Tarpits for Microsoft Worms
Digital_Quartz writes: "Wired News is reporting on a clever little tool by Tom Liston called LaBrea which uses unused IP addresses on a network to create virtual computers for worms and hackers to attack. LaBrea responds to requests in such a way as to keep the connection open forever, creating a "tarpit" in which worms like Code Red will get "stuck"."
Strange: of the 27 hosts (IP-based) I run on a single box, the most popular got probed first, not the server with the lowest IP number, so the worm seems not to be attacking the IP numbers sequentially, but rather due to some reference somewhere else. This may also explain why it spread so quickly: if the worm could replicate itself from a popular webserver, the chances are good for a quicker spread among many surfers... This worm is really an excellent piece of code - kudos to its author!
And here are some log entries from another box (NT running Apache):
First suspect entries on July 12(!):
My Timezone is GMT+1 (That's mid-europe, one hour ahead of Great Britain)
(SR) stands for ServerRoot, which I omitted here
[Thu Jul 12 03:39:40 2001] [209.3.150.130] File does not exist: (SR)/scripts/..%5c..%5cwinnt/system32/cmd.exex ed .exe
[Thu Jul 12 03:39:42 2001] [209.3.150.130] File does not exist: (SR)/msadc/..%5c/..%5c/..%5c/winnt/system32/cmd.e
[Thu Jul 12 03:39:43 2001] [209.3.150.130] File does not exist: (SR)/_vti_bin/../../../../../../winnt/system32/cm
I had a few more interesting logs between Jul 28 and Aug 30... but the /. Lameness filter considers it a Junk character post, so I had to shorten it...
May this information be useful for someone!
ms
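As an added example, not part of the post or of LaBrea, here is a Python scanner that flags Apache error-log lines of the shape quoted above and groups them by source IP; it percent-decodes the path first so the %5c traversal is visible to the pattern match. The log lines, paths and IPs are constructed samples.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in the shape of the Apache error-log lines quoted in the
# post (timestamp, client IP, "File does not exist:" path). IPs are from the
# 192.0.2.0/24 documentation range, not real hosts.
SAMPLE_LOG = """\
[Thu Jul 12 03:39:40 2001] [192.0.2.10] File does not exist: /srv/www/scripts/..%5c..%5cwinnt/system32/cmd.exe
[Thu Jul 12 03:39:42 2001] [192.0.2.10] File does not exist: /srv/www/msadc/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Thu Jul 12 03:39:43 2001] [192.0.2.10] File does not exist: /srv/www/_vti_bin/../../../../../../winnt/system32/cmd.exe
[Thu Jul 12 03:41:00 2001] [192.0.2.55] File does not exist: /srv/www/favicon.ico
[Thu Jul 12 03:42:10 2001] [192.0.2.77] File does not exist: /srv/www/scripts/..%255c..%255cwinnt/system32/cmd.exe
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)$")
# Indicators from the quoted probes: dot-dot traversal (only visible once %5c is
# decoded to a backslash), the cmd.exe target, and the IIS directories used.
INDICATORS = {
    "traversal": re.compile(r"\.\.[\\/]"),
    "cmd.exe": re.compile(r"winnt[\\/]system32[\\/]cmd\.exe", re.I),
    "iis-dir": re.compile(r"/(scripts|msadc|_vti_bin)/", re.I),
}

def decode_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so %5c and double-encoded %255c both become a backslash."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line: str):
    """Return (client_ip, set of matched indicator names) for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    return m.group("ip"), {name for name, rx in INDICATORS.items() if rx.search(path)}

def scan(log_text: str) -> dict:
    """Count probe lines per source IP; a line is a probe when it carries two or more indicators."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result and len(result[1]) >= 2:
            per_ip[result[0]]["probes"] += 1
            per_ip[result[0]].update(result[1])
    return dict(per_ip)
```

Matching on the raw, still-encoded path would miss the %5c variants entirely, which is why the decode step comes before the pattern check.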
A better defense, which I admit is more costly in terms of CPU is to run border IDS systems and simply have rulesets to filter this kind of traffic out.
No, a better defense is a solid firewall, a border ids, host based detection measures, anti-virus, and additional barriers such as honeypots and LaBrea
No security technology you mention will solve all problems. To provide good security, one must deploy many different technologies depending on their business or personal needs. LaBrea is another tool in the box to throw up in the way of attacks. It happens to be good with worms and scans, while weak in other areas. That's why a variety of barriers should be used. Even then, there is always more that could be done.
scott1853 writes:
Don't give me "it's a symptom of the problem" bullshit. The PROBLEM as it is right now, is the worm itself. Stop this worm, stop the next, give the people time to make the server secure and all the idiots time to figure out what they've gotten themselves into by assuming they can run w2k.
OK, we disagree on what the basic problem is. No big deal, we can talk about how to deal with an arbitrary worm (the worm du jour seems to be Nimda).
So your plan would be to just wait for MS to fix ALL their security holes and make it so my grandma can setup a W2k box and never have a problem? How long will that take, 5, 10, 15 years? And the fixes will introduce new bugs. So the answer is to do what gives the biggest response NOW, not a decade from now.
That wasn't my plan, although a piece of what I was discussing does involve Microsoft (and other vendors) streamlining their security patch process. There is no way that *any* vendors can fix *all* security holes. Waiting for that would be ludicrous. Regardless, I was referring to how to reduce the impact of future worms (and other internet badness), not how to deal with a worm in the wild now.
Worm in the wild now: As of this writing, the last three major worms were "Code Red", "Code Red II" and "Nimda". All three of these exploit holes in Microsoft software, and these holes were discovered and a patch written months ago. In addition, Nimda exploits holes opened up by an active Code Red II infection. Any competent administrator unfortunate enough to have to manage an IIS installation has taken their machine offline, made sure their machine is worm-free, patched NT/2000 and IIS, and put it back online. Your main concern is those admins who have not done this, and there are a disappointingly large number of them.
I don't know what you're referring to in saying that I want everybody to waste their bandwidth. Somebody would need to release a worm that fixes the hole, spreads itself, and removes itself.
Where do you think the bandwidth issue comes from? When a worm scans host machines to look for places to spread, it uses a lot of bandwidth. This is what most people here are complaining about. Your proposed worm may fix bad IIS installations, but it would have to use at least as much bandwidth as the worm it's designed to fix.
The people here (me included) won't thank you, since they care more about how these worms impact bandwidth than whether someone has an infected machine somewhere. The administrator of the machines you've "fixed" won't thank you, because now they've had two or three intrusions while they were napping, rather than one.
If the repair worm has a minor bug in it, it could potentially do more damage than the original worm, or open up a new security hole as it fixes the others. In such a case, at best you are looking at a lawsuit against you; at worst, multiple felony convictions in multiple countries.
I'm not saying everybody should install the script that simply reboots the machine, that does nothing but give the machine a 2 minutes break in between infections.
Good, because while I'm not sure what you're talking about here, it doesn't sound like a good idea.
I'm not saying the worm should scan a thousand IP addresses to see what machines are infected.
In order for a worm like you describe to work, it probably would have to scan thousands of machines for a vulnerability, infect the machine with your worm, and then detect whether or not the worm is present from the inside.
You *might* be lucky and target a worm which leaves external evidence so you can scan thousands of machines for the presence of the worm. Both Code Red II and Nimda can be detected from the outside, but the check I know of for Nimda uses a lot of bandwidth. Regardless, a worm would have to scan thousands of machines to implement your idea, it's just a question of what it scans for.
Let it check log files if they exist, find any machines that tried to infect it, check and see if those are still infected, if not the worm should delete itself.
What log files are you talking about? None of the worms leave a log that I know of. Neither NT nor 2000 log intrusion attempts without extra software. I would wager that very few of the infected machines have IDS software installed. In order to write a worm to effectively track down and eliminate worms, you have to use scans at least as extensive as the ones the target worms are using. Unless the target worm has a buggy scanning algorithm, any repair worm would kill at least as much bandwidth as the original worm.
This cure is worse than the disease, in my book. I'd rather focus my attention on long-term solutions that will reduce the overall problem.
----
Open mind, insert foot.