IBM's Billy Goat Squashes Worms
fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."
This is a play on the name "Bill Gates", surely? Why else would they call it that. Interesting concept nonetheless.
I.O.U One Sig.
squashes worms?
It is a detection system, and an imperfect one at that: heck, even the designer of the software itself says this...
Besides, if it's an Outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching its grass and not have a clue while the network slows to a crawl.
I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?
My life in the land of the rising sun.
I do not want to look anal but I think the submitter meant "last month" :-)
Trolling using another account since 2005.
Detecting potential attacks is one thing and preventing damage and slow-down of the internet is another. Even now we can somewhat predict them before they begin to slow the entire net down. But seeing how something akin to these last two worms will slip right by even with our knowledge, this technology becomes rather redundant. Eventually, educating the end-user will be a greater force than some goat.
P.S. any coincidence it is named "Billy"?
A blog like any other.
So you're turning on a computer system that's intended to be intelligent enough to seek out and eradicate computer worms?
Did you NOT see Terminator 3?
- Those that do not learn from history are doomed to repeat it.
Or, in this case, those that don't learn from crappy movies. =P
It sounds like a nice extension of egress filtering; you know which of your IPs are unassigned, and so you assume that boxes trying to access unused IPs are up to no good, and act accordingly (firewall the affected box off, and investigate). Slows worm propagation, and discourages people from scanning your entire address space unnecessarily.
I appear to have a blog. Odd.
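The unassigned-address idea from the post above, as an added example that is not code from the article or from IBM: per-source fan-out into unused local addresses flags a scanning host, while many outside sources hitting one assigned host (the "slashdotting" case raised earlier in the thread) is kept separate. The assigned-address list and the flow records are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed: the local /24 and the addresses actually assigned to hosts on it.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in
            ("10.0.0.1", "10.0.0.10", "10.0.0.11", "10.0.0.25", "10.0.0.80")}

# Constructed flow records (src, dst, dst_port):
#  - 10.0.0.10 sweeps the whole subnet on 135/tcp (worm-like scanning)
#  - 199 outside hosts all hit the web server at .80 (a flood, not a worm)
#  - 10.0.0.25 talks only to assigned hosts (normal traffic)
FLOWS = ([("10.0.0.10", f"10.0.0.{i}", 135) for i in range(2, 60)]
         + [(f"192.0.2.{i}", "10.0.0.80", 80) for i in range(1, 200)]
         + [("10.0.0.25", "10.0.0.1", 53), ("10.0.0.25", "10.0.0.11", 445)])


def dark_hits(flows, assigned=ASSIGNED, local_net=LOCAL_NET):
    """Per source: number of distinct unassigned local addresses it contacted."""
    seen = defaultdict(set)
    for src, dst, _port in flows:
        d = ipaddress.ip_address(dst)
        if d in local_net and d not in assigned:
            seen[src].add(d)
    return {src: len(dsts) for src, dsts in seen.items()}


def flag_scanners(flows, threshold=8):
    """Sources that touched at least `threshold` unassigned addresses."""
    return sorted(s for s, n in dark_hits(flows).items() if n >= threshold)


def flag_flood_targets(flows, assigned=ASSIGNED, threshold=50):
    """Assigned hosts contacted by many distinct sources: load, not worm scanning."""
    srcs = defaultdict(set)
    for src, dst, _port in flows:
        if ipaddress.ip_address(dst) in assigned:
            srcs[dst].add(src)
    return sorted(d for d, s in srcs.items() if len(s) >= threshold)


if __name__ == "__main__":
    print("scanners:", flag_scanners(FLOWS))        # firewall off and investigate
    print("flood targets:", flag_flood_targets(FLOWS))  # capacity problem, not a worm
```

Tune the scanner threshold to the subnet's normal background (DHCP churn, management sweeps), since a single stray ARP or ping to an unused address is not evidence of infection.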
Will it butt trolls off the net too?
Sheesh, evil *and* a jerk. -- Jade
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.
What good would this do (checking unassigned addresses), as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine? Hrmm, sounds odd typing because I'm tired. OK, for instance, most MS-based worms such as Blaster, Sobig, etc. tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails, which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make, since it somehow obtained the information locally?
Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.
It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.
This is a bold statement for IBM to make, considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell, if you've read enough RFCs and Cisco books, anyone would be able to detect and halt attacks using freeware such as Snort.
Oh well, it sounded good for a minute; it's a shame they didn't include any screenshots or specs in the article.
MoFscker
Never click on a link with the word "goat" in it.
If you built a software package that catches worms...why wouldn't you call it "Early Bird"?
Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
Is that a hint that Bill Gates is into Goatse? I'm a nice troll, gimme a cookie.
if(>X packets received from ip
&& !reverse dns for ip)
block ip
Do I win $10?
If you were blocking sigs, you wouldn't have to read this.
My second reaction is that the focus needs to be at the level of the ISPs. To expect all users to reliably protect themselves against attacks is just naive. Technology that could immediately detect attacks and prevent their propagation to individual users in the first place seems to me feasible and desirable.
LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/
Doesn't network management software like NNM and whatever CA's stuff is called, work by doing ping sweeps and other stuff to detect new systems on the network?
Won't it break those systems?
Je ne parle pas francais.
Seems to me that if it's aimed towards detecting sources that aren't published, then somewhere there needs to be a list of 'published sites'. If your web, ftp, mail, cvs, or filesharing software isn't on the list, then it will flag everyone who connects to it for further study.
Here's an idea I had a while ago, (probably around slammer time) but never got around to doing anything about (because I don't admin any networks).
;/
A module for your IDS which, if it detects that a machine on your network is infected with something, automatically sets your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themselves, or to contact the helpdesk, or whatever.
In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.
The informing machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the user's application, telling the user what is happening.
Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't, they are isolated from the internet, and after their DHCP lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.
It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents.
Sadly, people just know 'anal' these days. Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.
I can now imagine that this sort of intrusion detection software will be known only as Billy Goat, just as so many use 'trojan' and 'virus' when such terms are far from inappropriate to describe a specific piece of software with destructive intent. Why, just this morning, an interview with the prosecutor of Blaster.B accused author Jeffrey Lee Parsons, yielded such terms as "cyber-hacker." Since when did "cyber" need to be prefixed? I'm waiting for someone in the legal profession to butcher that term, and vomit terms like Cyber-goat.
IBM was foolish to announce this so early. I just know they will get targeted by the crackers out there for it (note, that's criminal-hacker, not ebonic slang/slur for white person), and then the crackers will roast the billy goat over IBM's own firewall!
For those who aren't well-educated on nursery rhymes, go read up on Three Billy Goats Gruff. You will find the proper origin of the software name there, trade-related double-entendres notwithstanding.
Strikes me that it would be great if Billy Goat was designed on top of a Linux kernel.
If it turned out to be a great product, that would be a wonderful bit of irony: Linux working to save a messed-up Windows world.
s l o w . d o w n
while keeping the rest of the network moving right along while emailing the admin about it.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
I'd really be interested to see how many of these recent worm infections happened on company systems, as opposed to people's home computers.
I agree that a big problem is educating the average home user to apply update patches as they become available, but this isn't usually an option at the corporate level.
I've seen corporate environments where even the I.T. staff in charge of the desktop systems has to fight and fight to get the approval to apply a security patch. (The team lead or I.T. manager may scratch the plan, arguing they haven't had sufficient time to make sure the patch doesn't break a "mission critical" application they run, or they may decide the patch can wait until another update is rolled out, so they can kill two birds with one stone.) Letting the end users apply their own patches isn't typically allowed on corporate machines.
So, the thing that will put an end to humanity is called Billy Goat? This is just... wrong.
My exception safety is -fno-exceptions.