Slashdot Mirror


Day in the Life of the Internet Storm Center

An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSE Linux. A practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybody's favorite packet analyzer Ethereal."


  1. My Favourite Pony by B3ryllium · · Score: 4, Informative

    An invaluable tool for PCs that are "public access" or even boot-partitions of computers at work:

    DeepFreeze

    Just one reboot, and any malware infection is obliterated. (There are alternatives, too, but I like DeepFreeze the best)

    1. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

      Nothing on that link tells you how the product works.

      The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?

      If so, I'd shy away from phrases like "Completely invulnerable to hacking".

      XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:My Favourite Pony by ciroknight · · Score: 5, Informative

      We happened upon this product at the school where I used to work, and as far as I can tell from using it and poking around at the program, it keeps a log of all hard drive transactions, then when rebooted, it plays back the log backwards, restoring to the state in which the system was before; no Ghost partitioning required, but nonetheless not invulnerable to attack. We had kids bring in Knoppix CDs and obliterate hard drives for no other reason than they could.

      My suggestion is to use Deep Freeze with Ghost (It's a complex setup, but if you "un-freeze" the system for one reboot, then Ghost, all you have to do is cast the image, change the computer's name (we had a pretty complex naming scheme), then reboot the machine and it's ready to go.) It's a formidable combination, and far better than products like "Foolproof Security". Hope this helps.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
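As an added illustration (not code from the product or from the poster), a toy Python model of the behaviour described above: a filter driver journals the previous contents of every sector it writes while "frozen", and a reboot replays that log backwards. Playing it backwards matters when the same sector is written more than once, and a write that bypasses the driver (the Knoppix case) is never logged, so it cannot be undone. The `FrozenDisk` class and sector contents are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class FrozenDisk:
    """Hypothetical model: a few 'sectors' plus the undo log a filter driver keeps."""
    sectors: list
    undo_log: list = field(default_factory=list)   # (sector, old_bytes) in write order
    frozen: bool = True

    def write(self, sector, data):
        """Write through the driver: while frozen, remember what the sector held."""
        if self.frozen:
            self.undo_log.append((sector, self.sectors[sector]))
        self.sectors[sector] = data

    def raw_write(self, sector, data):
        """Write that bypasses the driver (another OS booted from CD): nothing is logged."""
        self.sectors[sector] = data

    def reboot(self):
        """Play the log back in reverse so each sector ends at its oldest saved value."""
        for sector, old in reversed(self.undo_log):
            self.sectors[sector] = old
        self.undo_log.clear()
        return list(self.sectors)


def demo_rollback():
    # Constructed sample disk: three sectors with recognisable contents.
    disk = FrozenDisk([b"mbr", b"system", b"user"])
    disk.write(2, b"dropper")
    disk.write(2, b"payload")      # same sector again: log holds b"user", then b"dropper"
    disk.write(0, b"bad mbr")
    return disk.reboot()           # reverse replay restores [b"mbr", b"system", b"user"]


def demo_thaw_then_bypass():
    disk = FrozenDisk([b"mbr", b"system", b"user"])
    disk.frozen = False            # "un-freeze" for one session to apply a change
    disk.write(1, b"system+patch") # not logged, so it survives the next reboot
    disk.frozen = True
    disk.raw_write(2, b"wiped")    # bypasses the driver: the undo log never sees it
    return disk.reboot()           # [b"mbr", b"system+patch", b"wiped"]
```

Replaying the same log forwards instead would leave sector 2 at b"dropper", which is why the order of the replay is the whole point.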
    3. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

      See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but every time something comes up, I have to handle it because his computer is broken.

      "I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isn't working" "I can't VPN in because my computer crashes when I fire up the Cisco client".

      He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one, everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really don't have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc..

      I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.

      It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cat's ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

      Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:My Favourite Pony by jrockway · · Score: 4, Interesting

      It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.

      So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.

      Closed source is what it is.

      --
      My other car is first.
  2. Correct link by Tyrdium · · Score: 5, Informative

    Ethereal's website is ethereal.com, not ethereal.org.

  3. Malware by Ford+Prefect · · Score: 5, Funny

    A practice very common in malware analysis to isolate yourself from various ill effects of the malware

    Best description of Windows I've heard in ages... ;-)

    --
    Tedious Bloggy Stuff - hooray?
    1. Re:Malware by The+Jonas · · Score: 4, Interesting

      True.

      However, if anyone out there is running a honeypot as a hobby or are new to setting them up, some good advice on a more secure Windows configuration can be found here. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.

  4. More "fun" than running viruses in vmware... by mkavanagh2 · · Score: 5, Funny

    Is running them in WINE. Especially since it's not a virtual machine, and the virus might detect WINE then trash your lunix ;)

    1. Re:More "fun" than running viruses in vmware... by DarkOx · · Score: 4, Interesting

      Only if you are crazy enough to run wine with elevated privileges.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. virus by spotplace · · Score: 5, Interesting

    Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school district's entire network of w2k machines didn't harm the windows 98 machines at all!

    1. Re:virus by ciroknight · · Score: 4, Interesting

      Funny, we had the opposite take effect at our school district. We migrated all of the machines we could to Win2k (some were just not powerful enough, sadly), and then got hit by a virus that thrashed the remaining Win98 systems, but left the Win2k machines completely alone. Needless to say, it was an older virus that someone brought in on floppy, but the effect nonetheless was devastating for quite a while. It also seems that the Win9x virus protection programs weren't as effective at scanning the floppies on mount, versus the Win2k scanners that worked flawlessly for us (Norton for both, 2k3 on the Win2k machines, 2k1? on the Win98 machines).

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    2. Re: virus by Alwin+Henseler · · Score: 4, Interesting
      Yes, still running Win98 here, and I have the same experience. Visited Windows Update after install, then stripped out IE (98lite), full backup, use Mozilla, regularly updated virus scanner, and rarely run binaries fresh off the 'net. Result: last worm infection was long ago (on a LAN party), lockups are rare, no weird problems of any kind.

      I guess a major factor is that many exploits are created by reverse engineering patches. As Microsoft has ended active support for Win9x systems, that also means no new patches for hackers to reverse engineer. Then there was this source code leak, wasn't it Win2k source code? So different code from what's in Win9x. And as Win9x systems are replaced with Win2k/XP, their smaller market share makes Win9x a less interesting target.

  6. On duty, 24/7 by p0 · · Score: 5, Funny
    From TFA :
    He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren't expected to be awake for their entire 24-hour shift.

    Who the hell is this Ulrich guy? R2D2?

    --
    This is my sig. There are thousands more, but this one is mine.
  7. Virus naming conventions by AndroidCat · · Score: 5, Funny

    Does anyone really remember the difference between MyDoom-O and MyDoom-N? Perhaps they should start using first names like real storm centers do for tropical storms/hurricanes. They could issue warnings about incoming class 5 virus MyBad-Kevin.

    --
    One line blog. I hear that they're called Twitters now.
  8. Three links I just can't live without as an admin: by AcquaCow · · Score: 5, Informative

    SANS Internet Storm Center
    Provides current Internet port graph history and advisories

    CERT's Vulnerabilities page
    Provides current Internet virus history and news.

    Keynote Internet Health Report
    Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.

    I advise everyone to check these out, as they provide a great wealth of information in a nice organized format.

    --

    up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
    *makes note to limit user processes...
  9. Re:Ethereal is for the weak by Timesprout · · Score: 4, Funny

    snort is for big girls' blouses.

    Real admins plug the network cable directly into their brains to perform packet analysis

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  10. The Storm Center is excellent by Saint+Aardvark · · Score: 4, Informative
    One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.

    What about the rest of you? What links do you check out, and what am I missing?

  11. Re:Ethereal is for the weak by Anonymous Coward · · Score: 5, Funny

    Real admins plug the network cable directly into their brains

    You misspelled brains. It's spelled 'ass'

  12. I'm sure today will not be a typical day.. by craznar · · Score: 4, Funny

    If slashdot lives up to its reputation, I can imagine that today will not quite follow the usual pattern for the ISC.

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
  13. Small code ... ? by thrill12 · · Score: 5, Interesting

    From the article:
    "It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."

    Why not: s/should/could
    And for the conspiracy-minded: s/working for/commanded by
    Really twisted addon to the latter: s/code vendors/anti-virus vendors

    Another episode in "preaching to the converted".

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  14. ... and a nice Ethereal add-on... by m0rningstar · · Score: 5, Informative

    ... is Packetyzer, available from Network Chemistry http://www.networkchemistry.com/products/packetyzer/.

    Has some neat additional features, such as conversation tracking and I believe it has a few more decodes. Only for Windoze, however, thus encouraging the VMWare machines.

  15. Redefining protocols? by little_fluffy_clouds · · Score: 4, Interesting
    From the article...

    Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.

    That's a neat trick.

    I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".

    Ah, journalism.

    --
    What were the skies like when you were young?
  16. Re:Similar Article by UnderAttack · · Score: 4, Informative

    don't click on the link unless you want your cube mates to stare at you ;-)

    --
    ---- join dshield.org Distributed Intrusion Detec
  17. Forecast by dr_dank · · Score: 4, Funny

    from the Internet Storm center. Tonight, expect a high pressure system of script kiddies from the northeast to make the morning telecommute messy. Tomorrow, scattered DDOS showers, high of 10000 bots. Now, here's Glenn with sports.

    --
    Where does the school board find them and why do they keep sending them to ME?