[ISN] A 'Tarpit' That Traps Worms

From: InfoSec News (isnat_private)
Date: Thu Sep 20 2001 - 02:16:47 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] Commentary on "Patriotic Hacking""

    By Michelle Delio 
    9:35 a.m. Sep. 19, 2001 PDT 
    Network administrators now have a hacking tool that can help them
    strike back at malicious attackers. 
    "LaBrea" is a free, open-source tool that deters worms and other hack
    attacks by transforming unused network resources into decoy-computers
    that appear and act just like normal machines on a network. But when
    malicious hackers or mindless worms such as Nimda or Code Red attempt
    to connect with a LaBrea-equipped system, they get sucked into a
    virtual tarpit that grabs their computer's connection -- and doesn't
    release it. 
    Worms trapped in the tarpit are unable to move along to infect other
    computers. Stuck hackers first waste their time flailing away at a
    non-existent machine; they are then forced to shut down their hacking
    program or computer to escape. 
    Programmers hope LaBrea will be a big culture-changer and think that a
    sexy little hacking program intended for use only by the good guys
    could launch a wave of other interesting and unique security tools. 
    "LaBrea is like a total about-face in the hacking community," said
    Rick Downes, a programmer at RadSoft. "Up until now, the black hats
    were the Mick Jaggers of the Net. But Tom Liston's attitude changes
    that, and he backs it up with solid code. I think the LaBrea tarpit is
    Liston programmed LaBrea in response to Code Red, the worm that has
    been scouring the Internet since last June. On Tuesday, he began
    successfully using it to trap Nimda worms. 
    "When I finally decided to turn my attention from stopping worms and
    hackers to just slowing them down, that's when the idea for LaBrea
    came to me," Liston said. "Also, I think that there should be some
    tools available to network administrators that will allow them to even
    their odds against the black-hat hacker community." 
    Some of Liston's nasty little visitors have been stuck in his tarpit
    for over a week. 
    Most of the current visitors on Liston's sticky network are machines
    that were scanning the Internet trying to spread Code Red. Code
    Red-infested machines spawn threads -- small bits of programming code
    -- that look for other vulnerable machines to infect. 
    "I'm holding about 1,000 Nimda scanning threads and 300 Code Red
    scanning threads at the HackBusters site. I'm holding them hard and
    I'm not letting them go," Liston said. 
    "Honestly, I don't know what else to do with them. But I know they're
    better off stuck here playing with machines that don't really exist
    than out scanning for a machine run by someone without a clue." 
    Liston admits that his LaBrea network is probably only stopping a
    dozen or so computers from spreading Nimda and Code Red. He knows
    that's only a drop in the bucket; tens of thousands of machines are
    believed to be infected with these worms. 
    But Liston has only allocated a tiny amount -- 100 bytes per second --
    of his network bandwidth to LaBrea. But he firmly believes that if
    enough network administrators "get on the bandwagon," then LaBrea
    could make a serious dent in the spread of worms and other hack
    Some security experts doubt that LaBrea will have a big impact on the
    Internet as a whole. 
    "No, I don't think the concept of LaBrea will make a big difference at
    the global level. Not strategically and probably not even
    tactically," said Rob Rosenberger of vMyths a virus information
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Sep 20 2001 - 08:54:09 PDT