Slashdot Mirror
Researchers Tout New Network Worm Weapon
coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line.'The difficulty was figuring out how many scans were too many,' researchers said."
One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can resonably make must be bittorrent, a computer actively seeding files through bittorrent might connect to hundreds of computers for each file.
I suppose the admin of a corperate network will probably frown on active bittorrent use in general though.
Can useless messages be moderated within minutes of their posting?
Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Network admins quite often scan large amount of network space especially for vulnerabilities, I know, I do it every day. Device discovery on networks for monitoring, IP address management, the list goes on.
There is the alternative though...
http://xkcd.com/416/
Curiosity was framed; ignorance killed the cat. -- Author unknown
Sorry, you must be new here. Car analogies are the only acceptable analogy on /.
Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.
But my UID Yours
Obligatory blog plug: http://www.caseybanner.ca/
...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!
(Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)
Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf. Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.
There is an article about the Blast-o-Mat in the December 2006 issue of the USENIX magazine.
Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
Seriously, let's see how this will work.
sysadmin: $max_scans_allowed = 10;
worm: sh1t! $max_scans_allowed = 10;
sysadmin: sh1t! $max_scans_allowed = 9;
worm: sh1t! $max_scans_allowed = 9;
sysadmin: sh1t! $max_scans_allowed = 8;
worm: sh1t! $max_scans_allowed = 8;
sysadmin: sh1t! $max_scans_allowed = 7;
worm: sh1t! $max_scans_allowed = 7;
sysadmin: sh1t! $max_scans_allowed = 6;
worm: sh1t! $max_scans_allowed = 6;
sysadmin: sh1t! $max_scans_allowed = 5;
worm: sh1t! $max_scans_allowed = 5;
sysadmin: sh1t! $max_scans_allowed = 4;
worm: sh1t! $max_scans_allowed = 4;
sysadmin: sh1t! $max_scans_allowed = 3;
worm: sh1t! $max_scans_allowed = 3;
sysadmin: sh1t! $max_scans_allowed = 2;
worm: sh1t! $max_scans_allowed = 2;
sysadmin: sh1t! $max_scans_allowed = 1;
worm: sh1t! $max_scans_allowed = 1;
sysadmin: sh1t! $max_scans_allowed = 0;
Unplug the internet, no communications allowed.
The easy way around this is to just slow down the rate of the scans and the type/quantity of scanning done at any one type. Whether it takes hours or weeks, time is not critical when you have millions of PCs at your disposal.
Anything that requires changes in most or all sub-networks is garantueed to fail. Just look at egress-filtering. Many network admins are still unable or unwilling to do it. And these people expect them to implement a worm detector in every subnet? Forget it.
BTW, the idea is not new: "A Fast Worm Scan Detection Tool for VPN Congestion Avoidance" in Proceedings of DIMVA 2005 uses the same idea, but in a context where it is actually implementable and useful. Online under http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/dimva06scan.pdf.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I've been running the following iptables rules on our routers for at least the last year or two:
iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN
iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"
iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack
In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.
We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.
We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.
The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.
So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.
Sean
I used to work as the admin for a small wireless ISP company seven years ago. The equipment they used was easily broken by an infected machine (I think sasser was the big one back then), as the radios packet per second limit was very low compared to other last mile solutions.
:0
To thwart attacks and keep the network working, I would have ntop running at the gateway looking for lots of SYN with no ACK, a usual sign of an infected machine. I would have to kick them off at the node and then politely call them and ask them to have the infection fixed... Once or twice I had to do it myself.
This was a very small company. The original planners set up a whole network on extremely flat land, with an 80 foot tree line and plenty of trees. It was tough enough getting enough customers on each node to justify the costs..
Good times.
Like Windows made MS-DOS viruses something to be mentioned in the past, I don't get why people just stop making slapdash hacks, and move to a platform that is 100% immune to this type of malicious software. MacOS has had -zero- remote rootings in the wild in its whole history. Even the vaunted OpenBSD has had three remote holes on its record.
I say leave the worm finding to the Windows and Linux people who are vulnerable to this stuff, and we Mac people can just point and snicker, because a worm or a botnet "client" is just plain impossible to implement on MacOS.
Maybe it's because I haven't had my coffee, but after reading the headline as 'Researchers Tout New Worm Weapon' the only thing I could think of was, 'Holy crap, System Shock is for real...'
I've been a network specialist/admin for a few companies including banks and a univeristy, and my personal idea/solution is a quasi-vlan system where each workstation is unable to talk directly to other workstations within the same LAN/Campus. Think about it, allow workstations to talk to servers and necessary resources but not directly to each other.
There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpacks PC.
You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak which can be easier traced and combated when you aren't also fighting a spreading fire.
http://teasphere.wordpress.com - A little spot of tea
...are not worms.
...blocking Bittorrent isn't a bug, it is a feature.
Help poke pirates in the eyepatch, arr.
I'm betting that you have never been in a hurry but had to buy a new copy of Windows to replace the OEM version that just was FUBAR by a virus or malicious piece of software, or perhaps even by a malignant end user who knows far too much about the delete command and far too little about the windows and system directories.
Unbootable does NOT even begin to describe what you have on your hands. Brick, on the other hand, gets kind of close and conveys the proper frame of mind when you have experienced that kind of frustration. I believe that those who advocate the changing and fluid nature of a language would approve of that use of the word as confined to the electronics realm.
It becomes an even more appropriate usage when you consider that most consumer electronics products are or are very close to throw-away status. That is to say that once they malfunction permanently, it is cheaper to replace them with new units than to have them repaired. This leaves you with something that is about the same use to the average person in their home or office as a brick, Acme or otherwise.
You personally are welcome to not use the word in that context. The rest of us, meh... fsck it, it works for me.
Worms are ugly, but they are not that smart so it won't take long to stop them most likely.
Learn about Programming (C++ ASM) and Web Design and Development (PHP, CSS, Photoshop) from InfernoDevelopment.com
> Stopping DDoS attacks is even MORE important.
What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?
The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoing packets (from their home users), but given the general lack of cooperation of the ISPs against network hacking (or has this changed? Have any ISPs finally implemented egress filters for packets with faked headers nowadays?) I wouldn't hold my breath...
What's wrong with looking at the router lights blinking when the system shouldn't be doing anything and saying "Heeey, that's not right !" ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I scour the local dumpsters for computers (college dorm room dumpsters on move-out day are a freakin' gold mine), reinstall the OS, and do some good with them. Or just fix them and sell them back to the idiots who threw them away in the first place. LMAO.
A system called Quarantainenet attempting to do the same detection and isolation has been up and running for 5+ years at the University of Twente in the Netherlands. It's even evolved into a separate company, which appears to cover several more universities and ISP's in the Netherlands with the system.
I don't think it means what you think it means.
No sig today...
Why to spend money to treat effects when you could prevent cause in first place using SELinux or AppArmor (those kind technics are for Windows too)?
If a machine gets infected by a worm, the anti-virus software must have failed to detect that worm. So, you get a report warning you about a particular machine, run a virus scan and find nothing. Now what?
What you need to do is have the software running on the PC itself, so that it can monitor what task is actually running the scans so a human can check it.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
We purchased a Forescout appliance 2 years ago which does the exact same thing. I wonder if the OSU research was reading http://www.forescout.com/counteract/index.html As an OSU Alum, I am embarrassed by this tripe.
We have been doing this kind of analysis and mitigation since the days of blaster. Nothing new, but yes, it does work quite effectively for rapidly spread worms.
Existence is futile
OSU scientists decided to focus on the issue of network worms when they were frustrated by efforts to diffuse offensive attacks by SEC virus. The Florida and LSU variants proved to be too much to handle, and the scientists choked under the pressure.
Don't know if you were joking or not (you were modded funny), but I wish I could easily block bittorrent traffic with my netgear router, or at least throttle it. I share my connection with tenants in our house, and it would be great to be able to limit their bandwidth rather than telling them not to use bittorrent.