Forgot your password?
typodupeerror

Tools To Squash the Botnets 135

Posted by Zonk
from the squish-squish-little-bugs dept.
Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."
This discussion has been archived. No new comments can be posted.

Tools To Squash the Botnets

Comments Filter:
  • The last line says it "could soon be available commercially". Wonder if I need to start saving pocket change so I can put it on my SimplyMEPIS box? Oh, wait they must be talking about having it run along side of Redmond-warez. nothing here - move on...........
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      This article is junk and provides absolutely no information at all save to make people feel good.
  • I don't see that. (Score:5, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Friday November 09, 2007 @09:19PM (#21303437)
    When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

    The zombies can simply flood your pipeline. There are that many of them.
    • Re: (Score:3, Funny)

      by QuantumG (50515)
      You stop the machines becoming part of the botnet.

      You'd know that if you RTFA.
    • by Penguinshit (591885) on Friday November 09, 2007 @09:43PM (#21303577) Homepage Journal

      I thought the easiest way was to link them from a Slashdot article.

      Talk about a zombie army...

    • by mOdQuArK! (87332)
      Zombies? You nuke them from orbit. It's the only way to be sure.
    • Re:I don't see that. (Score:5, Interesting)

      by Sentry21 (8183) on Saturday November 10, 2007 @12:27AM (#21304355) Journal
      A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees it. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or somesuch). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

      I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.
      • Well, the latest Java runtime available is 1.6. So does that mean these botnets are programed in Java and are executed using this runtime?
        • Re:I don't see that. (Score:4, Interesting)

          by sumdumass (711423) on Saturday November 10, 2007 @05:11AM (#21305235) Journal
          It probably means that there is some java app that as part of it's workings, checks against whatismyip to determine an actual IP addressable from the public. That is somewhat of an issue with a useful site like that. People tend to take it for granted and end up writing programs assuming they have the ability to access it and that the site could handle any of the traffic. Dlink and a few of the home router manufacturers were defaulting their NTP clients to one server and in effect DDos'd that server when those router started selling like hotcakes.

          It could be some request error that instead of checking once a day ends up checking onces every five minute or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.
          • by raddan (519638)
            Yes, I remember that. The worst part is that some researchers had already set up a load-balancer for people to use, to ease the load on the stratum 1 machines: pool.ntp.org. If the people writing the D-Link software had spent a few minutes thinking about the impact of what they were doing, using this address would have been obvious. My personal opinion is that D-Link should have set up their own timeserver, and shared that out, since they should have had a reasonable expectation that any address they put
          • by hendridm (302246)

            I remember NetGear was also guilty [slashdot.org] of this for DDoS'ing the University of Wisconsin.

          • So what you do is modify the site to respond to Java 1.6 clients with an IP address of the FBI for example. I'm sure hilarity will ensue.
             
  • Translation: (Score:5, Insightful)

    by rtechie (244489) on Friday November 09, 2007 @09:22PM (#21303455)
    "Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

    What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

    • A politician started this company?!
    • by khasim (1285) <brandioch.conner@gmail.com> on Friday November 09, 2007 @10:07PM (#21303731)
      I can accept an ad that describes the advances. This article says NOTHING.

      And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

      Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

      They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

      But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

      Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

      I'm thinking "snake oil" here.
      • by skoaldipper (752281) <skoalstr8@NosPAM.gmail.com> on Saturday November 10, 2007 @12:16AM (#21304301)
        A huckster in our midst? Let's see.

        "Botnets represent a convergence of all of the other threats that have existed for some time,"
        Scared of rickets? You, sir. Step right up here.

        One of the most menacing aspects of botnets is that they can go largely undetected by the owner of a personal computer.
        Folks, you might not feel sick today, but that's no guarantee you won't feel sick tomorrow.

        Nemean is based on four distinct patents that are either filed or are in process with the Wisconsin Alumni Research Foundation (WARF).
        No matter what ails ya, Professor Nemean's original. medicinal, remedial, compound exlixir is patented and irrevocably guaranteed to...

        The innovation with Nemean is a method to automatically generate intrusion signatures, making the detection process faster and more precise.
        boost your bends, target your temperature, and positively palliate your particulars. Yes, folks...

        "The technology we're developing here really has the potential to transform the face of network security,"
        this age-defying, mystifying, wiz bang fandangle will cure everything from flakey skin to original sin.

        Only two bits a bottle. Worth a dollar a drop! Step right up! Step right up!
    • Re: (Score:3, Insightful)

      by sumdumass (711423)
      This isn't as much a blatents ad but a cover your own ass thing. The guy supposedly making this product realizes that if he can think of it, anyone can. He thinks that it might not be his superior intellect but the circumstances of the times pointing to an obvious solution.

      SO he gets the word out that he is on top of this. Going to release a product and Blah Blah Blah. What it does is show that the obviousness was because he pointed it out. This makes it unique that he might obtain a patent and so on. In 5
  • by Icarus1919 (802533) on Friday November 09, 2007 @09:23PM (#21303457)
    People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?
    • by QuantumG (50515)
      Nope. It's an IDS. The ISPs would run it and either inform subscribers that their machine is owned or block the attack traffic.

      Not that this is a very easy sell.. but it is in the interests of the ISP, as spam and DDoS continues eats up their bandwidth.

      • by Joebert (946227)
        So we just have to randomize what the attack traffic looks like ? Doesn't sound too hard.
        • by QuantumG (50515) <qg@biodome.org> on Friday November 09, 2007 @09:52PM (#21303639) Homepage Journal
          Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

                    220 foo.bar.baz.MIL (Well hello there)
                    EHLO so.i.say.mil
                    250-foo.bar.baz.MIL offers THREE extensions:
                    250-8BITMIME
                    250-PIPELINING
                    250 DSN
                    RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
                    # id
                    uid=0(root) gid=0(root) groups=0(root)
                    # cd /home
                    # ls -l
                    drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
                    drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
                    drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
                    drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

          pretty obvious that the server didn't reply to the RCPT request correctly isn't it?
          • by FooAtWFU (699187) on Friday November 09, 2007 @10:15PM (#21303773) Homepage

            Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.
            Snooping all your outbound SMTP (+etc) traffic to validate that it's conforming to a certain protocol is somewhat resource-intensive. The protocol validation would need to be very, very, very good, or it would be liable to catch all sorts of garbage: there's no shortage of slightly-wrong products out there. (It's not just Microsoft either). Not all communications that you expect to be a certain protocol actually are - and they may be some extended version of the protocol. (Watch WebDAV over HTTP.) Not all protocols are trivial to validate in this manner. Not all exploits require a breach of a certain protocol. (Watch for some of the PHP exploits that you can send in a perfectly valid HTTP POST). Not all exploits are synchronous like this one. And, finally, privacy can be an issue.

            It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.

            • by db32 (862117)
              Somewhat resource intensive mattered 10 years ago. When my phone has the same processing power that an F-16 uses to fly...well I think the resource intensive debate is getting silly. Yes it is intensive, but the machines we have today aren't exactly short on the resources to make this extremely capable. In fact Sidewinder firewalls already do a good deal of this type of stuff. To the best of my knowledge they are the only proxy based firewall floating around commercially right now. Packet Inspection to
          • by Joebert (946227)
            Aren't exploits crafted to conform to protocols though ? Seems that untill the screener knows the application can not handle certain instances of a protocol, it would assume they're safe.

            Getting installed on the system isn't the hard part, people willingly listen to Britney Spears for cryin out loud.
            Once on the system, multiple communication applications could be used to communicate from zombie to zombie. Why would anyone suspect that the random person sending them an IM was actually a front for zombie
          • by khasim (1285) <brandioch.conner@gmail.com> on Friday November 09, 2007 @10:39PM (#21303867)
            Someone who isn't going to patch his mail server is going to install this new IDS? Correctly? And keep it patched?

            Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?

            If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?

            Yeah, good luck with that. You should start working on it now. Maybe in 10 years of so you'll have caught all the possible legit patterns for everything available today.

            That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.

            Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?

            Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.
          • by mcrbids (148650)
            Obvious to us, with our incredibly powerful pattern-matching brains. But while it's easy to write a program to look for this specific example, programming a machine to recognize this without some kind of advance programming/configuration is nothing less than AI.

            It will, I'm sure, be done/possible eventually. But based on my understanding of the field, we aren't there, yet.
      • Re: (Score:3, Insightful)

        by penix1 (722987)

        but it is in the interests of the ISP, as spam and DDoS continues eats up their bandwidth.


        You seem to be of the impression that ISPs care about bandwidth. Here's a clue-by-four for you...

        They don't.

        In fact, they want as much bandwidth being eaten up as possible to support their claims of "teh tubes are clogged!!!111!!! We need to get evil Google (YouTube) to pay more since they are obviously the cause!" to Congress.
        • by cp.tar (871488)
          Besides, even if we got rid of spam, and the bandwith was freed, we normal users wouldn't see a bit of difference.
    • that's exactly why I like my idea better. Get all massive ISPs in the US to get in on this one so no home user has to do much preventative. You find out what just got attacked by let's say the storm botnet. ISPs check their logs and see who tried to contact the victim IP more than 100 times in a minute. Then send em a warning e-mail telling them they're infected and give instructions on what to do to fix it. They could even e-mail them popular removal tools. If they don't do it, disconnect their intern
  • by 140Mandak262Jamuna (970587) on Friday November 09, 2007 @09:24PM (#21303465) Journal
    All packets originating from botnets must set the malicious bit to 1. That is all. Then the system is 100% foolproof.
  • Talk by Paul Barford (Score:5, Informative)

    by QuantumG (50515) <qg@biodome.org> on Friday November 09, 2007 @09:27PM (#21303485) Homepage Journal
    Title: Toward Self-directed Network Intrusion Detection and Prevention

    Abstract:

    Network attacks and intrusions have been a fact of life in the Internet
    for many years and continue to present serious challenges for network
    researchers and operators alike. The objective of our work is to develop
    tools and systems that automate or otherwise enhance key activities of
    network security analysts. In the first part of this talk, I will describe
    our malicious traffic assessment activities using our Internet Sink
    (iSink) system for dark address space monitoring. iSink is a highly
    scalable system that includes both passive packet capture and a set of
    stateless active responders that enable details of exploits to be
    captured. Our results illustrate the variability in the traffic on dark
    address space and the feasibility of efficient classification of attack
    types. I will also describe how data from dark address space monitors can
    be used to provide near real time network "situational awareness" for
    security analysts. iSink data is also the basis for our Nemean system that
    automatically synthesizes signatures for intrusion detection. Unlike
    standard intrusion signatures, Nemean's signatures are protocol aware
    which we show greatly enhances their resilience to false alarms. I will
    describe Nemean, and conclude with a brief description of our current
    activities in adapting Nemean into a real time intrusion prevention
    system.

    Where: Grad. Lounge

    When: Thursday 27th Oct 2005 11 am.

    2 years from lab to startup, not bad dude.
    • by 44BSD (701309)
      The article touts Barford, but it looks as though this is one example of similar work that various researchers have been pursuing for years. Folks at CAIDA, Arbor, and Team Cymru have been talking about darknet design, construction, and use for a long time. This project seems to fit into that space quite nicely, but TFA is a damn press release, so naturally it is useless and devoid of context.

      • by shmlco (594907)
        Worse, it looks like they formed the spinoff company AFTER doing most of the developmental work while at the University. To quote, "Nemean was developed and tested on the Wisconsin Advanced Internet Laboratory (WAIL), a unique test bed for examining complex behavior on the Internet."

        Your public tax dollars at work once again.
    • It only took a month of work, but this is the first we've heard from them because the've been DOSed to oblivion by botnets for the last two years.
  • by Eevee1 (1147279)
    Hello Slashdotters! I have made a new invention as well! It's called "Removing Plug from Wall!" With my new invention, nobody will have to worry about botnets, spammers, trolls and those pop-up ads ever again! Until you plug it back in!
  • by Anonymous Coward on Friday November 09, 2007 @09:35PM (#21303535)
    How about certain thing named Common Sense to be added to the list?
  • by buss_error (142273) on Friday November 09, 2007 @09:56PM (#21303661) Homepage Journal
    Gee. Lookit this big bad threat.
    Boo! Botnet! Boo!
    Bad Botnet! Bad! Bad! Bad!

    We can save you! We have Patented Technology!
    All Hail our most Holy Precious Intellictual Property!
    Hail IP! Hail! Botnet! Boo!

    OK, can some one 'splain to me Lucy why this obvious and fact lacking
    bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
    excactly how technology that allows for 99.9 percent accuracy with zero false
    positives actually works? Remember, we're talking millions of infected botnet
    systems with ZERO false positives. Make millions of ANYTHING and you're going
    to have a few errors here and there.

    This is great if it's true, however, I'm highly skeptical without more hard
    facts that this is anything other than vaporware and high hopes for an early
    buyout. Gee! FOUR patents!

    I'll bet I could get four patents on a process to pick my teeth with a toothpick.
    Not that I think it honest, you understand...
    • You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.
      • Re: (Score:3, Interesting)

        by buss_error (142273)
        You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.

        .

        Well, Darl is a bit short of cash right now, seeing how he's busy transfering a patent to cattleback and all. And, oh, My, we forgot to pay anything for that transfer! Ooops! OUR BAD! Please let us make it right and do it now we've filed for bankrupcy! We'll just move anything of value out of SCOX and leave it with nothing but the bills while we move anyt

    • by Alari (181784)
      > is there anyone that can tell me excactly how technology that allows for 99.9 percent accuracy with zero false positives actually works?

      As a thought exercise I tried to figure out how. This is what I came up with: Set up a secure monitoring server on some random isolated IP address, no DNS name pointing to it or anything. If something connects it's probably malicious, especially if it tries to get all gay with the various known-to-be-vulnerable ports. Propigate that IP to the ISP/company routers' black
      • by Sancho (17056)
        This has been done. Search the web for "honeypot."

        And malware authors work around it by probing. If they suspect that an address in a network is used for a honeypot to blacklist any IP that touches it, then they do a simple binary search to find out which addresses are used, then they stop hitting those addresses.

        Of course, that's only for searching out vulnerabilities with a worm that automatically propagates. How would you get the same statistical results, only when the attack vector is spam containing
        • Re: (Score:3, Interesting)

          by buss_error (142273)
          This has been done. Search the web for "honeypot."

          And see exactly what? That someone is running honeypots? I don't need to look to know that, I run honeypots myself. I've more than two dozen sytems running multiple VM honeypot software from home grown to open source to closed source IDS'es. Let me be clear: I currently run $many to $shitpots of honeypot systems, with Sun boxen, AIX boxen, and WinTel platforms. Mostly these are "spares" to use when a production system goes down. It's a way to keep them "w

          • by Sancho (17056)
            I'm confused as to why you responded to me. The person to whom I was responding did not seem to know what honeypots are. If you'll go back to my post and click "Parent" you'll see that I was replying to comment 21304407 (User Alari.)

            I agree that lots of wild claims are made, and I'm skeptical, too. It would be nice if there was more information.
  • commercially. (Score:3, Interesting)

    by memnock (466995) on Friday November 09, 2007 @09:58PM (#21303675)
    if the botnet thing is that serious, wouldn't it be a better solution if it was free?

    i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.
    • by khasim (1285)
      I use Snort on our company network and I have absolutely no problems with it. I don't see how anything else could be better.

      But then ... I also do things like block out-bound SMTP from anything other than my mail server and check the logs to see if anything is happening.

      There's not enough info in that "article" ("ad") to say whether his work is even as good as Snort. Let alone better.
    • Not necessarily. If the solution was free, some (and I'm not saying all) users/managers wouldn't take it seriously. Charge them for it, and they'll want it, install it, run it, update it, whatever in order to justify spending money on it. Make it free and for some of them they'll consider installing it, and if they get that far, forget about ever running or updating it. For these people, free=worthless.

  • I buy Windows AND this new stuff (developed at a publically funded U.), and THEN I'll have a safe PC that I can utterly neglect and still feel responsible? Great...fantastic.
  • I have an idea! (Score:5, Insightful)

    by jhfry (829244) on Friday November 09, 2007 @10:05PM (#21303719)
    Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

    It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

    Obviously, the user could disable all filtering if they so desired.

    This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

    In addition, why don't ISP's notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

    I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on thier customers machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.
    • Re:I have an idea! (Score:5, Insightful)

      by fireboy1919 (257783) <rustyp@NOspAm.freeshell.org> on Friday November 09, 2007 @10:26PM (#21303819) Homepage Journal
      Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

      They could up the bandwidth and do it that way.

      The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

      I wonder why they don't do that?
      • by feepness (543479)

        The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.
        Cheaper for who? You gonna take the tech support calls? ;)

        Seriously, have them change the default password first and put it on a sticker on the box.
        • I will be more explicit. It is much cheaper to put per-user routing restrictions into the DSL or cable modem than it is to put it in the neighborhood level or higher level routers.

          Whether that saves enough bandwidth to be cheaper TCO, I'm not sure, but that's not really what we were discussing. I get the feeling you were talking about implementing versus not rather than the type of implementation, since the support calls would be about the same whether you went to a website that's actually running on your
      • Re: (Score:3, Insightful)

        The compromised computers are running malicious code installed by the bot boss. Anything doable by the user is doable by the bot boss. They probably run cron jobs to reset the router settings to disable all filtering and exposing all the ports etc. Most users of the compromised computers don't know, or they don't care their computer is running malicious software.
        • Anything doable by the user is doable by the bot boss.

          Not reading a sheet of paper. You know...the one that will come with the installation that has the randomly generated key for the password to access the router?

          There isn't one now, but if you're going to be doing this to stop hackers, then you'd (obviously, as you point out) want to do this.
    • nah, i don't need my isp to tell me how much porn i look at ;)
    • by VENONA (902751)
      "Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user."

      At ISP scale, the vast majority of common ports are used for legitimate traffic by someone. That's what makes them common ports. :)

      "It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malw
      • by jhfry (829244)
        I am not thinking of myself but the neighbour who has no firewall running (unless you count XP's software firewall), no method of monitoring/restricting outgoing traffic, and wouldn't have the faintest idea what to look for to determine if her machine had been compromised.

        I am more concerned about outbound traffic as it relates to the article in question... if the ISP prevented everything but http(s) traffic by default and you had to manually enable other forms of traffic by visiting a website and selecting
    • The protocol filtering won't fix a thing, unfortunately. The bad guys will then just switch to using common ports (80, 443, 21, etc) to control their botnets. It would also create a usability for lay users. Imagine "I bought this just-released game, but I can't connect to the multiplayer system." Most users would be clueless.

      I like the unusual traffic notifications. It reminds me of the credit card companies' notifications about odd purchases, except the volume of traffic to monitor would be several
  • Ahoy! Press release! (Score:5, Interesting)

    by martin-boundary (547041) on Friday November 09, 2007 @10:20PM (#21303797)
    Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

    Does he think slashdot readers don't read the article or something?

    • Apparently you didn't..

      it has zero false positives when commercial systems have high numbers
      Heh
      • I'd mod you up myself, but I've already commented today!
        • Re: (Score:3, Insightful)

          (for the humour impaired, the comment immediately above is meant to be ironic [wikipedia.org].) There actually are no verifiable facts in the linked to article. The quoted statement

          it has zero false positives when commercial systems have high numbers

          is meaningless drivel, since the commercial systems aren't named and the supposed testing procedure and experimental data is not described and certainly not controllable by others.

          Instead this is a content-less advertising press release (as can be easily seen by no

  • BotHunter, anyone? (Score:4, Informative)

    by AgentPhunk (571249) on Friday November 09, 2007 @10:58PM (#21303949)
    A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.

    http://www.cyber-ta.org/releases/botHunter/ [cyber-ta.org]

    From the site: BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

    There's also a great PDF available showing a full dissection of a Storm variant.

  • false positives (Score:4, Insightful)

    by 1u3hr (530656) on Friday November 09, 2007 @10:59PM (#21303955)
    FTFAdvertisement:

    Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates. In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology.
    Sure, but if his system went into use, the "hackers" would quickly adapt and it would not be any better than current systems. Lots of anti-spam ideas work fine for the originator, but when they become common enough to bother the spammers, they target them.
    • They tend to test against a VERY limited set of threats.

      And since their product is based upon defeating that very limited set of threats ... it does amazingly well against that very limited set of threats. Mostly because the set of "good" is also very limited.

      The concept of protocol validation is good. But not for an IDS. It is better as part of the firewall protecting that server running that service. BUT! That also means that it needs to be able to shut off access to that server when it sees ANYTHING it d
  • Unworthy article (Score:5, Insightful)

    by flyingfsck (986395) on Friday November 09, 2007 @11:23PM (#21304029)
    Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?
  • Great (Score:3, Insightful)

    by causality (777677) on Saturday November 10, 2007 @12:00AM (#21304235)
    I love the way we keep coming up with all these band-aid solutions that attack symptoms without addressing the root cause, just because the root cause is non-trivial.

    There are really only two reasons why botnets and their associated malware have become so prevalent. All other apparent causes stem from these two reasons:
    • The Windows monoculture. When this accounts for over 90% of all desktop installations, it's much easier to write a single worm/trojan/virus/etc that can single-handedly infect many thousands of hosts. This greatly reduces the number of vulnerabilities that need to be targeted and the knowledge necessary to exploit them on a large scale, which is a situation that favors the blackhats tremendously. If nature handled genetics this way, then the first lethal contagious disease to come along would destroy civilization. There are good reasons other than their business practices why the Microsoft monopoly is a bad idea. No matter how hard they work to improve security, there will be vulnerabilities, and due to this monopoly any single vulnerability will instantly affect millions of hosts. If you want the Internet overall to be a more secure place, this is not a good start. I believe this would be the case with any single vendor controlling this much of the market. Consider also that security is not the only selling point of Windows; convenience and "easier to use than EVER!" are also major factors and (especially convenience) are not compatible with security. The boilerplate nature of most commercial software is also a factor here.
    • The lack of education of the average user. I don't really know whether this is more or less difficult to address than the first item. The fact is that most users don't give a damn about security, at least not until their identity gets stolen or their data gets deleted or $AUTHORITY_FIGURE knocks on their door asking why their machine is attacking other machines. This appears to be because they don't see their security as their responsibility; they feel that this is entirely $VENDOR's problem. That they would feel this way is a foreseeable consequence of widespread "more convenient and easier to use than ever!" marketing, since this sets up the expectation that it will Just Work with no effort. While it would be easy to blame this on Microsoft since they have profited handsomely from it, I personally believe that this is an aspect of our general instant-gratification culture that effectively says nothing is worth putting any time and effort into; Microsoft merely had the business sense to realize that catering to it is the path to profit. It's difficult to seriously blame a company for doing something when nearly everyone is rewarding them for it. Because of this, if you try to educate people regarding things like system security, what you will find is that not only are most users ignorant, they don't WANT to learn. They see "all that technobabble" as an inconvenience, yet they insist on using equipment that requires some technical skill to properly maintain. This is something of a Catch-22 because Microsoft would build a much more secure Windows if no one would buy Windows otherwise, but average users with little technical skill are not going to create this kind of market.
    Just like after-the-infection virus and spyware removal tools, this botnet detector is NOT a real solution, it's a form of damage control and should only be represented as such.

    What I really want to see a long-term plan for dealing with those two points. Until these factors change, we are going to keep having the same kind of problems again and again as the arms race between blackhats and whitehats continues. You are never going to have perfect security, but the current situation where one piece of malware can do tremendous damage on a massive scale is a situation that many people have worked very hard to bring about. Too bad that in a superficial society like ours, we have a huge phobia of actually addressing the roots of our problems because we keep hoping to find some form of an "easy way out" of situations that took a long time to become what they are.
    • It's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar
      • by causality (777677)

        t's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar c

        • by argent (18001)
          The reason why this was done is because it's so much more convenient and "easier to use than EVER!!" compared to either not having such functionality, or having it severely locked down (say, whitelist-only, with restrictions).

          First, ActiveX in theory *is* whitelist-only. Whitelisting is basically what the "security zones" model is all about. And it doesn't work. The only thing that actually works is providing a strictly restricted API.

          Second, no product implemented this functionality before Microsoft did,
      • Of course it's not a good idea, but look at the alternative. Java's security model=applets, and with only 1.0 java guaranteed that's not much fun either. If you're running a java-app you can do all kinds of mischief but that is perfectly reasonable since you're explicitly running an application on your machine, presumably from a trusted source. In the middle ground there's flash, at least for those not running linux.

        What the hell is wrong with people that anyone, for one minute, could think this is a go

        • by argent (18001)
          Of course it's not a good idea, but look at the alternative.

          The alternative to ActiveX is hard-sandboxed scripts and applets that provide no mechanism for the sandboxed code to ask the user for access outside the sandbox, let alone automatically getting it if they "smell right".

          Since every other HTML implementation in the world, including the ones used by Firefox and Safari, take the alternative path, and the alternative path is the only option if you're not running Windows, then I guess I like the alternat
          • No, actually flash works just fine on a Mac. For client side content you have flash, you have applets, you have activeX. Lots of sites use flash, many sites use activeX, almost nobody uses applets. Java succeeded as a server development language, but it has totally bombed as a client platform. Whether you or I personally like that fact is kind of irrelevant. As Colbert would say 'the free market has spoken'.

            ...and the alternative path is the only option if you're not running Windows, then I guess I like

            • by argent (18001)
              No, actually flash works just fine on a Mac.

              OK, I think you have a really deep and fundamental misunderstanding somewhere about what I wrote.

              This is not about Java. This is not about Java vs Flash, or even Java vs ActiveX.

              This is about ActiveX.

              The alternative path is, basically, everything but ActiveX. EVERYTHING. Flash. Java. Javascript. Embedded Postscript and SafeTcl and all the other technologies that never took off. Out of all the applet technologies for the web that's ever gotten past the starting gat
  • The major ISPs do not want to implement any kind of IDS or traffic monitoring. Why? Because they really enjoy their status as common-carriers. It absolves them of any blame for how the end users use the internet. If they start examining and filtering traffic even for legitimate reasons like detecting malicious traffic, they put that distinction in jeopardy. People and potentially the civil courts would assign the Telco the responsibility of policing their traffic. People would start suing the Telcos
  • His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers.

    Similarly, you can eliminate SPAM in the lab, but the moment you release it, the SPAM makers will adjust their strategy. That's how arms races work. So get back with us once your solution is still working 6 months from now.

  • Set your routers up to do OS fingerprinting. Drop all traffic from Windows boxes. This will have the handy side-effect of killing 99% of the spam that's out there too.
    • by Macthorpe (960048)

      This will have the handy side-effect of killing 99% of the spam that's out there too.
      And the even handier side-effect of driving away about 90% of your customers.

      It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.
      • by Ash-Fox (726320)
        WHOOOOOOSH
        • Re: (Score:3, Insightful)

          by Macthorpe (960048)
          I'd like to remind you that this is Slashdot, and therefore there is a much higher chance that he is sincere ;)
      • by Gordonjcp (186804)
        It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.

        It's not a case of "clinging to an ideology". I don't want people with festering sores near me stinking the place up with their germs, and I don't want people with computers running Windows flooding the Internet with their spam and viruses.

        • by Macthorpe (960048)
          You would be absolutely right if it was just Windows machines cracked on the net that were sending spam and viruses. Unfortunately, it's not, so you aren't.
  • Every intrusion detect vendor has hawked ways to reduce or eliminate false positives that have met with marginal success. Put that puppy in a live network and see what te fasle postivies are.

    Now there are certain behaviors that bots exhibit even when they are quiet waiting for commands. So looking at network traffic alone, if you have a bunch of hosts all talking to the same server for a long, long time (days, weeks, hours), that seem to move in unison, you probably have a botnet. This is differnet than

Things are not as simple as they seems at first. - Edward Thorp

Working...