Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Using Honeypots to Fight Worms 229

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"
This discussion has been archived. No new comments can be posted.

Using Honeypots to Fight Worms

Comments Filter:
  • by rot26 ( 240034 ) * on Tuesday October 28, 2003 @10:44AM (#7328531) Homepage Journal
    Sounds like a lawsuit waiting to happen, unfortunately.
    • Could you argue self-defense? If somebody is hitting me over the head with a bat, and I shoot them in the arm to make them drop the bat, that is self defense. This seems to me to be very much the digital equivalent of the bat scenario. It would be interesting to watch it play out, anyway.

      • If somebody is hitting me over the head with a bat, and I shoot them in the arm to make them drop the bat, that is self defense. This seems to me to be very much the digital equivalent of the bat scenario.

        1) Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only weilding a bat.

        2) Unless your Iron Lung is hooked to the internet, no internet attack is an attack on your life. If I steal your laptop from your tru

        • Yeah, but If I do break into your trunk, what the hell are you going to do about it? Go tell the police that somebody stole your stolen laptop?

          In addition, that scenario is flawed. In the theft scenario, the crime is already complete, and what is being done is revenge (which is wrong). I think both of us have flawed analogies. A more accurate representation would be if somebody was breaking into my house, and I hit them with a fucking brick to make them stop.
        • That depends on what state you're in in the US. Say we're both in Louisiana and you come up trick-or-treating. I open the door and shoot you. That's legal in Louisiana. [hoboes.com] Or maybe that's only legal if I'm white and you're not. Although that sounds like I'm race baiting, I'm not.
        • Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only weilding a bat.

          Mostly wrong. For example, in the jurisdiction of New York, see this page [cornell.edu], or Google yourself. Quote:

          When one believes that the use of deadly force is justified, one has a duty to retreat before using such force if one knows one can do so with complete safety.

          Running away from a guy beating you with a bat is not "complete safety". You would

    • Honeypot (Score:5, Interesting)

      by Anonymous Coward on Tuesday October 28, 2003 @11:36AM (#7329141)
      I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

      If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnected they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

      There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.
      • While I can't moderate (I choose not to,) I can comment.

        WOW. I like that. I like that a lot. This should be standard practice. It's not invasive at all, and it forces the schmucks who never paid attention when they got their massively powerful infection node^W^Wcomputer to finally get up to date.

        Let's face it, as long as we have uneducated users, these problems will continue to crop up. If we can keep them offline until they learn the simplest parts of system maintenance, then maybe these problems wo
      • Re:Honeypot (Score:2, Insightful)

        by mbklein ( 86878 )
        When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

        So as long as I get my prescription filled, you'll let me out of quarantine? Great! I don't actually have to take my antibiotics, as long as they're nearby.
        • Re:Honeypot (Score:2, Insightful)

          by VertigoAce ( 257771 )
          I assume that they can get themselves quarantined again if they continue to disrupt the network. And I'd imagine that your account would be flagged so that an administrator would know it's been taken off more than once.
  • by bobbabemagnet ( 247383 ) on Tuesday October 28, 2003 @10:46AM (#7328555)
    We are all well aware of Welchia and the fact that it caused nearly as much nuisance as Blaster. Let us learn from this and never again release a worm for good purposes.
    • Or at least one that isn't so enthusastic about finding hosts to clean.

      I'm still waiting for Jan. 1st, 2004.
    • by IncarnadineConor ( 457458 ) on Tuesday October 28, 2003 @10:51AM (#7328641)
      That was proactive, the solution described here is reactive. Rather then using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat resonable to me.
      • Seems somewhat resonable to me.

        Unfortunately, what is reasonable and what is legal are not always the same thing. Anyone considering embarking on such a project would be very well advised to consult with a lawyer before getting too far into it.
        • Unfortunately, what is reasonable and what is legal are not always the same thing.

          Then the law needs to be revised - a definition of "an active, compromised machine" worked out, and a provision for designated organisations to be empowered to react to attacks from such compromised machines in such a way as to prevent the attacks. Whether this is patching the machine or crashing it, I really don't mind. Do IP blocks have email contact info associated with them in a similar way to domains?

      • It seems perfectly obvious (to me, anyway) that eventually we will reach a point where all this will have to be done by machines; in that light, this is a step in the right direction.

        When you have hackers using automated systems, remote controlled computers, etc, to do their hacking for them, we will eventually reach a point where we, too, will need to use automation to fight them.

        This is the exact same pattern you see in every other area where automation is now being used: nuclear power, jet aircraft, etc.

      • No. It is never acceptable for anyone to do anything on my computer without my express prior permission, end of story. It's not "somewhat reasonable," it's not reasonable at all. We need to clamp down on this hard before people start acting on their "good wishes." It only takes one or two people to cripple the entire Internet nowadays; we need to make it perfectly clear that this sort of thing is simply not acceptable and never will be.

        I will cheer just as loudly when the makers of "benevolent worms"

      • Seems somewhat resonable[sic] to me.

        Completely overlooking the fact that the response is to alter a system that is not under your control without the owner's permission. You can block at the router if you want, thereby denying traffic from the host, but I would argue that making alterations to another's system without permission is exactly as unethical (and probably illegal, depending on jurisdiction) as the original worm.
    • by gorfie ( 700458 ) on Tuesday October 28, 2003 @10:53AM (#7328653)
      There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

      However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.
      • I think a honeypot such as this (or any honeypot) would be useful within an internal network. So set it up in your LAN, so that you can find out about a potential worm or intruder earlier. Launching a counterattack would be fine within an internal network, but it would be very foolish to do this on the internet -- that would get you in legal trouble.
    • The advantage here is that the server would *only* counter-attack a box with a fix if it was attacked first.

      Although decidedly risky legally-speaking, it would mean that only vulnerable hosts would get contacted and have fixes forcably deployed on them -- meaning that as the original infection dies down then so too will the number of forced deployments.

      The key problem with the Welchia worm is that it simply didn't go away. It continues to actively probe and scan for vulnerable machines indefinitely -- an
      • In fact the article even infers that it should be used in a department or organisation and not on the net, and mentions the ethics of such a procedure.

        This script, given strictly as an example, can be improved upon by using evolved programming languages such as VBS. A longer example [ref 13] has been tested on a research network, cleaning our infected hosts in a few minutes.

        Some SysAdmins were recently polled to determine if it is ethical to take active defense measures in such a targeted, counter offen

      • Yeah, unless the worms spoof IP addresses. That is going to open up the legal trouble when the "counter" action starts hitting wrong machines.
    • Whilst I agree with you in principle, it is hardly logical to argue 'some guy try once and and it didn't work, so it should never be attempted again...'
    • Actually although your point is unchanged by it, the welchia fallout was far far worse than blaster ever was. The simple reason is welchia clogged the bandwidth pipes in a way blaster never dreamed. Effectively cutting off most of net... at least for the state of IL where I work on these issues for users spread all over the state.
    • I look at the life-cycle of a worm as follows:
      • Infancy: The worm starts from one computer, and begins to spread.
      • Adult: The worm has tried all 2^32 addresses in the IPv4 internet. The worm continues to spread, however, as machines come and go, and may "leak" into networks not directly connected to the Internet.
      • Lingering: Patches are availible and national news covers the story, so everyone knows they need to update their machines, and almost everyone does. A few leftover machines (unadministered, p
  • Worms too?! (Score:4, Funny)

    by MeanE ( 469971 ) on Tuesday October 28, 2003 @10:47AM (#7328586) Homepage
    And here I thought they only caught bears named Poo.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Tuesday October 28, 2003 @10:48AM (#7328598)
    Comment removed based on user account deletion
    • otherwise this could cause some major legal problems...

      I assert my right to self-defense. You attack me, I'll attack you in exactly the same way (you see, I already know you're vulnerable to that exploit), and shut you down so you can't continue to attack. I won't wipe you or patch you or do any permanent damage.

      "you" and "me" can be either we as persons or our respective servers. It doesn't matter technically, so I fail to see why it should matter legally.

      That said, I practice what I preach. I've had a
      • All virus writers have to do is 'secure' the system they just compromized. This could be as easy as shutting down a service.
    • But you could, perhaps, make it do an automatic but thourough lookup of the infected domain, attempt to determine the associated admin email, and fire off an email to said admin.

      If attacks persist from a host after a month, then perhaps a flag for an automatic response would be appropriate
  • What about a P2P honeypot network? I'd think that would greatly increase the overall effectiveness.
  • Skynet! (Score:2, Funny)

    by scovetta ( 632629 )
    Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts
    Yeah, the honeypot could proactively install patches to systems that it deemed infected, all around the world!
    Sounds like Skynet. Run for the hills!
  • by DaneelGiskard ( 222145 ) on Tuesday October 28, 2003 @10:49AM (#7328606) Homepage
    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did [slashdot.org].

    Still what can one do against users who do not care if they have a worm or not? Should we invet a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)
    • A nice concept, "internet driving license," but all it will do is:
      a) discourage new users
      b) make people afraid to try new things online
      c) create some kind of institution with an incredible amount of unwarranted power

      • Well, you are of course right. It would definitely reduce some of the "freedom" the internet users. But to keep the driving-license analogy, what would happen if no driving license would be needed and driving would generally be without any rules? It would be a similar situation as the one we have now on the internet, there would be some/many people who are rational and intelligent enough to do things right intuitively, but there would also be people who just do not care.

        It has not been much of a problem in

        • Well, you are of course right. It would definitely reduce some of the "freedom" the internet users. But to keep the driving-license analogy, what would happen if no driving license would be needed and driving would generally be without any rules? It would be a similar situation as the one we have now on the internet, there would be some/many people who are rational and intelligent enough to do things right intuitively, but there would also be people who just do not care.


          Yeah, they're perfectly similar, e
    • You may get into legal trouble for FIXING an attacker's computer. You can bet though if they don't patch, then they don't turn off unnecessary services either. Enter Windows Messaging Service. Just send them a quick note stating that their machine is infected and they would be best served to patch it.
      • Yea, because people who can't handle a simple patch procedure are going to understand the subtle stupidity of Windows Messenger. I can see my e-mail now...

        OMG! I'VE BEEN HACKED! lol!!! OM!G JIT SAYS SOMETHIGN ABOUT WORMS YOU HAVE TO COME FIX MY COMPUTER I DONT KNOW WHAT'S WRONG! LOL!!!!

        Attachment: "Latest Windows Security Update.exe"

    • Still what can one do against users who do not care if they have a worm or not? Should we invet a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

      Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.


      Nice idea, but I was thinking of something more along the lines of a bat. You could put big letters on the side "CLUE"
    • While the idea of an internet driving license seems OK at first, it would end up being the ultimate person tracker.

      To make it worthwhile, people would be required to type in their I.D.L. # to use a computer, destroying the entire concept of privacy.


    • Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.
      Excuse me, but I already pay $50 a month for broadband, that's enough, thanks. I don't need to pay more for some stupid competency license. I know what I'm doing just fine, and to put it mildly, "..we don't need no stinkin' licences!"

      The conter-attacks to patch infected machines are a bad idea, most certainly illegal.
    • I'm not sure a license to use the internet is the right solution, but there IS a huge issue of accountability these days.

      I'm all for privacy and anonymity, but when 1 anonymous person has the potential to introduce a virus that can bring down a corporation's network (or neighborhood's broadband access) through sheer negligence, I very strongly start to question the limits of that privacy.

      Of course, a fantastic solution to the problem would be software that doesn't have 59,000 exploits and so many features

    • What AOL did was not wrong, they used there software to patch a bug. It wasn't like they opened up excell and downloaded your files. Mind you, aol could have told the users what they were planning/doing. Back to this discussion... If I'm running a network of 5000 computers, and 500 of them are dsl, or cable or dialup connections I have everyright to patch those computers on MY network, so long as I devulge this information in the Terms of the contract.!!!
    • At my university, if the router detects you launching traffic known to be a worm propagating, etc, it disables your wall jack. Clean. Simple. Effective. You go to a friend's computer and download the neccessary cleaning tools onto a CD, fix your machine, and call the computer center, and up you are again.
  • idiocy (Score:5, Insightful)

    by RMH101 ( 636144 ) on Tuesday October 28, 2003 @10:55AM (#7328666)
    so you have loads of honeypots out there waiting for worms to exploit them, then you redirect these to "fake services". Whoop-de-hoop.
    I don't think worm writers are going to care very much. If they're spammers, then some more of their spam will go in the bin - but it's not costing them, so who cares?

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

    • Re:idiocy (Score:4, Interesting)

      by Afty0r ( 263037 ) on Tuesday October 28, 2003 @11:13AM (#7328857) Homepage
      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.


      I understand where you're coming from, but let's take an analogy : in any other walk of life, if you are attacked you are allowed to take reasonable actions to defend yourself.

      If someone comes at you and other people in the street with a knife, you are allowed to wrestle the knife from him. Things such as punching him, pinning him or even breaking his arm might be viewed as perfectly reasonable by a judge - in order to prevent harm.

      In the same vein, we're talking about disarming the offensive person (host) without causing any collateral damage... So why might this not be considered legal by an enlightened society?
    • You think this is a bad idea. I have to agree, but for different reasons.

      There's nothing wrong with trying to clean up your own network. These boxes would be a great idea on a corporate network. When some new M$ transmitted disease comes springing out of LookOut of Internet Exploder, a central box could fix the problem.

      For all that, I still think projects like this are a waste of time. Why should prople spend their time fixing Windoze? The best you can hope for is the RAV fate, a buyout. Microsoft m

    • Re:idiocy (Score:2, Funny)

      by unixdad ( 704399 )
      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

      What if it's a tool that you have deployed in your network, and it just so happens that the honeypot is a little bit misconfigured, allowing it to respond to all hosts that attempt to infect it?

      How is this then different from desktops that are poorly written/designed or misconfigured allowing them to spread viruses on the internet?

      The purpose of the tool (vir
  • by Anonymous Coward on Tuesday October 28, 2003 @10:56AM (#7328688)
    When using your honeypot at the campgrounds, always practice safety.
    Surround your honeypot with rocks to keep the fire from spreading. Be sure when
    you're done with your honeypot to put it out with a bucket of water and make
    sure it has stopped smoking before you leave the area.

    Remember what Smokey the Bear says. Only you can prevent your honeypot from starting a forest fire.

  • Bad Idea (Score:5, Insightful)

    by Mortanius ( 225192 ) on Tuesday October 28, 2003 @10:56AM (#7328693) Homepage
    ...launching counter attacks to clean infected hosts!

    They're just that, 'attacks.' Unauthorized access to users' machines with the intent of installing software without the users' knowledge (even with, it makes no difference.)

    It's a nice idea in spirit, the Community (I hate that term) working to automatically protect those who can't help themselves (sounds rather elitist, doesn't it). But in the end, it's no better than your average hacker / skript kiddie futzing around with your machines.
    • For the method of counter attack described here, you might as well say it's self-defense. An infected computer tries to exploit vulnerabilities to install itself on one of your systems. Of course the most important things is always to make sure your machine is secure. But why should it be considered unethical to make sure the offending computer can't infect other, less secure, systems?

      If someone is randomly assaulting people in the street, should you just run away and lock yourself up at home, or should y

  • by Dark Fire ( 14267 ) <clasmc@@@gmail...com> on Tuesday October 28, 2003 @11:05AM (#7328768)
    Welchia proved that good intentions can be disasterous. Even well-intentioned actions could damage someone's livelihood or equipment and open up the vigilante to criminal/civil penalties. A better approach would be a quick legal remedy that would permit one party to obtain a court order ordering the ISP of another party to cut off their internet access until they complied with the remedy (fixing the issue). The ISP is given 10 business days to notify the customer of the court order. An ISP could then try and verify the claim and file a response themselves if they find the claim unsubstantiated, or they could pass on the claim to the customer who would then would be responsible for replying. If the customer or ISP replied without properly addressing the claim or fixing the issue, they would be liable for criminal penalties and fines under the law. Wow, this whole idea ended up sounding kind of draconian which is not at all what I was going for. Any thoughts?
    • This happened to me. (well, no court order or what not). My ISP monitors for network anomolies, and thought that I had welchia (I had actually ran a portscan against one of my servers). They put a flag on my account, and disconnected me, and waited for me to call them to find out what happened.

      What would be a good solution, is some kind of 'secure' winpopup. (ie, mabey an ISP gives you a public key, that your machine will accept messages from) ISPs could then give their users notice of suspected activi

  • It is obvious that 'attacks' can ony be made inside a corporate network or similar, or else one would probably face lega consequences.

    Apart from that, I think this is a great idea. You could use honeypots to automaticly update firewall filters and block further infection attempts!

    • Yes, but you have to be very, very careful. Otherwise, someone could deliberately (manually) attack your honeypot on a critical service port and trigger a firewall update... that knocks all of your critical systems offline.

    • Good luck. Name me one product you'd trust to automatically adjust your perimeter security.

      I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.

      First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to tr
  • Know your enemy (Score:4, Insightful)

    by Twillerror ( 536681 ) on Tuesday October 28, 2003 @11:06AM (#7328785) Homepage Journal
    Half the time we don't know our network is infected until it is too late, or someone complains the internet is slow.

    Just having a honeypot that can alarm us to what boxes are infected is a big plus. We can take it from there.

    Somehow taking the computer off the network would be a bonus as well. I wish our firewall had this functionality.

  • by Tom ( 822 ) on Tuesday October 28, 2003 @11:07AM (#7328804) Homepage Journal
    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper [lemuria.org] that shows that and how future worms will be much too fast for his - or anyone elses - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    • You might want to have a look at Nick Weaver's Homepage [berkeley.edu]--How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

      Frankly, you're correct in your assumption. However, the author makes a good start in terms of preventing that initial spread. I agree that if you focus too much on 'reaction', dependent on identification of a worm, you're screwed to start out with. But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at
      • by Tom ( 822 )
        How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

        I've read that one, and it is referenced in my paper. :)

        However, the author makes a good start in terms of preventing that initial spread.

        Chapter 4.5.1 of my paper shows how to circumvent that questionabe protection.

        But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.

        That is the correct approach. Until worms

        • I honestly had just scanned over your paper, but I will read it in detail asap.

          You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.

          I don't doubt you at all. In fact, I am happy for yet another legitimate-looking piece of work which says this. In fact, this statement is one of the cornerstones of all the security incident response mechanisms and structures we've been putting together in my current project. You're preaching to the choir

    • Actually, that's only assuming that you have a relatively passive system.

      If you actively update the "defense boxes" with all the latest exploits and then configure it to use it's full arsenal to take down any attacking hosts (e.g. by making all exploits simply turn off networking on the target machine), then you'll have a very high success rate indeed. Then only worms exploiting previously unknown holes on otherwise fully patched machines will be able to run unchecked. This raises the bar for worm writer

    • In the "theoretical limits" section, several times you have too much in the superscript in your calculations. (This looks like a pure TeX typesetting error, not an error in your calculations) Also, for the final result I believe you meant:

      t = \log_{(r+1)} n_t - \log_{(r+1)} i

      Not, as you have there,

      t = log_{(r+1)} n_t
      • In section 5.1.1 you use your theoretical limit, but you forget that you started with 10 infected hosts. This leads to a theoretical best time-to-saturation of 29.499 seconds, not 36.506 seconds.

        I will concede that this point isn't crucial, however. It still makes a worm that hits saturation in under a minute very close to ideal.
        • Thanks to this correction (also to the other, which yes is a typo and was pointed out to me already).

          There has been much feedback from the community ever since I posted it, and I will update it soon (have a conference talk to do that takes priority right now).
  • Yes, imagine that.. (Score:5, Informative)

    by kcm ( 138443 ) on Tuesday October 28, 2003 @11:08AM (#7328817) Homepage
    wait, here it is [umich.edu].
  • by herrvinny ( 698679 ) on Tuesday October 28, 2003 @11:13AM (#7328861)
    This honeypot can either be a "sacrificial lamb" (a normal host without the very latest updates applied on, sacrificed in expectation of an attack), or just a simulation of services.

    If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out? I think it would be better to have a small network of 6-8 computers (wouldn't have to be much, just get a rack off Ebay and a few of those mini-itx components, load em in, don't need a fan, case, etc) and have each computer at varying levels of patches. One computer is patched every day, one patched every two weeks, etc. There isn't enough time to customize a computer to be infected by the worm; by the time you hear about it, the worm has already infested millions of computers.

    They also should look more into that counterstrike idea. Seriously, if you attack my computer, even if you didn't know about the virus, then I have the right to self defense. I'll gladly install some of that counterstrike software when I set up a honeypot. You're PO'ed because I attacked your computer? You attacked me first. I'm only exploiting the same vulnerability the worm did. If you were a SMART web citizen, you would have gotten a firewall to protect yourself from the worm in the first place.
    • If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out?

      Assuming that MS the infallible (random quote..."No one would ever need more than 640K") identifies EVERY flaw BEFORE worm writers do than yes, patching makes perfection. Please, do not assume that.
  • I think that the worms and viruses should be disected and once the origin is known, launch an all assault on the author. DDoS the SOB into oblivion.

    Or, for virus writers, how about giving them a good dose of SARS or AIDS?? That'll teach them to play games..

  • Good article (Score:5, Informative)

    by lamj ( 153635 ) <jasonlamNO@SPAMflashmail.com> on Tuesday October 28, 2003 @11:37AM (#7329154)
    Overall a very good article. The article could have touch upon the ability for honeypot to help create IDS signature. At current technology level, IDS are mostly still signature based and early detection with honeypot to help with creating IDS signature is very important.

    For active countermeasure (or attack), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines are almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation, auto-patching without investigation can be a risky thing because you just don't know the extend of the problem. When you fix it, the hacker could have backdoor installed on your box.

  • Yeah... (Score:3, Interesting)

    by inertia187 ( 156602 ) * on Tuesday October 28, 2003 @11:58AM (#7329396) Homepage Journal
    I wrote [mac.com] about that too. Mine is implemented using a simple Servlet.
  • by Not_Wiggins ( 686627 ) on Tuesday October 28, 2003 @12:24PM (#7329635) Journal
    To be perfectly honest, there's no legislation to go after the "Joe Average Infected Computer User" for spreading the original worm. What makes you think they'd be all set to jump on (supposed) "White Hats" with systems that only respond to attacks in an effort to stem them (technically "illegal" or not)?

    Before I had a webserver up-n-running doing useful stuff, I had Code Red Vigilante [crazybob.org] running on port 80; it felt good knowing that machines that had tried to infect me were being warned that they were infected... you know, trying to be a good netizen and enlighten my fellow surfer.

    Of course, I was able to do that because I could look through the Java code I was installing and determine exactly what that code was doing (ie, not fall victim to a socially engineered attack where I mistakenly INSTALL someone's worm code on my computer!)

    No... the real question won't be how this all gets sorted out legally; we'll figure out how to use technology to stop this crap before any law gets passed to "protect me."

    The real question will be how do we protect the average person in the interim without making them easily exploitable targets for malicious anti-worm code that is, in essence, a socially-engineered worm attack in its own right.
  • The solution may be IPv6. These days scanning the 4 billion odd IPv4 addresses is not beyond the capability of a few machines on broadband. Yeah it won't reach NATed networks easily, though it only has to get inside via one machine.

    But the problem of scanning the IPv6 space is non-trivial. Not only is it easier to hide somewhere inside this much larger space, but serious folks, why don't we start from the beginning having routers to identify obvious scanning attempts (i.e. requests to a whole lot of di

  • (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)

    As a matter of a fact it sounds an awful lot like the anti-blast worm some jackass wrote. That bit of well meaning cyber-carpentry got on my network despite being prepared for blast and it did very similar damage. The honey pot project should look for useful things to the community not to an individual.
    • As a matter of a fact it sounds an awful lot like the anti-blast worm some jackass wrote. That bit of well meaning cyber-carpentry got on my network despite being prepared for blast and it did very similar damage. The honey pot project should look for useful things to the community not to an individual.

      The key difference here is that the honeypot is passive, it does not go out looking for vulnerable hosts, it waits until after the three-way TCP handshake on TCP/135 is complete, and only then does it r

  • by skinfitz ( 564041 ) on Tuesday October 28, 2003 @01:18PM (#7330206) Journal
    We got caught out by Welchia by someone kindly connecting an infected laptop directly into the network behind the firewalling. Ironically this was possible due to a mistake in SMS package deployment (was done hastily - my fault).

    My solution was to deploy honeypot windows machines running snort which reported into a central SQL server database.

    Using Windows scripting host, I then wrote a script that ran periodically on a network management workstation which queried the database, creamed off the last machine that was an infector and using the wonderful free PS Tools [sysinternals.com] from Sysinternals [sysinternals.com] automatically determined what OS the machine was running (PSInfo), updated its antivirus signatures (PSExec), de-wormed the machine using the Symantec "FixWelch" [symantec.com] utility (again using PSExec), decided if the machine was up to service pack spec (data from PSInfo) and if not service packed it (PSExec) then applyed the patches to prevent re-infection (PSExec).

    All worked a treat.

    I'm kind of glad we got hit because as a result I can now insist machines get patched (previously people would complain about a "box on the screen" (SMS installer)) while also being able to remove machine admin rights across the board and ban any machines that are not ours from being connected on pain of a disciplinary offence.

    A lot of work but ultimately, I WIN. MOO HAR HAR!!
  • LaBrea extended (Score:2, Informative)

    by tliston ( 669910 )
    I have recently begun beta testing of an extended-functionalty version of my original Open Source application, LaBrea, mentioned in the article. The new software, known as LaBrea Sentry, uses the same methods of trapping and holding connection attempts by worms and scanners. It also proactively defends real machines from attack from those same worms and scanners as well as communicating all log information to a central server which provides updated "Bad Guy" lists to the entire network of Sentry boxes. S

In the future, you're going to get computers as prizes in breakfast cereals. You'll throw them out because your house will be littered with them.

Working...