Slashdot Mirror


WormRadar Node Volunteers Help Graph Attacks

zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."

21 of 159 comments

  1. Other platforms by BWJones · · Score: 5, Insightful

    Currently it looks like only a Windows client is available, though.

    Might it make more sense to have the client available on platforms which are not necessarily vulnerable to most of these infections? After all, many of the systems which are connected to the Internet full time (servers/workstations etc...) are not Windows machines.

    --
    Visit Jonesblog and say hello.
    1. Re:Other platforms by Raunch · · Score: 5, Insightful

      From The Jargon File

      honey pot: n.
      1. A box designed to attract crackers so that they can be observed in action. It is usually well isolated from the rest of the network, but has extensive logging (usually network layer, on a different machine). Different from an iron box in that its purpose is to attract, not merely observe. Sometimes, it is also a defensive network security tactic -- you set up an easy-to-crack box so that your real servers don't get messed with. The concept was presented in Cheswick & Bellovin's book Firewalls and Internet Security.
      2. A mail server that acts as an open relay when a single message is attempted to send through it, but discards or diverts for examination messages that are detected to be part of a spam run.

      With emphasis on the attract part. How are you going to monitor worms that propagate using Windows with a Linux box? You may be able to say, for instance, how many times a certain port was probed. You can't get a Linux box to respond in the same way as a Windows box without seriously getting into the kernel though.

      --
      George II -- Spreading Freedom and American values, one bomb at a time.
    2. Re:Other platforms by 0racle · · Score: 4, Insightful

      Better tell the people at honeyd. They seem to think you can emulate the TCP/IP stack of other OSes, and use scripts to fool the app or person on the other end, to run an entire honeynet composed of several different "OSes" on one system. On top of that, you do not need a vulnerable system, nor do you need to allow your box to become compromised, in order to attract a worm that will attempt to propagate. If you wanna see how it tries to locally, you analyze the actual code; if you want to see how it affects the network, or detect that something odd is occurring, that's what the honeypot is for.

      --
      "I use a Mac because I'm just better than you are."
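    The honeyd approach the comment above describes, as an added illustration (this is not WormRadar's code, nor a file from the honeyd project): one spare address on the monitored LAN is bound to a template whose TCP/IP stack fingerprints as Windows XP and whose worm-targeted ports look open, so a scanning worm connects and is logged without any real Windows host being exposed. Assumptions: honeyd is installed with the nmap.prints fingerprint file it ships with, the personality string matches an entry in that file, and 192.0.2.10 is an unused address on the LAN (a documentation address, chosen for the example).

```conf
# Added example honeyd.conf; assumes honeyd with its bundled nmap.prints
# and that 192.0.2.10 is free on the monitored network.

# Anything not explicitly bound stays silent.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A fake Windows host: the stack is fingerprinted as XP, and the ports the
# Windows worms of the day probe look open, so a worm connects and is logged
# without a vulnerable machine behind the address.
create winbait
set winbait personality "Microsoft Windows XP Professional SP1"
set winbait default tcp action reset
add winbait tcp port 135 open
add winbait tcp port 139 open
add winbait tcp port 445 open
# UDP 1434 is what SQL Slammer (Snort SID 2003 in a later comment) hits.
add winbait udp port 1434 open

bind 192.0.2.10 winbait
```

    Run honeyd with its connection log enabled and every probe of 192.0.2.10 is recorded with source address, port and protocol, which is exactly the "attract, not merely observe" data a worm radar needs. Because nothing behind the address executes attacker-supplied code, the node cannot itself become a propagation source.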
  2. Obvious joke by Chris_Jefferson · · Score: 4, Insightful

    Let me be the first to get the obvious joke out of the way.

    Why is there only a Windows client? Because all the worms only affect Windows machines, what would be the point of a client on anything else? :)

    Although of course, the more serious answer is "A client on something other than Windows would be sensible, because if a new worm comes out and hits a 0-day Windows hole then your machine could be infected and dead before it gets the chance to report that it is being attacked." (Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there. It's almost a shame, because one good formatting worm might finally make people take them more seriously.. it's only a matter of time.)

    --
    Combination - fun iPhone puzzling
    1. Re:Obvious joke by Ironica · · Score: 3, Insightful

      Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

      Why is smallpox darn near extinct, but the common cold thrives?

      If a worm formats your hard disk, it can't keep scanning for and infecting new machines. For one thing, now you know something is wrong, and are more inclined to fix it.

      It's almost a shame, because one good formatting worm might finally make people take them more seriously.

      And there, you answer your own query. If worms did "real" damage (i.e. obviously interfered with the working of the computer), people would be much more cautious about contracting and spreading them. But how many of you freak out and quarantine yourself if you come in contact with a carrier of the common cold? Same thing...

      --
      Don't you wish your girlfriend was a geek like me?
    2. Re:Obvious joke by tunabomber · · Score: 2, Insightful

      Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there.

      It's evolution. A pathogen that kills its host too fast is a failure unless it can spread extremely fast to compensate. While the old viruses and worms were the equivalent of Ebola, wreaking as much havoc on the host as possible, the new ones are more the software equivalent of lampreys or tapeworms, slowly but surely stealing a host's resources.
      Virus writers just discovered that it was far more logical, efficient (and not to mention profitable) to install a spam proxy that would run silently in the background for as long as possible than to torch the contents of the victim's hard drive and display a splash that says "j00 R 50 0w|\|3d!". ...And they know that the less noise their worms make, the more complacent users will grow, which will increase the amount of potential future hosts.

      --

      pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
  3. Open Source or Trojan Horse? by Comatose51 · · Score: 4, Insightful

    Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm. Considering the only people who would download this would be techies with big pipes, this could get interesting. Just a theory and a reminder to the author that people usually feel safer downloading something they can examine.

    --
    EvilCON - Made Famous by /.
    1. Re:Open Source or Trojan Horse? by tunabomber · · Score: 2, Insightful

      Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm.

      This could be said about any small, proprietary software utility that you see on download.com or tucows. Only time will tell if it's a trojan or not, but if it is, the techies who make up its target audience will find out fast. And they'll spread the word fast. And after receiving the word, they will take it seriously. Techies have other traits besides access to lots of bandwidth.
      Also, it's not likely that this program will be installed on anything more mission-critical than an average office workstation, which could just as easily be infected with Kazaa or some other crapware by its PHB or marketroid user.
      If you want to spread a trojan, might as well write a porn-based video game or MP3 player to use as the vector. Since your target market will be Joe Luser, you'll go much longer before being caught.

      --

      pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
    2. Re:Open Source or Trojan Horse? by minus_273 · · Score: 2, Insightful

      What gives you the impression that name is the name of the author?

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
  4. What's Truly Sad... by ashitaka · · Score: 4, Insightful

    Is the number of SQL-Slammer-infected systems still out there:

    Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 152.66.211.244:3280 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 210.13.22.79:1171 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:54 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:32:57 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:59:50 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 67.163.239.113:1209 -> x.x.x.x:1434
    References: none found SID: 2003

    --
    If you don't want to repeat the past, stop living in it.
  5. Re:IINAL by tomstdenis · · Score: 3, Insightful

    Um whoever modded that as interesting is a fucking moron.

    A honeypot is just a pseudo-server meant to trap, delay and/or observe a client. Useful for wasting spammers time/bandwidth, looking for spiders or in this case looking for active worm traffic.

    You have to connect to the honeypot for it to be active so in absolutely no way can this be "illegal".

    Tom

    --
    Someday, I'll have a real sig.
  6. reporting for ISPs by SuperBanana · · Score: 2, Insightful

    How about reporting for ISPs? Say, daily reports grouped by netblock owner in an easily parsed format? Set it up so ISPs can sign up for them. ISP doesn't sign up? Shucks, they must be supporting viruses and whatnot.

    While backbone providers love 'em because they get paid for every byte...worms are the scourge of DSL/cablemodem companies, because they don't get paid by the byte, and worms eat into their margins. So you'd think they would have a vested interest in taking care of the problem.

    Of course, if they were competent, they'd be running IDS systems that would examine a portion of traffic looking for worm activity, automatically shutting off any systems...
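    Both the SQL Slammer alert dump in comment 4 and the per-netblock ISP reports proposed above reduce to the same job: parse the four-line Snort alert records, pick out the worm signature, and aggregate sources by netblock. The script below is an added example (not WormRadar's code and not a Snort tool); it assumes the alert layout shown in comment 4 and uses constructed sample records with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in place of the real source IPs, and a /24 as a stand-in for "netblock owner" since a real report would map each source to its whois or BGP prefix instead.

```python
"""Parse Snort alert records like the ones quoted in the thread and produce a
per-netblock report of MS-SQL worm (SQL Slammer) propagation attempts.

Added example; the alert layout follows the post above, the sample data is
constructed, and /24 stands in for the real netblock-owner lookup.
"""
import ipaddress
import re
from collections import Counter, defaultdict

MSSQL_WORM_SID = 2003  # "MS-SQL Worm propagation attempt" in the quoted alerts

# Constructed sample in the same four-line layout as the quoted alerts.
SAMPLE_ALERTS = """\
Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 192.0.2.12:n/a -> x.x.x.x:n/a
References: none found SID: 483

Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 198.51.100.244:3280 -> x.x.x.x:1434
References: none found SID: 2003

Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 198.51.100.79:1171 -> x.x.x.x:1434
References: none found SID: 2003

Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 203.0.113.79:4380 -> x.x.x.x:3128
References: none found SID: 618

Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 203.0.113.113:1209 -> x.x.x.x:1434
References: none found SID: 2003
"""

# One record = four lines; ports may be "n/a" for ICMP, hence \S+ not \d+.
RECORD_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\n"
    r"Priority: (?P<priority>\d+) Type: (?P<type>.+?)\n"
    r"IP info: (?P<src>[^:]+):(?P<sport>\S+) -> (?P<dst>[^:]+):(?P<dport>\S+)\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)"
)


def parse_alerts(text):
    """Split the dump on blank lines and parse each complete record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = RECORD_RE.match(block.strip())
        if not m:
            continue  # truncated or foreign lines are skipped, not guessed at
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["priority"] = int(rec["priority"])
        alerts.append(rec)
    return alerts


def count_by_sid(alerts):
    """How often each signature fired: the 'frequency of known worms' view."""
    return Counter((a["sid"], a["name"]) for a in alerts)


def worm_sources_by_netblock(alerts, sid=MSSQL_WORM_SID, prefixlen=24):
    """Group source addresses of one signature by netblock.

    Returns {"198.51.100.0/24": {"198.51.100.244": 1, ...}, ...}.
    """
    blocks = defaultdict(Counter)
    for a in alerts:
        if a["sid"] != sid:
            continue
        try:
            src = ipaddress.ip_address(a["src"])
        except ValueError:
            continue  # anonymised or malformed source such as "x.x.x.x"
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        blocks[str(net)][str(src)] += 1
    return {net: dict(srcs) for net, srcs in blocks.items()}


def netblock_report(alerts, sid=MSSQL_WORM_SID):
    """One tab-separated line per netblock: the 'easily parsed' ISP report."""
    lines = []
    for net, srcs in sorted(worm_sources_by_netblock(alerts, sid).items()):
        hosts = ",".join(sorted(srcs))
        lines.append(f"{net}\tsid={sid}\thits={sum(srcs.values())}\thosts={hosts}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (sid, name), n in sorted(count_by_sid(parsed).items()):
        print(f"SID {sid:>5}  {n:>3}  {name}")
    print("\n".join(netblock_report(parsed)))
```

    Sources that are anonymised in the dump (the "x.x.x.x" convention used in the post) are dropped rather than counted, so a report never attributes hits to a placeholder. Swapping the /24 grouping for a whois or BGP prefix lookup is the only change needed to turn the output into the per-owner report the comment asks for.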

  7. PNG for gawds sake! by eddy · · Score: 3, Insightful

    And oh, "they" use JPEG for the graph! Look at it -- it's horrible!

    Okay, you DON'T download and run executables from people who can't even pick the right image format for an image like that one (hint: it's PNG). What are the odds of these people knowing anything about researching worms if they can't even get a fscking image right? Close to zero.

    I honestly don't understand how come so many have a problem with this. Just look at that "JPEG patents"-story. Scary. I thought this was a place for nerds?

    Here's a heuristic for those of you still confused: "If it's lines, blocks, text (that you want readable) and areas of repetitive pattern(s), then use PNG. Else try JPEG (photographs, noisy images)."

    --
    Belief is the currency of delusion.
  8. Excellent! An AC Recommending Suspect Software! by Anonymous Coward · · Score: 1, Insightful

    Watch me break a leg in my rush to d/l and install on 2,000 clients because he says it's cool.

  9. Re:A little creepy ... calling home? by Gadi+Evron · · Score: 3, Insightful

    As explained by Roger, the author of WR, WormRadar calls home using SMTP and UDP for real-time, so that the data-sharing between all the nodes can exist.

    This data-sharing/graphing of Internet attacks graphs.. etc.. comes as a second to the actual use for the program - a good and decent honey pot.

    The program doesn't hide the fact that it "calls home" and it is all explained in another comment.

  10. Re:So I need to run it without a firewall? by Anonymous Coward · · Score: 1, Insightful

    I am sure that as a good geek you can come up with a solution to run it with a firewall, unless that is what you want.

    DMZ? NAT? personal firewall allowing this program only?

    All allowing you to log, so what's the problem?

  11. Re:so go by Rosco+P.+Coltrane · · Score: 2, Insightful

    Do you really want to fight Microsoft's war for them for free? They won't give you any money to plug their security holes, you know...

    Besides, the way I see it, the more viruses and worms floating around the better: it helps people realize how shitty Windows is as a platform, and how Microsoft just treats their customers like crap by selling them mediocre products at outrageous prices. I certainly don't want to help Microsoft look better.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  12. Re:new open source project idea? by Gadi+Evron · · Score: 4, Insightful

    I thought the idea of open source was to work together and help out? Not double up and compete when there is no real need to?

    Email the author and offer your help, he is a great guy and I am sure he will take any help he can get.

    I trust him, the question is if he can trust everyone who offers to help with a project such as this? Ask him and you'll find out.

    Constructive vs....

  13. "Everybody Knows Roger"? I Don't. by Anonymous Coward · · Score: 1, Insightful

    Hands up all those here who know him. What about those who've heard of him. OK. I'm sold. He must be trustworthy.

    BTW, who are you? Oh, wait...I'm sure everybody knows you too.

  14. Because by autopr0n · · Score: 2, Insightful

    A lot of the worms don't cause the machines to go down. Obviously, a lot of users are oblivious to the fact that their machines are not only spreading viruses around the 'net, but are infested with Spyware and probably being used as Spam zombies.

    It seems like windows was implemented with the "everyone is mostly nice" idea that the original internet, and certainly the original email system was. No one at MS anticipated that people would run programs that actively harmed them, and that their computers would turn against them.

    What we really need is an OS that doesn't just protect one user from another, but also protects users from programs and vice versa. Yeah, things like this can be done in Linux, probably MacOS, and even, in theory, Windows (run the program as a service with a user logon, but most programs aren't services). But I don't think it's at all a general, easy-to-use feature.

    Honestly, the only ones who seem to have thought ahead were the java people with their sandbox, and the ability to give permissions based on code signatures.

    And then, of course, we get MS trying to shoehorn the whole thing into their "trusted computing" framework, which also tries to protect the content from the user, which I think is Bullshit. An entire system to protect users could be built simply by using memory protection and standard user-level controls.

    --
    autopr0n is like, down and stuff.
  15. Yes, you can by autopr0n · · Score: 2, Insightful

    If someone types "rm -rf /" at a terminal, you can be pretty sure they want it to be done.

    The problem is that programs these days do things that the user doesn't know about, doesn't want, can't control, and ultimately can't even stop when they find out. That's ridiculous.

    If I'm root, and I don't trust a program I'm running, I can su it, and run it as a regular user and lock it down to a single folder on the file system with no network access. You have to do it manually, and on Windows you can only do it with services.

    What I'm talking about doing is automating the process using certs, things like that, and running them in a java-like sandbox. It's not hard and in the case of java, it's already been done.

    --
    autopr0n is like, down and stuff.