
A 'Tarpit' That Traps Worms

posted on September 20, 2001
by hitbsecnews

Network administrators now have a hacking tool that can help them strike back at malicious attackers.

"LaBrea" is a free, open-source tool that deters worms and other hack attacks by turning unused IP addresses into decoy computers that appear and act just like normal machines on a network. But when malicious hackers or mindless worms such as Nimda or Code Red attempt to connect with a LaBrea-equipped system, they get sucked into a virtual tarpit that grabs their computer's connection -- and doesn't release it. Worms trapped in the tarpit are unable to move along to infect other computers. Stuck hackers first waste their time flailing away at a non-existent machine; they are then forced to shut down their hacking program or computer to escape.
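To make "grabs the connection and doesn't release it" concrete, here is an added example that is not part of the original article and is not LaBrea's own code. LaBrea itself works at the packet level: it answers for unused addresses on the local network, completes the scanner's TCP handshake, and then holds the connection by never letting it progress. The script below approximates that in user space on a single host: it accepts every connection, never reads from it and never closes it, so the scanner's data backs up until its send() calls block. The loopback address, the ephemeral port, the 1 KB receive buffer and the constructed scanner payload are all assumptions made for this demonstration.

```python
import socket
import threading
import time

# Added example, not LaBrea's code: a user-space approximation of a tarpit.
# Accept every TCP connection, then never read from it and never close it.
# The peer's data fills our (deliberately tiny) receive buffer, the window
# it is offered shrinks to zero, its own send buffer fills, and every further
# send() it attempts blocks.  A scanner thread that sends synchronously is
# therefore stuck until it gives up.


class Tarpit:
    """Listen on host:port, hold every accepted connection, service none."""

    def __init__(self, host="127.0.0.1", port=0, rcvbuf=1024):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Small receive buffer (inherited by accepted sockets on Linux) so the
        # advertised TCP window closes after only a trickle of data.
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self.listener.bind((host, port))
        self.listener.listen(64)
        self._held = []            # accepted sockets we keep open and ignore
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        """Start accepting; returns the (host, port) the tarpit listens on."""
        self._thread.start()
        return self.listener.getsockname()

    def _accept_loop(self):
        while True:
            try:
                conn, _peer = self.listener.accept()
            except OSError:        # listener closed by stop()
                return
            with self._lock:
                self._held.append(conn)   # no recv(), no send(), no close()

    def held_count(self):
        with self._lock:
            return len(self._held)

    def wait_for_held(self, count, timeout=5.0):
        """Block until at least `count` connections are held, or time out."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if self.held_count() >= count:
                return True
            time.sleep(0.01)
        return self.held_count() >= count

    def stop(self):
        self.listener.close()
        with self._lock:
            for conn in self._held:
                conn.close()
            self._held.clear()


def probe_until_stuck(addr, chunk=b"GET / HTTP/1.0\r\n" * 4096,
                      limit=64 * 1024 * 1024):
    """Behave like a scanner: connect, then push data in non-blocking mode until
    the kernel refuses to queue more.  Returns (stuck, bytes_accepted, sock).
    `stuck` is True when send() raised BlockingIOError, i.e. a synchronous
    scanner would now be sitting inside send() with the connection still open.
    The HTTP-looking payload is constructed for the demonstration."""
    sock = socket.create_connection(addr, timeout=5)
    sock.setblocking(False)
    sent = 0
    stuck = False
    while sent < limit:
        try:
            sent += sock.send(chunk)
        except BlockingIOError:
            stuck = True
            break
    return stuck, sent, sock


def still_open(sock):
    """True if the peer has neither closed nor reset the connection: a
    non-blocking recv() finds no data and no EOF, which is exactly the
    tarpit's behaviour of never replying and never releasing."""
    try:
        sock.recv(1)
    except BlockingIOError:
        return True
    except OSError:
        return False
    return False   # b"" (EOF) or real data: the peer actually answered


if __name__ == "__main__":
    tarpit = Tarpit()
    address = tarpit.start()
    stuck, accepted, client = probe_until_stuck(address)
    print(f"stuck={stuck} after {accepted} bytes; connection still open={still_open(client)}")
    client.close()
    tarpit.stop()
```

Run it and the scanner side reports a few megabytes accepted and then a permanent stall, with the connection neither closed nor reset. A real worm thread written with blocking sockets would sit at that point indefinitely; the tarpit pays only for the kernel memory of the held socket and the occasional window probe it has to acknowledge.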

Programmers hope LaBrea will be a big culture-changer and think that a sexy little hacking program intended for use only by the good guys could launch a wave of other interesting and unique security tools.

"LaBrea is like a total about-face in the hacking community," said Rick Downes, a programmer at RadSoft. "Up until now, the black hats were the Mick Jaggers of the Net. But Tom Liston's attitude changes that, and he backs it up with solid code. I think the LaBrea tarpit is fantastic."

Liston programmed LaBrea in response to Code Red, the worm that has been scouring the Internet since July. On Tuesday, he began successfully using it to trap Nimda worms.

"When I finally decided to turn my attention from stopping worms and hackers to just slowing them down, that's when the idea for LaBrea came to me," Liston said. "Also, I think that there should be some tools available to network administrators that will allow them to even their odds against the black-hat hacker community."

Some of Liston's nasty little visitors have been stuck in his tarpit for over a week.

Most of the current visitors on Liston's sticky network are machines that were scanning the Internet trying to spread Code Red. Code Red-infested machines spawn scanning threads -- parallel streams of execution inside the worm process, each of which probes addresses looking for other vulnerable machines to infect. It is these individual threads, not whole machines, that a tarpit holds.

"I'm holding about 1,000 Nimda scanning threads and 300 Code Red scanning threads at the HackBusters site. I'm holding them hard and I'm not letting them go," Liston said.

"Honestly, I don't know what else to do with them. But I know they're better off stuck here playing with machines that don't really exist than out scanning for a machine run by someone without a clue."

Liston admits that his LaBrea network is probably only stopping a dozen or so computers from spreading Nimda and Code Red. He knows that's only a drop in the bucket; tens of thousands of machines are believed to be infected with these worms.

Liston has allocated only a tiny amount -- 100 bytes per second -- of his network bandwidth to LaBrea. But he firmly believes that if enough network administrators "get on the bandwagon," then LaBrea could make a serious dent in the spread of worms and other hack attacks.

Some security experts doubt that LaBrea will have a big impact on the Internet as a whole.

"No, I don't think the concept of LaBrea will make a big difference at the global level. Not strategically and probably not even tactically," said Rob Rosenberger of vMyths, a virus-information website.

Rosenberger points to the concept of the "Realtime Blackhole List" (RBL) as an example. RBL was intended to exile servers that sent a lot of spam from the rest of the Internet.

"RBL works in theory but it fails in practice -- because society doesn't care enough about spam to want to tackle the problem," Rosenberger said. "The same thing goes for LaBrea. Code Red compromised hundreds of thousands of machines because society doesn't care enough about computer security."

"No offense to RBL or LaBrea," Rosenberger added. "Society is the real problem here."

LaBrea does need a really big playground to operate effectively. Elias Levy, Chief Technical Officer at SecurityFocus, a security news site, calculated that on smaller networks the odds of LaBrea efficiently capturing and trapping worms aren't very good: a worm that picks targets at random will rarely hit a handful of decoy addresses. The larger the tarpit's address space, the greater the chance of success.

"For a tool like (LaBrea) to even make a dent into the infection rate of a worm, you would need to monitor an address space of the same size as a (class B) network," Levy said. "That's 65,536 addresses."

But Levy also pointed out that a LaBrea tarpit can be composed of bits of smaller networks, even single IP addresses. "So, if you can convince enough people to combine their address space to run LaBrea, then yes, it could have a beneficial impact," Levy said.
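The arithmetic behind Levy's class B figure, as an added example that is not part of the original article: if a worm picks its targets uniformly at random from the 32-bit IPv4 space, each probe lands in a tarpit of N addresses with probability N / 2^32, so a scanning thread sends 2^32 / N probes on average before it is caught, and after n probes a fraction 1 - (1 - N / 2^32)^n of the threads are stuck. Uniform random scanning is the assumption here; Nimda in particular biases its scanning toward nearby addresses, which the model does not capture. The one-probe-per-second-per-thread rate and the probe budgets below are also assumptions chosen to make the numbers readable.

```python
import random

# Added example, not from the article: expected cost of catching a uniformly
# random scanning thread in a tarpit of a given size.

IPV4_ADDRESSES = 2 ** 32


def capture_probability(tarpit_addresses, address_space=IPV4_ADDRESSES):
    """Chance that a single uniformly random probe lands on a tarpit address."""
    return tarpit_addresses / address_space


def expected_probes_until_capture(tarpit_addresses, address_space=IPV4_ADDRESSES):
    """Probes a thread sends on average before its first hit on the tarpit
    (geometric distribution, mean 1/p)."""
    return 1.0 / capture_probability(tarpit_addresses, address_space)


def expected_seconds_until_capture(tarpit_addresses, probes_per_second,
                                   address_space=IPV4_ADDRESSES):
    """Same quantity in wall-clock time for a thread probing at a fixed rate
    (the rate is an assumption supplied by the caller)."""
    return expected_probes_until_capture(tarpit_addresses, address_space) / probes_per_second


def fraction_captured_after(tarpit_addresses, probes_per_thread,
                            address_space=IPV4_ADDRESSES):
    """Fraction of independent scanning threads expected to be stuck once each
    has sent the given number of probes: 1 - (1 - p) ** n."""
    p = capture_probability(tarpit_addresses, address_space)
    return 1.0 - (1.0 - p) ** probes_per_thread


def simulate_fraction_captured(tarpit_addresses, threads, probes_per_thread,
                               address_space=IPV4_ADDRESSES, seed=2001):
    """Monte Carlo check of fraction_captured_after: every thread draws random
    addresses until one falls inside the tarpit (modelled as the addresses
    0 .. tarpit_addresses-1; only the count matters for a uniform scanner)
    or until it exhausts its probe budget."""
    rng = random.Random(seed)
    captured = 0
    for _ in range(threads):
        for _ in range(probes_per_thread):
            if rng.randrange(address_space) < tarpit_addresses:
                captured += 1
                break
    return captured / threads


def compare_tarpit_sizes(probes_per_second=1.0, probes_per_thread=65536):
    """Rows of (prefix, tarpit size, expected hours to trap one thread,
    fraction of threads trapped after probes_per_thread probes) for tarpits
    the size of a /8, a /16 (Levy's class B), a /24 and a single address."""
    rows = []
    for prefix in (8, 16, 24, 32):
        size = 2 ** (32 - prefix)
        hours = expected_seconds_until_capture(size, probes_per_second) / 3600.0
        rows.append((f"/{prefix}", size, hours,
                     fraction_captured_after(size, probes_per_thread)))
    return rows


if __name__ == "__main__":
    for label, size, hours, frac in compare_tarpit_sizes():
        print(f"{label:>4} ({size:>10} addresses): {hours:12.1f} h per thread, "
              f"{frac:7.2%} of threads stuck after 65536 probes")
```

At one probe per second per thread, a /16 tarpit needs about 18 hours on average to snag a given thread and has caught roughly 63% of them after 65,536 probes; a /24 needs thousands of hours and catches well under 1% in the same budget, and a single address is essentially invisible to a random scanner. That is the quantitative form of Levy's point, and it also shows why his suggestion of pooling many small blocks into one logical tarpit matters: only the total address count N enters the formula, not whether it is contiguous.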

Others said LaBrea's real benefit is that it gives irritated network administrators a valid and ethical way to fight low-level hack attacks.

Many network administrators are frustrated by Code Red. They knew what computers were attacking their networks but were often unable to contact, or to convince, the owners of those machines to apply the patch that would close the security hole Code Red exploited.

During the height of Code Red's spread, some network administrators even considered engaging in "hack-back" activities to stop the worm, such as writing a new worm that would enter and automatically patch compromised machines.

But that's exactly the same action that landed Max Vision, a self-described "white hat" hacker, in jail last May. Vision is now serving time on charges that he wrote and released a worm in 1998, which was programmed to close a security hole that was being exploited by another worm.

RadSoft's Downes said that while LaBrea's effectiveness as a tool to clean up the Net has yet to be proved, it's certainly an effective culture changer.

"I am hoping more people will come up with more clever ideas for further deterrents," Downes said. "LaBrea is fun."

Source: Wired

Tags: Networking
