Worms Security The Internet

Researchers Tout New Network Worm Weapon 101

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. 'The difficulty was figuring out how many scans were too many,' researchers said."
  • Neat (Score:5, Insightful)

    by Zironic ( 1112127 ) on Wednesday June 04, 2008 @07:02PM (#23660943)
    One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can reasonably make must be bittorrent, a computer actively seeding files through bittorrent might connect to hundreds of computers for each file.

    I suppose the admin of a corporate network will probably frown on active bittorrent use in general though.
  • Well? (Score:2, Insightful)

    by Anonymous Coward on Wednesday June 04, 2008 @07:03PM (#23660953)
    Can useless messages be moderated within minutes of their posting?
  • IDS (Score:4, Insightful)

    by imunfair ( 877689 ) on Wednesday June 04, 2008 @07:13PM (#23661123) Homepage
    Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.
  • Re:Neat (Score:5, Insightful)

    by zappepcs ( 820751 ) on Wednesday June 04, 2008 @07:22PM (#23661227) Journal
    It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

    IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

    If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

    The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.
  • by Arrogant-Bastard ( 141720 ) on Wednesday June 04, 2008 @07:23PM (#23661241)
    Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
  • Re:And now that... (Score:4, Insightful)

    by quercus.aeternam ( 1174283 ) on Wednesday June 04, 2008 @07:26PM (#23661273) Homepage

    If the worms are coded to spread more slowly, it will decrease the rate of propagation, making it more difficult for the worms to survive.

    If they don't alter their code, worms will have a much harder time surviving on networks that take advantage of this discovery.

    The net effect is positive.

  • by thePowerOfGrayskull ( 905905 ) <marc...paradise@@@gmail...com> on Wednesday June 04, 2008 @07:27PM (#23661291) Homepage Journal
    The easy way around this is to just slow down the rate of the scans and the type/quantity of scanning done at any one time. Whether it takes hours or weeks, time is not critical when you have millions of PCs at your disposal.
  • Undeployable (Score:4, Insightful)

    by gweihir ( 88907 ) on Wednesday June 04, 2008 @07:34PM (#23661357)
    Anything that requires changes in most or all sub-networks is guaranteed to fail. Just look at egress-filtering. Many network admins are still unable or unwilling to do it. And these people expect them to implement a worm detector in every subnet? Forget it.

    BTW, the idea is not new: "A Fast Worm Scan Detection Tool for VPN Congestion Avoidance" in Proceedings of DIMVA 2005 uses the same idea, but in a context where it is actually implementable and useful. Online under http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/dimva06scan.pdf

  • by jafo ( 11982 ) on Wednesday June 04, 2008 @08:02PM (#23661531) Homepage
    I've been running the following iptables rules on our routers for at least the last year or two:

    # create the user-defined chain that the rules below append to and jump into
    iptables -N ssh_attack

    # per-source-IP budget: while a host is within 200 new connections/minute, return to FORWARD
    iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN

    # anything over that budget falls through to here and is logged (at most one line per second)
    iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"

    # send every new (SYN-only) forwarded SSH connection leaving via eth0 through the chain
    iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack

    In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.

    We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.

    We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.

    The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.

    So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.

    Sean
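The per-machine scan budget in the summary and the per-source hashlimit rule in jafo's post reduce to the same counter: new outbound connection attempts per source inside a trailing window, compared against a limit. The Python below is an added example, not code from the researchers or from anyone in the thread; the hosts, the 200-per-minute threshold and the BitTorrent seeder (Zironic's case) are constructed to show that restricting the count to one port, as jafo's rule does, keeps the seeder from tripping it.

```python
from collections import defaultdict, deque

# Constructed sample of outbound new-connection (SYN) attempts seen at a router:
# (seconds since start, source host, destination host, destination port).
SAMPLE_EVENTS = (
    # ordinary web client: one connection every 3 s to a handful of servers
    [(t, "10.0.0.5", f"203.0.113.{t % 5 + 1}", 443) for t in range(0, 60, 3)]
    # compromised host sweeping a /24 on port 22, four attempts per second
    + [(t, "10.0.0.7", f"198.51.100.{(4 * t + k) % 254 + 1}", 22)
       for t in range(60) for k in range(4)]
    # BitTorrent seeder: five new peers per second on its client port
    + [(t, "10.0.0.9", f"192.0.2.{(5 * t + k) % 254 + 1}", 6881)
       for t in range(60) for k in range(5)]
)


def scan_rate_detector(events, limit, window_seconds, port=None):
    """Flag a source host the moment its number of new outbound connection
    attempts inside the trailing window exceeds `limit`.  With port=None this
    is the summary's 'maximum scans before a machine is taken off line'; with
    port=22 it mirrors the hashlimit --hashlimit-mode srcip rule above.

    Returns {src: time_first_exceeded} for every host that went over budget.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = {}
    for t, src, _dst, dport in sorted(events):
        if port is not None and dport != port:
            continue
        window = recent[src]
        window.append(t)
        # expire attempts older than the window (the just-added t always stays)
        while window[0] <= t - window_seconds:
            window.popleft()
        if len(window) > limit and src not in flagged:
            flagged[src] = t
    return flagged


if __name__ == "__main__":
    # all ports: the scanner and the seeder both exceed 200/min
    print("all ports:", scan_rate_detector(SAMPLE_EVENTS, 200, 60))
    # SSH only: just the scanner is flagged, the seeder's peer traffic is ignored
    print("port 22  :", scan_rate_detector(SAMPLE_EVENTS, 200, 60, port=22))
```

The trade-off from the thread is visible in the two calls: counting every port catches the scanner faster but also quarantines the seeder, while counting only port 22 misses a worm that spreads over other services.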
  • Re:And now that... (Score:3, Insightful)

    by Goaway ( 82658 ) on Wednesday June 04, 2008 @09:23PM (#23662415) Homepage
    Actually, worms are already spreading slower in order to survive longer. Even without a system like this, a worm that spreads fast gathers much more attention than one that spreads slow.
  • by Mathinker ( 909784 ) on Thursday June 05, 2008 @01:17AM (#23664115) Journal
    > Stopping DDoS attacks is even MORE important.

    What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?

    The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoing packets (from their home users), but given the general lack of cooperation of the ISPs against network hacking (or has this changed? Have any ISPs finally implemented egress filters for packets with faked headers nowadays?) I wouldn't hold my breath...
  • by Yetihehe ( 971185 ) on Thursday June 05, 2008 @02:35AM (#23664515)
    And this is the way "hacker" word lost its meaning.
