Feeds

The Nortel anti-worm defence system

Catch-all

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Nortel Networks yesterday revealed the anti-computer worm defences it had developed in-house after it was hit hard by last year's outbreaks of Nimda and Code Red 2.

According to John Morris, an IT manager at Nortel Networks, the anti-worm system could help large institutions and even ISPs. He challenged vendors to develop a commercial equivalent to the bespoke system designed by Nortel.

When Nortel was hit by Code Red 2, the outbreak was manageable - for the first 30 minutes, following which the worm spread exponentially. The spread of Code Red 2 was curtailed only when the worm ran out of worm food (vulnerable servers to infect) and as its actions pulled down the network services it needed to propagate.

Speaking at the Virus Bulletin Conference in New Orleans yesterday, Norris said no single strategy is enough to constitute an effective countermeasure for the spread of such worms.

AV tools and personal firewalls can mitigate the risk against spreading worm, software patching restricts exposure and traffic filtering and tarpitting help slow down the spread on malware, but even all three on their own are not enough.

Shutting down port 80 traffic in a network as a cure may allow other traffic, such as email, to continue across a network but represents a cure worse than the disease from the point of view of many end-users.

Detect worms and taking infected servers off the network is very time consuming, so Morris and his colleagues developed a variety of early warning systems to catch worm in the crucial, early stage of infection. This allows Nortel to quickly quarantine infected machines, preventing incidents becoming outbreaks.

In many ways Nortel's anti-worm defence is very similar to an intrusion detection system, albeit designed specifically to look out for network-aware worms.

Among the measures Nortel implemented are worm lures, honeypot servers placed directly in the path of likely paths of worm infection; honeypot email accounts, designed to catch email-borne worms that send themselves to the first addresses in users address books and SMB lures, designed to flag up machines attempting to spread across file shares. Nortel also uses what Norris described as a Black Widow tool to detect worms crawling the Web.

Lastly, with the spread of possible successors to Nimda in mind, Nortel has established a large number of IP addresses on one machine, which will therefore show early signs of a large-scale worm assault on the companies network.

Nortel has had the system in production for six months and reports considerable success, with the SMB Lure proving to be the most effective tool in isolating problems (it accounts for four out of five quarantine events thus far).

Doubts were expressed about whether Nortel's systems led to an unacceptable level of false positives, but Morris said that tuning the system minimises this risk.

Other end users attending the conference said they used some, but not all, of the techniques deployed by Nortel. But there was a marked scepticism from vendors about Nortel's ideas, and no particular appetite to rise to Morris challenge to commercialise an anti-worm defence system. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.