IBM's Billy Goat Squashes Worms
fr0z writes "InformationWeek is running a story on "Billy Goat", a novel worm-squashing software developed by researchers in Zurich, Switzerland. IBM says it wants to turn Billy Goat into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month."
Billy Goat (Score:5, Funny)
Re:Billy Goat (Score:3, Insightful)
Re:Billy Goat (Score:1)
(M$) Bill Goatse? (Score:4, Funny)
Re:Billy Goat (Score:2, Informative)
Re:Billy Goat (Score:5, Funny)
In giving out the details, the researchers mentioned that the full name is Williamy Henry Goat III. They also announced that a helper software code-named Steward "Monkey" Bawlmer will be released soon.
Re:Billy Goat (Score:2, Interesting)
Re:Billy Goat (Score:1)
Bill Gates? What about trolls? (Score:1)
*honkenpossiblyobscure*
inappropriate title? (Score:3, Interesting)
it is a detection system. and an imperfect one at that: heck even the designer for the software itself says this...
besides, if it's an outlook mail worm, then every address it goes to is targeted correctly, and Billy Goat will go on munching its grass and not have a clue while the network slows to a crawl.
I mean, of course it can look for surge traffic, but how do you distinguish that vs. a simple slashdotting?
Re:inappropriate title? (Score:5, Informative)
The result is that something like Blaster gets caught before your whole network is infested; Billy Goat ignores a slashdotting, since all the traffic goes to assigned IPs.
Re:inappropriate title? (Score:4, Interesting)
a) The admins take 5 mins to work out what's wrong and block the traffic (on a good day)
or
b) The firewall gets its rules automatically updated by billy goat (with an addon?) and successfully blocks the traffic.
Re:inappropriate title? (Score:1)
Re:inappropriate title? (Score:1)
Like a worm...
Re:inappropriate title? (Score:2, Insightful)
Instead of buying something called "Billy Goat," you could also just download the free patch that fixed it a month before...
Re:inappropriate title? (Score:5, Insightful)
I think the idea is that the product is going to be targeted at ISPs and people in similar situations.. you know, where the people controlling the network don't necessarily have control of the computers actually running on the network. What good is a patch if you can't get your users to install it cuz they're dumb?
dumb and dummer. (Score:2)
About as much good as a network polluted with MS transmitted diseases. The users are not dumb, they are doing what the "experts" tell them is right. It's the "experts" who either lack a clue or have an interest in M$ shit that are the problem. Fix one expert and you swing a few hundred users sooner or later. The more experts you fix the faster the users swing.
I'm now working in the trenches, a local computer retail shop.
"earlier this month" (Score:5, Funny)
Re:"earlier this month" (Score:2)
Re:"earlier this month" (Score:5, Funny)
Eeyu! Look anal? I can see being anal, or sounding anal, but I'd hate to look anal!
Re:"earlier this month" (Score:1, Offtopic)
[ insert ontopic goatse link ]
In case you don't get the names... (Score:3, Insightful)
Sadly, people just know 'anal' these days. Gone are days of long ago when people said what they meant, and did not lean on the spindly crutch of catchphrases and colloquialisms.
I can now imagine that this sort of intrusion detection software will be known only as Billy Goat, just as so many use 'trojan' and 'virus'
Re:In case you don't get the names... (Score:1)
Geeh, thanks. This and the rest of your post sure made things clear to me!
Re:In case you don't get the names... (Score:1)
I think most reasonably-educated people know that the term anal refers to anal-retentiveness. I assume you also know this is a Freudian concept.
Incidentally, your complaint about the term "cyber-hacker"
Re:"earlier this month" (Score:1)
Re:"earlier this month" (Score:1)
Re:"earlier this month" (Score:2)
Re:"earlier this month" (Score:2)
Maybe the owner of the original statement has two rosy cheeks and one brown eye.
Re:"earlier this month" (Score:2)
You obviously haven't noticed how long the editors take to accept a story, have you? ;-)
Re:"earlier this month" (Score:2)
What's the point? (Score:5, Insightful)
P.S. any coincidence it is named "Billy"?
Re:What's the point? (Score:5, Interesting)
On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.
This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.
Re:What's the point? (Score:3, Insightful)
Re: end user patching (Score:4, Informative)
I agree that a big problem is educating the average home user to apply update patches as they become available, but this isn't usually an option at the corporate level.
I've seen corporate environments where even the I.T. staff in charge of the desktop systems has to fight and fight to get the approval to apply a security patch. (The team lead or I.T. manager may scratch the plan, arguing they haven't had sufficient time to make sure the patch doesn't break a "mission critical" application they run, or they may decide the patch can wait until another update is rolled out, so they can get 2 birds killed with one stone.) Letting the end users apply their own patches isn't typically allowed on corporate machines.
Re:What's the point? (Score:4, Insightful)
End-users often don't see why they should secure their PC's. They figure they don't have anything important on them, so what's the big deal? Then they are used as launching points for DoS attacks, they spread worms, and so forth. But end users don't have the time or inclination to be security professionals.
ISPs could implement stronger router controls to block DoS attacks from zombied machines. They could implement automatic IDS-based router controls to block the spread of worms. And--egads--perhaps software companies could start focusing on security a bit more (with some added incentive from the legal liability they ought to have, in my opinion). In other words, end users should be taken as end users. We cannot expect that all or most will secure their machines to the extent that you or I may. So we find workarounds.
Re:What's the point? (Score:2)
What you say is true, but it doesn't mean something like Billy Goat isn't necessary. What if there isn't a patch for the security hole? What if the worm uses a 0 day exploit? Adding more defenses is not redundant. Luckily most worm / virus writers are stupid. Luckily they try to use already known and patched exploits. Luckily they don't know how (or aren't willing) to write really nasty worms.
What if someone develops a really nasty worm. One which uses one or multiple 0 day exploits. There is no patch and
A computer system to seek out worms? (Score:5, Funny)
Did you NOT see Terminator 3?
- Those that do not learn from history are doomed to repeat it.
Or, in this case, those that don't learn from crappy movies. =P
Re:A computer system to seek out worms? (Score:4, Funny)
I believe Skynet went online August 29th 1997, but software is always late, no?
Re:A computer system to seek out worms? (Score:2)
--RJ
Not like this. (Score:5, Funny)
Interesting technique (Score:5, Insightful)
Re:Interesting technique (Score:2)
Re:Interesting technique (Score:2)
this slowed a kazaa box from scanning my internal network endlessly. little bastard. next step: boot it off Knoppix, shred
Well... (Score:2, Insightful)
Re:Well... (Score:3, Insightful)
I'm sorry. I remember too much of the antitrust suit [lib.de.us] against IBM to fully trust them. I'll thank them for each thing they do to help advance free software, and the computer industry as a whole, but I reserve the right to examine each decision individually.
As in "Billy Goat Gruff"? (Score:5, Funny)
Will it butt trolls off the net too?
In version 3 (Score:1)
issues with this (Score:5, Interesting)
IBM says its prototype combines the strength of analyzing traffic directed at IP addresses assigned to computers on a network with the ability to look at the unassigned addresses worms also target.
What good would this do (checking unassigned addresses) as most worms (at least polymorphic ones) replicate and spread to other users it (the worm) finds on the machine. Hrmm sounds odd typing because I'm tired. Ok, for instance most MS based worms such as Blaster, Sobig, etc., tend to rip a list of addresses from programs on the infected machine. Blaster and Sobig sent out spoofed emails which differed from the normal worm a bit. Anyway, if a machine is sending info (while infected) to an unassigned IP address, what difference would it make since it somehow obtained the information locally.
Now, I understand that some virii writers often leave some 'h3ll0 i j4m l33t' message, but this is a rarity, so I find it obsolete.
It also can sniff out the signatures of known attacks. By testing the software at a large ISP, IBM can collect more data on worm traffic and help decide how to bring Billy Goat to market, says Adrian Schlund, a manager at IBM Global Services.
This is a bold statement for IBM to make considering they are now claiming to sniff out attacks. Considering attacks change, all they could do is update their rules, which means you could get by without this product if you have an experienced network engineer who has network anomaly detection experience. Hell if you've read enough RFCs and Cisco books, anyone would be able to detect and halt attacks using freeware such as snort.
Oh well it sounded good for a minute, it's a shame they didn't include any screenshots or specs in the article.
Re:issues with this (Score:3, Informative)
Re:issues with this (Score:2, Informative)
Re:issues with this (Score:1)
Re:issues with this (Score:2)
they share in common the vulnerabilities used
Re:issues with this (Score:2)
Queue up the people arguing over virii versus viruseseses.
Detects port scans? (Score:2, Interesting)
Slashdot Rule #1 (Score:5, Funny)
Dumb Name (Score:5, Funny)
If you built a software package that catches worms...why wouldn't you call it "Early Bird"?
Re:Dumb Name (Score:2)
Early Bird Intrusion Detection [treachery.net] aims to catch the NIMDA worm.
Re:Dumb Name (Score:1)
Re:Dumb Name (Score:1)
and catch the worm for your breakfast plate.
If you're a bird, be an early, early bird...
but if you're a worm, sleep late.
Silverstein
Comment removed (Score:5, Interesting)
Re:Useful tool to have in an emergency (Score:2)
- snort portscan preprocessor will look for port scanning (with a list of exceptions for data center servers)
- a perl script will have the alerts piped to it and know when a new scan has started
- the perl expect mod will be used to put a null route in the network (on a cisco device) for the host that is doing the scanning. No return packets will make it back to the infected box.
Portsentry on FreeBSD (or BSD in general,
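The pipeline sketched above (snort portscan preprocessor, a script watching the alerts, a null route pushed to a Cisco device) can be shown end to end without the expect part. The following is an added example, not the poster's perl or any project's code: it parses alert lines in a constructed format modelled on the classic spp_portscan messages (adjust the regex to your snort version), applies an exception list for data center servers, and emits the IOS null-route commands once per scanning host instead of pushing them to the router. The addresses, exception list and managed networks are assumptions for the example.

```python
"""Turn snort portscan alerts into Cisco null-route commands (added example)."""
import ipaddress
import re

# Constructed exception list: servers that legitimately talk to many hosts
# (the "data center servers" the comment mentions).
EXCEPTIONS = {ipaddress.ip_address(a) for a in ("10.1.0.1", "10.1.0.80")}

# Only hosts inside our own address space are isolated; a scanner outside
# it is a job for the border filter, not a host null route.
MANAGED_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed alert format, modelled on the old spp_portscan log lines.
ALERT_RE = re.compile(
    r"spp_portscan: PORTSCAN DETECTED from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_alert(line):
    """Return the scanning source address from an alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None


def null_route_command(addr):
    """IOS static route that discards traffic *to* addr, so no return packets
    ever reach the infected box (the isolation step of the comment)."""
    return f"ip route {addr} 255.255.255.255 Null0"


def plan_null_routes(lines, already_routed=()):
    """Walk alert lines once and return (commands, skipped).

    commands: IOS commands for hosts that should be null-routed, one per host
    skipped:  (address, reason) pairs for alerts that must not trigger a route
    """
    routed = {ipaddress.ip_address(a) for a in already_routed}
    commands, skipped = [], []
    for line in lines:
        src = parse_alert(line)
        if src is None:
            continue  # status lines and unrelated log noise
        if src in EXCEPTIONS:
            skipped.append((str(src), "exception list"))
            continue
        if not any(src in net for net in MANAGED_NETS):
            skipped.append((str(src), "outside managed address space"))
            continue
        if src in routed:
            continue  # a scan in progress raises many alerts; route it once
        routed.add(src)
        commands.append(null_route_command(src))
    return commands, skipped


# Constructed sample alerts: one internal scanner repeating, the web server
# tripping the preprocessor, an external source, and a second internal host.
SAMPLE_ALERTS = """
Sep 03 14:22:01 spp_portscan: PORTSCAN DETECTED from 10.1.0.30 (THRESHOLD 4 connections exceeded in 0 seconds)
Sep 03 14:22:01 spp_portscan: portscan status from 10.1.0.30: 12 connections across 12 hosts: TCP(12), UDP(0)
Sep 03 14:22:05 spp_portscan: PORTSCAN DETECTED from 10.1.0.30 (THRESHOLD 4 connections exceeded in 0 seconds)
Sep 03 14:23:10 spp_portscan: PORTSCAN DETECTED from 10.1.0.80 (THRESHOLD 4 connections exceeded in 1 seconds)
Sep 03 14:24:00 spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 0 seconds)
Sep 03 14:25:30 spp_portscan: PORTSCAN DETECTED from 10.1.4.200 (THRESHOLD 4 connections exceeded in 0 seconds)
""".strip().splitlines()

if __name__ == "__main__":
    cmds, skips = plan_null_routes(SAMPLE_ALERTS)
    print("\n".join(cmds))
    for addr, why in skips:
        print(f"# skipped {addr}: {why}")
```

The exception list and the "already routed" set are what keep this from becoming the self-inflicted outage the thread worries about: a busy server tripping the preprocessor is skipped, and a host already isolated is not re-added every time the scanner fires again.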
Re:Useful tool to have in an emergency (Score:2, Interesting)
one of the things i thought of, that nobody has even brought up that i could find on this post, is the fact that this "Bi
Re: (Score:1)
Um, innovative? (Score:5, Funny)
&& !reverse dns for ip)
block ip
Do I win $10?
Re:Um, innovative? (Score:1)
Unfortunately, you failed to come up with such a creative name as "Billy Goat" for your project. Who can resist software called "Billy Goat"? Perhaps you can call your project "She-Buffalo" and you'd have a chance!
Re:Um, innovative? (Score:4, Funny)
Missed it by THAT much! (Score:4, Insightful)
s l o w . d o w n
while keeping the rest of the network moving right along while emailing the admin about it.
Re:Missed it by THAT much! (Score:2)
needs to be renamed (Score:2)
Billy we got Your Goat
Re:needs to be renamed (Score:1)
All right, I'm going back to bed now. Shouldn't post to Slashdot while having fever.
A better mousetrap, perhaps (Score:4, Insightful)
My second reaction is that the focus needs to be at the level of the ISPs. To expect all users to reliably protect themselves against attacks is just naive. Technology that could immediately detect attacks and prevent their propagation to individual users in the first place seems to me feasible and desirable.
Honey, I'm home (Score:2, Interesting)
and then
Doesn't this sound like honeyd [umich.edu]?
LaBrea (Score:5, Informative)
Re:LaBrea (Score:1)
Network Management Software (Score:4, Interesting)
Won't it break those systems?
Re: (Score:1)
Re:Network Management Software (Score:2)
How long before it's turned against file sharers (Score:3, Interesting)
How? With a bit of the old ultra-violence??? (Score:1)
"Well well well, if it isn't fat stinking Billy Goat Billy Boy in poison. How art thou, thou globby bottle of cheap stinking chip oil? Come and get one in the yarbles, if you
A minor variation on this... (Score:3, Interesting)
A module for your IDS which, if it detects a machine on your network is infected with something, automatically sets your router to NAT that machine so it points to some server which will inform the user they are infected, and gives details on how to disinfect themselves, or to contact the helpdesk, or whatever.
In addition to the NATing, the next DHCP request they perform could take them off the local network address space (except for the disinfection message machine) so they won't be spreading their infections locally.
The informing machine would not just be HTTP, which could return the webpage, but also have SMTP, POP3, IMAP servers, whatever else they could be running, which return an error, which (hopefully) will be displayed by the user's application, telling the user what is happening.
Even if the user doesn't receive the error messages, they would most likely notice something is wrong when they can't connect to anything, and even if they don't they are isolated from the internet, and after their dhcp lease expires (assuming it has a reasonable length) they would also be isolated from the internal network.
It sounds similar to the 'Billy goat' idea... I hope it's not too similar, or it might be covered by restrictive software patents.
squashes worms?? (Score:3, Funny)
Traffic Analysis and Holistic Medicine (Score:1)
But, note - in computer security, as in human health - there are two fundamental approaches:
once well, don't get sick
and
once sick, get well fast
A hospice volunteer I talked to last week pointed
attacks finished? (Score:1)
Bob Bloom sums it up... (Score:2)
Hehe (Score:2, Funny)
Let billygoat's platform of choice be Linux! (Score:3, Insightful)
If it turned out to be a great product that would be a wonderful bit of irony. Linux working to say a messed up windows world.
Re:Let billygoat's platform of choice be Linux! (Score:1)
There was a report last week that MS DNS has been outsourced to company that runs Linux (to deal with the expected dos attack)
LaBrea (Score:2)
It is a program to 'tar-pit' worms. When something (Code Red was the initial reason) scans an ip address that isn't there, it sends an ack back spoofed to be from that machine, thus causing the worm to have to time out before it goes on, and it can knock the connection into persistent mode, thus locking up the thread on the attacking machine until the thread is killed.
Looks nasty, and there is a debian package. If it works as well as hoped, Li
Cheezborger, cheezborger, cheezborger! (Score:1, Offtopic)
[Sorry, but as a Chicagoan, I had to add that to this thread. I was obligated to.
Re:Cheezborger, cheezborger, cheezborger! (Score:2)
Interesting tool in a good toolset (Score:1)
1) It looks for computers that are trying to hit unassigned IP address (assuming these are local ones, btw).
2) When it finds a computer trying to hit unassigned IPs (unknown on the required frequencies), it acts to isolate the computer from the rest of the network.
Now, this could be a nice tool. #2 is problematical - if it automatically isolat
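The detection half of what the two-step summary above describes, and the earlier point that a slashdotting is ignored because that traffic all goes to assigned IPs, can be made concrete with a small flow-log check. This is an added example, not IBM's Billy Goat code: it counts, per source host, how many distinct unassigned ("dark") addresses inside the local subnet that host has touched, and flags sources over a threshold. The subnet, the assigned-address list, the threshold and the flow records are all constructed for the example; the isolation step (#2) is left as a returned list of hosts rather than a router change.

```python
"""Flag hosts that probe unassigned local addresses (added example)."""
import ipaddress
from collections import defaultdict

# Constructed: the monitored subnet and the addresses actually in use on it.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in (
    "10.1.0.1", "10.1.0.10", "10.1.0.20", "10.1.0.30", "10.1.0.80")}

# A host touching at least this many distinct dark addresses is treated as
# a scanner. One stray hit (stale DNS, a typo) stays well below it.
DARK_THRESHOLD = 5


def is_dark(dst):
    """True if dst lies inside the local subnet but is assigned to no host."""
    addr = ipaddress.ip_address(dst)
    return addr in LOCAL_NET and addr not in ASSIGNED


def parse_flow(line):
    """Parse a constructed 'time src dst dport' record into a tuple."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def count_dark_hits(lines):
    """Map each source to the set of distinct dark addresses it contacted."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, _ = parse_flow(line)
        if is_dark(dst):
            hits[src].add(dst)
    return hits


def find_scanners(lines, threshold=DARK_THRESHOLD):
    """Return {src: sorted dark destinations} for sources over the threshold.

    Traffic to assigned addresses never counts, so a burst of outside clients
    hitting the web server (a slashdotting) produces no entry at all.
    """
    return {src: sorted(d) for src, d in count_dark_hits(lines).items()
            if len(d) >= threshold}


# Constructed sample: 10.1.0.30 sweeps the subnet on 135/tcp (Blaster-style),
# four outside clients hammer the assigned web server 10.1.0.80, and an
# ordinary host 10.1.0.10 talks to assigned peers plus one stale address.
SAMPLE_FLOWS = """
14:22:01 10.1.0.30 10.1.0.2 135
14:22:01 10.1.0.30 10.1.0.3 135
14:22:01 10.1.0.30 10.1.0.4 135
14:22:02 10.1.0.30 10.1.0.5 135
14:22:02 10.1.0.30 10.1.0.6 135
14:22:02 10.1.0.30 10.1.0.7 135
14:22:02 10.1.0.30 10.1.0.10 135
14:22:03 203.0.113.5 10.1.0.80 80
14:22:03 203.0.113.6 10.1.0.80 80
14:22:03 203.0.113.7 10.1.0.80 80
14:22:03 203.0.113.8 10.1.0.80 80
14:22:04 10.1.0.10 10.1.0.20 445
14:22:04 10.1.0.10 10.1.0.1 53
14:22:05 10.1.0.10 10.1.0.99 80
""".splitlines()

if __name__ == "__main__":
    for src, dark in find_scanners(SAMPLE_FLOWS).items():
        print(f"isolate {src}: probed {len(dark)} unassigned addresses {dark}")
```

The threshold is where the automatic-isolation worry from the thread lives: set it too low and a host with one stale mapping gets cut off, set it too high and a slow scanner stays under it, so in practice the count is kept per time window and the assigned list is fed from DHCP leases rather than typed by hand.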
SCO? (Score:2)
NetScreen IDP has had this two years ago... (Score:2, Informative)
But we didn't get press coverage, because:
a) We're not IBM
b) We don't come up with cool codenames
c) This is so obvious it doesn't deserve cover
Does it not sound similar to tarpits ? (Score:1)
So what you're saying is... (Score:2)
ROFLMAO!
Ultimate virus (Score:2)
Yeah yeah, I will get modded troll for the word ' Ultimate' in the subject. See if I care.
A virus/worm I would write would:
Re:pure genius... (Score:1, Redundant)
Re:pure genius... (Score:2)
Re:Billy Goat? (Score:2)
Re:Will _he_ sue IBM now? (Score:1)