As the worm turns
- 30 July, 2002 10:46
I wrote last week that a new company called Descan.net is making available free software that detects malicious port scanners in real time.
The company's "listening agent" forwards only SYN packets to Descan.net's servers, ignoring all other Internet traffic. Unusual patterns indicate that a "script kiddie" is probing your network for weaknesses. The agent software currently runs on Linux, but a Windows version is coming soon.
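The SYN-only filtering described above, paired with one simple way to spot an "unusual pattern", as an added example that is not Descan.net's software or code from this column. The fan-out heuristic, the 60-second window, the threshold of 10 and all function names are assumptions, since the column does not say how Descan.net's servers decide what counts as a scan.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10

def parse_syn(pkt: bytes):
    """Return (src, dst, dport) for a bare SYN in a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (pkt[0] & 0x0F) * 4                              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:                    # need TCP header through flags byte
        return None
    flags = pkt[ihl + 13]
    if flags & SYN == 0 or flags & ACK:                    # drop SYN-ACK and all other traffic
        return None
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), dport

def find_scanners(events, window=60.0, threshold=10):
    """events: iterable of (timestamp, raw_packet). Flags sources whose SYNs reach
    >= threshold distinct (dst, port) targets within `window` seconds (assumed heuristic)."""
    recent = defaultdict(list)          # src -> [(ts, (dst, dport)), ...]
    flagged = {}                        # src -> largest fan-out seen in any window
    for ts, pkt in sorted(events, key=lambda e: e[0]):
        syn = parse_syn(pkt)
        if syn is None:
            continue
        src, dst, dport = syn
        hits = [(t, tgt) for t, tgt in recent[src] if ts - t <= window]
        hits.append((ts, (dst, dport)))
        recent[src] = hits
        fanout = len({tgt for _, tgt in hits})
        if fanout >= threshold:
            flagged[src] = max(flagged.get(src, 0), fanout)
    return flagged

def make_packet(src, dst, dport, flags):
    """Constructed test input: minimal 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLE = [(i * 0.5, make_packet("198.51.100.7", "192.0.2.10", 1 + i, SYN)) for i in range(25)]
SAMPLE += [(i * 5.0, make_packet("203.0.113.9", "192.0.2.10", 80, SYN)) for i in range(10)]
SAMPLE += [(i * 0.5, make_packet("192.0.2.10", "198.51.100.7", 40000, SYN | ACK)) for i in range(25)]
```

In the sample, the source sweeping 25 ports is flagged, while the client that repeatedly connects to one service and the SYN-ACK replies are not.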
The objective is for ISPs to ban -- and for authorities to prosecute -- a few hundred real sickos, such as whoever launched this year's SQLSnake worm. But a larger goal is to notify thousands of people whose computers have been infected by "zombie scanners" in order to eradicate the beasts.
"Because of all the zombies out there, the initiators are [the ones] hidden by all this activity," said David Graves, engineering manager at Descan.net in Seattle.
When Descan.net finds evidence of port scanning, it sends an e-mail alert to the administrator of the ISP responsible. Although only a handful of listening agents have been in operation during the testing stage, Descan.net has already detected thousands of zombies. Spokesman Tom Wolf showed me evidence that numerous administrators around the world have gratefully responded that their problems have been traced and halted.
Although Descan.net's real-time detection is no magic bullet, it is the beginning of what must become a serious effort to rid the Internet of its vulnerabilities. I asked security specialists to comment on this approach. One anonymous consultant said, "This appears to represent the type of paradigm shift we've been seeking in IT to combat the baddies effectively."
The threat is very real. Besides stealing passwords, as SQLSnake did, zombies enable a perpetrator to launch DoS (denial of service) attacks that can cripple portions of the Internet for hours or days.
Most such assaults have been launched by pathetic amateurs. But a paper for the 2002 USENIX Security Conference says a determined attacker with advance planning "could arguably subvert upwards of 10 million Internet hosts" (see www.icir.org/vern/papers/cdc-usenix-sec02/index.html). Multithreaded code with only a moderately sophisticated "hit list" could spread to many vulnerable machines in less than 15 minutes.
Such a creation has been dubbed the Warhol Worm. But I believe this artsy name trivializes the threat. I prefer to call it the Doomsday Worm, and it may already be coming. The Washington Post last month reported on coordinated scans of U.S. nuclear power plants, digital control switches, and the like originating from Saudi Arabia, Indonesia, and Pakistan.
Scared yet? Go to http://www.descan.net/joinin.html and take the first step in stopping scanners.