IBM's Billy Goat Squashes Worms
fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."
Oh my god. This has got to be a joke. Bring on the screenshots
This is a play on the name "Bill Gates", surely? Why else would they call it that. Interesting concept nonetheless.
I.O.U One Sig.
squashes worms?
It is a detection system, and an imperfect one at that: heck, even the designer of the software itself says this...
Besides, if it's an Outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching its grass and not have a clue while the network slows to a crawl.
I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?
My life in the land of the rising sun.
I do not want to look anal but I think the submitter meant "last month" :-)
Trolling using another account since 2005.
Detecting potential attacks is one thing and preventing damage and slow-down of the internet is another. Even now we can somewhat predict them before they begin to slow the entire net down. But seeing how something akin to these last two worms will slip right by even with our knowledge, this technology becomes rather redundant. Eventually, educating the end-user will be a greater force than some goat.
P.S. any coincidence it is named "Billy"?
A blog like any other.
So you're turning on a computer system that's intended to be intelligent enough to seek out and eradicate computer worms?
Did you NOT see Terminator 3?
- Those that do not learn from history are doomed to repeat it.
Or, in this case, those that don't learn from crappy movies. =P
It sounds like a nice extension of egress filtering; you know which of your IPs are unassigned, and so you assume that boxes trying to access unused IPs are up to no good, and act accordingly (firewall the affected box off, and investigate). Slows worm propagation, and discourages people from scanning your entire address space unnecessarily.
I appear to have a blog. Odd.
...with connotations of both the young William Gates and the goatse.cx dude, I predict this meme to become quite popular here at /. and in IT at large.
strangeloop.
You can always depend on IBM. They contribute to Linux... help Windows users... make awesome products, even if they do cost too much... But, hey, IBM is great.
Will it butt trolls off the net too?
Sheesh, evil *and* a jerk. -- Jade
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.
What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm, sounds odd typing because I'm tired. OK, for instance, most MS-based worms such as Blaster, Sobig, etc., tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.
Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.
It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.
This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell, if you've read enough RFCs and Cisco books, anyone would be able to detect and halt attacks using freeware such as Snort.
Oh well, it sounded good for a minute; it's a shame they didn't include any screenshots or specs in the article.
MoFscker
TFA isn't very clear, but it sounds like the only thing unique about Billy Goat is that it detects port scans. I can't believe it would take a bunch of PhD computer scientists to figure out how to do that. Anyone else know what makes this thing special?
Not Found
The requested URL
Never click on a link with the word "goat" in it.
This will be in version 3, aka "Great Big Billy Goat Gruff".
IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market... Will Billy Gays, er, Gates, now sue IBM for illegally using his name to make money? After all, TIBCO sued Apple on Friday for using the term Rendezvous!!
"...that slowed Internet traffic earlier this month."
Posted by Hemos on Monday September 01, @09:02AM
Wow, there have already been worms this month???
If you built a software package that catches worms...why wouldn't you call it "Early Bird"?
Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
Is that a hint that Bill Gates is into Goatse? I'm a nice troll, gimme a cookie.
```python
def should_block(packets_from_ip, threshold, has_reverse_dns):
    # block sources past the packet threshold that have no reverse DNS
    return packets_from_ip > threshold and not has_reverse_dns
```
Do I win $10?
If you were blocking sigs, you wouldn't have to read this.
needs to be renamed to :
Billy we got Your Goat
Don't Tread on OpenSource
My second reaction is that the focus needs to be at the level of the ISPs. To expect all users to reliably protect themselves against attacks is just naive. Technology that could immediately detect attacks and prevent their propagation to individual users in the first place seems to me feasible and desirable.
and then
Doesn't this sound like honeyd?
LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/
Doesn't network management software like NNM and whatever CA's stuff is called, work by doing ping sweeps and other stuff to detect new systems on the network?
Won't it break those systems?
Je ne parle pas francais.
Seems to me that it's aimed towards detecting sources that aren't published, that somewhere there needs to be a list of 'published sites'. If your web, ftp, mail, cvs, file-sharing software isn't on the list then it will flag everyone who connects to it for further study.
"Well well well, if it isn't fat stinking Billy Goat Billy Boy in poison. How art thou, thou globby bottle of cheap stinking chip oil? Come and get one in the yarbles, if you have any yarbles, you eunuch jelly thou!"
All that is needed is worm called "Alex"...
Lemon curry???
Actually, he is probably thankful. This is exactly what MS needs to overcome their deficiencies until they can get LongHorn designed and developed.
I prefer the "u" in honour as it seems to be missing these days.
Here's an idea I had a while ago, (probably around slammer time) but never got around to doing anything about (because I don't admin any networks).
;/
A module for your IDS which, if it detects a machine on your network is infected with something, automatically sets your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themselves, or to contact the helpdesk, or whatever.
In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.
The informing machine would not just be HTTP, which could return the web page, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error which (hopefully) will be displayed by the user's application, telling the user what is happening.
Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.
It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents.
I'm reporting you to PETA!! Oh wait, you mean computer worms...
But, note - in computer security, as in human health - there are two fundamental approaches:
once well, don't get sick
and
once sick, get well fast
A hospice volunteer I talked to last week pointed out that holistic eastern philosophies of medicine offer an interesting alternative perspective on how to approach "wellness". I wonder if there's something like accupuncture we should be exploring for intrusion detection systems and anti-virus/spam filters?
Billy Goat, why did you let this happen? Stop making money and fix your software!
Sadly, people just know 'anal' these days. Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.
I can now imagine that this sort of intrusion detection software will be known only as Billy Goat, just as so many use 'trojan' and 'virus' when such terms are far from inappropriate to describe a specific piece of software with destructive intent. Why, just this morning, an interview with the prosecutor of Blaster.B accused author Jeffrey Lee Parsons, yielded such terms as "cyber-hacker." Since when did "cyber" need to be prefixed? I'm waiting for someone in the legal profession to butcher that term, and vomit terms like Cyber-goat.
IBM was foolish to announce this so early. I just know they will get targeted by the crackers out there for it (note, that's criminal-hacker, not ebonic-slang/slur for white person), and then the crackers will roast the billy goat over IBM's own firewall!
For those who aren't well-educated on nursery rhymes, go read up on Three Billy Goats Gruff. You will find the proper origin of the software name there, trade-related double-entendres notwithstanding.
Actually there is a damn good reason why they say "gain three inches in length" and make no mention of how many millimetres that is.
..... if it only says how long in inches, not in metres, then you can simply redefine an inch to be however many millimetres it would take to get you within code. {'These shoes would be acceptable if there were 40mm. in an inch; therefore, I claim that there are 45mm. in the inch and my shoes are now legal.'} Now it's just your word against theirs. The rule will at least have to be debated before it can be amended, and may be rejected {especially if you can influence enough voting members before the EGM}.
All nations that are signatories to the treaty that established SI have legislation requiring that measurements in SI units are required to be accurate to a certain standard. The measurement does not cover non-SI units. Which is why monitor manufacturers will quite happily give you 22mm. on the inch and marijuana dealers will quite happily give you 24g. on the ounce.
It would be illegal for them to say "gain 75mm." unless the stuff actually made you gain 75mm. But, they can say "gain 3 inches" and they are NOT making a claim, because non-SI measurements have no legal standing. This is how, BTW, you can often get around a school or workplace hair-length, heel-height or skirt-length dress code regulation
Ting! Next please.
to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month You mean the attacks are over? The 67000 icmp probes I received yesterday are legitimate tests?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
not a bad idea. although, patching would be a good step to throw in before going to the batbelt.
"A powerful virus is running rampant through the world's computers throwing everything a-kilter, so the brass at the Pentagon is considering putting Skynet on line to combat the virus. Unlike the audience, they are unaware that Skynet itself is creating the virus."
It's not the only thing IBM are going to be squashing soon..
Strikes me that it would be great if Billy Goat was designed on top of a Linux kernel.
If it turned out to be a great product that would be a wonderful bit of irony: Linux working to save a messed-up Windows world.
s l o w . d o w n
while keeping the rest of the network moving right along while emailing the admin about it.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Anyone else notice that there are only 2 different characters that set Billy Goat and Bill Gates apart.
...
Me thinks there is more to this name than meets the eye
Electronic Music Made Using Linux http://soundcloud.com/polyp
It is a program to 'tar-pit' worms. When something (Code Red was the initial reason) scans an IP address that isn't there, it sends an ACK back spoofed to be from that machine, thus causing the worm to have to time out before it goes on, and it can knock the connection into persistent mode, thus locking up the thread on the attacking machine until the thread is killed.
Looks nasty, and there is a debian package. If it works as well as hoped, Linux users could save the networks some trouble.
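The two LaBrea mechanics described above, as an added simulation that is not LaBrea's own code. Part 1 picks the addresses a tarpit may impersonate: the ones whose ARP request nobody answered within a timeout. Part 2 builds the TCP replies that hold the scanner's connection thread: a SYN/ACK advertising a tiny window, then an ACK advertising window 0, which parks the peer in persist mode where it only sends periodic zero-window probes. The timeout, the addresses and the ARP trace are assumptions made for the demonstration.

```python
"""Tarpit mechanics: claim unanswered ARP targets, then hold TCP peers with window 0.

Added example, not LaBrea's code. Timeouts, addresses and the trace are constructed.
"""
import struct
from ipaddress import ip_address

ARP_REPLY_TIMEOUT = 3.0   # assumed: seconds a real host gets to answer before we claim the IP
SYN, ACK = 0x02, 0x10     # TCP flag bits


def unanswered_arp_targets(events, now, timeout=ARP_REPLY_TIMEOUT):
    """events: (timestamp, 'request'|'reply', ip). Return the IPs that were asked
    for but never answered within timeout: those are safe for the tarpit to claim."""
    first_request = {}
    answered = set()
    for ts, kind, ip in sorted(events):
        if kind == "request":
            first_request.setdefault(ip, ts)
        elif kind == "reply" and ip in first_request and ts - first_request[ip] <= timeout:
            answered.add(ip)
    return sorted(ip for ip, t0 in first_request.items()
                  if ip not in answered and now - t0 > timeout)


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum also covers (protocol 6 = TCP)."""
    return ip_address(src_ip).packed + ip_address(dst_ip).packed + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_header(src_ip, dst_ip, sport, dport, seq, ack, flags, window):
    """20-byte TCP header without options, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, hdr):
    """With a correct checksum in place the whole sum folds to zero."""
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def tarpit_reply(tarpit_ip, scanner_ip, tarpit_port, scanner_port, peer_seq, state):
    """state 'syn'   -> answer the scanner's SYN with SYN/ACK and a 10-byte window
       state 'probe' -> answer any later probe with ACK and window 0 (persist mode)"""
    if state == "syn":
        return tcp_header(tarpit_ip, scanner_ip, tarpit_port, scanner_port, 0, peer_seq + 1, SYN | ACK, 10)
    return tcp_header(tarpit_ip, scanner_ip, tarpit_port, scanner_port, 1, peer_seq + 1, ACK, 0)


def window_of(hdr):
    return struct.unpack("!H", hdr[14:16])[0]


def flags_of(hdr):
    return hdr[13]


# Constructed ARP trace: 10.0.0.50 answers, 10.0.0.100 and 10.0.0.101 are dark.
SAMPLE_ARP = [(0.0, "request", "10.0.0.100"), (0.0, "request", "10.0.0.50"),
              (0.4, "reply", "10.0.0.50"), (1.0, "request", "10.0.0.101")]

if __name__ == "__main__":
    claimed = unanswered_arp_targets(SAMPLE_ARP, now=10.0)
    print(claimed)                                                         # ['10.0.0.100', '10.0.0.101']
    synack = tarpit_reply(claimed[0], "10.0.0.10", 80, 40000, 1000, "syn")
    print(window_of(synack), checksum_ok(claimed[0], "10.0.0.10", synack))  # 10 True
```

The ARP step matters as much as the window trick: a tarpit that answers for an address a real host is merely slow to claim will fight that host for its IP, so the timeout must be longer than the slowest legitimate responder on the segment. Sending these headers on a wire takes a raw socket and the IP layer, which this example deliberately leaves out.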
I'd really be interested to see how many of these recent worm infections happened on company systems, as opposed to people's home computers.
I agree that a big problem is educating the average home user to apply update patches as they become available, but this isn't usually an option at the corporate level.
I've seen corporate environments where even the I.T. staff in charge of the desktop systems has to fight and fight to get the approval to apply a security patch. (The team lead or I.T. manager may scratch the plan, arguing they haven't had sufficient time to make sure the patch doesn't break a "mission critical" application they run, or they may decide the patch can wait until another update is rolled out, so they can get 2 birds killed with one stone.) Letting the end users apply their own patches isn't typically allowed on corporate machines.
Cheezborger, cheezborger, cheezborger. No Pepsi, Coke. No fries, cheeps.
[Sorry, but as a Chicagoan, I had to add that to this thread. I was obligated to. :-)]
So, the thing that will put an end to the humanity is called Billy Goat? This is just... wrong.
My exception safety is -fno-exceptions.
3BGG
Three Billy Goats Gruff
The Billy Goat tool is not very well described in the article, I'm assuming, since the implementation details are quite vague. However, some things are clear:
1) It looks for computers that are trying to hit unassigned IP addresses (assuming these are local ones, btw).
2) When it finds a computer trying to hit unassigned IPs (unknown on the required frequencies), it acts to isolate the computer from the rest of the network.
Now, this could be a nice tool. #2 is problematical - if it automatically isolates a computer, this could be bad, but then, hopefully it would be rare, and for some users, they wouldn't even notice. If an administrator is notified that there is some sort of issue going on, here, here, and here, that gives them a heads up to take some action. It wouldn't stop the initial infection, nor would it stop the entire network from being infected, but it might slow down the problem, maybe even enough for us, the slow and stupid human administrators, to get things under control.
Overall, based on what I can see here, a potentially useful tool in a big toolbox.
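The detector this summary infers (and the egress-filtering reading earlier in the thread), as an added example that is not IBM's Billy Goat code: flag any local host that contacts more unassigned local addresses than a threshold within a time window, then quarantine it. The network, the assigned-address set, the window, the threshold and the flow records are all made up for the demonstration; in practice the assigned set would come from a DHCP lease table or IPAM export.

```python
"""Dark-address worm detector over constructed flow records.

Added example of the behaviour the thread infers for Billy Goat, not IBM's code.
Network, assigned addresses, thresholds and flows are assumptions.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")          # assumed monitored network
# Assumed assigned addresses; a DHCP lease table or IPAM export feeds this in practice.
ASSIGNED = {ip_address(a) for a in ("10.0.0.1", "10.0.0.10", "10.0.0.11", "10.0.0.50")}
WINDOW_SECONDS = 60                            # assumed sliding window
DARK_THRESHOLD = 5                             # assumed distinct dark targets per window


def is_dark(dst):
    """True when dst lies inside the monitored network but is not assigned to any host."""
    dst = ip_address(dst) if isinstance(dst, str) else dst
    return dst in LOCAL_NET and dst not in ASSIGNED


class DarkAddressDetector:
    """Counts the distinct dark addresses each source touched within the last window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DARK_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)   # src -> deque of (timestamp, dark dst)
        self.quarantined = set()

    def observe(self, ts, src, dst):
        """Feed one flow record; return True the first time src trips the threshold."""
        src, dst = ip_address(src), ip_address(dst)
        if not is_dark(dst):
            return False                 # traffic to real hosts or off-net is not evidence
        recent = self.hits[src]
        recent.append((ts, dst))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()             # expire hits that fell out of the window
        distinct = {d for _, d in recent}
        if len(distinct) >= self.threshold and src not in self.quarantined:
            self.quarantined.add(src)
            return True
        return False


def run(records):
    """Return the sorted list of sources the detector would quarantine."""
    det = DarkAddressDetector()
    for ts, src, dst in records:
        det.observe(ts, src, dst)
    return sorted(str(s) for s in det.quarantined)


# Constructed flow records: (seconds since start, source, destination).
SAMPLE_FLOWS = (
    # 10.0.0.10 sweeps six unassigned neighbours within ten seconds: scanning worm.
    [(t, "10.0.0.10", "10.0.0.%d" % (100 + t)) for t in range(6)]
    # 10.0.0.11 talks only to real hosts and the Internet: normal.
    + [(2, "10.0.0.11", "10.0.0.50"), (3, "10.0.0.11", "10.0.0.1"), (4, "10.0.0.11", "8.8.8.8")]
    # 10.0.0.50 fat-fingers two dark addresses: below threshold.
    + [(5, "10.0.0.50", "10.0.0.200"), (6, "10.0.0.50", "10.0.0.201")]
    # 10.0.0.1 probes one dark address every 100 s: never exceeds the per-window count.
    + [(100 * k, "10.0.0.1", "10.0.0.%d" % (150 + k)) for k in range(6)]
)

if __name__ == "__main__":
    print(run(sorted(SAMPLE_FLOWS)))   # ['10.0.0.10']
```

Two limits the sample makes visible: a mail worm that only contacts harvested, valid addresses never touches dark space and is invisible to this check, and a scanner patient enough to stay under the window threshold (10.0.0.1 above) also passes, so the window and threshold are a trade-off against false positives on hosts that simply mistype an address.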
Billy goats... wasn't there enough troll food already?
*honkenpossiblyobscure*
This is my sig. It's prescription, I swear. I need it for reading things... on the other side of things
Oh, I thought this was going to be an SCO story. I'm sure we're going to see one soon with a similar title!
Skiing? Check out The Independant Skiers Portal
He Gets Mad
Narrator: A goat can feel happy
A goat can feel sad
A goat can feel wonderful
A goat can feel mad
Goat: Feel mad! Feel mad! Feel mad!
It ain't bad to feel mad
N: If someone pulled the hair on his chin
Would a goat say nothing, stand there and grin?
Goat: NO! I get mad! I get mad! I get mad!
It ain't bad to get mad
N: And what if someone gave him a fright
Would a goat laugh, "Ha, ha, it's quite all right"?
Goat: NO! I get mad! I get mad! I get mad!
It ain't bad to get mad
N: And what if someone does something unkind
Would a goat pretend he doesn't mind?
Goat: NO! I get mad! I get mad! I get mad!
It ain't bad to get mad
N: And if a friend lets him down
Pig with ice cream cone: (snorting) Forgot to bring one for YOU.
N: Would a goat say, "No matter, don't worry, I couldn't care less"?
Goat: NO! I get mad! I get mad! I get mad!
It ain't bad to get mad
N: And in the end most folks are glad
To find out what makes him mad
All: He gets mad, he gets mad, he gets mad.
It ain't bad to get mad!
Goat: Yeah!
Next week we will be bringing an automated system online that will do the following:
- snort portscan preprocessor will look for port scanning (with a list of exceptions for data center servers)
- a perl script will have the alerts piped to it and know when a new scan has started
- the perl expect mod will be used to put a null route in the network (on a cisco device) for the host that is doing the scanning. No return packets will make it back to the infected box.
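The three-step pipeline just described, as an added Python sketch rather than the poster's Perl script. The alert lines are constructed to resemble Snort's fast-alert output for the portscan preprocessor (generator ID 122); the data-center exception list and the re-alert window are assumptions. It emits the IOS commands instead of pushing them, so it runs offline; the Expect session that logs into the router is left out.

```python
"""Snort portscan alerts -> deduplicated Cisco null-route commands.

Added example, not the poster's script. Alert lines are constructed; the
exception list and the re-alert window are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed exceptions: hosts allowed to sweep (monitoring boxes, data-center servers).
EXCEPTIONS = [ip_network("10.0.5.0/24"), ip_network("10.0.0.1/32")]
REALERT_SECONDS = 600   # assumed: alerts from one source within ten minutes are the same scan

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[122:(?P<sid>\d+):\d+\]\s+\(portscan\)\s+(?P<kind>.+?)\s+\[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s*$")


def parse_alert(line):
    """Return (seconds into the day, source, scan kind) for a portscan alert, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return secs, m["src"], m["kind"]


def is_exempt(src):
    return any(ip_address(src) in net for net in EXCEPTIONS)


def null_route_commands(src):
    """IOS configuration that black-holes the scanner; nothing routes back to it."""
    return ["configure terminal", "ip route %s 255.255.255.255 Null0" % src, "end"]


class ScanResponder:
    """Remembers which sources were acted on so one noisy scan, which Snort reports
    as many alert lines, produces a single router change."""

    def __init__(self, realert=REALERT_SECONDS):
        self.realert = realert
        self.last_acted = {}      # src -> seconds of the alert we last acted on

    def handle(self, line):
        """Return the IOS commands to run for this alert line, or [] if none."""
        parsed = parse_alert(line)
        if parsed is None:
            return []
        secs, src, _kind = parsed
        if is_exempt(src):
            return []
        prev = self.last_acted.get(src)
        if prev is not None and secs - prev < self.realert:
            return []             # same scan still in progress, already null-routed
        self.last_acted[src] = secs
        return null_route_commands(src)


def respond_all(lines):
    """Feed a batch of alert lines through one responder; return the command lists emitted."""
    responder = ScanResponder()
    return [cmds for cmds in (responder.handle(l) for l in lines) if cmds]


# Constructed alert lines in the shape of Snort fast alerts (not real captures).
SAMPLE_ALERTS = [
    "09/01-09:02:11.123456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.10 -> 10.0.0.200",
    "09/01-09:02:12.223456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.10 -> 10.0.0.201",
    "09/01-09:02:13.323456  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.0.5.7 -> 10.0.0.3",
    "09/01-09:02:14.423456  [**] [1:1000001:1] local test rule [**] [Priority: 1] {TCP} 10.0.0.44:1066 -> 10.0.0.3:135",
    "09/01-09:30:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.10 -> 10.0.0.77",
]

if __name__ == "__main__":
    for cmds in respond_all(SAMPLE_ALERTS):
        print("\n".join(cmds))
```

The exception list is the part that needs the most care: the poster's "data center servers" are exactly the hosts whose legitimate sweeps look like scans, and a null route on a production server does more damage than the worm. Note also that a null route stops return traffic only; the infected box keeps emitting SYNs at the router until it is cleaned.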
Portsentry on FreeBSD (or BSD in general, I guess) will do all of this for about 10 minutes of work. With Snort you'll be able to collate seemingly random portscans into patterns (sometimes a determined cracker will try to lurk in the background scanning only one port per minute/hour/day/etc), but portsentry will do all the "nullroute anybody who touches a magic port" stuff easily.
When I was a kid, we only had one Darth.
Glad you came around. The use of Snort and Perl, especially in combination with iptables, etc., can make something pretty hard to break if it's done right. The great thing about the combination of the three is the flexibility allowed; the different ways to accomplish the same effect on traffic are literally endless, so you see where a flooded job market is still starved for real talent.
One of the things I thought of, that nobody has even brought up that I could find on this post, is the fact that this "Billy Goat" only benefits Microsoft in the long run. Why should they change now when they can let big-ass IBM fork out the funding for this kind of R&D?
After all, hasn't an entire industry spawned in the wake of Microsoft's negligence? And to what avail? Microsoft needs to either be held accountable or they need to release source code. These are the only 2 ways, and mark the words, one day it will come to that.
You are about to give someone a piece of your mind, something which you can ill afford...
I wonder how this is different from a tarpit with a program to report everyone who is visiting it. Related slashdot article
NetScreen's IDP product had this technology almost 2 years ago - we called it a 'Network Honeypot'. All it does is respond to IPs that don't exist (or that do, but on ports the machine is not listening on) and then perform rules against that IP. The rules can be as simple as 'log' to as aggressive as 'block the subnet of this IP for x hours', or anywhere in between.
But we didn't get press coverage, because:
a) We're not IBM
b) We don't come up with cool codenames
c) This is so obvious it doesn't deserve coverage.
-AC
Python script to convert photos into "artsy" portraits: http://p2pbridge.sf.net/pyPortrait/
What is an Anomaly based IDS and how does it differ from Signature based systems?
Signature based systems rely on static analysis of events.
Anomaly systems rely on creating a baseline of normal activity then flag any deviations.
How anomaly based systems work.
A baseline is normally gathered during a tuning phase. Gather all traffic, analyze it, store it.
Data mining process that does statistical analysis of data.
Theory behind them.
If its traffic that hasn't been seen before, its bad.
Attacks cause things the system has not seen before.
How to tear the Castle Down.
1.) More noise, less accuracy.
Single outside point to multiple inside machines.
Properly crafted packets will cause inside machines to appear as attackers.
2.) Covert channels.
Hiding the data in plain sight.
How useful is this?
3.) Flooding.
Several outside sources to a single inside source. Not very effective, but useful for quick and dirty.
Flaws in the System
Attacks against the system itself.
Attacks against what feeds the system.
Summary:
It is very easy to use anomalies to sort good traffic from bad. But with everything, this sort of system can be used against itself as a distraction. Its very flaw is its design. Using software such as this to detect worms is a great idea. However, it won't work once someone writes code that dodges this type of detection, ie something that pretends to be normal traffic.
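The baseline-and-deviation scheme this outline describes, plus two of the failure modes it lists, as an added example that is not from the page. It builds a per-host baseline (mean and spread of connections per minute from a tuning phase), flags hosts whose current rate exceeds the baseline by more than z standard deviations, then shows (a) a worm that rate-limits itself to its host's normal traffic, the evasion the summary warns about, and (b) tuning-phase poisoning, where noise injected during learning widens the baseline until a real burst no longer registers. The z threshold, the standard-deviation floor and every count are constructed.

```python
"""Per-host baseline anomaly detection and two ways around it.

Added example, not from the page. Threshold, floor and all counts are constructed.
"""
import statistics

Z_THRESHOLD = 3.0      # assumed: rates more than three sigma above baseline are anomalies
MIN_STDDEV = 1.0       # assumed floor so a perfectly steady host cannot divide by zero


def build_baseline(training):
    """training: host -> connections-per-minute samples from the tuning phase.
    Returns host -> (mean, stddev) with the floor applied."""
    return {host: (statistics.mean(samples), max(statistics.pstdev(samples), MIN_STDDEV))
            for host, samples in training.items()}


def z_score(baseline, host, count):
    mean, sd = baseline[host]
    return (count - mean) / sd


def is_anomalous(baseline, host, count, z=Z_THRESHOLD):
    """Flag only increases: a host going quiet is not a worm."""
    return z_score(baseline, host, count) > z


def stealth_budget(baseline, host, z=Z_THRESHOLD):
    """Largest per-minute rate a worm on host can use without being flagged,
    computed from the defender's own numbers: this is the evasion the summary describes."""
    mean, sd = baseline[host]
    return int(mean + z * sd)


# Constructed tuning-phase data: a quiet workstation and a busy file server.
CLEAN_TRAINING = {
    "10.0.0.10": [5, 6, 5, 7, 6, 5, 6],
    "10.0.0.50": [120, 130, 125, 118, 122, 127, 131],
}
# The same workstation, but an attacker sprayed noise at it during the tuning phase.
POISONED_TRAINING = {"10.0.0.10": CLEAN_TRAINING["10.0.0.10"] + [200, 5, 300]}

if __name__ == "__main__":
    clean = build_baseline(CLEAN_TRAINING)
    print(is_anomalous(clean, "10.0.0.10", 40))        # True: a scanning burst
    print(stealth_budget(clean, "10.0.0.10"))          # 8: a worm pacing itself to 8/min passes
    print(is_anomalous(clean, "10.0.0.10", 8))         # False
    poisoned = build_baseline(POISONED_TRAINING)
    print(is_anomalous(poisoned, "10.0.0.10", 40))     # False: the poisoned baseline swallowed it
```

Both failures come from the same property: the detector defines "normal" purely from what it saw, so anything the attacker can make it see during tuning, or can keep below the line afterwards, is by construction normal. Pairing the statistical check with an unconditional one (traffic to unassigned addresses, which has no legitimate baseline at all) is the usual answer.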
I HATE YOU ASSES!!! How could this post have possibly been redundant when it specifically referred to Trolling4Dollars??!!! Did someone else make the same point that if Trolling4Dollars posted that he would have gotten modded as a troll?!! I DON'T THINK SO!!! God you folks are really fucking stupid!! I'd love to find the fucking nerd who modded T4D down and beat the living shit out of him. What T4D said was hilarious and should have been modded as +1 Funny. I can't believe how stupid you fucking moderators are. All you do is ruin the level of humor on Slashdot. You are a disgrace and need to be killed.
About as much good as a network polluted with MS transmitted diseases. The users are not dumb, they are doing what the "experts" tell them is right. It's the "experts" who either lack a clue or have an interest in M$ shit that are the problem. Fix one expert and you swing a few hundred users sooner or later. The more experts you fix the faster the users swing.
I'm now working in the trenches, a local computer retail shop. The cost of this latest wave of viruses is $40, $100 per disabled computer. This is on top of the "normal" windoze attrition that's part of the upgrade train now pushing windoze XP as a fix. Do you have any idea how much it would cost the end user to get all the fucking patches put on after reinstalling their crappy OEM M$ software? Doing the same for broken XP boxes is also expensive, but they seem to fix a little faster. The customers are not happy, yet they feel compelled to stay in windoze land due to Microshit's audio/video device driver lock-in or a perceived M$ Word requirement. MSN and AOL subscriptions are another problem.
Still, I see a way to promote free software: use the right tool for the right job. Free software's networking is much better than Microsoft's poor stuff. A dual booting machine that uses free software for all email and other net functions is a practical solution to MS transmitted diseases.
Friends don't help friends install M$ junk.
That Billy Goat is going to clean up the mess left by Billy Gates?
ROFLMAO!
The race isn't always to the swift... but that's the way to bet!
Looking at my firewall logs, I am seeing a definite periodicity of pings from Nachi/Welchia et al.
I have not had time to analyse the logs for frequency vs the time zone of the sender's IP address. But from a cursory look there appears to be a greater traffic load during work hours.
Yeah yeah, I will get modded troll for the word ' Ultimate' in the subject. See if I care.
A virus/worm I would write would:
- Sniff the network for ARPs and only contact addresses it sees on the wire.
- Lend the OS detection and possibly more of the stealth features from nmap.
- Be multi-os (windows, mac, linux) (not multi-platform, i386 will do nicely, thank you.)
- Use a trick devised by another slashdotter to find follow-up code by doing a google search (possibly hidden in an existing HTTP connection)
- Spite the system-administrator for his not patching known vulnerabilities
- Leave the Linux/BSD admins off the hook (mostly because it's much more difficult to do real damage, oh, and because it's pointless to code for BSD vulnerabilities)
- Kill the windows boxes (without referring to O/S. Don't want to give O/S bad publicity now do we? */sarcasm*)
- After a time-out based on the amount of times that we've hit an already infected box within the same sub-net
- Using a decent IP-# generation trick.
It isn't so hard to create a really damaging virus/worm, you just have to put some effort into it. (To nay-sayers on the multi-O/S part: if your worm is able to find vulnerabilities, it can use them to install any binary you like. I would think you start out spreading the windows worm with the linux/mac/other payloads in it and making it so that, when installed on the target platform, it contains the code to infect all other platforms.)
There's one little problem with this idea: the last time I did real coding, as opposed to scripting, was almost ten years back.
(Would 'they' come after me if a virus writer confesses to have used my ideas?
Karma? What's that again?
Chizborgha! Chizborgha! Chizborgha!
No, wait. I don't want to think about that in connection with squashing worms. Never mind.
My other car is a 1984 Nark Avenger.
There was an episode on Saturday Night Live where Coca-Cola came in and bribed them and immediately wheeled in new machines. And all the customers who were used to ordering Pepsi were told "No Pepsi. Coke."
My other car is a 1984 Nark Avenger.