Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Tout New Network Worm Weapon

Posted by samzenpus on from the network-thumper dept.

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line.'The difficulty was figuring out how many scans were too many,' researchers said."

3 of 101 comments (clear)

  1. Neat by Zironic · · Score: 5, Insightful

    One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can resonably make must be bittorrent, a computer actively seeding files through bittorrent might connect to hundreds of computers for each file.

    I suppose the admin of a corperate network will probably frown on active bittorrent use in general though.

    1. Re:Neat by zappepcs · · Score: 5, Insightful

      It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

      IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

      If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

      The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.

      --
      Support NYCountryLawyer RIAA vs People
    2. Re:Neat by moderatorrater · · Score: 5, Interesting

      They were looking at 10,000 scans, which would be about how much I would expect my constantly-on bittorrent to do over the course of a week or more. I don't think it'll be a problem at that threshold.

      At lower thresholds (which they'll surely need since worms and viruses will just start scanning more slowly), they can start analyzing patterns and individual packets. This won't solve the problem overnight, but it will eliminate virtually all worms and viruses in the wild right now and make future worms and viruses propagate much more slowly.