http://www.wired.com/news/technology/0,1282,46964,00.html

By Michelle Delio
9:35 a.m. Sep. 19, 2001 PDT

Network administrators now have a hacking tool that can help them strike back at malicious attackers.

"LaBrea" is a free, open-source tool that deters worms and other hack attacks by transforming unused network resources into decoy-computers that appear and act just like normal machines on a network.

But when malicious hackers or mindless worms such as Nimda or Code Red attempt to connect with a LaBrea-equipped system, they get sucked into a virtual tarpit that grabs their computer's connection -- and doesn't release it.

Worms trapped in the tarpit are unable to move along to infect other computers. Stuck hackers first waste their time flailing away at a non-existent machine; they are then forced to shut down their hacking program or computer to escape.

Programmers hope LaBrea will be a big culture-changer and think that a sexy little hacking program intended for use only by the good guys could launch a wave of other interesting and unique security tools.

"LaBrea is like a total about-face in the hacking community," said Rick Downes, a programmer at RadSoft. "Up until now, the black hats were the Mick Jaggers of the Net. But Tom Liston's attitude changes that, and he backs it up with solid code. I think the LaBrea tarpit is fantastic."

Liston programmed LaBrea in response to Code Red, the worm that has been scouring the Internet since last June. On Tuesday, he began successfully using it to trap Nimda worms.

"When I finally decided to turn my attention from stopping worms and hackers to just slowing them down, that's when the idea for LaBrea came to me," Liston said. "Also, I think that there should be some tools available to network administrators that will allow them to even their odds against the black-hat hacker community."

Some of Liston's nasty little visitors have been stuck in his tarpit for over a week.
Most of the current visitors on Liston's sticky network are machines that were scanning the Internet trying to spread Code Red. Code Red-infested machines spawn threads -- small bits of programming code -- that look for other vulnerable machines to infect.

"I'm holding about 1,000 Nimda scanning threads and 300 Code Red scanning threads at the HackBusters site. I'm holding them hard and I'm not letting them go," Liston said. "Honestly, I don't know what else to do with them. But I know they're better off stuck here playing with machines that don't really exist than out scanning for a machine run by someone without a clue."

Liston admits that his LaBrea network is probably only stopping a dozen or so computers from spreading Nimda and Code Red. He knows that's only a drop in the bucket; tens of thousands of machines are believed to be infected with these worms.

But Liston has only allocated a tiny amount -- 100 bytes per second -- of his network bandwidth to LaBrea. He firmly believes that if enough network administrators "get on the bandwagon," then LaBrea could make a serious dent in the spread of worms and other hack attacks.

Some security experts doubt that LaBrea will have a big impact on the Internet as a whole.

"No, I don't think the concept of LaBrea will make a big difference at the global level. Not strategically and probably not even tactically," said Rob Rosenberger of vMyths, a virus information website.

[...]