Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in dutch), a number of dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."

13 of 162 comments

  1. Zegnar by Zegnar · · Score: 5, Insightful

    Here is progress - still I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.

    1. Re:Zegnar by mattyrobinson69 · · Score: 4, Interesting

      when freeserve deprecated one of their dial-up numbers, all attempts to access port 80 were forwarded to their http server on a page which explained how to change the number, and what to. - they blocked all other connections I think.

      pain in the arse, but it could be useful if the same kind of thing was implemented if you were showing characteristics of running a worm, to redirect you to their free online virus scanner (or somebody else's). that way, you can't infect anybody else, but you can still use the online virus scanner to remove viruses (using an OCX).

      this will carry on working, while nearly all worms are for windows. I imagine most people with other OSes wouldn't get hit, not because of higher security necessarily, but because they wouldn't spread well in a world where 90%+ boxes are windows, and even then, the less than 10% of boxes isn't one OS - there's mac, linux, free/open/net bsd, solaris, etc.

  2. a new denial of service attack by pedantic+bore · · Score: 4, Interesting
    Now all you need to do is trick someone into sending you something that resembles a worm... (all it will take is for some trickster to add a rule to the worm signature files that says that all messages that contain
    ^Dear
    ).

    It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).

    Unfortunately I don't read Dutch; maybe they've thought of this already.

    --
    Am I part of the core demographic for Swedish Fish?
    1. Re:a new denial of service attack by pedantic+bore · · Score: 5, Insightful

      It does say that they "exclude known large email servers" so presumably it would be hard to take out an ISP. But it sounds like you could DHCP-hop your way through an address bank and make things pretty miserable for someone.

      --
      Am I part of the core demographic for Swedish Fish?
  3. Re:Security by shutdown? by Roguelazer · · Score: 5, Funny

    Or, you could just post a link on slashdot to all infected systems. Same end effect.

  4. Frea Speach! by AndroidCat · · Score: 5, Insightful

    The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)

    --
    One line blog. I hear that they're called Twitters now.
  5. This is a sensible thing to do but.... by Sox2 · · Score: 5, Insightful

    how do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?

  6. Re:That's not security, that's stupidity. by [Lizard] · · Score: 5, Informative

    Ehm, not really, the system also uses a whitelist on which the mail servers of normal ISPs are listed.
    Furthermore a bot-created SMTP will trigger the protection quickly enough so it won't be able to send much. Personally I doubt it will backfire, but maybe there's some place for improvements; time will tell.

    (When I have some free time I'll try to translate the article into readable English :)

  7. Re:Dutch DOS by AndroidCat · · Score: 5, Insightful

    If you can IP spoof with a TCP/IP connection, you could do a lot more damage than a DoS attack.

    --
    One line blog. I hear that they're called Twitters now.
  8. We use a similar concept @ work by jsav40 · · Score: 5, Informative

    Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly) but after an incident at another location where the offending user was terminated folks have gotten the message that it is not OK to attach non company owned computers to the network.

    1. Re:We use a similar concept @ work by kryptkpr · · Score: 4, Insightful

      zero infections with no anti-virus suite running on the machine at all.

      And how exactly do you know there have been zero infections... without a virus scanner? Or is the machine not connected to the 'net?

      --
      DJ kRYPT's Free MP3s!
  9. Spamhaus by AndyFewt · · Score: 5, Insightful

    Didn't Spamhaus recently launch pretty much the same service called the XBL?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso

    The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses"... I think that may be a typo as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses gets listed (regardless of infection), which is a pretty sucky system.

  10. Translation for non-Dutchies by mrjb · · Score: 4, Informative

    Chello and Tiscali top spreaders of viruses
    A database of infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails
    A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up to date for 2 weeks by BIT, a provider for businesses. In this database it is visible, amongst other things, which virus is being spread from which IP address.

    Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.

    BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.

    Port 25

    In its database, BIT keeps track of which IP addresses virus mails are sent from. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the IP addresses of mail servers of known providers are not added to the database.

    Chello tops the list

    The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an IP address at Tiscali, from which as many as 12000 Sober.G mails have been sent.

    In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
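Added example, not code from the thread or from the virbl project: a toy model of the blocking rule as the summary and the translated article describe it (count infected mails per sending IP inside a time window, list the IP for 24 hours once the threshold is reached, never list whitelisted mail servers). The summary says "at least 2 worms" while the translation says "more than 2 within 25 hours"; this example uses the summary's reading, with the threshold and windows as adjustable constants. The review guard is an assumption of mine that implements pedantic+bore's "human in the loop" suggestion as a cap on automatic listings per batch. The log lines, IP addresses and whitelist are constructed for the example.

```python
"""Toy IP-based worm block list modelled on the rule described in the thread.

Assumptions (not from the project): log format, sample addresses, whitelist,
and the per-batch review guard are all constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 2                         # summary: "at least 2 worms"
WINDOW = timedelta(hours=25)          # counting window from the translated article
BLOCK_DURATION = timedelta(hours=24)  # listing lifetime from the article

# Constructed stand-in for "known large email servers" that are never listed.
KNOWN_MAIL_SERVERS = {"192.0.2.25"}

# Constructed detection log: "<ISO timestamp> <sender IP> <detected worm>".
SAMPLE_LOG = """\
2004-06-09T08:00:00 203.0.113.7 W32/Sober.G
2004-06-09T08:05:00 198.51.100.4 W32/Sober.G
2004-06-09T08:10:00 203.0.113.7 W32/Sober.G
2004-06-09T08:12:00 192.0.2.25 W32/Sober.G
2004-06-09T08:13:00 192.0.2.25 W32/Sober.G
2004-06-11T09:30:00 198.51.100.4 W32/Sober.G
"""


def parse_line(line):
    """Split one log line into (timestamp, sender IP, worm name)."""
    ts, ip, worm = line.split()
    return datetime.fromisoformat(ts), ip, worm


class WormBlocklist:
    def __init__(self, whitelist, review_limit=None):
        self.whitelist = set(whitelist)
        self.review_limit = review_limit  # max automatic listings per batch (assumed guard)
        self.hits = defaultdict(deque)    # ip -> timestamps of infected mails inside WINDOW
        self.listed = {}                  # ip -> time at which the listing expires
        self.pending_review = {}          # ip -> proposed expiry, held for a human to approve

    def _prune(self, ip, now):
        """Drop hits that fell out of the counting window."""
        q = self.hits[ip]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_blocked(self, ip, now):
        """True while an active listing exists; expired listings are removed."""
        expiry = self.listed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.listed[ip]
            return False
        return True

    def record(self, now, ip):
        """Count one infected mail from ip; return True if ip becomes listed now."""
        if ip in self.whitelist or self.is_blocked(ip, now):
            return False
        self._prune(ip, now)
        self.hits[ip].append(now)
        if len(self.hits[ip]) >= THRESHOLD:
            self.listed[ip] = now + BLOCK_DURATION
            self.hits[ip].clear()
            return True
        return False

    def process(self, lines):
        """Feed a batch of log lines; return the IPs newly listed by this batch.

        If the batch would list more than review_limit addresses, the listings
        are parked in pending_review instead of taking effect (the poster's
        "a human should have to OK it" idea, as a simple batch cap).
        """
        new = []
        for line in lines:
            if not line.strip():
                continue
            ts, ip, _worm = parse_line(line)
            if self.record(ts, ip):
                new.append(ip)
        if self.review_limit is not None and len(new) > self.review_limit:
            for ip in new:
                self.pending_review[ip] = self.listed.pop(ip)
            return []
        return new


if __name__ == "__main__":
    bl = WormBlocklist(KNOWN_MAIL_SERVERS)
    print("newly listed:", bl.process(SAMPLE_LOG.splitlines()))
    print("active listings:", bl.listed)
```

Running it on the constructed log lists only 203.0.113.7 (two hits ten minutes apart); 198.51.100.4 sends twice but more than 25 hours apart, so its first hit has aged out, and the whitelisted 192.0.2.25 is never counted. A list keyed by IP is only as accurate as the address-to-host mapping, which is the DHCP concern raised in the thread: a short listing lifetime limits how long a reassigned address stays penalised.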