InfoWorld
Window Manager
Brian Livingston
As the worm turns

I WROTE LAST WEEK that a new company called Descan.net is making available free software that detects malicious port scanners in real time (see "Descan your network").

The company's "listening agent" forwards only SYN packets to Descan.net's servers, ignoring all other Internet traffic. Unusual patterns indicate that a "script kiddie" is probing your network for weaknesses. The agent software currently runs on Linux, but a Windows version is coming soon.
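A sketch of the two stages described above, added here as an illustration and not Descan.net's own code: an agent-side filter that keeps only connection-opening SYN segments, and a collector-side check that flags a source reaching many distinct targets in a short window. The tuple layout, the window and threshold values, and the sample packets (documentation address ranges) are all assumptions.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits from the TCP header


def is_initial_syn(flags):
    """True for a connection-opening segment: SYN set, ACK clear."""
    return bool(flags & SYN) and not flags & ACK


def forward_syns(packets):
    """Agent side: keep only initial SYNs, ignore all other traffic."""
    return [p for p in packets if is_initial_syn(p[4])]


def find_scanners(syns, window=10.0, min_targets=5):
    """Collector side: flag sources that reach min_targets or more distinct
    (dst, port) pairs within any `window` seconds (assumed heuristic)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _flags in sorted(syns):
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, events in by_src.items():
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


# Constructed sample: (timestamp, src, dst, dst_port, tcp_flags)
PACKETS = [
    (float(i), "198.51.100.7", "192.0.2.10", port, SYN)  # port sweep
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 443])
] + [
    (0.5, "203.0.113.5", "192.0.2.10", 80, SYN),           # normal client
    (0.6, "192.0.2.10", "203.0.113.5", 51000, SYN | ACK),  # reply, dropped
    (0.7, "203.0.113.5", "192.0.2.10", 80, ACK),           # handshake, dropped
    (3.0, "203.0.113.5", "192.0.2.10", 443, SYN),
]

if __name__ == "__main__":
    syns = forward_syns(PACKETS)
    print(len(syns), "of", len(PACKETS), "packets forwarded")
    print(find_scanners(syns))
```

A fixed fan-out threshold misses scans spread over a longer period than the window, which is one reason pooling SYN records from many listening agents matters for this kind of detection.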

The objective is for ISPs to ban -- and for authorities to prosecute -- a few hundred real sickos, such as whoever launched this year's SQLSnake worm. But a larger goal is to notify thousands of people whose computers have been infected by "zombie scanners" in order to eradicate the beasts.

"Because of all the zombies out there, the initiators are [the ones] hidden by all this activity," said David Graves, engineering manager at Descan.net in Seattle.

When Descan.net finds evidence of port scanning, it sends an e-mail alert to the administrator of the ISP responsible. Although only a handful of listening agents have been in operation during the testing stage, Descan.net has already detected thousands of zombies. Spokesman Tom Wolf showed me evidence that numerous administrators around the world have gratefully responded that their problems have been traced and halted.

Although Descan.net's real-time detection is no magic bullet, it is the beginning of what must become a serious effort to rid the Internet of its vulnerabilities. I asked security specialists to comment on this approach. One anonymous consultant said, "This appears to represent the type of paradigm shift we've been seeking in IT to combat the baddies effectively."

The threat is very real. Besides stealing passwords, as SQLSnake did, zombies enable a perpetrator to launch DoS (denial of service) attacks that can cripple portions of the Internet for hours or days.

Most such assaults have been launched by pathetic amateurs. But a paper for the 2002 USENIX Security Conference says a determined attacker with advance planning "could arguably subvert upwards of 10 million Internet hosts" (see http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html). Multithreaded code with only a moderately sophisticated "hit list" could spread to many vulnerable machines in less than 15 minutes.

Such a creation has been dubbed the Warhol Worm. But I believe this artsy name trivializes the threat. I prefer to call it the Doomsday Worm, and it may already be coming. The Washington Post last month reported on coordinated scans of U.S. nuclear power plants, digital control switches, and the like originating from Saudi Arabia, Indonesia, and Pakistan.

Scared yet? Go to http://www.descan.net/joinin.html and take the first step in stopping scanners.




Copyright 2002 InfoWorld Media Group, Inc.