Slashdot Mirror


IBM's Billy Goat Squashes Worms

fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."

20 of 170 comments

  1. Billy Goat by shird · · Score: 5, Funny

    This is a play on the name "Bill Gates", surely? Why else would they call it that. Interesting concept nonetheless.

    --
    I.O.U One Sig.
    1. Re:Billy Goat by KoolDude · · Score: 4, Funny


      In giving out the details, the researchers mentioned that the full name is Williamy Henry Goat III. They also announced that a helper software code-named Steward "Monkey" Bawlmer will be released soon.

      --
      getSexySig(); /* returns sexy signature */
  2. "earlier this month" by mirko · · Score: 5, Funny

    I do not want to look anal but I think the submitter meant "last month" :-)

    --
    Trolling using another account since 2005.
    1. Re:"earlier this month" by F452 · · Score: 5, Funny
      I do not want to look anal but I think the submitter meant "last month" :-)

      Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

  3. What's the point? by mOoZik · · Score: 5, Insightful

    Detecting potential attacks is one thing and preventing damage and slow-down of the internet is another. Even now we can somewhat predict them before they begin to slow the entire net down. But seeing how something akin to these last two worms will slip right by even with our knowledge, this technology becomes rather redundant. Eventually, educating the end-user will be a greater force than some goat.

    P.S. any coincidence it is named "Billy"?

    1. Re:What's the point? by KrispyKringle · · Score: 4, Interesting
      I'm not sure I follow you on educating the end user. It's definitely a good idea, to be sure, but it does little against worms that require no user interaction to infect the PC, like Blaster. Granted, if the machine were patched, it would help, but not that much. Many users are on slow connections, windowsupdate was unreliable, and the time it takes users to patch--a few hours, a few days--is easily enough time to become infected (I have a friend who connected a new XP machine to the 'Net to run windowsupdate and was infected in minutes).

      On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.

      This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.

  4. A computer system to seek out worms? by zippity8 · · Score: 5, Funny

    So you're turning on a computer system that's intended to be intelligent enough to seek out and eradicate computer worms?

    Did you NOT see Terminator 3?

    - Those that do not learn from history are doomed to repeat it.

    Or, in this case, those that don't learn from crappy movies. =P

  5. Interesting technique by farnz · · Score: 5, Insightful

    It sounds like a nice extension of egress filtering; you know which of your IPs are unassigned, and so you assume that boxes trying to access unused IPs are up to no good, and act accordingly (firewall the affected box off, and investigate). Slows worm propagation, and discourages people from scanning your entire address space unnecessarily.

  6. As in "Billy Goat Gruff"? by Black+Parrot · · Score: 5, Funny


    Will it butt trolls off the net too?

    --
    Sheesh, evil *and* a jerk. -- Jade
  7. issues with this by segment · · Score: 4, Interesting

    IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

    What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.

    Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.

    It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.

    This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell if you've read enough RFCs and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.

    Oh well it sounded good for a minute, it's a shame they didn't include any screenshots or specs in the article.

  8. Re:inappropriate title? by farnz · · Score: 5, Informative
    Something like Blaster scans the network for vulnerable machines; some of these IPs are unassigned. Billy Goat detects the attempts to access unassigned IPs, and alerts admins/firewalls your box off/generally makes noise.

    The result is that something like Blaster gets caught before your whole network is infested; Billy Goat ignores a slashdotting, since all the traffic goes to assigned IPs.
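
The dark-address check described in this comment and in "Interesting technique" above, sketched as an added example (not part of the thread, and not IBM's Billy Goat code). The address block, the assigned set, the alert threshold and the flow records are all constructed assumptions; the output is an alert list for an admin to review.

```python
import ipaddress
from collections import defaultdict

# Constructed sample network: one /24, of which only a few addresses are assigned.
SITE_NET = ipaddress.ip_network("10.20.0.0/24")
ASSIGNED = {ipaddress.ip_address(f"10.20.0.{h}") for h in (1, 10, 11, 12, 50)}


def is_dark(dst):
    """True if dst lies inside our block but is not assigned to any host."""
    return dst in SITE_NET and dst not in ASSIGNED


def find_scanners(flows, min_dark_targets=5):
    """Return {source: sorted dark destinations} for sources that touched
    at least min_dark_targets distinct unassigned addresses."""
    dark_hits = defaultdict(set)
    for src, dst, _port in flows:
        dst_ip = ipaddress.ip_address(dst)
        if is_dark(dst_ip):
            dark_hits[src].add(dst_ip)
    return {
        src: sorted(targets)
        for src, targets in dark_hits.items()
        if len(targets) >= min_dark_targets
    }


def sample_flows():
    """Constructed flow records (src, dst, dst_port); not real captures."""
    flows = []
    # Worm-like host: sweeps consecutive addresses on TCP/135, most of them unassigned.
    flows += [("10.20.0.12", f"10.20.0.{h}", 135) for h in range(40, 60)]
    # Flash crowd: many outside clients, all hitting the one assigned web server.
    flows += [(f"198.51.100.{c}", "10.20.0.50", 80) for c in range(1, 200)]
    # One-off mistake: a single connection to an unused address.
    flows.append(("10.20.0.11", "10.20.0.99", 22))
    return flows


if __name__ == "__main__":
    for src, targets in find_scanners(sample_flows()).items():
        print(f"ALERT {src}: {len(targets)} unassigned addresses contacted")
```

Only the sweeping host crosses the threshold; the flash crowd never touches an unassigned address, and the single stray connection stays below it.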

  9. Slashdot Rule #1 by imadork · · Score: 5, Funny

    Never click on a link with the word "goat" in it.

  10. Dumb Name by Kaz+Riprock · · Score: 5, Funny


    If you built a software package that catches worms...why wouldn't you call it "Early Bird"?

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
  11. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  12. (M$) Bill Goatse? by VEGx · · Score: 4, Funny

    Is that a hint that Bill Gates is into Goatse? I'm a nice troll, gimme a cookie.

  13. Um, innovative? by Rogerborg · · Score: 4, Funny

    if(>X packets received from ip
    && !reverse dns for ip)
    block ip

    Do I win $10?

    --
    If you were blocking sigs, you wouldn't have to read this.
  14. LaBrea by MoogMan · · Score: 5, Informative

    LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/

  15. Re:inappropriate title? by Anonymous Coward · · Score: 4, Interesting

    So then we're in a situation of either

    a) The admins take 5 mins to work out what's wrong and block the traffic (on a good day)

    or

    b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic. ...Leading to the attacker having an easy way to do a DOS attack on the entire network (by scanning every possible port on an unused ip address)

  16. Not like this. by 21mhz · · Score: 4, Funny

    So, the thing that will put an end to the humanity is called Billy Goat? This is just... wrong.

    --
    My exception safety is -fno-exceptions.
  17. Re:inappropriate title? by mcc · · Score: 4, Insightful

    you could also just download the free patch that fixed it a month before...

    I think the idea is that the product is going to be targeted at ISPs and people in similar situations.. you know, where the people controlling the network don't necessarily have control of the computers actually running on the network. What good is a patch if you can't get your users to install it cuz they're dumb?