Slashdot Mirror


Tarpits for Microsoft Worms

Digital_Quartz writes: "Wired News is reporting on a clever little tool by Tom Liston called LaBrea which uses unused IP addresses on a network to create virtual computers for worms and hackers to attack. LaBrea responds to requests in such a way as to keep the connection open forever, creating a "tarpit" in which worms like Code Red will get "stuck"."

16 of 245 comments

  1. Interesting utility by skroz · · Score: 2, Interesting

    I've been looking into this for about a day... looks like it might have a chance, though it wouldn't be difficult to circumvent this kind of "tarpit" in future generations of viruses. By using multiple scanning threads, monitoring existing threads that might be getting stuck, and keeping an internal log of tarpits, a virus could learn which IPs to avoid. Handy in the short term, though, if enough people implement it.

    --
    -- Minds are like parachutes... they work best when open.
  2. A very sweet trap.. by TheHawke · · Score: 2, Interesting

    It's the equivalent of the Honeypot Project and it shows promise. But the main problem with these kinds of projects is that one has to wonder where the funding comes from to provide for the bandwidth..
    Honey usually doesn't come without a few stings you know...

    --
    First rule of holes; When in one, stop digging.
  3. Pointless by scott1853 · · Score: 3, Interesting

    It's a cool little program. Its purpose, to use up your own resources to prevent other people's resources from being used up. There seems to be a little flaw in that logic to me. Personally, I like the scripts that connect to servers that have tried to infect them, and send those servers a bit of code to reboot the machine. I'd rather them install the patch automatically and then reboot the machine though. That seems like a much more efficient use of resources.

    Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm? The bandwidth used would be minimal to what is being eaten by these worms, and it would SOLVE the problem. Of course, in this day and age, nobody wants to actually solve a problem, they have to create some technically incredible way of ignoring a problem, or placing blame on the common scapegoat of MS or stupid admins, or doing some trivial task just to prove they can do the same type of thing as the virii spreaders.

    BTW, this article was posted on Wired yesterday afternoon, why did it take so long to get here?

    1. Re:Pointless by Red+Weasel · · Score: 2, Interesting

      According to the article someone did make a worm that patched the infected machines. The programmer was apparently arrested for spreading a worm onto the net.

      They could catch the white hat but the rest run free. That's just funny.

      --
      ..which just shows that the human brain is ill-adapted for thinking and was probably designed for cooling the blood-T P
    2. Re:Pointless by Mawbid · · Score: 2, Interesting

      It's been suggested many times, and a few people have even done it (cleaning the attacker, that is -- I'm not aware of a patch-worm having been released).

      The problem is that it's illegal. No matter how well meaning you are, no matter how much it helps the owners of the machines cleaned by the retaliation script/worm and the Net as a whole, it's still illegal and can get you in trouble. Like entering someone's parked car to turn off their headlights for them. (Sorry to use a computer/car analogy.)

      --
      Fuck the system? Nah, you might catch something.
    3. Re:Pointless by Gleef · · Score: 4, Interesting

      scott1853 writes:

      It's a cool little program. Its purpose, to use up your own resources to prevent other people's resources from being used up. There seems to be a little flaw in that logic to me.

      It's a program to use a little bit of resources on one machine to reduce large resource impacts on many other machines. In addition, it allows you to detect and contact the owner of the infected host, hastening repair of the system and speeding up recovery of the net.

      If you have a large network, you might very well be helping yourself far in excess of the bandwidth used by the tarpit, certainly a win in my book. Even for those with small networks, some people might well be interested in sacrificing a small, controllable amount of bandwidth to help the general health and well being of the internet as a whole.

      Why has nobody either sent out a worm to patch machines, or created a script to patch the sender of a worm? The bandwidth used would be minimal to what is being eaten by these worms,

      That is highly debatable.

      and it would SOLVE the problem.

      But the problem isn't "Code Red", that's just a symptom of the problem. The problem is a combination of low security on the internet and the fact that Microsoft's monopoly has the side effect of making many identical security holes on thousands of machines.

      Of course, in this day and age, nobody wants to actually solve a problem,

      Nobody particularly wants to waste a great deal of bandwidth to put a band-aid on other people's sites for each worm that comes out, which is what you seem to recommend.

      Real solutions to the problem aren't easy, but most of them are being actively worked on:
      * Increase competition in internet server platforms and applications;
      * Improve the distribution of security information and patches to the end users;
      * More commercial internet monitoring and response services (eg. Counterpane);
      * Security-conscious internet insurance plans
      * Segregate the typical broadband customer behind transparent firewalls (I'd pay extra for a premium broadband service to give me a real IP if it would get the bozos who shouldn't have a computer much less an internet server off the real IP space).

      --
      Open mind, insert foot.
    4. Re:Pointless by scott1853 · · Score: 4, Interesting

      Don't give me "it's a symptom of the problem" bullshit. The PROBLEM as it is right now, is the worm itself. Stop this worm, stop the next, give the people time to make the server secure and all the idiots time to figure out what they've gotten themselves into by assuming they can run w2k. So your plan would be to just wait for MS to fix ALL their security holes and make it so my grandma can set up a W2k box and never have a problem? How long will that take, 5, 10, 15 years? And the fixes will introduce new bugs. So the answer is to do what gives the biggest response NOW, not a decade from now.

      I don't know what you're referring to in saying that I want everybody to waste their bandwidth. Somebody would need to release a worm that fixes the hole, spreads itself, and removes itself. I'm not saying everybody should install the script that simply reboots the machine, that does nothing but give the machine a 2-minute break in between infections. I'm not saying the worm should scan a thousand IP addresses to see what machines are infected. Let it check log files if they exist, find any machines that tried to infect it, check and see if those are still infected, if not the worm should delete itself.

  4. LaBrea is not the solution by davidu · · Score: 5, Interesting

    Tools like LaBrea are cool, but aren't more than hacks. By wasting the TCP timeout on these worms it just forces the next worm writer to create a multi-threaded worm which would instantly be immune to such a defense.

    A better defense, which I admit is more costly in terms of CPU is to run border IDS systems and simply have rulesets to filter this kind of traffic out.

    For example: Here is a Snort ruleset for Nimda and Code Red and possibly other worm variants against Windows OSes:
    # Block any HTTP request that carries the file names these worms ask for
    alert tcp any any -> any 80 (content:"cmd.exe"; msg:"cmd.exe access in HTTP!!"; react:block;)
    alert tcp any any -> any 80 (content:"root.exe"; msg:"root.exe access in HTTP!!"; react:block;)

    If you're running BigIP switches:
    rule block_nimda {
        if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
            discard
        } else {
            use ( server_pool )
        }
    }

    The point is...
    It's better to stop these things on border routers and on the edges of LANs than on individual machines or IPs. LaBrea does nothing to protect other machines aside from slowing down the worm which is almost futile.

    Just my $.02,
    dave
    --

    # Hack the planet, it's important.
    1. Re:LaBrea is not the solution by Anonymous Coward · · Score: 1, Interesting

      Yeah, but all you have to do is unicode the cmd.exe string, or %u encode it, and then your filter is useless. You have to canonicalize your string before you do the compare.
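
The two comments above make one point between them: the Snort rules match the literal bytes "cmd.exe" / "root.exe", and the reply notes that a %XX- or %uXXXX-encoded request slips past such a match unless the string is canonicalized first. The following is an added example (not code from the thread or from Snort) that puts a naive substring check beside a canonicalizing one and runs both over constructed request lines; the %u decoding and the bounded repeat-decode loop are this example's own choices.

```python
import re
import urllib.parse

# Constructed sample request lines (not taken from the original thread).
# Only the first one contains the literal string a byte-for-byte match sees.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe HTTP/1.0",        # plain: the Snort content: rule hits
    "GET /scripts/CMD.EXE HTTP/1.0",         # Windows file names are case-insensitive
    "GET /scripts/%63md.exe HTTP/1.0",       # %XX percent-encoding of 'c'
    "GET /scripts/%u0072oot.exe HTTP/1.0",   # IIS-specific %uXXXX encoding of 'r'
    "GET /scripts/%2563md.exe HTTP/1.0",     # double-encoded: %25 decodes to '%'
    "GET /index.html HTTP/1.0",              # benign request
]

WORM_STRINGS = ("cmd.exe", "root.exe")

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def naive_match(request: str) -> bool:
    """Plain substring check, i.e. what the Snort content: rules do."""
    return any(s in request for s in WORM_STRINGS)


def canonicalize(uri: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX encodings until the text stops changing.

    The loop is bounded so a hostile input cannot keep us decoding forever;
    lower-casing mirrors the case-insensitive Windows file system.
    """
    prev, cur, rounds = None, uri, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = urllib.parse.unquote(cur)
        rounds += 1
    return cur.lower()


def canonical_match(request: str) -> bool:
    """The same substring check, applied after canonicalization."""
    return any(s in canonicalize(request) for s in WORM_STRINGS)


def classify(requests):
    """Return (request, naive_hit, canonical_hit) for each request line."""
    return [(r, naive_match(r), canonical_match(r)) for r in requests]
```

Over the sample list the naive check flags one request and the canonicalizing check flags five; only the benign line passes both.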

  5. Stop the infected servers by wwwillem · · Score: 2, Interesting

    Looking at my Apache logfiles, I see the infected systems trying to obtain many .exe files, like cmd.exe. I was wondering if I could stop those systems, by taking a "shutdown.exe" program, renaming it to "cmd.exe" and putting it on my web-server. Then hoping that they download this "cmd.exe" and will execute it.

    OK, it's only a stop-gap solution, just for this particular attack, but it could quiet things down (on my subnet). One problem is that I couldn't find a Windows "shutdown.exe" program that has no GUI and doesn't take any command-line parameters.

    Willem

    --
    Browsers shouldn't have a back button!! It's all about going forward...
  6. Couldn't a decent firewall do the same thing? by lar3ry · · Score: 3, Interesting

    Should be simple to write a script that would examine your HTTP error_log file for '\.exe' and insert a rule into IPCHAINS to DENY all connections from that IP. The connection will time out, of course... but it will slow down the virus.

    Much better than having your system get hit 15 times a second from Nimda probes, anyway.

    --
    "May I have ten thousand marbles, please?"
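
The script sketched above (scan error_log for ".exe" requests, then DENY the source with ipchains) as an added example that is not part of the original comment. The log lines are constructed in Apache 1.3 error_log style; the function returns the ipchains commands rather than running them, so the operator decides when to apply them as root. One caveat the comment does not mention: a value copied out of a log into a shell command must be validated, which is why each client field is checked to be a real IP address before it is used.

```python
import ipaddress
import re

# Constructed Apache 1.3-style error_log excerpt (not from the original thread).
SAMPLE_ERROR_LOG = """\
[Tue Sep 18 10:01:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Tue Sep 18 10:01:03 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/cmd.exe
[Tue Sep 18 10:01:04 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/MSADC/root.exe
[Tue Sep 18 10:01:05 2001] [error] [client 203.0.113.4] File does not exist: /var/www/html/favicon.ico
[Tue Sep 18 10:01:06 2001] [error] [client not-an-ip] File does not exist: /var/www/html/cmd.exe
"""

_LINE = re.compile(r"\[client ([^\]]+)\] File does not exist: (\S+)")


def offending_ips(log_text: str) -> list:
    """Unique client addresses (first-seen order) that requested a .exe path."""
    seen = []
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        client, path = m.group(1), m.group(2)
        if not path.lower().endswith(".exe"):
            continue
        # Never pass raw log text to the shell: accept only a parseable IP.
        try:
            ip = str(ipaddress.ip_address(client))
        except ValueError:
            continue
        if ip not in seen:
            seen.append(ip)
    return seen


def ipchains_rules(ips) -> list:
    """Build one DENY rule per source; the connection then simply times out."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in ips]


if __name__ == "__main__":
    for cmd in ipchains_rules(offending_ips(SAMPLE_ERROR_LOG)):
        print(cmd)
```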
  7. This sounds like an MS solution. by MongooseCN · · Score: 2, Interesting

    Instead of fixing the operating system to avoid these obvious mistakes, we have people creating solutions outside of the operating system. It's like when MS tells people that their systems are buggy, so instead of fixing their own system, they suggest people buy more licenses and more machines to run as backups.

    What happened to fixing the problem where it originated from?

  8. Filesystem loops by Ed+Avis · · Score: 3, Interesting

    Within my home directory I have a couple of symlinks pointing back at the root of the home directory. Because it's exported by Samba to Windows machines, and Windows (or rather, Win32) doesn't know about symlinks, the 'Find File' utility from the Windows Start button would get stuck descending forever into these links. I can't say for sure, but it's possible that a few worms like ILOVEYOU were thwarted or slowed down by this, if they do a depth-first search for files to infect.

    Unfortunately, I think that in the end Samba was reconfigured not to serve symlinks :-(. It would be nice to have an option to serve the first level of symlinks but not allow recursive ones.

    --
    -- Ed Avis ed@membled.com
  9. Re:NOT A TARPIT by Erasei · · Score: 3, Interesting

    This is exactly like a tarpit. Tarpits don't instantly trap all T-Rexes everywhere in the world. A tarpit will trap the one T-Rex that got a little too close. If there are thousands of tarpits in the world, then a lot more T-Rexes will get trapped. I don't think the author of LaBrea aims to have his program stop all worms on the internet, but if it were to be run on a few thousand machines, it would certainly help.

    --
    visit my free wallpaper collection, wp.erasei.com
  10. Re:NOT A TARPIT by interiot · · Score: 3, Interesting
    Well, for one, this will immensely help corporations with large networks... once you filter incoming email for the specific .exe at the firewall, you need to start cleaning up internal IIS servers. LaBrea will slow the IIS servers down to keep them from hosing your network while you hunt them down and clean them up.

    For two... (drum roll please...) What if we had a LaBrea Beowulf? If major network providers (eg. UUNet) implement this across their networks, it would save themselves bandwidth and thus cost, and would make their customers happier.

    It doesn't kill worms, it just greatly reduces their impact on the network. Sounds good to me.

  11. Re:temporary measure! by interiot · · Score: 3, Interesting
    From observation, it seems to me that it takes quite a while for obvious improvements to be included in new worms.

    For instance, it's somewhat obvious to me that it'd be good (for a virus) to leave open backdoors, so that your future viruses can springboard off your installed user base. If an old virus can spread from one computer to 20,000 in a week, then a virus that piggybacks on another virus could go from 20,000 infections to 40,000,000 in a week. AFAIK, CodeRed + Nimda was the first to do this.