Researchers Tout New Network Worm Weapon

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it offline and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken offline. 'The difficulty was figuring out how many scans were too many,' researchers said."
  • iPhones (Score:3, Interesting)

    by Enderandrew ( 866215 ) <enderandrew@NOsPAM.gmail.com> on Wednesday June 04, 2008 @07:07PM (#23661041) Homepage Journal
    Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?
  • And now that... (Score:4, Interesting)

    by Ai Olor-Wile ( 997427 ) on Wednesday June 04, 2008 @07:17PM (#23661161) Homepage
    ...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!

    (Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)
  • Re:IDS (Score:3, Interesting)

    by ShakaUVM ( 157947 ) on Wednesday June 04, 2008 @07:20PM (#23661209) Homepage Journal
    Yeah, just watching the number of scans a computer makes isn't worm detection, per se, but more of intrusion detection, as you say.

    It will incidentally also allow network admins to automatically shut down bittorrent, so it should be quite popular.
  • Re:Neat (Score:5, Interesting)

    by moderatorrater ( 1095745 ) on Wednesday June 04, 2008 @07:45PM (#23661483)
    They were looking at 10,000 scans, which would be about how much I would expect my constantly-on bittorrent to do over the course of a week or more. I don't think it'll be a problem at that threshold.

    At lower thresholds (which they'll surely need since worms and viruses will just start scanning more slowly), they can start analyzing patterns and individual packets. This won't solve the problem overnight, but it will eliminate virtually all worms and viruses in the wild right now and make future worms and viruses propagate much more slowly.
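The summary describes the mechanism only at the level of "count outbound scans per host, quarantine above a threshold", and the comments above worry that a worm that scans slowly slips under it. The following is an added example written for this page, not the Ohio State researchers' code or model. It assumes a "scan" means a new outbound SYN to a destination IP the host has not contacted within a trailing time window (the article does not define the term), and the threshold of 50 distinct destinations per 60 seconds is an arbitrary assumption chosen to make the sample traffic readable. The flow records it runs over are constructed for the example: one chatty-but-normal workstation, one fast-scanning worm, and one slow worm that touches a new address every 30 seconds.

```python
"""Sliding-window scan-rate detector (added example; assumptions noted inline)."""
from collections import defaultdict, deque


class ScanRateDetector:
    """Flag a source host once it has attempted connections to more than
    `threshold` distinct destination IPs inside the last `window_seconds`.
    Repeated attempts to the same destination count only once, so a client
    hammering one server is not mistaken for a scanner."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._events = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
        self._counts = defaultdict(dict)    # src -> {dst: attempts still in window}
        self.flagged = {}                   # src -> timestamp when it crossed the line

    def observe(self, ts, src, dst):
        """Record one outbound connection attempt (timestamps must be non-decreasing).
        Returns True the first time `src` exceeds the threshold."""
        events, counts = self._events[src], self._counts[src]
        # Expire attempts that have aged out of the trailing window.
        while events and ts - events[0][0] > self.window:
            _, old_dst = events.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        events.append((ts, dst))
        counts[dst] = counts.get(dst, 0) + 1
        if len(counts) > self.threshold and src not in self.flagged:
            self.flagged[src] = ts
            return True
        return False


def parse_flow(line):
    """Parse a constructed flow line '<ts> <src> <dst> <flags>'.
    Only SYN lines count as connection attempts (assumed scan definition)."""
    ts, src, dst, flags = line.split()
    return (float(ts), src, dst) if flags == "SYN" else None


def run_detector(lines, threshold=50, window_seconds=60):
    """Replay flow lines through the detector; return {host: time_flagged}."""
    det = ScanRateDetector(threshold, window_seconds)
    for line in lines:
        rec = parse_flow(line)
        if rec:
            det.observe(*rec)
    return det.flagged


def constructed_flows():
    """Synthetic traffic for the example (not captured data)."""
    lines = []
    # 10.0.0.10: normal workstation, one SYN per second to five internal servers.
    for i in range(600):
        lines.append(f"{i} 10.0.0.10 10.0.1.{1 + i % 5} SYN")
    # 10.0.0.20: fast worm, 200 new addresses in 20 seconds starting at t=100.
    for i in range(200):
        lines.append(f"{100 + i * 0.1:.1f} 10.0.0.20 192.0.2.{i} SYN")
    # 10.0.0.30: slow worm, one new address every 30 seconds (2 per minute).
    for i in range(20):
        lines.append(f"{i * 30} 10.0.0.30 198.51.100.{i} SYN")
    # The detector expects time order; merge the three sources by timestamp.
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines


if __name__ == "__main__":
    for host, ts in run_detector(constructed_flows()).items():
        print(f"{host} exceeded the scan threshold at t={ts}s; quarantine and inspect")
```

With the default threshold only the fast worm is flagged (at t=105.0, its 51st distinct destination); the slow worm never holds more than two fresh destinations in any window. Lowering the threshold far enough to catch it (threshold=1) also flags the normal workstation, which is the false-positive trade-off the "how many scans are too many" question is about.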
  • by Anonymous Coward on Wednesday June 04, 2008 @07:45PM (#23661493)
    Although this does mean we've effectively reduced the size of the botnet by a (possibly quite large) constant factor. It would be a greater effect if machines were patched faster.
  • by Anonymous Coward on Wednesday June 04, 2008 @08:21PM (#23661709)
    Like Windows made MS-DOS viruses something to be mentioned in the past, I don't get why people just stop making slapdash hacks, and move to a platform that is 100% immune to this type of malicious software. MacOS has had -zero- remote rootings in the wild in its whole history. Even the vaunted OpenBSD has had three remote holes on its record.

    I say leave the worm finding to the Windows and Linux people who are vulnerable to this stuff, and we Mac people can just point and snicker, because a worm or a botnet "client" is just plain impossible to implement on MacOS.
  • by rAiNsT0rm ( 877553 ) on Wednesday June 04, 2008 @09:46PM (#23662607) Homepage
    I've been a network specialist/admin for a few companies including banks and a university, and my personal idea/solution is a quasi-VLAN system where each workstation is unable to talk directly to other workstations within the same LAN/campus. Think about it, allow workstations to talk to servers and necessary resources but not directly to each other.

    There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpack's PC.

    You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak which can be easier traced and combated when you aren't also fighting a spreading fire.
  • by thejynxed ( 831517 ) on Wednesday June 04, 2008 @11:26PM (#23663435)
    Erm, actually, OSX has been found to be vulnerable to TONS of things, why else the 30 and 40 patch packs released all at once :)

    Remote vulnerabilities such as this: http://www.securityfocus.com/bid/29514 [securityfocus.com] would say well, maybe MacOSX IS vulnerable to such types of malware (they only need to cause buffer overflows or exploit remote code vulnerabilities and you can get nailed just like any other OS that is coded by humans).

    The question is: Are Macs with their puny marketshare, worth the bother of hacking?

    Answer: Some people/groups are starting to show interest in this, yes. But on the whole, no, they aren't worth the bother. Mainly this interest has grown since Apple swapped over to x86 architecture. I find that interesting.

    I think the bigger thing to sit and think about is this: No software written, and no hardware designed by humans will ever be perfect. There will always be a weakness somewhere in the system. Deal with it the best you can, like everyone else, and stop spouting stupid nonsense about an invulnerable OS.
  • by Anonymous Coward on Wednesday June 04, 2008 @11:41PM (#23663517)
    Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

    "What, you want your computers to be able to connect to each other via the network? Really? Let me guess, you also want printers that print too?"
  • by Anonymous Coward on Thursday June 05, 2008 @12:17AM (#23663741)
    I'm betting that you have never been in a hurry but had to buy a new copy of Windows to replace the OEM version that just was FUBAR by a virus or malicious piece of software, or perhaps even by a malignant end user who knows far too much about the delete command and far too little about the windows and system directories.

    Unbootable does NOT even begin to describe what you have on your hands. Brick, on the other hand, gets kind of close and conveys the proper frame of mind when you have experienced that kind of frustration. I believe that those who advocate the changing and fluid nature of a language would approve of that use of the word as confined to the electronics realm.

    It becomes an even more appropriate usage when you consider that most consumer electronics products are or are very close to throw-away status. That is to say that once they malfunction permanently, it is cheaper to replace them with new units than to have them repaired. This leaves you with something that is about the same use to the average person in their home or office as a brick, Acme or otherwise.

    You personally are welcome to not use the word in that context. The rest of us, meh... fsck it, it works for me.
  • Re:Neat (Score:2, Interesting)

    by deroby ( 568773 ) <deroby@yucom.be> on Thursday June 05, 2008 @04:35AM (#23665203)
    In theory, worms simply don't have 'months' to spread, because, in theory, a vulnerability is detected and fixed within a short time-span, hence, the worm needs to abuse it as much as possible in the shortest time possible, right !?

    In practice of course:
    * there are vulnerabilities that nobody (except the abuser) knows about and hence 'spreading slowly' is fine too
    * exploits are only created AFTER they have been identified (see "script kiddies") and rely upon people that are too uneducated/lazy/slow/dumb/paranoid/... to keep their system (more or less) secure, so again, 'spreading slowly' is fine again... the target audience will be smaller, but is still there.

    So yes, I think it WILL help to have this kind of system in place (**), but indeed it sounds like it will simply be a matter of 'knowing the magic value' and making sure one's worm stays right below that threshold.

    FTA : "An infected machine would reach this value very quickly, while a regular machine would not," Shroff explained. "A worm has to hit so many IP addresses so quickly in order to survive."

    The main question here is IMHO: what do they mean with SCANS? Are those (failed) connections that do not get ACKs back? I'm pretty sure most P2P traffic would be able to cause false alerts, and although the network admin wouldn't be too happy to have bittorrent or emule on a machine (different from his own =), I can tell you that e.g. Skype can't be missed anymore where I work.

    ** remember MS already did something similar when SQL SLAMMER hit IIRC, and look where that got us : major cry-out that MS limited the number of new outward connections per second.
