IBM's Billy Goat Squashes Worms 170

Posted by Hemos
from the behavior-based-activity dept.
fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."
  • Billy Goat (Score:5, Funny)

    by shird (566377) on Monday September 01, 2003 @08:06AM (#6843969) Homepage Journal
    This is a play on the name "Bill Gates", surely? Why else would they call it that. Interesting concept nonetheless.
  • by lingqi (577227) on Monday September 01, 2003 @08:06AM (#6843970) Journal
    squashes worms?

    it is a detection system. and an imperfect one at that: heck even the designer for the software itself says this...

    besides, if it's an outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching its grass and not have a clue while the network slows to a crawl.

    I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?
    • by farnz (625056) <slashdot@@@farnz...org...uk> on Monday September 01, 2003 @08:15AM (#6844016) Homepage Journal
      Something like Blaster scans the network for vulnerable machines; some of these IPs are unassigned. Billy Goat detects the attempts to access unassigned IPs, and alerts admins/firewalls your box off/generally makes noise.

      The result is that something like Blaster gets caught before your whole network is infested; Billy Goat ignores a slashdotting, since all the traffic goes to assigned IPs.

      • by Anonymous Coward on Monday September 01, 2003 @10:17AM (#6844571)
        So then we're in a situation of either

        a) The admins take 5 mins to work out what's wrong and block the traffic (on a good day)

        or

        b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic. ...Leading to the attacker having an easy way to do a DoS attack on the entire network (by scanning every possible port on an unused IP address)
      • The result is that something like Blaster gets caught before your whole network is infested.

        Instead of buying something called "Billy Goat," you could also just download the free patch that fixed it a month before...
        • by mcc (14761) <amcclure@purdue.edu> on Monday September 01, 2003 @01:13PM (#6845362) Homepage
          you could also just download the free patch that fixed it a month before...

          I think the idea is that the product is going to be targeted at ISPs and people in similar situations.. you know, where the people controlling the network don't necessarily have control of the computers actually running on the network. What good is a patch if you can't get your users to install it cuz they're dumb?
          • What good is a patch if you can't get your users to install it cuz they're dumb?

            About as much good as a network polluted with MS transmitted diseases. The users are not dumb, they are doing what the "experts" tell them is right. It's the "experts" who either lack a clue or have an interest in M$ shit that are the problem. Fix one expert and you swing a few hundred users sooner or later. The more experts you fix the faster the users swing.

            I'm now working in the trenches, a local computer retail shop.

  • by mirko (198274) on Monday September 01, 2003 @08:06AM (#6843971) Journal
    I do not want to look anal but I think the submitter meant "last month" :-)
    • He probably submitted it while it was still August.
    • by F452 (97091) on Monday September 01, 2003 @08:36AM (#6844104) Homepage
      I do not want to look anal but I think the submitter meant "last month" :-)

      Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

      • Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

        [ insert ontopic goatse link ]
      • short for anal-retentive, a 'clever' way of articulating someone has a detail-oriented obsession or obsessive-compulsive behavior. It describes the person as unable to relax, or constipated.

        Sadly, people just know 'anal' these days. Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.

        I can now imagine that this sort of intrusion detection software will be known only as Billy Goat, just as so many use 'trojan' and 'virus'

        • short for anal-retentive, a 'clever' way of articulating someone has a detail-oriented obsession or obsessive-compulsive behavior. It describes the person as unable to relax, or constipated.

          Geeh, thanks. This and the rest of your post sure made things clear to me! :-)
        • Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.

          ...and when were those good old days? I imagine such shorthand ways of expressing things have been around just about as long as language itself -- and for good reason.

          I think most reasonably-educated people know that the term anal refers to anal-retentiveness. I assume you also know this is a Freudian concept.

          Incidentally, your complaint about the term "cyber-hacker"
      • We used to have a saying when I was younger - "My face, your bum". No I mean, "Your bum, my face". Goddammit never could get the hang of that one. Ah "Your bum, my face". That was it.
      • Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!

        Maybe the owner of the original statement has two rosy cheeks and one brown eye.
    • I do not want to look anal but I think the submitter meant "last month"

      You obviously haven't noticed how long the editors take to accept a story, have you? ;-)

  • What's the point? (Score:5, Insightful)

    by mOoZik (698544) on Monday September 01, 2003 @08:07AM (#6843974) Homepage
    Detecting potential attacks is one thing and preventing damage and slow-down of the internet is another. Even now we can somewhat predict them before they begin to slow the entire net down. But seeing how something akin to these last two worms will slip right by even with our knowledge, this technology becomes rather redundant. Eventually, educating the end-user will be a greater force than some goat.

    P.S. any coincidence it is named "Billy"?
    • Re:What's the point? (Score:5, Interesting)

      by KrispyKringle (672903) on Monday September 01, 2003 @08:58AM (#6844200)
      I'm not sure I follow you on educating the end user. It's definitely a good idea, to be sure, but it does little against worms that require no user interaction to infect the PC, like Blaster. Granted, if the machine were patched, it would help, but not that much. Many users are on slow connections, windowsupdate was unreliable, and the time it takes users to patch--a few hours, a few days--is easily enough time to become infected (I have a friend who connected a new XP machine to the 'Net to run windowsupdate and was infected in minutes).

      On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.

      This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.

      • by mOoZik (698544)
        All good points, but I was actually referring to the many worms which dwell in os holes. If users were educated enough to know why a patch is useful, then the effects of the last two (or three?) worms, for example, would be nulled. The warning and patch predated the swarm by 3 weeks. Even for someone on 56K and even with assumed problems with the windows update site, 3 weeks is plenty of time to avoid such a mess. Granted, it wouldn't solve all the problems, and a heavy fist on the side of the ISP's would
        • by King_TJ (85913) on Monday September 01, 2003 @11:25AM (#6844899) Journal
          I'd really be interested to see how many of these recent worm infections happened on company systems, as opposed to people's home computers.

          I agree that a big problem is educating the average home user to apply update patches as they become available, but this isn't usually an option at the corporate level.

          I've seen corporate environments where even the I.T. staff in charge of the desktop systems has to fight and fight to get the approval to apply a security patch. (The team lead or I.T. manager may scratch the plan, arguing they haven't had sufficient time to make sure the patch doesn't break a "mission critical" application they run, or they may decide the patch can wait until another update is rolled out, so they can get 2 birds killed with one stone.) Letting the end users apply their own patches isn't typically allowed on corporate machines.

        • by KrispyKringle (672903) on Monday September 01, 2003 @11:26AM (#6844904)
          I suppose there are multiple avenues to success. And while educating the end-user may be ideal, I just don't think it's reasonable to expect that it will happen any time soon. Heavy-handed ISP's, as you put it, are a good alternative.

          End-users often don't see why they should secure their PC's. They figure they don't have anything important on them, so what's the big deal? Then they are used as launching points for DoS attacks, they spread worms, and so forth. But end users don't have the time or inclination to be security professionals.

          ISPs could implement stronger router controls to block DoS attacks from zombied machines. They could implement automatic IDS-based router controls to block the spread of worms. And--egads--perhaps software companies could start focusing on security a bit more (with some added incentive from the legal liability they ought to have, in my opinion). In other words, end users should be taken as end users. We cannot expect that all or most will secure their machines to the extent that you or I may. So we find workarounds.

        • What you say is true, but it doesn't mean something like Billy Goat isn't necessary. What if there isn't a patch for the security hole? What if the worm uses a 0 day exploit? Adding more defenses is not redundant. Luckily most worm / virus writers are stupid. Luckily they try to use already known and patched exploits. Luckily they don't know how (or aren't willing) to write really nasty worms.

          What if someone develops a really nasty worm. One which uses one or multiple 0 day exploits. There is no patch and

  • by zippity8 (446412) on Monday September 01, 2003 @08:07AM (#6843977)
    So you're turning on a computer system that's intended to be intelligent enough to seek out and eradicate computer worms?

    Did you NOT see Terminator 3?

    - Those that do not learn from history are doomed to repeat it.

    Or, in this case, those that don't learn from crappy movies. =P

  • by farnz (625056) <slashdot@@@farnz...org...uk> on Monday September 01, 2003 @08:08AM (#6843985) Homepage Journal
    It sounds like a nice extension of egress filtering; you know which of your IPs are unassigned, and so you assume that boxes trying to access unused IPs are up to no good, and act accordingly (firewall the affected box off, and investigate). Slows worm propagation, and discourages people from scanning your entire address space unnecessarily.
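The unassigned-address check farnz describes here and in his earlier reply (a worm sweep hits dark addresses; a slashdotting hits only assigned ones, which also answers lingqi's question), as an added example that is not part of the thread or of IBM's Billy Goat code. The network, the assigned-address list, the threshold and the flow records are all constructed for the example.

```python
"""Dark-address (unassigned IP) sweep detector, modelled on the Billy Goat idea.

A source is flagged once it contacts THRESHOLD distinct addresses that lie
inside our own network but are assigned to no host.  A flash crowd hits only
assigned addresses (the web server) and therefore never trips the detector.
"""
import ipaddress
from collections import defaultdict

# Constructed sample values (hypothetical, not from the article).
NETWORK = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in
            ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.20", "192.0.2.80")}
THRESHOLD = 5  # distinct unassigned targets before a source is flagged


def sweep(src, start, end, port):
    """Build constructed flows in which src contacts every host start..end."""
    return [(src, f"192.0.2.{i}", port) for i in range(start, end + 1)]


# Constructed flow records: (source, destination, destination port).
#  - 192.0.2.10 behaves like a Blaster-infected box and walks the subnet on TCP/135.
#  - 198.51.100.0/24 clients pile onto the web server: a "slashdotting", all to one assigned IP.
#  - 192.0.2.11 touches two unassigned neighbours (a mistyped printer address): below threshold.
FLOWS = (sweep("192.0.2.10", 1, 30, 135)
         + [(f"198.51.100.{i}", "192.0.2.80", 80) for i in range(1, 60)]
         + [("192.0.2.11", "192.0.2.13", 9100), ("192.0.2.11", "192.0.2.14", 9100)])


def dark_targets(flows, network=NETWORK, assigned=ASSIGNED):
    """Return {source: set of unassigned in-network addresses it contacted}."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        d = ipaddress.ip_address(dst)
        if d in network and d not in assigned:   # only our own dark space counts
            hits[src].add(d)
    return hits


def flagged_sources(flows, threshold=THRESHOLD, **kw):
    """Sources that touched at least `threshold` distinct dark addresses, sorted."""
    return sorted(src for src, targets in dark_targets(flows, **kw).items()
                  if len(targets) >= threshold)


if __name__ == "__main__":
    for src in flagged_sources(FLOWS):
        print(f"quarantine candidate: {src}")   # prints only 192.0.2.10
```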
  • Well... (Score:2, Insightful)

    by Kai_MH (632216)
    You can always depend on IBM. They contribute to Linux... help Windows users... make awesome products, even if they do cost too much... But, hey, IBM is great.
    • Re:Well... (Score:3, Insightful)

      by alangmead (109702) *

      I'm sorry. I remember too much of the antitrust suit [lib.de.us] against IBM to fully trust them. I'll thank them for each thing they do to help advance free software, and the computer industry as a whole, but I reserve the right to examine each decision individually.

  • by Black Parrot (19622) on Monday September 01, 2003 @08:12AM (#6844005)

    Will it butt trolls off the net too?

  • issues with this (Score:5, Interesting)

    by segment (695309) <{gro.xirtilop} {ta} {lis}> on Monday September 01, 2003 @08:13AM (#6844007) Homepage Journal

    IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

    What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.

    Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.

    It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.

    This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell if you've read enough RFC's and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.

    Oh well it sounded good for a minute, it's a shame they didn't include any screenshots or specs in the article.

    • Re:issues with this (Score:3, Informative)

      by mOoZik (698544)
      Actually, some of the worst worms have used random IP's. The worms you mentioned only use the emails from the address books, as there is no way to get IP information from it. Therefore monitoring which IP's are fake will provide a method of early warning. Though that's all it'll do.
    • Re:issues with this (Score:2, Informative)

      by tesmako (602075)
      Repeat after me: Sobig is *NOT* a worm, it requires the user to execute the attachment. It relies on somewhat crude social engineering, absolutely not a self-replicating worm.
    • Since when did Blaster send out emails?
    • Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete

      Queue up the people arguing over virii versus viruseseses.
  • TFA isn't very clear, but it sounds like the only thing unique about Billy Goat is that it detects port scans. I can't believe it would take a bunch of PhD computer scientists to figure out how to do that. Anyone else know what makes this thing special?
  • by imadork (226897) on Monday September 01, 2003 @08:16AM (#6844018) Homepage
    Never click on a link with the word "goat" in it.
  • Dumb Name (Score:5, Funny)

    by Kaz Riprock (590115) on Monday September 01, 2003 @08:26AM (#6844072)

    If you built a software package that catches worms...why wouldn't you call it "Early Bird"?
  • by mikem170 (698970) * on Monday September 01, 2003 @08:33AM (#6844096) Homepage
    The network at the company where I work took a beating from the blaster worm - especially the D variant. We spent a week "quarantining" sites that had infected PCs. We blocked outbound port 135 and ICMP.

    The volume of traffic put on the network by these worms threatened to saturate the hub circuits at the data center. A pentium 3 PC on 100MB ethernet can fill up a good part of a T1 with ICMP traffic pretty easily. Multiply that by 100 sites!!!!

    Next week we will be bringing an automated system online that will do the following:

    - snort portscan preprocessor will look for port scanning (with a list of exceptions for data center servers)

    - a perl script will have the alerts piped to it and know when a new scan has started

    - the perl expect mod will be used to put a null route in the network (on a cisco device) for the host that is doing the scanning. No return packets will make it back to the infected box.

    - We will also be rate limiting ICMP at all sites, to 8kb/s.

    My biggest worry is some belligerent spoofing server addresses to set off false alerts, that's why we will program in an exception list for the mission critical stuff.

    I might not run this thing all the time, but it is a great trick to have in the bag. We will lift the blocks at sites that look clean next week and I can rest easy knowing that any wormed PCs that crop up will not be able to spread (because of the automatic null route) nor will they be able to bomb the hub site (because of rate limited ICMP).
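The alert-to-null-route stage mikem170 describes (snort portscan alerts piped to a script that pushes a null route to a Cisco device, with an exception list for mission-critical servers), as an added example that is not mikem170's script and is not code from the thread. It stands in for the perl/expect part only: the router session is left out and the IOS commands are returned as strings; the site address space, the exception list and the alert lines are constructed.

```python
"""Snort portscan alerts -> Cisco null-route commands (defender-side glue).

Reads spp_portscan alert lines, skips anything on the exception list, hosts
already handled, and hosts outside our own address space, and returns the IOS
commands that would otherwise be pushed to the router over an expect session.
"""
import ipaddress
import re

# Hypothetical site values, not from the post.
SITE_SPACE = [ipaddress.ip_network("10.0.0.0/8")]   # hosts we are allowed to quarantine
EXCEPTIONS = {ipaddress.ip_address(a) for a in     # data-center / mission-critical servers
              ("10.0.1.5", "10.0.1.6")}

# Keys on the spp_portscan "PORTSCAN DETECTED from <ip>" message text.
ALERT_RE = re.compile(r"PORTSCAN DETECTED from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed alert lines approximating the snort 2.0 spp_portscan format.
ALERTS = [
    "09/01-08:33:12.101 [**] spp_portscan: PORTSCAN DETECTED from 10.4.7.22 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
    "09/01-08:33:12.345 [**] spp_portscan: PORTSCAN DETECTED from 10.0.1.5 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
    "09/01-08:33:13.004 [**] spp_portscan: PORTSCAN DETECTED from 10.4.7.22 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
    "09/01-08:33:20.777 [**] spp_portscan: End of portscan from 10.4.7.22: "
    "TOTAL time(2s) hosts(250) TCP(250) UDP(0) [**]",
    "09/01-08:33:25.000 [**] spp_portscan: PORTSCAN DETECTED from 203.0.113.9 "
    "(THRESHOLD 4 connections exceeded in 0 seconds) [**]",
]


class NullRouter:
    """Decides, per alert line, whether a /32 null route should be installed."""

    def __init__(self, site_space=SITE_SPACE, exceptions=EXCEPTIONS):
        self.site_space = list(site_space)
        self.exceptions = set(exceptions)
        self.routed = set()   # hosts already black-holed this run (no duplicate pushes)

    @staticmethod
    def scanner(line):
        """Scanning host named in a PORTSCAN DETECTED alert, else None."""
        m = ALERT_RE.search(line)
        return ipaddress.ip_address(m.group(1)) if m else None

    def decide(self, line):
        """IOS command for this alert, or None when no action is taken."""
        host = self.scanner(line)
        if host is None or host in self.routed:
            return None
        if host in self.exceptions:
            # Exception list: a spoofed alert naming a core server must never
            # cause that server to be black-holed (the worry voiced in the post).
            return None
        if not any(host in net for net in self.site_space):
            # Outside scanners are a border-firewall matter, not an internal null route.
            return None
        self.routed.add(host)
        return f"ip route {host} 255.255.255.255 Null0"

    def process(self, lines):
        """Run every alert line through decide() and collect the commands."""
        return [cmd for cmd in map(self.decide, lines) if cmd]

    def release(self, host):
        """Command that lifts the block once the host has been cleaned."""
        host = ipaddress.ip_address(host)
        self.routed.discard(host)
        return f"no ip route {host} 255.255.255.255 Null0"


if __name__ == "__main__":
    for cmd in NullRouter().process(ALERTS):
        print(cmd)   # prints: ip route 10.4.7.22 255.255.255.255 Null0
```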
    • Next week we will be bringing an automated system online that will do the following:

      - snort portscan preprocessor will look for port scanning (with a list of exceptions for data center servers)

      - a perl script will have the alerts piped to it and know when a new scan has started

      - the perl expect mod will be used to put a null route in the network (on a cisco device) for the host that is doing the scanning. No return packets will make it back to the infected box.


      Portsentry on FreeBSD (or BSD in general,
      glad you came around. the use of snort and perl, especially in combination with iptables, etc. can make something pretty hard to break if it's done right. the great thing about the combination of the three is the flexibility allowed; the different ways to accomplish the same effect on traffic are literally endless, so you see where a flooded job market is still starved for real talent.

      one of the things i thought of, that nobody has even brought up that i could find on this post, is the fact that this "Bi
  • by Rogerborg (306625) on Monday September 01, 2003 @08:38AM (#6844113) Homepage
    if (packets_received_from(ip) > X
        && !reverse_dns(ip))
        block(ip);

    Do I win $10?
  • needs to be renamed to :

    Billy we got Your Goat
  • by Mostly a lurker (634878) on Monday September 01, 2003 @08:40AM (#6844122)
    I have two immediate reactions. The first is that, on the face of it, there is nothing very revolutionary here. On the other hand, maybe all that is needed is a high quality implementation of techniques that are already known. I have read in several places recently that (excluding false alarms) rapid detection of attacks was not actually that difficult.

    My second reaction is that the focus needs to be at the level of the ISPs. To expect all users to reliably protect themselves against attacks is just naive. Technology that could immediately detect attacks and prevent their propagation to individual users in the first place seems to me feasible and desirable.

  • Honey, I'm home (Score:2, Interesting)

    by Alejo (69447)

    The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others.

    and then

    IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.

    Doesn't this sound like honeyd [umich.edu]?

  • LaBrea (Score:5, Informative)

    by MoogMan (442253) on Monday September 01, 2003 @08:58AM (#6844198)
    LaBrea - the "Sticky Tarpit". Seems like the same concept, and has a working, free implementation at http://labrea.sourceforge.net/
    • Actually LaBrea is a honeypot that refuses to release connections once they're open. So, it's not really the same at all, but it might slow down some worms if they were poorly coded.
  • by Dionysus (12737) on Monday September 01, 2003 @09:02AM (#6844214) Homepage
    Doesn't network management software like NNM and whatever CA's stuff is called, work by doing ping sweeps and other stuff to detect new systems on the network?

    Won't it break those systems?
  • by ralatalo (673742) on Monday September 01, 2003 @09:03AM (#6844222)
    Seems to me that if it's aimed towards detecting sources that aren't published, then somewhere there needs to be a list of 'published sites'. If your web, ftp, mail, cvs, or filesharing software isn't on the list then it will flag everyone who connects to it for further study.
  • I'm wondering, oh my brothers, if "Billy Goat" is a really horrorshow name for this software. If I remember correctly, it was your humble narrator who gave most of the tolchocks, while Billy Boy was mostly on the receiving end. You might not remember the happenings all horrorshow like, oh my brothers, so let me refresh your memory...

    "Well well well, if it isn't fat stinking Billy Goat Billy Boy in poison. How art thou, thou globby bottle of cheap stinking chip oil? Come and get one in the yarbles, if you

  • by zen parse (607603) on Monday September 01, 2003 @09:17AM (#6844278)
    Here's an idea I had a while ago, (probably around slammer time) but never got around to doing anything about (because I don't admin any networks).

    A module for your IDS which, if it detects a machine on your network is infected with something, automatically sets your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themselves, or to contact the helpdesk, or whatever.

    In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.

    The informing machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the users application, telling the user what is happening.

    Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.

    It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents. ;/
  • by di0s (582680) <cabbot917@g m a i l .com> on Monday September 01, 2003 @09:17AM (#6844280) Homepage Journal
    I'm reporting you to PETA!! Oh wait, you mean computer worms...
  • For years the common wisdom has been that traffic analysis attacks were too hard to master to worry about. It's interesting that the technique is now being turned on the attackers themselves as a means of detecting infections. Makes sense in the context of IBM's auto-immune system approach to system health.

    But, note - in computer security, as in human health - there are two fundamental approaches:

    once well, don't get sick
    and

    once sick, get well fast

    A hospice volunteer I talked to last week pointed

  • to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month

    You mean the attacks are over? The 67000 icmp probes I received yesterday are legitimate tests?
  • "A powerful virus is running rampant through the world's computers throwing everything a-kilter, so the brass at the Pentagon is considering putting Skynet on line to combat the virus. Unlike the audience, they are unaware that Skynet itself is creating the virus."
  • Hehe (Score:2, Funny)

    by orbitalia (470425)
    It's not the only thing IBM are going to be squashing soon..
  • by mwfolsom (234049) on Monday September 01, 2003 @10:38AM (#6844661)
    Strikes me that it would be great if billgygoat was designed on top of a Linux kernel.

    If it turned out to be a great product that would be a wonderful bit of irony. Linux working to save a messed up windows world.
  • I found it a couple of days ago, and it looks very interesting.

    It is a program to 'tar-pit' worms. When something (Code Red was the initial reason) scans an ip address that isn't there, it sends an ack back spoofed to be from that machine, thus causing the worm to have to time out before it goes on, and it can knock the connection into persistent mode, thus locking up the thread on the attacking machine until the thread is killed.

    Looks nasty, and there is a debian package. If it works as well as hoped, Li

  • Cheezborger [cityinsights.com], cheezborger, cheezborger. No Pepsi, Coke. No fries, cheeps.

    [Sorry, but as a Chicagoan, I had to add that to this thread. I was obligated to. :-)]
  • The Billy Goat tool is not very well described in the article, I'm assuming, since the implementation details are quite vague. However, some things are clear:

    1) It looks for computers that are trying to hit unassigned IP addresses (assuming these are local ones, btw).
    2) When it finds a computer trying to hit unassigned IPs (unknown on the required frequencies), it acts to isolate the computer from the rest of the network.

    Now, this could be a nice tool. #2 is problematical - if it automatically isolat
  • by Ripplet (591094)
    Oh, I thought this was going to be an SCO story. I'm sure we're going to see one soon with a similar title!
  • by Anonymous Coward
    NetScreen's IDP product had this technology almost 2 years ago - we called it a 'Network Honeypot'. All it does is respond to IP's that don't exist (or that do, but on ports the machine is not listening on) and then perform rules against that IP. The rules can be as simple as 'log' to as aggressive as 'block the subnet of this IP for x hours', or anywhere in between.

    But we didn't get press coverage, because:

    a) We're not IBM
    b) We don't come up with cool codenames
    c) This is so obvious it doesn't deserve cover
  • I wonder how this is different from a Tarpit [hackbusters.net] with a program to report everyone who is visiting it. Related slashdot article [slashdot.org]
  • That Billy Goat is going to clean up the mess left by Billy Gates?

    ROFLMAO!
  • Yeah yeah, I will get modded troll for the word ' Ultimate' in the subject. See if I care.

    A virus/worm I would write would:

    • Snort the network for arps and only contact addresses it sees on the wire.
    • Lend the OS detection and possibly more of the stealth features from nmap.
    • Be multi-os (windows, mac, linux) (not multi-platform, i386 will do nicely, thank you.)
    • Use a trick devised by another slashdotter to find follow-up code by doing a google search (possibly hidden in an existing HTTP connection)
    • Spite th
