Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Tout New Network Worm Weapon

Posted by samzenpus on from the network-thumper dept.

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line.'The difficulty was figuring out how many scans were too many,' researchers said."

12 of 101 comments (clear)

  1. Neat by Zironic · · Score: 5, Insightful

    One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can resonably make must be bittorrent, a computer actively seeding files through bittorrent might connect to hundreds of computers for each file.

    I suppose the admin of a corperate network will probably frown on active bittorrent use in general though.

    1. Re:Neat by zappepcs · · Score: 5, Insightful

      It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

      IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

      If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

      The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.

      --
      Support NYCountryLawyer RIAA vs People
    2. Re:Neat by moderatorrater · · Score: 5, Interesting

      They were looking at 10,000 scans, which would be about how much I would expect my constantly-on bittorrent to do over the course of a week or more. I don't think it'll be a problem at that threshold.

      At lower thresholds (which they'll surely need since worms and viruses will just start scanning more slowly), they can start analyzing patterns and individual packets. This won't solve the problem overnight, but it will eliminate virtually all worms and viruses in the wild right now and make future worms and viruses propagate much more slowly.

  2. SOP - Standard operating procedure by bernywork · · Score: 4, Funny

    Network admins quite often scan large amount of network space especially for vulnerabilities, I know, I do it every day. Device discovery on networks for monitoring, IP address management, the list goes on.

    There is the alternative though...

    http://xkcd.com/416/

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  3. And now that... by Ai+Olor-Wile · · Score: 4, Interesting

    ...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!

    (Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)

    1. Re:And now that... by quercus.aeternam · · Score: 4, Insightful

      If the worms are coded to spread more slowly, it will decrease the rate of propogation, making it more difficult for the worms to survive.

      If they don't alter their code, worms will have a much harder time surviving on networks that take advantage of this discovery.

      The net effect is positive.

  4. This is trivially defeated by Arrogant-Bastard · · Score: 4, Insightful

    Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.

  5. I didn't realize this was news 2 years ago... by jafo · · Score: 4, Insightful

    I've been running the following iptables rules on our routers for at least the last year or two:

    iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN

    iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"

    iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack

    In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.

    We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.

    We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.

    The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.

    So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.

    Sean

  6. As a network admin... by rAiNsT0rm · · Score: 4, Interesting

    I've been a network specialist/admin for a few companies including banks and a univeristy, and my personal idea/solution is a quasi-vlan system where each workstation is unable to talk directly to other workstations within the same LAN/Campus. Think about it, allow workstations to talk to servers and necessary resources but not directly to each other.

    There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpacks PC.

    You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak which can be easier traced and combated when you aren't also fighting a spreading fire.

    --
    http://teasphere.wordpress.com - A little spot of tea
    1. Re:As a network admin... by Gnavpot · · Score: 4, Informative

      Yeah, thats a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

      The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:

      In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.

      If you block clients' ability to connect to other clients, no functionality is lost, but infected clients can not attack other clients directly.

      (I know that some companies uses IM internally, but there is nothing forcing IM solutions to be P2P.)
  7. Re:Move to MacOS -- worms are obsolete here by thejynxed · · Score: 4, Interesting

    Erm, actually, OSX has been found to be vulnerable to TONS of things, why else the 30 and 40 patch packs released all at once :)

    Remote vulnerabilities such as this: http://www.securityfocus.com/bid/29514 would say well, maybe MacOSX IS vulnerable to such types of malware (they only need to cause buffer overflows or exploit remote code vulnerabilities and you can get nailed just like any other OS that is coded by humans).

    The question is: Are Macs with their puny marketshare, worth the bother of hacking?

    Answer: Some people/groups are starting to show interest in this, yes. But on the whole, no, they aren't worth the bother. Mainly this interest has grown since Apple swapped over to x86 architecture. I find that interesting.

    I think the bigger thing to sit and think about is this: No software written, and no hardware designed by humans will ever be perfect. There will always be a weakness somewhere in the system. Deal with it the best you can, like everyone else, and stop spouting stupid nonsense about an invulnerable OS.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  8. Re:Merely? M E R E L Y ???? by Yetihehe · · Score: 4, Insightful

    And this is the way "hacker" word lost its meaning.

    --
    Extreme Programming - Redundant Array of Inexpensive Developers