Feeds

The Nortel anti-worm defence system

Catch-all

  • alert
  • submit to reddit

SANS - Survey on application security programs

Nortel Networks yesterday revealed the anti-computer worm defences it had developed in-house after it was hit hard by last year's outbreaks of Nimda and Code Red 2.

According to John Morris, an IT manager at Nortel Networks, the anti-worm system could help large institutions and even ISPs. He challenged vendors to develop a commercial equivalent to the bespoke system designed by Nortel.

When Nortel was hit by Code Red 2, the outbreak was manageable - for the first 30 minutes, following which the worm spread exponentially. The spread of Code Red 2 was curtailed only when the worm ran out of worm food (vulnerable servers to infect) and as its actions pulled down the network services it needed to propagate.

Speaking at the Virus Bulletin Conference in New Orleans yesterday, Norris said no single strategy is enough to constitute an effective countermeasure for the spread of such worms.

AV tools and personal firewalls can mitigate the risk against spreading worm, software patching restricts exposure and traffic filtering and tarpitting help slow down the spread on malware, but even all three on their own are not enough.

Shutting down port 80 traffic in a network as a cure may allow other traffic, such as email, to continue across a network but represents a cure worse than the disease from the point of view of many end-users.

Detect worms and taking infected servers off the network is very time consuming, so Morris and his colleagues developed a variety of early warning systems to catch worm in the crucial, early stage of infection. This allows Nortel to quickly quarantine infected machines, preventing incidents becoming outbreaks.

In many ways Nortel's anti-worm defence is very similar to an intrusion detection system, albeit designed specifically to look out for network-aware worms.

Among the measures Nortel implemented are worm lures, honeypot servers placed directly in the path of likely paths of worm infection; honeypot email accounts, designed to catch email-borne worms that send themselves to the first addresses in users address books and SMB lures, designed to flag up machines attempting to spread across file shares. Nortel also uses what Norris described as a Black Widow tool to detect worms crawling the Web.

Lastly, with the spread of possible successors to Nimda in mind, Nortel has established a large number of IP addresses on one machine, which will therefore show early signs of a large-scale worm assault on the companies network.

Nortel has had the system in production for six months and reports considerable success, with the SMB Lure proving to be the most effective tool in isolating problems (it accounts for four out of five quarantine events thus far).

Doubts were expressed about whether Nortel's systems led to an unacceptable level of false positives, but Morris said that tuning the system minimises this risk.

Other end users attending the conference said they used some, but not all, of the techniques deployed by Nortel. But there was a marked scepticism from vendors about Nortel's ideas, and no particular appetite to rise to Morris challenge to commercialise an anti-worm defence system. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.