Researchers Tout New Network Worm Weapon

Posted by samzenpus on Wed Jun 04, 2008 05:57 PM
from the network-thumper dept.
coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. 'The difficulty was figuring out how many scans were too many,' researchers said."
  • Neat (Score:5, Insightful)

    by Zironic (1112127) on Wednesday June 04 2008, @06:02PM (#23660943)
    One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can reasonably make must be BitTorrent: a computer actively seeding files through BitTorrent might connect to hundreds of computers for each file.

    I suppose the admin of a corporate network will probably frown on active BitTorrent use in general though.
    • Re:Neat (Score:5, Insightful)

      by zappepcs (820751) on Wednesday June 04 2008, @06:22PM (#23661227) Journal
      It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

      IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

      If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

      The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.
      • Can we stop using the term "brick" in reference to something that merely makes a system unbootable?
          • Re: (Score:2, Informative)

            by Anonymous Coward
            "Brick" means not revivable except possibly with special equipment that nobody has (an eprom programmer for example). What you describe is nowhere near that, it is only a temporary inconvenience.
          • by Yetihehe (971185) on Thursday June 05 2008, @01:35AM (#23664515)
            And this is the way "hacker" word lost its meaning.
      • > Stopping DDoS attacks is even MORE important.

        What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?

        The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoi
      • Re: (Score:2, Interesting)

        In theory, worms simply don't have 'months' to spread, because, in theory, a vulnerability is detected and fixed within a short time-span, hence, the worm needs to abuse it as much as possible in the shortest time possible, right !?

        In practice, of course:
        * there are vulnerabilities that nobody (except the abuser) knows about and hence 'spreading slowly' is fine too
        * exploits are only created AFTER they have been identified (see "script kiddies") and rely upon people that are too uneducated/lazy/slow/dumb/p
      • I don't think it means what you think it means.
    • Although, this may work for a University/College or business network (to a significant degree at least) where someone can physically go to the computer and check it out, or at least momentarily take it offline and tell it to scan/scan it...

      But, I don't see how this would work (such as you mentioned BitTorrent, et al) for the 'public' unless ISPs started DoS-ing their customers, or sending them direct messages...

      Suspicious Amount Of Traffic Detected, Disconnect From Internet?
      (Cancel) (Allow)

      Which would mea
    • Re:Neat (Score:5, Interesting)

      by moderatorrater (1095745) on Wednesday June 04 2008, @06:45PM (#23661483)
      They were looking at 10,000 scans, which would be about how much I would expect my constantly-on bittorrent to do over the course of a week or more. I don't think it'll be a problem at that threshold.

      At lower thresholds (which they'll surely need since worms and viruses will just start scanning more slowly), they can start analyzing patterns and individual packets. This won't solve the problem overnight, but it will eliminate virtually all worms and viruses in the wild right now and make future worms and viruses propagate much more slowly.
    • ...blocking Bittorrent isn't a bug, it is a feature.
  • Well? (Score:2, Insightful)

    by Anonymous Coward
    Can useless messages be moderated within minutes of their posting?
    • They could, if I didn't just waste my mod points by commenting in a thread I just modded... crap!
  • iPhones (Score:3, Interesting)

    by Enderandrew (866215) <enderandrewNO@SPAMgmail.com> on Wednesday June 04 2008, @06:07PM (#23661041) Homepage Journal
    Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?
    • Re: (Score:3, Informative)

      Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?

      Not really.

      The reason Duke had to ban them was because the way they did their WiFi somehow clashed with the way Duke's WiFi network was set up. The end result was that a small concentration of iPhones managed to actually take down the WiFi network by consuming inordina

  • Network admins quite often scan large amounts of network space, especially for vulnerabilities. I know, I do it every day. Device discovery on networks for monitoring, IP address management, the list goes on.

    There is the alternative though...

    http://xkcd.com/416/ [xkcd.com]
  • IDS (Score:4, Insightful)

    by imunfair (877689) on Wednesday June 04 2008, @06:13PM (#23661123) Homepage
    Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.
    • Re: (Score:3, Interesting)

      Yeah, just watching the number of scans a computer makes isn't worm detection, per se, but more of intrusion detection, as you say.

      It will incidentally also allow network admins to automatically shut down bittorrent, so it should be quite popular.
    • Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well.

      Huh? Did you RTFA?

      Their baseline is 10,000 connections a month.
      Anything over that gets flagged.

      I guess 10,000 connection per month is a lot for a corporate environment.
      Obviously that number would need to be tweaked depending on the company, but 10k is their baseline.

      Or does baseline mean something other than what I think it means?

  • And now that... (Score:4, Interesting)

    by Ai Olor-Wile (997427) on Wednesday June 04 2008, @06:17PM (#23661161) Homepage
    ...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!

    (Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)
    • Re:And now that... (Score:4, Insightful)

      by quercus.aeternam (1174283) on Wednesday June 04 2008, @06:26PM (#23661273) Homepage

      If the worms are coded to spread more slowly, it will decrease the rate of propagation, making it more difficult for the worms to survive.

      If they don't alter their code, worms will have a much harder time surviving on networks that take advantage of this discovery.

      The net effect is positive.

      • Re: (Score:3, Insightful)

        Actually, worms are already spreading slower in order to survive longer. Even without a system like this, a worm that spreads fast gathers much more attention than one that spreads slow.
  • The paper (Score:3, Informative)

    by textstring (924171) on Wednesday June 04 2008, @06:19PM (#23661197)
    Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf [osu.edu]. Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.
  • by Arrogant-Bastard (141720) on Wednesday June 04 2008, @06:23PM (#23661241)
    Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
  • by Anonymous Coward
    Seriously, let's see how this will work.

    sysadmin: $max_scans_allowed = 10;
    worm: sh1t! $max_scans_allowed = 10;
    sysadmin: sh1t! $max_scans_allowed = 9;
    worm: sh1t! $max_scans_allowed = 9;
    sysadmin: sh1t! $max_scans_allowed = 8;
    worm: sh1t! $max_scans_allowed = 8;
    sysadmin: sh1t! $max_scans_allowed = 7;
    worm: sh1t! $max_scans_allowed = 7;
    sysadmin: sh1t! $max_scans_allowed = 6;
    worm: sh1t! $max_scans_allowed = 6;
    sysadmin: sh1t! $max_scans_allowed = 5;
    worm: sh1t! $max_scans_allowed = 5;
    sysadmin: sh1t! $max_scans_allow
      • Re: (Score:3, Funny)

        by Anonymous Coward
        sh1t! is programming slang for 100100001
  • by thePowerOfGrayskull (905905) on Wednesday June 04 2008, @06:27PM (#23661291) Homepage Journal
    The easy way around this is to just slow down the rate of the scans and the type/quantity of scanning done at any one type. Whether it takes hours or weeks, time is not critical when you have millions of PCs at your disposal.
      • Hm - kind of. An argument could be made that it would slow the spread of the botnet. And it is probably a safe bet that if the machines can get infected in the first place (unless it's a brand new exploit), there won't be patch updates/installs forthcoming from those particular users...
        • by hedwards (940851) on Wednesday June 04 2008, @08:57PM (#23662697)
          This has been brought up before. Basically, slowing down a worm allows for more time to create and disseminate a patch for the vulnerability. The idea was that when a virus is detected, throttle down the bandwidth allocated to the computer and perhaps limit it to just specific security sites for patching as well.

          Basically dry up the resources available to the worm and make it as unprofitable as possible to run a botnet in that fashion.

          Or in a more cost effective way, just throttle everybody's connection when there's a major outbreak while people get patched. Force the worms and viruses into a much smaller pool. Realistically when some of the larger worms have hit, the bandwidth ends up going mostly to the worms anyways, why not deny the resource to the worm.
          • But the point is if it was slowed down by design that wouldn't work - because it would remain undetected. That might have other repercussions as well: major outbreaks would not have immediately visible symptoms (such as flooding probes), and so may actually be harder to detect.
  • Undeployable (Score:4, Insightful)

    by gweihir (88907) on Wednesday June 04 2008, @06:34PM (#23661357)
    Anything that requires changes in most or all sub-networks is guaranteed to fail. Just look at egress filtering. Many network admins are still unable or unwilling to do it. And these people expect them to implement a worm detector in every subnet? Forget it.

    BTW, the idea is not new: "A Fast Worm Scan Detection Tool for VPN Congestion Avoidance" in Proceedings of DIMVA 2005 uses the same idea, but in a context where it is actually implementable and useful. Online under http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/dimva06scan.pdf [ee.ethz.ch].

  • by jafo (11982) on Wednesday June 04 2008, @07:02PM (#23661531) Homepage
    I've been running the following iptables rules on our routers for at least the last year or two:

    # Create the user-defined chain the rules below append to (this step is implied by the post, not shown in it)
    iptables -N ssh_attack

    # Per source IP, let up to 200 new SSH connections per minute pass through untouched
    iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN

    # Anything beyond that rate is logged (at most one log line per second)
    iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"

    # Send every outbound SSH connection attempt (SYN only) through the chain
    iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack

    In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.

    We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.

    We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.

    The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.

    So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.

    Sean
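    As an added example, not code from the OSU researchers or from the post above: a small per-host scan counter in Python that mirrors the same idea as the iptables rules (count outbound SYNs to distinct destinations per source within a sliding window, flag the source once it exceeds a limit). The SYN records are constructed, and it also shows the limit discussed in this thread: a scanner that stays slow enough remains under the window's threshold.

```python
"""Per-host outbound scan-rate monitor (added example; records are constructed)."""
from collections import defaultdict, deque

# Constructed sample of outbound TCP SYN records: (seconds, src_ip, dst_ip, dst_port)
SAMPLE_SYNS = []
# A normal host: 20 connections to four servers spread over a minute.
for i in range(20):
    SAMPLE_SYNS.append((i * 3, "10.0.0.5", "10.0.1.%d" % (i % 4 + 10), 443))
# A fast scanner: 300 SYNs to 256 distinct hosts within 30 seconds.
for i in range(300):
    SAMPLE_SYNS.append((i / 10.0, "10.0.0.9", "192.0.2.%d" % (i % 256), 22))
# A slow scanner: 50 SYNs to distinct hosts, one every 10 seconds.
for i in range(50):
    SAMPLE_SYNS.append((i * 10, "10.0.0.7", "198.51.100.%d" % i, 445))


class ScanRateMonitor:
    """Counts, per source IP, SYNs to distinct destinations inside a sliding window.

    window_s and limit play the role of the '200/min' hashlimit above: a source
    is flagged the first time it exceeds `limit` distinct destinations within
    `window_s` seconds.
    """

    def __init__(self, window_s=60.0, limit=200):
        self.window_s = window_s
        self.limit = limit
        self._events = defaultdict(deque)  # src -> deque of (time, dst)
        self.flagged = {}                  # src -> time the limit was first exceeded

    def observe(self, t, src, dst):
        q = self._events[src]
        # Expire events that fell out of the window.
        while q and t - q[0][0] > self.window_s:
            q.popleft()
        q.append((t, dst))
        distinct = len({d for _, d in q})
        if distinct > self.limit and src not in self.flagged:
            self.flagged[src] = t
        return distinct


def run_monitor(records, window_s=60.0, limit=200):
    """Replay time-ordered SYN records and return {src: time_flagged}."""
    mon = ScanRateMonitor(window_s, limit)
    for t, src, dst, _port in sorted(records):
        mon.observe(t, src, dst)
    return mon.flagged


if __name__ == "__main__":
    # Default: only the fast scanner trips the limit; the slow one stays under it.
    print(run_monitor(SAMPLE_SYNS))
    # A longer window with a lower limit also catches the slow scanner.
    print(run_monitor(SAMPLE_SYNS, window_s=600.0, limit=40))
```

A longer window catches slower scanners but also raises the chance of flagging a legitimately busy host, which is the trade-off the threshold discussion in this thread is about.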
  • by Anonymous Coward
    Like Windows made MS-DOS viruses something to be mentioned in the past, I don't get why people just stop making slapdash hacks, and move to a platform that is 100% immune to this type of malicious software. MacOS has had -zero- remote rootings in the wild in its whole history. Even the vaunted OpenBSD has had three remote holes on its record.

    I say leave the worm finding to the Windows and Linux people who are vulnerable to this stuff, and we Mac people can just point and snicker, because a worm or a botne
    • by thejynxed (831517) on Wednesday June 04 2008, @10:26PM (#23663435) Homepage
      Erm, actually, OSX has been found to be vulnerable to TONS of things, why else the 30 and 40 patch packs released all at once :)

      Remote vulnerabilities such as this: http://www.securityfocus.com/bid/29514 [securityfocus.com] would say well, maybe MacOSX IS vulnerable to such types of malware (they only need to cause buffer overflows or exploit remote code vulnerabilities and you can get nailed just like any other OS that is coded by humans).

      The question is: Are Macs with their puny marketshare, worth the bother of hacking?

      Answer: Some people/groups are starting to show interest in this, yes. But on the whole, no, they aren't worth the bother. Mainly this interest has grown since Apple swapped over to x86 architecture. I find that interesting.

      I think the bigger thing to sit and think about is this: No software written, and no hardware designed by humans will ever be perfect. There will always be a weakness somewhere in the system. Deal with it the best you can, like everyone else, and stop spouting stupid nonsense about an invulnerable OS.
  • by rAiNsT0rm (877553) on Wednesday June 04 2008, @08:46PM (#23662607) Homepage
    I've been a network specialist/admin for a few companies including banks and a university, and my personal idea/solution is a quasi-VLAN system where each workstation is unable to talk directly to other workstations within the same LAN/Campus. Think about it: allow workstations to talk to servers and necessary resources but not directly to each other.

    There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpack's PC.

    You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak which can be easier traced and combated when you aren't also fighting a spreading fire.
    • That's not quite as simple as you make it out to be. Ok, assuming a corporate network, you don't have to worry about as many peer-to-peer connections (such as bit torrent), but I can still think of a number of situations when workstations need to be able to chat with each other. Instant messengers, impromptu document sharing when there isn't an "official" share set up that both parties have access to, VoIP applications and teleconferencing solutions, and so forth.

      You could design your network from the groun
      • I disagree completely. IM uses a central server. "Impromptu document sharing" is exactly the type of thing that this stops, which is dangerous and circumvents a number of safeguards. Macro viruses, viruses, scattered documents which aren't properly backed up, lost due to a system crash, misplaced, inaccessible once an employee leaves, etc. VOIP and teleconferencing can be handled via QoS or a central server.

        It isn't hard. I have actually implemented this idea in labs and test case scenarios/labs and each an
        • Of course they're going to tell you that. You're the BOFH, and if they complain, you'll just give them something to really complain about.
    • Um, right. So when I'm out of the office for a meeting, I shouldn't be able to ssh into my desktop computer to grab some data I forgot to put on my laptop? Or if I need to host a wiki for the lab, I'm going to have to fight with IT instead of just installing a LAMP stack on a spare box and plugging it in? Or what about hosting our lab's database of plasmids, oligos, and cell lines? Or hell, even just retrieving data from various computers hooked up to instruments, our gel imager, phosphoimager, microscop
      • by Gnavpot (708731) on Thursday June 05 2008, @04:08AM (#23665383)

        Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

        The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:

        In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.

        If you block clients' ability to connect to other clients, no functionality is lost, but infected clients can not attack other clients directly.

        (I know that some companies use IM internally, but there is nothing forcing IM solutions to be P2P.)
  • by Joebert (946227) on Thursday June 05 2008, @01:30AM (#23664477) Homepage
    What's wrong with looking at the router lights blinking when the system shouldn't be doing anything and saying "Heeey, that's not right !" ?
  • Why spend money treating effects when you could prevent the cause in the first place using SELinux or AppArmor (those kinds of techniques exist for Windows too)?
  • If a machine gets infected by a worm, the anti-virus software must have failed to detect that worm. So, you get a report warning you about a particular machine, run a virus scan and find nothing. Now what?

    What you need to do is have the software running on the PC itself, so that it can monitor what task is actually running the scans so a human can check it.