Slashdot Mirror


Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."


  1. I don't see that. by khasim · · Score: 5, Insightful

    When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

    The zombies can simply flood your pipeline. There are that many of them.

    1. Re:I don't see that. by feepness · · Score: 4, Insightful

      hey chef, the tails of shrimp are not food, cut them off. No, they're not food. They're handles.
    2. Re:I don't see that. by hosecoat · · Score: 2, Insightful

      hey chef, the tails of shrimp are not food, cut them off.
      No, they're not food. They're handles.

      but why do they leave the tails on in pasta or pad thai.

  2. Translation: by rtechie · · Score: 4, Insightful

    "Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

    What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

    1. Re:Translation: by sumdumass · · Score: 2, Insightful

      This isn't as much a blatant ad as a cover-your-own-ass thing. The guy supposedly making this product realizes that if he can think of it, anyone can. He thinks that it might not be his superior intellect but the circumstances of the times pointing to an obvious solution.

      So he gets the word out that he is on top of this. Going to release a product and blah blah blah. What it does is show that the obviousness was because he pointed it out. This makes it unique so that he might obtain a patent and so on. In 5 years when the USPTO gives him a patent and 25 competing companies want prior art, the searches show that he is his own prior art. That he was working with and on the stuff before anyone else.

      So it is basically a CYOA with a little Bragging mixed in.

  3. So in other words... by Icarus1919 · · Score: 5, Insightful

    People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?

    1. Re:So in other words... by QuantumG · · Score: 4, Insightful

      Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

                220 foo.bar.baz.MIL (Well hello there)
                EHLO so.i.say.mil
                250-foo.bar.baz.MIL offers THREE extensions:
                250-8BITMIME
                250-PIPELINING
                250 DSN
                RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
                # id
                uid=0(root) gid=0(root) groups=0(root)
                # cd /home
                # ls -l
                drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
                drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
                drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
                drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

      pretty obvious that the server didn't reply to the RCPT request correctly isn't it?

      --
      How we know is more important than what we know.
    2. Re:So in other words... by penix1 · · Score: 2, Insightful

      but it is in the interests of the ISP, as spam and DDoS continue to eat up their bandwidth.

      You seem to be of the impression that ISPs care about bandwidth. Here's a clue-by-four for you...

      They don't.

      In fact, they want as much bandwidth being eaten up as possible to support their claims of "teh tubes are clogged!!!111!!! We need to get evil Google (YouTube) to pay more since they are obviously the cause!" to Congress.
      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    3. Re:So in other words... by FooAtWFU · · Score: 3, Insightful

      Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.
      Snooping all your outbound SMTP (+etc) traffic to validate that it's conforming to a certain protocol is somewhat resource-intensive. The protocol validation would need to be very, very, very good, or it would be liable to catch all sorts of garbage: there's no shortage of slightly-wrong products out there. (It's not just Microsoft either). Not all communications that you expect to be a certain protocol actually are - and they may be some extended version of the protocol. (Watch WebDAV over HTTP.) Not all protocols are trivial to validate in this manner. Not all exploits require a breach of a certain protocol. (Watch for some of the PHP exploits that you can send in a perfectly valid HTTP POST). Not all exploits are synchronous like this one. And, finally, privacy can be an issue.

      It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  4. Re:Tools To Squash the Botnets - Squashed by Anonymous Coward · · Score: 1, Insightful

    This article is junk and provides absolutely no information at all save to make people feel good.

  5. See spot run. Run Spot! Run! by buss_error · · Score: 4, Insightful

    Gee. Lookit this big bad threat.
    Boo! Botnet! Boo!
    Bad Botnet! Bad! Bad! Bad!

    We can save you! We have Patented Technology!
    All Hail our most Holy Precious Intellectual Property!
    Hail IP! Hail! Botnet! Boo!

    OK, can some one 'splain to me Lucy why this obvious and fact lacking
    bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
    exactly how technology that allows for 99.9 percent accuracy with zero false
    positives actually works? Remember, we're talking millions of infected botnet
    systems with ZERO false positives. Make millions of ANYTHING and you're going
    to have a few errors here and there.

    This is great if it's true, however, I'm highly skeptical without more hard
    facts that this is anything other than vaporware and high hopes for an early
    buyout. Gee! FOUR patents!

    I'll bet I could get four patents on a process to pick my teeth with a toothpick.
    Not that I think it honest, you understand...

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  6. I have an idea! by jhfry · · Score: 4, Insightful

    Why don't ISPs implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user?

    It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

    Obviously, the user could disable all filtering if they so desired.

    This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

    In addition, why don't ISPs notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

    I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on their customers' machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
    1. Re:I have an idea! by fireboy1919 · · Score: 4, Insightful

      Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

      They could up the bandwidth and do it that way.

      The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

      I wonder why they don't do that?

      --
      Mod me down and I will become more powerful than you can possibly imagine!
    2. Re:I have an idea! by 140Mandak262Jamuna · · Score: 2, Insightful

      The compromised computers are running malicious code installed by the bot boss. Anything doable by the user is doable by the bot boss. They probably run cron jobs to reset the router settings to disable all filtering and exposing all the ports etc. Most users of the compromised computers don't know, or they don't care their computer is running malicious software.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. Let's look at this logically. by khasim · · Score: 3, Insightful

    Someone who isn't going to patch his mail server is going to install this new IDS? Correctly? And keep it patched?

    Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?

    If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?

    Yeah, good luck with that. You should start working on it now. Maybe in 10 years or so you'll have caught all the possible legit patterns for everything available today.

    That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.

    Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?

    Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.
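    The conformance check QuantumG sketches (comment 3, reply 1) and khasim's multi-line "user not found" objection above, worked through as an added example; this is not code from the thread or from Nemean. The only thing the checker knows is the reply grammar of RFC 5321 section 4.2, not any particular server's wording, so an Exim, Sendmail or Exchange multi-line 550 all pass the same way, while the root prompt that appears where a reply belongs does not. The two transcripts are constructed: the exploited one abridges QuantumG's post (the overlong RCPT argument is shortened, and the shell prompt and output are modelled as server-side bytes), the benign one is invented.

```python
"""Reply-grammar check for SMTP, in the spirit of QuantumG's sketch.
Added example; not code from the thread or from any product it mentions.

RFC 5321 section 4.2: a reply is zero or more 'DDD-text' continuation lines
followed by one final 'DDD text' (or bare 'DDD') line, every line carrying
the same three-digit code whose first digit is 2-5.  That grammar is all the
checker knows, so a multi-line 550 "user not found" reply passes and a root
shell prompt where a reply should be does not."""
import re
from dataclasses import dataclass

REPLY_LINE = re.compile(r"^([2-5][0-9]{2})(?:([ -])(.*))?$")
COMMAND_LINE = re.compile(r"^[A-Za-z]{4}(?:\s.*)?$")  # four-letter verb, optional args


@dataclass
class Verdict:
    ok: bool
    reason: str = ""


def check_reply(lines):
    """Validate one server reply, given as its lines with CRLF stripped."""
    if not lines:
        return Verdict(False, "empty reply")
    code = None
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            return Verdict(False, f"line {i + 1} is not an SMTP reply line: {line!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            return Verdict(False, f"reply code changed from {code} to {m.group(1)}")
        final = (m.group(2) or " ") == " "  # bare 'DDD' is a final line too
        if final and i != len(lines) - 1:
            return Verdict(False, "final reply line followed by more server text")
        if not final and i == len(lines) - 1:
            return Verdict(False, "reply ends on a continuation line")
    return Verdict(True)


def _command_ok(cmd):
    return cmd == "<connect>" or COMMAND_LINE.match(cmd) is not None


def audit_session(session):
    """session is [('C', line) | ('S', line), ...] in wire order.  Returns one
    (command, command_ok, reply_verdict) per client command; the greeting is
    attributed to the pseudo-command '<connect>'."""
    findings = []
    pending, buf = "<connect>", []
    for who, line in session:
        if who == "C":
            findings.append((pending, _command_ok(pending), check_reply(buf)))
            pending, buf = line, []
        else:
            buf.append(line)
    findings.append((pending, _command_ok(pending), check_reply(buf)))
    return findings


def alerts(session):
    """Only the findings a sensor would raise: bad command or bad reply."""
    return [f for f in audit_session(session) if not (f[1] and f[2].ok)]


# Constructed transcripts.  BENIGN contains the multi-line 'user not found'
# reply khasim asks about; EXPLOITED abridges QuantumG's post.
BENIGN = [
    ("S", "220 foo.bar.baz.MIL ESMTP ready"),
    ("C", "EHLO so.i.say.mil"),
    ("S", "250-foo.bar.baz.MIL offers THREE extensions:"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250 DSN"),
    ("C", "RCPT TO:<nobody@foo.bar.baz.mil>"),
    ("S", "550-5.1.1 The recipient address was not found."),
    ("S", "550 5.1.1 Check the spelling and try again."),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]
EXPLOITED = [
    ("S", "220 foo.bar.baz.MIL (Well hello there)"),
    ("C", "EHLO so.i.say.mil"),
    ("S", "250-foo.bar.baz.MIL offers THREE extensions:"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250 DSN"),
    ("C", "RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJ!/bin/sh$@!#>"),
    ("S", "# "),
    ("C", "id"),
    ("S", "uid=0(root) gid=0(root) groups=0(root)"),
    ("S", "# "),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("exploited", EXPLOITED)):
        for cmd, cmd_ok, verdict in alerts(session):
            print(f"{name}: after {cmd!r}: {'bad command; ' if not cmd_ok else ''}{verdict.reason}")
```

    On the benign transcript nothing fires, including on the two-line 550; on the exploited one the first alert is raised for the RCPT command because the server's next bytes are a shell prompt, not a reply line. FooAtWFU's caveats still stand: this only catches exploits that break the reply grammar, and a payload carried in a perfectly well-formed command or reply passes straight through.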

  8. false positives by 1u3hr · · Score: 3, Insightful
    FTFAdvertisement:

    Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates. In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures: 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology.

    Sure, but if his system went into use, the "hackers" would quickly adapt and it would not be any better than current systems. Lots of anti-spam ideas work fine for the originator, but when they become common enough to bother the spammers, they target them.
  9. Unworthy article by flyingfsck · · Score: 4, Insightful

    Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  10. Great by causality · · Score: 2, Insightful
    I love the way we keep coming up with all these band-aid solutions that attack symptoms without addressing the root cause, just because the root cause is non-trivial.

    There are really only two reasons why botnets and their associated malware have become so prevalent. All other apparent causes stem from these two reasons:
    • The Windows monoculture. When this accounts for over 90% of all desktop installations, it's much easier to write a single worm/trojan/virus/etc that can single-handedly infect many thousands of hosts. This greatly reduces the number of vulnerabilities that need to be targeted and the knowledge necessary to exploit them on a large scale, which is a situation that favors the blackhats tremendously. If nature handled genetics this way, then the first lethal contagious disease to come along would destroy civilization. There are good reasons other than their business practices why the Microsoft monopoly is a bad idea. No matter how hard they work to improve security, there will be vulnerabilities, and due to this monopoly any single vulnerability will instantly affect millions of hosts. If you want the Internet overall to be a more secure place, this is not a good start. I believe this would be the case with any single vendor controlling this much of the market. Consider also that security is not the only selling point of Windows; convenience and "easier to use than EVER!" are also major factors and (especially convenience) are not compatible with security. The boilerplate nature of most commercial software is also a factor here.
    • The lack of education of the average user. I don't really know whether this is more or less difficult to address than the first item. The fact is that most users don't give a damn about security, at least not until their identity gets stolen or their data gets deleted or $AUTHORITY_FIGURE knocks on their door asking why their machine is attacking other machines. This appears to be because they don't see their security as their responsibility; they feel that this is entirely $VENDOR's problem. That they would feel this way is a foreseeable consequence of widespread "more convenient and easier to use than ever!" marketing, since this sets up the expectation that it will Just Work with no effort. While it would be easy to blame this on Microsoft since they have profited handsomely from it, I personally believe that this is an aspect of our general instant-gratification culture that effectively says nothing is worth putting any time and effort into; Microsoft merely had the business sense to realize that catering to it is the path to profit. It's difficult to seriously blame a company for doing something when nearly everyone is rewarding them for it. Because of this, if you try to educate people regarding things like system security, what you will find is that not only are most users ignorant, they don't WANT to learn. They see "all that technobabble" as an inconvenience, yet they insist on using equipment that requires some technical skill to properly maintain. This is something of a Catch-22 because Microsoft would build a much more secure Windows if no one would buy Windows otherwise, but average users with little technical skill are not going to create this kind of market.
    Just like after-the-infection virus and spyware removal tools, this botnet detector is NOT a real solution, it's a form of damage control and should only be represented as such.

    What I really want to see is a long-term plan for dealing with those two points. Until these factors change, we are going to keep having the same kind of problems again and again as the arms race between blackhats and whitehats continues. You are never going to have perfect security, but the current situation where one piece of malware can do tremendous damage on a massive scale is a situation that many people have worked very hard to bring about. Too bad that in a superficial society like ours, we have a huge phobia of actually addressing the roots of our problems because we keep hoping to find some form of an "easy way out" of situations that took a long time to become what they are.
    --
    It is a miracle that curiosity survives formal education. - Einstein
  11. Re:Mod parent up! by martin-boundary · · Score: 2, Insightful
    (for the humour impaired, the comment immediately above is meant to be ironic.) There actually are no verifiable facts in the linked-to article. The quoted statement

    it has zero false positives when commercial systems have high numbers
    is meaningless drivel, since the commercial systems aren't named and the supposed testing procedure and experimental data is not described and certainly not controllable by others.

    Instead this is a content-less advertising press release (as can be easily seen by noticing that the source is the UW-Madison "news" page, which is meant to give alumni and other potential cash donors a warm fuzzy feeling about the achievements of the university). Such press releases rarely have anything concrete in them, because that would allow competitors and critics to point out flaws and wild claims, thereby ruining the effect.

  12. Re:ISPs won't implement it anyway. by geminidomino · · Score: 3, Insightful

    Why does this get posted in every story involving TCP/IP manipulation? ISPs do not and never have had common carrier status.

  13. Free to use, NOT open source by Anonymous Coward · · Score: 1, Insightful

    The source is nowhere to be found. Unfortunately.

  14. Re:Simple solution... by Macthorpe · · Score: 2, Insightful

    I'd like to remind you that this is Slashdot, and therefore there is a much higher chance that he is sincere ;)

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien