist. therefore I still mostly blame M$ for all the noise that we now have to live with on the net.

Re:Breaking news, Bin Laden Captured !!!!!!

[frknfrk]

i actually remembered that old password. but all my comments since 1999 are on THIS account... and i am pretty psychotic about checking for replies to my posts :)

thanks though!

-sam

DCHP

[lavaforge]

Does anyone know how LaBrea works on a DHCP network? I'd rather not have it screw around with my networkd when a system tries to renew its lease and finds that no IP addresses are available.

Re:DCHP

[StealthBadger]

Just have the range of IPs that the DHCP server has available to it for use excluded from LaBrea's scanning and you'll be fine. He explains in detail how to do set up ranges of IPs that will be ignored.

Re:DCHP

[cloudmaster]

Or, don't worry about it, because LaBrea doesn't actually request the IP from the DHCP server, so the IPs aren't listed in the dhcp.leases file as taken, so the DHCP server will still give them out. LaBrea tries very hard to recover nicely when a machine whose IP it's using comes up, so you shouldn't need to list the DHCP range at all unless it actually causes problems on your network. Do read the *whole* doc page before implementing the program, it's pretty informative. :)

Re:DCHP

[StealthBadger]

I did read the whole doc page, and it said it would TRY to recover nicely, but explicitly did not guarantee that it will be able to do so.

Since most people only are on networks which are a served by DHCP when they're in a production environment, it's better to be safe than sorry. ;P

Do try not to be condescending when it's unwarranted.

Re:DCHP

[cloudmaster]

Do try not to be condescending when it's unwarranted

While my post was a response to yours, Mr. Badger, the comment regarding "reading the documentation" was directed at the person who posted a question which was answered in the documentation.

Anyway, my apologies for coming across as condescending. 'Twas not my intent...

Re:DCHP

[StealthBadger]

Ah, apologies.

*reminds self never to post before having coffee....*

Have they heard of non-blocking sockets ?

[apankrat]

".. that grabs their computer's connection -- and doesn't release it". Ha ha ha .. very funny, belongs to the tabloid cover.

Wait, wait, here is a good part - ".. they are then forced to shut down their hacking program or computer to escape". Oh my, I guess their VB ActiveX object is not that good after all.

Here is how to stop the infected servers

[Krelnik]

Here's a better way. THIS WORKS. It takes advantage of the fact that NIMDA (1) enables the Guest account, (2) blanks its password and (3) puts Guest into the Administrators group.

Use whatever tool you use to detect incoming NIMDA attacks toward your servers. A simple way is to just put a dummy port 80 listener on a box that nobody has any reason to connect to, and assume all incoming port 80 connects are from worms or other attackers.

Whenever you get an attack, launch the following script:

net use \\%1 /user:guest

psshutdown -t 5 -m "This system is infected with NIMDA! Shutting down..." -f \\%1

net use \\%1 /d

%1 in the above should be the attacking IP.

This uses PSSHUTDOWN.EXE which you can download from System Internals. It could easily be adapted to use SHUTDOWN.EXE from the resource kit.

Yes, I realize this is probably illegal in most jurisdictions. Save your flames.

Re:Here is how to stop the infected servers

I like this! It works!! Well, about 1/2 of the nimda computers will take it and apparently shut down; I had one who hit me 5 times in a hour; I did this and they haven't been back. :-)

A better plan

[tif]

We need a better plan. I've heard the arguments
(legal, ethical, etc) against retaliation,
auto-patching worms, etc., but the same old
passive way of dealing with this aint working!

Here's a plan: How hard is it to set up
collaborative filtering? If .1% of us setup
some software to report infected (and attacking)
machines to a central location. Then when we
get several reports on an IP we just need to
find the closest router to him that is
cooperating with us and black hole him. Okay,
maybe just for a few hours at a time.

For the time being, I'm sending URLs back to
the originator that might disable him, might
fix him, or might just notify him. Then I
black-hole him on my server. This seems to
be helpful because it's frequently a repeated
attack.

--tif

How does this help?

[SCHecklerX]

I admit, I didn't read the article, but...

By the time the thing hits, me, it has come from some idiot whose machine is infected. This doesn't stop their machine, nor does it tarpit that machine.

My own machine is not vulnerable, so it's already not spreading the crap. So what good would installing this thing really do?

Ok..I'll go read the article now... :)

Re:How does this help?

WTF is this doing with a score:2?!@?!? "I admit I haven't read the article, but I'll make stupid comments about it anyway."

Exactly

[lseltzer]

To avoid Nimda you didn't even have to be close to up-to-date on patches. People just don't try. The vulnerability that made Code Red possible had been patched over a month before the first outbreak and Microsoft heavily publicised both the bug and the patch, it got press coverage, and still people didn't apply it. To this day there are people running Outlook 98 and 2000 without the more than year old Outlook Security Update that stops all the mass-mailers and other problems.

Too many people out there are just too lazy or stupid.

Re:Exactly

[M-G]

The only problem is that the Outlook security updates aren't very flexible. They prevent any access to any potentially dangerous attachments. Making it so you can't just blindly double-click on an attachment is fine, but the security update prevents you from even getting the attachment. There are plenty of legitimate reasons why I might be sending or receiving attachments of these types, and the wholesale blocking of them creates a real PITA.

Details of what this update does here.

Worm, Virii, and Tarpits, Oh my

[spagma]

You know, pretty soon, 99% of the internet traffic will be Worms and Virii trying to propagate to different machines. The other 1% will be a combination of Slashdotters and people looking for porn.

a new addition to IP addressing plans....

x.x.x.1 and/or x.x.x.254 as default addresses
x.x.x.2 and x.x.x.253 will now bet set aside for a tarpit.

I don't know of *any* kiddies/worms that start their scans in the middle of address space.

Of course, the next step is to extend the tarpit to unused ports across *all* IP address space using a security policy map... this would change the fundamental way in which this particular tarpit works, but I'm sure it could be done with the right switch in place.

I'm kind of courious how the tarpit's gratuitous arping will affect switch that have questionalbe code. There are plenty of utilities out there (one of the utilities in the dsniff suite and many others) to molest swtiches at various levels of the protocol stack.

Nimda Catcher

[3ryon]

It's in Alpha, but I am using a program to catch IP address inside our firewall that infected with Nimda. See below:

-----Original Message-----
From: John Thornton [mailto:jthornton@HACKERSDIGEST.COM]
Sent: Wednesday, September 19, 2001 4:43 AM
Subject: Worm Watch

I am releasing a tool that I have written that monitors port 80 loging
servers infected by Nimda. However the point of the tool is not just to log
infected servers but to look for variants. As we have seen in the past worms
being released in the wild then rereleased with new logic, Worm Watcher will
log changes made to http requests, number requested, the order they are
requested etc. This will spot a rereleased version of Nimda that we know
will be in the wild in a matter of time.

screen shot ( http://www.hackersdigest.com/wormwatch/wormwatch.j pg )
source code ( http://www.hackersdigest.com/wormwatch/wormwatch.z ip )

What would be nifty...

[StealthBadger]

(I know I'm not putting this well, I'm tired :P) is if there were some way to combine this set of redirect conditions (which is what I'm currently using on my server - I know the worm doesn't follow them but it keeps the size of my error log down :P):

Redirect permanent /scripts/ http://127.0.0.1/
Redirect permanent /_vti_bin/ http://127.0.0.1/
Redirect permanent /_mem_bin/ http://127.0.0.1/
Redirect permanent /c/winnt/ http://127.0.0.1/
Redirect permanent /d/winnt/ http://127.0.0.1/
Redirect permanent /msadc/ http://127.0.0.1/
Redirect permanent /MSADC/ http://127.0.0.1/
Redirect permanent /default.ida http://127.0.0.1/

within Labrea in such a way that any GET to /scrips/, /_vti_bin/, etc. would trigger the "tar baby" effect, but other HTTP requests would go through. That way we could have our Apache web servers and our Tar Pits too. I would LOVE to have one of those.

--

Searching for Truth, Justice, and the Guy Who Boosted My Wallet a Few Weeks Back....

Not right for .edus

[epsalon]

There are several large sinks of IPs on the net. For example .edus... Do you really think MIT uses it's entire class A network? Just assume the MIT net admin installs LaBrea.
In my university (technion.ac.il) we have two class B networks. How much of that do you think we use. I have just advised our administrators to install LaBrea on our net.

Left out ...

[wytcld]

That script example shoulda had at the top:

#!/bin/sh

followed by a blank line, of course.

casting the bad into a lowernet

The three levels of the net:

Heaven- Internet2 (IPv6)
Earth- Internet (IPv4)
Hell- Lowernet (policy routed IPv4)

I propose that wide spread policy routing give the Internet (at the backbone level) the ability to cast wayward IPv4 Internet connected boxes into Lowernet, where all the compromised hosts can spend eternity scanning eachother. A well connected backbone provider could donate a large proxy from which all traffic to non-Lowernet hosts could be mitigated. This change would only required one entry into the global BGP routing tables and althogh the entry would probably grow quickly, it would provide administrators and service providers a global method by which they could understand the impact boxes connected on their networks are having on the internet in general. Additional administrative costs could be spun around by on-selling security, patching and rebuild services to those who wanted to get out of Lowernet. The provider of the Lowernet to Internet proxy can use frame based (a la security focus/portal) advertizing to recoupe their bandwidth and proxying costs. The overall impact that Lowernet would have on the Internet links it would ride could be mitigated by heavy bandwidth limiting on those tunneled connections. Federal agencies responsible for overseeing network security could admin and maintain Lowernet as an intelligence source. Tarpits, honeypots and IDS boxes could identifiy canidates for Lowernet status and those cast into Lowernet could eventually, through time be elevated back up to Internet status through route aggrigation expiration (preventing entire ppp dial-up pools from being cast into Lowernet for eternity).

...just an idea

didn't they already do this?

[mrsmalkav]

I thought they've already done this where part of the security for a network was to create a dummy network with "servers" that appeared to have ports open and services running, along with "workstations" et al. Theoretically, the hackers would attack the fake network and get distracted running around there instead of getting to the good stuff. Wouldn't that work for something like Nimda?

Re:didn't they already do this?

[LinuxHam]

That's called a honeynet or a honeypot.. like putting honey on the far side of your property to make the bees stay away from the house. Its suitable for situations where human attackers would target a specific entity, usually a company with highly sought after assets. The protecting admin would do the things you mentioned and try use interesting machine names on the false network so as to make the attackers think they are going after the machines holding the data they want. The admins would even go as far as creating databases loaded with false data to really keep the (again, human) attackers busy trying to figure out what to do with all this useless stuff if they make it all the way into the database server.

Worms like Code Red and Nimda just semi-randomly select IP addresses of machines to connect to and try to infect. If you maintain a network with dozens or hundreds of IP addresses, you would install LaBrea at a point where it can see all traffic coming into your network. If it sees lots of connection attempts coming in for an IP address that does not appear to be in use on your network, it will forge fake packets pretending to come from the host that the worm is trying to connect to, and make the worm suffer through an excruciatingly slow connection that never gets anywhere once its started.

Nimda doesn't look at the names of the computers its attacking or look for "interesting stuff" on those computers. It just chooses an IP address and attacks the hell out of it.

Old news

[RoyalTS]

Hey, I posted info about this more than a month ago... Here are the articles I linked to: Heise News Ticker and the posting at incidents.org in which Tom Liston first introduced his idea...

Ludicrously, unbelievably OT, but . . .

[Lyka]

Animals that fell into tar "pits" were NOT "preserved in pristine condition". Their remains were reduced to bones with no soft tissue.

You're probably thinking of those "frozen" mammoths and other critters from Siberia and Alaska. And even they aren't "pristine" -- they had time to begin to decompose, then were both dried and frozen, becoming mummified (like the "Ice Man"). Read R. Dale Guthrie's "Frozen Fauna: the Story of Blue Babe" for the details.

Lyka, the compulsive armchair paleontologist

SPAM trap?

I wonder... could a similar approach work against SPAM? Perhaps scanning for well known stealth mailer signatures and then slowing the data flow to nearly a stop.

Anything like that out there already?

The ultimate worm:

[scorcherer]

In order to attack site X, the worm penetrates into Slashdot servers and writes an article that links to X.

count your attackers...

[SethJohnson]

If you want to see how many attacks have been logged against your web server since the last time the access_log rolled over, here's a simple command line operation that will count the number of unique attackers your machine has encountered:

seth@soldier:/var/log/httpd > cat access_log |grep scripts| cut -f1 -d' ' |sort|uniq|wc -l

Although I've got a lot of requests coming in, throughout the day, I've only seen about 220 unique attacks.

Multiple Prong Approach

[delta0]

To really help this situation out -- make a script that (some are controversial and could be debated):
0) Diverts log spamming by making an abuse.log or the likes;
1) Reports these attacks to databases that are interested in gathering statistics and also collaberative blacklists that can be used in the future;
1) Blocks further requests from the IP (netblock?).
2) Leaves a message on the effected machine -- that the machine has been infected;
2) Attempts to find the administrators of the network/domain that the machine resides on - Maybe like spamcop looks for the abuse email - and sends out a notification;
3) Slows down or stops the worm by exploiting it's automated scanning cycle (like this tool attempts to do);
4) Attempts to stop the worm by infecting it with a worm killing virus such as a small script that executes on the host crippling the propogation mechanism.
4) Shutsdown or freezes the machine if the administrator doesn't fix the problem with in a days time (other detected attacks from same network).

Re:Multiple Prong Approach

[delta0]

5) Reports to Microsofts abuse team each attack.

Also note that some other ways of slowing it down have been discussed such as simply putting in a 2-4 second delay before the request finishes. Lets just hope that future worms don't multithread the scanning cycle. Or if you have a lot of spare bandwidth just let it chug along downloading a 40 Mb file (throttle the bandwidth?)

Ideas for notifying the admin: pop-up windows,
desktop picture changed to a worm. Screen saver scrolling: "You're infected by Nimda, your computer system has been compromised!".. ??

Ahh lot's of fun could be had.

The other thing that I think future worms could use is polymorphism. Good thing this one doesn't morph itself or have much in that way.

wrong... incorrect... in error...

It's VIRUSES, not virii. No such word as virii, no matter how cool you think you sound when you use it.

Re:wrong... incorrect... in error...

[leucadiadude]

Haha, I was soooo sure that virii was a real word, and that I would shoot you down in flames, that I just went through 5 different online dictionaries looking for it. And you know? I just can't believe these dumb imbeciles didn't include an entry for it in their supposedly "complete" work.

Hats off to ya.

Strange metaphor

[Riktov]

from the article:

"Up until now, the black hats were the Mick Jaggers of the Net..."

So they...
Have big lips?
Keep making womrs even though they're way past their prime?
Do lots of drugs?
Star in, and direct, lousy movies?

Shutdown attackers web server

[TheWil]

Okay, please don't flame this suggestion (in case I haven't thought it through).

Nimda is basically pissing me off because of the generated network traffic. A possible solution is to shut down (and clean) the infected IIS servers. From my understanding the worm has a number of phases but they basically allow programs to be run on the infected machine (to set up samba mounts etc). So how about this:

• Map all virus http requests (or appropriate ones) to a script. No rocket science here.
• When receiving a request make a connection to the sender asking it to "run a command" on the infected machine. Choose a command to either shutdown the web server or reboot the machine or something that isn't too nasty but puts it out of action.

I'm not that familar with Windows so don't know how easy/feasible this is. It's a challenge and if I wasn't going on holidays in two days with shit load of things to do I'd make it my new short-term pet project.

Wil
--
http://bd4.amristar.com.au/

Re:Shutdown attackers web server

[dragonsister]

Well - if you and your funky unix box can log attacks from Nimda-infected servers, and then exploit Nimda's features to run commands on the infected servers that have attacked you, wouldn't you be able to run a set of commands that a) downloaded and ran a disinfection utility (I assume they're available for free download from places that can cope) and b) raised security settings or even told the machine to go update from MS website?

Requires a darn sight more knowhow than *I* have, and perhaps the 'update' bit requires inconvenient things like CD keys, but surely the 'run disinfection program' part is feasible.

DragonSister

Epoxy for port scanners...

[Ungrounded+Lightning]

If you have a large network, you might very well be helping yourself far in excess of the bandwith used by the tarpit, certainly a win in my book.

A variant of this that stickied up ALL the ports rather than just port 80 might be interesting. Deply that on your net and anybody who tries to portscan the phantom machines might spend a LONG time trying to categorize them. B-)

Similarly, making some of the otherwise unused ports on a REAL machine sticky would also be a problem for portscanners - though somewhat impolite to people who are attempting to connect for legitimate reasons.

Damage capacity? DHCP?

[einhverfr]

OK. I have to admit that this tool is pretty neat. But here is a potential problem I see:

1: Computer running LaBrea picks up a request for 10.0.4.1, and adds it to the IP address list it monitors.

2: Computer "Atlantis" boots up and requests the ip address 10.0.4.1 from the DHCP server.

3: The DHCP has no record of any other computer using this IP address, so it issues this IP address.

4: "Atlantis" is now cur off from the network.

Does anyone know if this is a problem? I imagine it could be solved by making it dhcp aware and using rarp after seeing dhcp requests...

Re:Damage capacity? DHCP?

[ahrenritter]

This is not supposed to happen, and in most cases it won't. LaBrea will attempt to release any hold it has on an ip address if a legitimate machine comes onto the LAN with that IP. It is in the docs, take a look.

that is one of those "why didn't I think of that"

Prolly cause i'm a dumb ass... anyway

this is something that the w3 should really look into.. I cant really imagine implementing something like this as a 'standard', but it would kick ass for the whole net to be set up in such a way. its definately a good deterent to all these retarded m$ worms and the hordes of kidiots.

great software...

Multithreaded viruses are not imune

[einhverfr]

Tools like LaBrea are cool, but aren't more then hacks. By wasting the TCP timeout on these worms it just forces the next worm writer to create a multi-threaded worm which would instantly be immune to such a defense.

Multi-threaded. You mean it might spin up, maybe 100 or 300 threads and attack other machines? Oh wait! Code red did that!

Many wroms are multithreaded, and Labrea would show them down too. However, a very clever virus might initially take a performance hit but then recover and not hit known tarpits. That would, however, prevent the virus from being very...undetectible