Information Security News mailing list archives

A 'Tarpit' That Traps Worms
From: InfoSec News <isn () c4i org>
Date: Thu, 20 Sep 2001 04:16:47 -0500 (CDT)


By Michelle Delio 
9:35 a.m. Sep. 19, 2001 PDT 

Network administrators now have a hacking tool that can help them
strike back at malicious attackers. 

"LaBrea" is a free, open-source tool that deters worms and other hack
attacks by transforming unused network resources into decoy computers
that appear and act just like normal machines on a network. But when
malicious hackers or mindless worms such as Nimda or Code Red attempt
to connect with a LaBrea-equipped system, they get sucked into a
virtual tarpit that grabs their computer's connection -- and doesn't
release it. 

Worms trapped in the tarpit are unable to move along to infect other
computers. Stuck hackers first waste their time flailing away at a
non-existent machine; they are then forced to shut down their hacking
program or computer to escape. 

Programmers hope LaBrea will be a big culture-changer and think that a
sexy little hacking program intended for use only by the good guys
could launch a wave of other interesting and unique security tools. 

"LaBrea is like a total about-face in the hacking community," said
Rick Downes, a programmer at RadSoft. "Up until now, the black hats
were the Mick Jaggers of the Net. But Tom Liston's attitude changes
that, and he backs it up with solid code. I think the LaBrea tarpit is

Liston programmed LaBrea in response to Code Red, the worm that has
been scouring the Internet since last June. On Tuesday, he began
successfully using it to trap Nimda worms. 

"When I finally decided to turn my attention from stopping worms and
hackers to just slowing them down, that's when the idea for LaBrea
came to me," Liston said. "Also, I think that there should be some
tools available to network administrators that will allow them to even
their odds against the black-hat hacker community." 

Some of Liston's nasty little visitors have been stuck in his tarpit
for over a week. 

Most of the current visitors on Liston's sticky network are machines
that were scanning the Internet trying to spread Code Red. Code
Red-infested machines spawn threads -- small bits of programming code
-- that look for other vulnerable machines to infect. 

"I'm holding about 1,000 Nimda scanning threads and 300 Code Red
scanning threads at the HackBusters site. I'm holding them hard and
I'm not letting them go," Liston said. 

"Honestly, I don't know what else to do with them. But I know they're
better off stuck here playing with machines that don't really exist
than out scanning for a machine run by someone without a clue." 

Liston admits that his LaBrea network is probably only stopping a
dozen or so computers from spreading Nimda and Code Red. He knows
that's only a drop in the bucket; tens of thousands of machines are
believed to be infected with these worms. 

But Liston has only allocated a tiny amount -- 100 bytes per second --
of his network bandwidth to LaBrea. He firmly believes that if
enough network administrators "get on the bandwagon," then LaBrea
could make a serious dent in the spread of worms and other hack

Some security experts doubt that LaBrea will have a big impact on the
Internet as a whole. 

"No, I don't think the concept of LaBrea will make a big difference at
the global level. Not strategically and probably not even
tactically," said Rob Rosenberger of vMyths, a virus information

