Archive for the ‘security’ Category.

Buyers guide: Network-based intrusion-detection systems

Network World Fusion:
Buyers guide: Network-based intrusion-detection systems. IDG Oct 8 2001 3:38AM ET [via Computer security news]

iDisk security issues discussed

SANS/FBI: Twenty Most Critical Internet Security Vulnerabilities

Carnivore substitute keeps Feds honest

Carnivore substitute keeps Feds honest. NetWitness, a commercial alternative to Carnivore. [The Register]

Brief: Security firm issues warning about fake Nimda fix

SANS Incidents handler of 2001/09/25 Vicki Irwin

SANS Incidents handler of 2001/09/25 Vicki Irwin:

A poster to the Handler’s list came to the following conclusion
after performing an analysis on the worm code with a disassembler:

“After consuming a certain amount of CPU time [Nimda] goes dormant for 10
days. It counts the days as year*365 + month*30 + day_of_month. The
next wave of attacks will be on Sept 28, Oct 8, Oct 18, Oct 28….”

The results of this analysis would explain the slowing very well, and
predict that we should expect another ramp up in activity on Friday. Other
sources have noted that the use of Nimda’s “GetSystemTime” call is to initiate
the email propagation phase anew every 10 days; but have not said anything
about the worm stopping scanning for web servers upon reaching some defined
limit. In addition to explaining the observed drop off in scan activity, this
analysis would also potentially explain why the strings “Processor Time”,
“User Time”, “Privileged Time”, etc. are found in the worm binary.

Note: The incidents.org Nimda report will be updated tomorrow (9/26)
with new information collected since 9/21.
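The day-count formula in the quoted analysis is worth working through, because it is not a real calendar: month*30 ignores 31-day months, so the worm’s notion of “10 days” drifts from wall-clock days. The following Python is an added example, not code from the SANS handler post or from the worm analysis; it takes the Sept 28 wave named in the quote as the reference point, reproduces the Oct 8, Oct 18 and Oct 28 dates, and then extrapolates further into November, which the post does not do. It also finds the calendar days on which the pseudo-count does not advance at all.

```python
# Added example: reproduce the quoted Nimda "day count" (year*365 + month*30 + day_of_month)
# and predict when 10-count dormancy periods end. Not from the original post.
from datetime import date, timedelta


def nimda_day_count(d: date) -> int:
    """The worm's pseudo day count exactly as quoted in the handler's analysis."""
    return d.year * 365 + d.month * 30 + d.day


def predicted_waves(reference: date, through: date) -> list[date]:
    """Dates from `reference` to `through` (inclusive) whose pseudo count lies a whole
    number of 10-count dormancy periods after the reference wave.

    The count is non-decreasing over calendar time (it only ever stalls or jumps
    forward), so delta is never negative here.
    """
    base = nimda_day_count(reference)
    waves = []
    d = reference
    while d <= through:
        if (nimda_day_count(d) - base) % 10 == 0:
            waves.append(d)
        d += timedelta(days=1)
    return waves


def calendar_gaps(waves: list[date]) -> list[int]:
    """Real calendar days between consecutive predicted waves."""
    return [(later - earlier).days for earlier, later in zip(waves, waves[1:])]


def count_collisions(start: date, end: date) -> list[tuple[date, date]]:
    """Consecutive calendar days that share one pseudo count, i.e. days on which the
    worm's clock does not advance (the 31st of a month and the 1st of the next)."""
    pairs = []
    d = start
    while d < end:
        nxt = d + timedelta(days=1)
        if nimda_day_count(d) == nimda_day_count(nxt):
            pairs.append((d, nxt))
        d = nxt
    return pairs


def wave_schedule(reference_iso: str, through_iso: str) -> list[tuple[str, int]]:
    """(ISO date, calendar days since the previous wave) for each predicted wave."""
    waves = predicted_waves(date.fromisoformat(reference_iso), date.fromisoformat(through_iso))
    gaps = [0] + calendar_gaps(waves)
    return [(w.isoformat(), g) for w, g in zip(waves, gaps)]


def clock_stalls(start_iso: str, end_iso: str) -> list[str]:
    """Human-readable list of day pairs on which the pseudo count stands still."""
    pairs = count_collisions(date.fromisoformat(start_iso), date.fromisoformat(end_iso))
    return [f"{a.isoformat()}/{b.isoformat()}" for a, b in pairs]


if __name__ == "__main__":
    # Sept 28 2001 is the wave date named in the quoted analysis; later dates are extrapolated.
    for iso, gap in wave_schedule("2001-09-28", "2001-11-30"):
        print(f"{iso}  count={nimda_day_count(date.fromisoformat(iso))}  days since previous={gap}")
    print("worm clock stalls on:", clock_stalls("2001-09-01", "2001-12-31"))
```

Running it shows the Sept 28 / Oct 8 / Oct 18 / Oct 28 sequence from the post, then Nov 8 rather than Nov 7: the Oct 28 to Nov 8 gap is 11 calendar days because Oct 31 and Nov 1 share the same pseudo count. A defender who schedules staffing or monitoring around the worm’s own clock, rather than a plain 10-day calendar interval, gets the later dates right.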

Blocking Code Red Worm with Cisco IOS NBAR

IPonEverything.net Security Advisory:
Blocking Code Red Worm with Cisco IOS NBAR

Cisco: Using Network-Based Application Recognition and Access Control Lists for Blocking the “Code Red” Worm at Network Ingress Points

requires IOS 12.1(5)T on 7100, 7200 routers,

requires IOS 12.1(6)E on 7500 routers and FlexWAN interfaces

Gartner believes it’s time for businesses with Web applications to start investigating less vulnerable Web server products [than Microsoft IIS].

Gartner, quoted in News.Com: “With the emergence of the Nimda worm — the latest in a long series to attack Microsoft’s Internet Information Server (IIS) and other software — Gartner believes it’s time for businesses with Web applications to start investigating less vulnerable Web server products.”  [Scripting News]

Recommendations for system recovery after Nimda infection

A ‘Tarpit’ That Traps Worms

Technology News from Wired News: A ‘Tarpit’ That Traps Worms.

Network administrators now have a hacking tool that can help them strike back at malicious attackers.

“LaBrea” is a free, open-source tool that deters worms and other hack attacks by transforming unused network resources into decoy-computers that appear and act just like normal machines on a network. But when malicious hackers or mindless worms such as Nimda or Code Red attempt to connect with a LaBrea-equipped system, they get sucked into a virtual tarpit that grabs their computer’s connection — and doesn’t release it.

Worms trapped in the tarpit are unable to move along to infect other computers. Stuck hackers first waste their time flailing away at a non-existent machine; they are then forced to shut down their hacking program or computer to escape.

[ … ]

LaBrea does need a really big playground to operate effectively. Elias Levy, Chief Technical Officer at Security Focus, a security news site, calculated that on smaller networks the odds of LaBrea being able to efficiently capture and trap worms aren’t very good. The larger the network, the greater the chance of success.

“For a tool like (LaBrea) to even make a dent into the infection rate of a worm, you would need to monitor an address space of the same size as a (class B) network,” Levy said. “That’s 65,536 addresses.”

[Privacy Digest]