Slashdot Mirror

← Back to Stories (view on slashdot.org)

IBM's Billy Goat Squashes Worms

Posted by Hemos on from the behavior-based-activity dept.

fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."

12 of 170 comments (clear)

  1. inapproporiate title? by lingqi · · Score: 3, Interesting

    squashes worms?

    it is a detection system. and an imperfect one at that: heck even the designer for the software itself says this...

    besides, if it's an outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching it's grass and not have a clue while the network slows to a crawl.

    I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?

    --

    My life in the land of the rising sun.

    1. Re:inapproporiate title? by Anonymous Coward · · Score: 4, Interesting

      So then we're in a situation of either

      a) The admins take 5 mins to work out what out whats wrong and block the traffic (on a good day)

      or

      b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic. ...Leading to the attacker having an easy way to do a DOS attack on the entire network (by scanning every possible port on an unused ip address)

  2. issues with this by segment · · Score: 4, Interesting

    IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

    What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of address from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.

    Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.

    It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.

    This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anamoly detection experience. Hell if you've read enough RFC's and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.

    Oh well it sounded good for a minute, it's a shame they didn't included any screenshots or specs in the article.

    --
    MoFscker
  3. Detects port scans? by twelveinchbrain · · Score: 2, Interesting

    TFA isn't very clear, but it sounds like the only thing unique about Billy Goat is that it detects port scans. I can't believe it would take a bunch of PhD computer scientists to figure out how to do that. Anyone else know what makes this thing special?

    --
    Not Found
    The requested URL /signature.html was not found on this server.
  4. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  5. Honey, I'm home by Alejo · · Score: 2, Interesting
    The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others.

    and then
    IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

    Doesn't this sound like honeyd?

  6. Re:What's the point? by KrispyKringle · · Score: 4, Interesting
    I'm not sure I follow you on educating the end user. It's definitely a good idea, to be sure, but it does little against worms that require no user interaction to infect the PC, like Blaster. Granted, if the machine were patched, it would help, but not that much. Many users are on slow connections, windowsupdate was unreliable, and the time it takes users to patch--a few hours, a few days--is easily enough time to become infected (I have a friend who connected a new XP machine to the 'Net to run windowsupdate and was infected in minutes).

    On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.

    This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.

  7. Network Management Software by Dionysus · · Score: 3, Interesting

    Doesn't network management software like NNM and whatever CA's stuff is called, work by doing ping sweeps and other stuff to detect new systems on the network?

    Won't it break those systems?

    --
    Je ne parle pas francais.
  8. How long before it's turned against file sharers by ralatalo · · Score: 3, Interesting

    Seems to me that it it's aimed towards detecting sources that aren't published, that somewhere there needs to be a list of 'published sites'. If you're web, ftp, mail, cvs, filesharing software isn't on the list then it will flag everyone who connects to it for futher study.

  9. A minor variation on this... by zen+parse · · Score: 3, Interesting

    Here's an idea I had a while ago, (probably around slammer time) but never got around to doing anything about (because I don't admin any networks).

    A module for your IDS which, if it detects a machine on your network is infected with something, automatically set your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themself, or to contact the helpdesk, or whatever.

    In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.

    The infoming machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the users application, telling the user what is happening.

    Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.

    It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents. ;/

  10. Re:Billy Goat by cockroach2 · · Score: 2, Interesting

    funny thing is, in some swiss dialects, "geiss" (swiss-german for goat) is pronounced exactly like "gates" without the t, sort of like "gayss"...

  11. Re:Useful tool to have in an emergency by unixbugs · · Score: 2, Interesting

    glad you came around. the use of snort and perl, especially in combination with iptables, etc. can make something pretty hard to break if its done right. the great thing about the combination of the three is the flexibility allowed; the different ways to accomplish the same effect on traffic are literally endless, so you see where a flooded job market is still starved for real talent.

    one of the things i thought of, that nobody has even brought up that i could find on this post, is the fact that this "Billy Goat" only benefits microsoft in the long run. why should they change now when they can let big ass IBM fork out the funding for this kind of R&D?

    after all, hasn't an entire industry spawned in the wake of microsofts neglegence? and to what avail? microsoft needs to either be held accountable or they need to release source code. these are the only 2 ways, and mark the words, one day it will come to that.

    --
    You are about to give someone a piece of your mind, something which you can ill afford...