Slashdot Mirror


IBM's Billy Goat Squashes Worms

fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."

7 of 170 comments

  1. Re:inappropriate title? by farnz · Score: 5, Informative
    Something like Blaster scans the network for vulnerable machines; some of these IPs are unassigned. Billy Goat detects the attempts to access unassigned IPs, and alerts admins/firewalls your box off/generally makes noise.

    The result is that something like Blaster gets caught before your whole network is infested; Billy Goat ignores a slashdotting, since all the traffic goes to assigned IPs.
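    The detection idea farnz describes, written out as an added example (this is not IBM's Billy Goat code, and the address plan and flow records below are constructed for illustration): sources that touch many addresses inside the monitored network that nobody has been assigned are flagged, while a flood of traffic to an assigned web server, the "slashdotting" case, produces no hits at all.

```python
"""Dark-address scan detector: flag sources that probe unassigned addresses.

Added example in the spirit of the Billy Goat idea, not IBM's code. The
monitored network, the assigned-address list and the flow records are all
constructed; a real deployment would feed them from the address plan (DHCP
leases, inventory) and from flow or firewall logs.
"""
from collections import defaultdict
import ipaddress

# Constructed address plan: TEST-NET-1, with four addresses actually in use.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in (
    "192.0.2.1", "192.0.2.10", "192.0.2.20", "192.0.2.80")}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    # A web server being hammered from forty outside hosts: all to an assigned address.
    *[("203.0.113.%d" % i, "192.0.2.80", 80) for i in range(1, 41)],
    # Ordinary internal traffic between two assigned hosts.
    ("192.0.2.10", "192.0.2.20", 445),
    # A Blaster-style scanner on 192.0.2.20 sweeping the /24 on 135/tcp.
    *[("192.0.2.20", "192.0.2.%d" % h, 135) for h in range(2, 30)],
]


def dark_hits(flows, assigned, net):
    """Map each source to the sorted list of unassigned addresses it touched.

    Only destinations inside the monitored network are judged: an address
    outside it is not covered by our plan, so its emptiness means nothing.
    """
    hits = defaultdict(set)
    for src, dst, _port in flows:
        d = ipaddress.ip_address(dst)
        if d in net and d not in assigned:
            hits[src].add(d)
    return {s: sorted(str(a) for a in v) for s, v in hits.items()}


def suspects(flows, assigned, net, threshold=5):
    """Sources that touched at least `threshold` distinct unassigned addresses.

    A threshold above one tolerates a mistyped address or a stale DNS entry;
    a scanner walking the range crosses it within seconds.
    """
    return {s: len(v) for s, v in dark_hits(flows, assigned, net).items()
            if len(v) >= threshold}


if __name__ == "__main__":
    for src, count in suspects(FLOWS, ASSIGNED, MONITORED_NET).items():
        print(f"{src}: {count} unassigned addresses probed")
```

    The scanner is the only source reported: it hit 26 of the 28 addresses it swept (the two assigned ones, .10 and .20, do not count), while none of the forty web clients register a single hit because everything they sent went to an assigned address.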

  2. Re:issues with this by mOoZik · Score: 3, Informative

    Actually, some of the worst worms have used random IPs. The worms you mentioned only use the emails from the address books, as there is no way to get IP information from it. Therefore monitoring which IPs are fake will provide a method of early warning. Though that's all it'll do.

  3. Re:Billy Goat by Anonymous Coward · Score: 2, Informative

    Actually, it's probably more likely they are referencing the folk tale of the Three Billy Goats Gruff.

  4. LaBrea by MoogMan · Score: 5, Informative

    LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/

  5. Re:issues with this by tesmako · Score: 2, Informative

    Repeat after me: Sobig is *NOT* a worm, it requires the user to execute the attachment. It relies on somewhat crude social engineering, absolutely not a self-replicating worm.

  6. Re: end user patching by King_TJ · Score: 3, Informative

    I'd really be interested to see how many of these recent worm infections happened on company systems, as opposed to people's home computers.

    I agree that a big problem is educating the average home user to apply update patches as they become available, but this isn't usually an option at the corporate level.

    I've seen corporate environments where even the I.T. staff in charge of the desktop systems has to fight and fight to get the approval to apply a security patch. (The team lead or I.T. manager may scratch the plan, arguing they haven't had sufficient time to make sure the patch doesn't break a "mission critical" application they run, or they may decide the patch can wait until another update is rolled out, so they can get 2 birds killed with one stone.) Letting the end users apply their own patches isn't typically allowed on corporate machines.

  7. NetScreen IDP had this two years ago... by Anonymous Coward · Score: 2, Informative

    NetScreen's IDP product had this technology almost 2 years ago - we called it a 'Network Honeypot'. All it does is respond to IPs that don't exist (or that do, but on ports the machine is not listening on) and then perform rules against that IP. The rules can be as simple as 'log' to as aggressive as 'block the subnet of this IP for x hours', or anywhere in between.

    But we didn't get press coverage, because:

    a) We're not IBM
    b) We don't come up with cool codenames
    c) This is so obvious it doesn't deserve coverage.

    -AC
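
    The rule-driven response the comment above describes, as an added example (this is not NetScreen's code): a probe counts as a trigger when its destination is an address in our network that nobody holds, or a real host contacted on a port it is not listening on; the first matching rule then decides between merely logging it and blocking the source's /24 for a number of hours, with the block expiring on its own. The inventory, rule table and probes are constructed for illustration.

```python
"""Network-honeypot style trigger and response rules.

Added example, not NetScreen IDP's code. The listening inventory, the rule
table and the probes are constructed. Trigger: a destination inside the
protected network that is unassigned, or assigned but not listening on the
probed port. Response: first matching rule wins, 'log' or 'block_subnet'
(block the source's /24 for N hours).
"""
import ipaddress
from datetime import datetime, timedelta

NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed inventory: assigned address -> ports that host actually listens on.
LISTENING = {
    ipaddress.ip_address("192.0.2.10"): {22, 443},
    ipaddress.ip_address("192.0.2.20"): {445},
}

# Constructed rules, evaluated in order: (port or None for any, action, hours).
RULES = [
    (135, "block_subnet", 4),   # RPC/DCOM probes: block the source /24 for 4 hours
    (445, "block_subnet", 1),   # SMB probes: block for 1 hour
    (None, "log", None),        # anything else that triggers: just record it
]


def is_trigger(dst, port, listening=LISTENING, net=NET):
    """True if `dst` is in our network and either unassigned or not listening on `port`."""
    d = ipaddress.ip_address(dst)
    if d not in net:
        return False            # not our address space; nothing to judge
    ports = listening.get(d)
    return ports is None or port not in ports


def match_rule(port, rules=RULES):
    """First rule whose port matches (None matches any); defaults to logging."""
    for rule_port, action, hours in rules:
        if rule_port is None or rule_port == port:
            return action, hours
    return "log", None


class Responder:
    def __init__(self):
        self.log = []      # (when, src, dst, port, action)
        self.blocks = {}   # blocked source subnet -> expiry time

    def handle(self, when, src, dst, port):
        """Evaluate one probe; return the action taken, or None if it was not a trigger."""
        if not is_trigger(dst, port):
            return None
        action, hours = match_rule(port)
        self.log.append((when, src, dst, port, action))
        if action == "block_subnet":
            subnet = ipaddress.ip_network(f"{src}/24", strict=False)
            expiry = when + timedelta(hours=hours)
            # A repeat offender extends an existing block but never shortens it.
            if subnet not in self.blocks or self.blocks[subnet] < expiry:
                self.blocks[subnet] = expiry
        return action

    def is_blocked(self, src, when):
        """True if `src` falls in a subnet whose block has not yet expired."""
        s = ipaddress.ip_address(src)
        return any(s in net and when < exp for net, exp in self.blocks.items())


if __name__ == "__main__":
    r = Responder()
    t0 = datetime(2003, 8, 20, 12, 0)
    print(r.handle(t0, "198.51.100.7", "192.0.2.10", 443))   # legitimate: None
    print(r.handle(t0, "198.51.100.7", "192.0.2.10", 135))   # closed port: block_subnet
    print(r.handle(t0, "198.51.100.8", "192.0.2.33", 80))    # no such host: log
    print(r.is_blocked("198.51.100.99", t0 + timedelta(hours=3)))  # True
```

    Note that the subnet-wide block is deliberately coarse, which is the trade-off the comment's "aggressive" end of the scale implies: one infected machine on a remote /24 shuts out its neighbours for the duration, so in practice that action is reserved for ports such as 135 and 445 that no legitimate outside client should be touching.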