Slashdot Mirror


Day in the Life of the Internet Storm Center

An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux. A practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybody's favorite packet analyzer Ethereal."

43 of 123 comments

  1. My Favourite Pony by B3ryllium · · Score: 4, Informative

    An invaluable tool for PCs that are "public access" or even boot-partitions of computers at work:

    DeepFreeze

    Just one reboot, and any malware infection is obliterated. (There are alternatives, too, but I like DeepFreeze the best)

    1. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

      Nothing on that link tells you how the product works.

      The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?

      If so, I'd shy away from phrases like "Completely invulnerable to hacking".

      XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:My Favourite Pony by ciroknight · · Score: 5, Informative

      We happened upon this product at the school where I used to work, and as far as I can tell from using it and poking around at the program, it keeps a log of all hard drive transactions, then when rebooted, it plays back the log backwards, restoring to the state in which the system was before; no Ghost partitioning required, but nonetheless not invulnerable to attack. We had kids bring in Knoppix CDs and obliterate hard drives for no other reason than they could.

      My suggestion is to use Deep Freeze with Ghost (It's a complex setup, but if you "un-freeze" the system for one reboot, then Ghost, all you have to do is cast the image, change the computer's name (we had a pretty complex naming scheme), then reboot the machine and it's ready to go.) It's a formidable combination, and far better than products like "Foolproof Security". Hope this helps.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    3. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

      See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but every time something comes up, I have to handle it because his computer is broken.

      "I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isn't working" "I can't VPN in because my computer crashes when I fire up the Cisco client".

      He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one, everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really don't have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc..

      I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.

      It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cat's ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

      Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:My Favourite Pony by ciroknight · · Score: 2, Interesting

      And it'll work fine for that, as long as the asshat isn't insane enough to actually hack deepfreeze. But this is exactly what this product was made for, and it works wonders for keeping machines alive after a virus storm or freak driver accident.

      Hope it works out!

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    5. Re:My Favourite Pony by scovetta · · Score: 3, Insightful

      Confucius say:
      "Never trust a product that includes the phrase:
      Completely invulnerable to hacking..."

      --
      Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
    6. Re:My Favourite Pony by jrockway · · Score: 4, Interesting

      It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.

      So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.

      Closed source is what it is.

      --
      My other car is first.
    7. Re:My Favourite Pony by Feng · · Score: 2, Insightful

      Set the boot priority to boot the hard drive first and password protect the BIOS. That'll make it harder for them to mess things up!

      --
      --- if y cn rd ths y cn gt a gd jb n cmptr prgmmng!
    8. Re:My Favourite Pony by RichardX · · Score: 2, Interesting

      This is just a guess, but from the (very limited) description on the site - particularly the bit about only needing 2 Mb of drive space - I suspect than rather than keeping a rollback log, instead it redirects all writes elsewhere and somehow fools the system into combining them

      I don't really know if that makes sense, but basically what I'm saying is I think instead of allowing changes to the stuff that's already on the drive, instead it makes the system write the changes to a "scratch space", as it were, and when it comes to read back files, it takes that into account... when you reboot, it wipes the scratch space (which just contains the differenced versions of the files)

      The difference between the two methods is the differencing system doesn't take any "extra" space, as anything you're saving/installing you'll be taking into account in your HD space, whereas a changes log could grow huge, fast, and take up a lot of unaccounted-for-by-the-user-space

      Wow.. reading this back, it's a really mangled and incomprehensible way of explaining a simple concept. I should write manuals for a living!

      --
      Curiosity was framed. Ignorance killed the cat.
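As an added illustration (not from the thread, not the product's own code): a toy block-device model of the two designs RichardX contrasts, a rollback log replayed backwards at reboot versus redirecting writes to a scratch area that reboot discards. Class and function names are my own, and the block size and image contents are constructed.

```python
from typing import Dict, List, Tuple

BLOCK = 4  # constructed toy block size in bytes; a real disk uses 512 or 4096


class JournaledDisk:
    """Rollback-log design: each write lands on the real block and the old
    contents go into a journal that reboot replays backwards. The journal grows
    with every write, even repeated writes to the same block."""

    def __init__(self, image: Dict[int, bytes]) -> None:
        self.blocks = dict(image)
        self.journal: List[Tuple[int, bytes]] = []

    def write(self, lba: int, data: bytes) -> None:
        self.journal.append((lba, self.read(lba)))
        self.blocks[lba] = data

    def read(self, lba: int) -> bytes:
        return self.blocks.get(lba, b"\0" * BLOCK)

    def reboot(self) -> None:
        for lba, old in reversed(self.journal):  # undo newest write first
            self.blocks[lba] = old
        self.journal.clear()

    def overhead(self) -> int:  # bytes held outside the visible disk contents
        return sum(len(old) for _, old in self.journal)


class RedirectedDisk:
    """Copy-on-write design: the frozen image is never modified. Writes go to a
    scratch map, reads consult scratch before the image, and reboot simply
    drops the scratch map. Rewriting one block costs one block of scratch."""

    def __init__(self, image: Dict[int, bytes]) -> None:
        self.image = dict(image)
        self.scratch: Dict[int, bytes] = {}

    def write(self, lba: int, data: bytes) -> None:
        self.scratch[lba] = data

    def read(self, lba: int) -> bytes:
        return self.scratch.get(lba, self.image.get(lba, b"\0" * BLOCK))

    def reboot(self) -> None:
        self.scratch.clear()

    def overhead(self) -> int:
        return sum(len(d) for d in self.scratch.values())


def exercise(disk, rewrites: int = 100) -> Tuple[bytes, int, bytes]:
    """Rewrite block 0 `rewrites` times (a log file being appended, say) and
    report what was visible, the space the design used, and block 0 after reboot."""
    for i in range(rewrites):
        disk.write(0, i.to_bytes(BLOCK, "big"))
    seen, cost = disk.read(0), disk.overhead()
    disk.reboot()
    return seen, cost, disk.read(0)


if __name__ == "__main__":
    image = {0: b"boot", 1: b"data"}  # constructed two-block frozen image
    for cls in (JournaledDisk, RedirectedDisk):
        print(cls.__name__, exercise(cls(image)))
```

Both designs read the same content before the reboot and the original image afterwards; the difference is the 100-entry journal versus a single scratch block.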
    9. Re:My Favourite Pony by Anonymous Coward · · Score: 3, Interesting

      Just to add to what the others have said, my father also runs a school computer lab, and I fix things for him when I come home to visit every couple months. He is a drafting teacher close to retirement and knows CAD software inside and out but less so when it comes to administrating the network etc, although he is still picking things up. Oh and the school district's computer people are incompetent.

      We use DeepFreeze in the lab and it works very well. I have yet to find or hear about any way for the student to mess up the machine as long as it boots off of the drive that DeepFreeze is installed on. Hanging out in script kiddy channels I heard a lot of people asking how to hack DF, but no one had any answers, other than boot disk. So if you disable booting from CDROM and floppy in the BIOS and use a BIOS password, then short of opening the case or figuring out your password, there is really no way that the user can mess things up.

      -jackson

    10. Re:My Favourite Pony by JThundley · · Score: 2, Interesting

      That's what I always thought.
      Just last week at my college I thought I'd throw a knoppix disc and not use their 2 year old installation of Windows 98. Knoppix was slow as fuck with the little amount of RAM it had, so I thought I'd install it to the hard drive so it would run faster, DeepFreeze is on this machine, when I reboot win98 will be right back where it was, right? Wrong. I hope nobody finds out that I did that or I'll get banned from using the college network... again. DeepFreeze wasn't deep enough...

      By the way, to see if DeepFreeze is on the computer: Ctrl-Alt-Shift-F6

  2. Correct link by Tyrdium · · Score: 5, Informative

    Ethereal's website is ethereal.com, not ethereal.org.

  3. Malware by Ford+Prefect · · Score: 5, Funny

    A practice very common in malware analysis to isolate yourself from various ill effects of the malware

    Best description of Windows I've heard in ages... ;-)

    --
    Tedious Bloggy Stuff - hooray?
    1. Re:Malware by The+Jonas · · Score: 4, Interesting

      True.

      However, if anyone out there is running a honeypot as a hobby or are new to setting them up, some good advice on a more secure Windows configuration can be found here. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.

  4. More "fun" than running viruses in vmware... by mkavanagh2 · · Score: 5, Funny

    Is running them in WINE. Especially since it's not a virtual machine, and the virus might detect WINE then trash your lunix ;)

    1. Re:More "fun" than running viruses in vmware... by DarkOx · · Score: 4, Interesting

      only if you are crazy enough to run wine with elevated privileges.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. virus by spotplace · · Score: 5, Interesting

    Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school district's entire network of w2k machines didn't harm the Windows 98 machines at all!

    1. Re:virus by ciroknight · · Score: 4, Interesting

      Funny, we had the opposite take effect at our school district. We migrated all of the machines we could to Win2k (some were just not powerful enough, sadly), and then got hit by a virus that thrashed the remaining Win98 systems, but left the Win2k machines completely alone. Needless to say, it was an older virus that someone brought in on floppy, but the effect nonetheless was devastating for quite a while. It also seems that the Win9x virus protection programs weren't as effective at scanning the floppies on mount, versus the Win2k scanners that worked flawlessly for us (Norton for both, 2k3 on the Win2k machines, 2k1? on the Win98 machines).

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    2. Re: virus by Alwin+Henseler · · Score: 4, Interesting

      Yes, still running Win98 here, and I have the same experience. Visited Windows Update after install, then stripped out IE (98lite), full backup, use Mozilla, regularly updated virus scanner, and rarely run binaries fresh off the 'net. Result: last worm infection was long ago (on a LAN party), lockups are rare, no weird problems of any kind.

      I guess a major factor is that many exploits are created by reverse engineering patches. As Microsoft has ended active support for Win9x systems, that also means no new patches for hackers to reverse engineer. Then there was this source code leak, wasn't it Win2k source code? So different code from what's in Win9x. And as Win9x systems are replaced with Win2k/XP, their smaller market share makes Win9x a less interesting target.

    3. Re:virus by russint · · Score: 2, Funny

      One more reason to get rid of all those ancient floppy thingies.

      --
      ^^
  6. On duty, 24/7 by p0 · · Score: 5, Funny
    From TFA :
    He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren't expected to be awake for their entire 24-hour shift.

    Who the hell is this Ulrich guy? R2D2?

    --
    This is my sig. There are thousands more, but this one is mine.
    1. Re:On duty, 24/7 by Big+Nothing · · Score: 3, Funny

      "Who the hell is this Ulrich guy? R2D2"

      Funny you should ask...

      Here's a pic of Ullrich and here's one of R2D2. Although the picture of R2D2 is a bit old (taken June 12th, Long Time Ago), it's still obvious that the two are identical or that I am full of shit.

      QED.

      --
      SIG: TAKE OFF EVERY 'CAPTAIN'!!
  7. Virus naming conventions by AndroidCat · · Score: 5, Funny

    Does anyone really remember the difference between MyDoom-O and MyDoom-N? Perhaps they should start using first names like real storm centers do for tropical storms/hurricanes. They could issue warnings about incoming class 5 virus MyBad-Kevin.

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Virus naming conventions by c0p0n · · Score: 2, Funny

      Nope, because you would have to name the viruses with female names. We the /.'ers have enough problems to get a girl, I don't wanna know what could happen if they think that we geeks are male chauvinists...

      --
      Your head a splode
  8. Three links I just can't live without as an admin: by AcquaCow · · Score: 5, Informative

    SANS Internet Storm Center
    Provides current Internet port graph history and advisories

    CERT's Vulnerabilities page
    Provides current Internet virus history and news.

    Keynote Internet Health Report
    Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.

    I advise everyone to check these out, as they provide a great wealth of information in a nice organized format.

    --

    up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
    *makes note to limit user processes...
  9. Re:Ethereal is for the weak by Timesprout · · Score: 4, Funny

    snort is for big girls blouses.

    Real admins plug the network cable directly into their brains to perform packet analysis

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  10. Re:The difference between this and real storm chas by no+reason+to+be+here · · Score: 3, Funny

    Real storm chasing leads to really cool pictures.

    Internet storm chasing leads to porn.
    You mean to say porn isn't really cool pictures?

  11. The Storm Center is excellent by Saint+Aardvark · · Score: 4, Informative

    One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.

    What about the rest of you? What links do you check out, and what am I missing?

    1. Re:The Storm Center is excellent by presmike · · Score: 2, Informative

      I use http://www.dailyrotation.com/ You can customize which sites it draws headlines from. Saves me tons of time by having everything all in one place.

      --
      presmike
  12. Re:SuSE and VMware by UnderAttack · · Score: 2, Informative

    Get the latest VMware build, and check the vmware community forums. But the latest build I downloaded installed without a hitch on Suse 9.1 running on an AMD64 system.

    --
    ---- join dshield.org Distributed Intrusion Detec
  13. Re:Ethereal is for the weak by Anonymous Coward · · Score: 5, Funny

    Real admins plug the network cable directly into their brains

    You misspelled brains. It's spelled 'ass'

  14. I'm sure today will not be a typical day.. by craznar · · Score: 4, Funny

    If slashdot lives up to its reputation, I can imagine that today will not quite follow the usual pattern for the ISC.

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
  15. Small code ... ? by thrill12 · · Score: 5, Interesting

    From the article:
    "It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."

    Why not: s/should/could
    And for the conspiracy-minded: s/working for/commanded by
    Really twisted addon to the latter: s/code vendors/anti-virus vendors

    Another episode in "preaching to the converted".

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  16. Re:Ethereal is for the weak by vwjeff · · Score: 3, Funny

    Real admins plug the network cable directly into their brains to perform packet analysis.

    Real admins don't need the cable. They are already one with the network.

  17. ... and a nice Ethereal add-on... by m0rningstar · · Score: 5, Informative

    ... is Packetyzer, available from Network Chemistry http://www.networkchemistry.com/products/packetyzer/.

    Has some neat additional features, such as conversation tracking and I believe it has a few more decodes. Only for Windoze, however, thus encouraging the VMWare machines.

  18. Redefining protocols? by little_fluffy_clouds · · Score: 4, Interesting
    From the article...

    Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.

    That's a neat trick.

    I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".

    Ah, journalism.

    --
    What were the skies like when you were young?
  19. Re:Similar Article by UnderAttack · · Score: 4, Informative

    don't click on the link unless you want your cube mates to stare at you ;-)

    --
    ---- join dshield.org Distributed Intrusion Detec
  20. Since when... by mikrorechner · · Score: 2, Insightful
    ...are the "commercial code vendors" interested in small code size?

    --
    "Oh, a lesson in not changing history from Mr I'm-my-own-Grandpa." - Dr Hubert Farnsworth
  21. Forecast by dr_dank · · Score: 4, Funny

    from the Internet Storm center. Tonight, expect a high pressure system of script kiddies from the northeast to make the morning telecommute messy. Tomorrow, scattered DDOS showers, high of 10000 bots. Now, here's Glenn with sports.

    --
    Where does the school board find them and why do they keep sending them to ME?
  22. Re:Three links I just can't live without as an adm by Ice_Balrog · · Score: 2, Informative

    For Linux users, I highly recommend Linux Security to keep up on current advisories.

    --
    #include "sig.h"
  23. Re:Similar Article by Mant · · Score: 2, Interesting

    This is something like the third article where someone has posted that link, then it has been modded up as informative.

    Maybe a lot of Slashdotters don't pay attention when they Mod, but it smells to me of some organised trolling.

  24. Hahahhaha by brennz · · Score: 2, Interesting

    The first word that caught my attention was the word "handler".

    To paraphrase Dave Aitel, "handler = someone without a CS degree".

    $ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...

    (yes I have attended one)

    Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.

    1. Re:Hahahhaha by pbemfun · · Score: 2, Informative

      Obviously you didn't pay much attention in the class or attended a really bad one. I've attended a few SANS courses, and while they are expensive, they are worth every penny IMO. Every instructor I've had has gone beyond what's on the PPT presentations.