IBM's Billy Goat Squashes Worms 170
fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."
inapproporiate title? (Score:3, Interesting)
it is a detection system. and an imperfect one at that: heck even the designer for the software itself says this...
besides, if it's an outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching it's grass and not have a clue while the network slows to a crawl.
I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?
issues with this (Score:5, Interesting)
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.
What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of address from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.
Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.
It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.
This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anamoly detection experience. Hell if you've read enough RFC's and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.
Oh well it sounded good for a minute, it's a shame they didn't included any screenshots or specs in the article.
Detects port scans? (Score:2, Interesting)
Comment removed (Score:5, Interesting)
Honey, I'm home (Score:2, Interesting)
and then
Doesn't this sound like honeyd [umich.edu]?
Re:What's the point? (Score:5, Interesting)
On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.
This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.
Network Management Software (Score:4, Interesting)
Won't it break those systems?
How long before it's turned against file sharers (Score:3, Interesting)
A minor variation on this... (Score:3, Interesting)
A module for your IDS which, if it detects a machine on your network is infected with something, automatically set your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themself, or to contact the helpdesk, or whatever.
In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.
The infoming machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the users application, telling the user what is happening.
Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.
It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents.
Re:Billy Goat (Score:2, Interesting)
Re:inapproporiate title? (Score:4, Interesting)
a) The admins take 5 mins to work out what out whats wrong and block the traffic (on a good day)
or
b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic.
Re:Useful tool to have in an emergency (Score:2, Interesting)
one of the things i thought of, that nobody has even brought up that i could find on this post, is the fact that this "Billy Goat" only benefits microsoft in the long run. why should they change now when they can let big ass IBM fork out the funding for this kind of R&D?
after all, hasn't an entire industry spawned in the wake of microsofts neglegence? and to what avail? microsoft needs to either be held accountable or they need to release source code. these are the only 2 ways, and mark the words, one day it will come to that.