Linked by David Adams on Mon 1st Sep 2003 00:14 UTC, submitted by ajam
Bugs & Viruses IBM researchers in Zurich, Switzerland, have developed novel worm-squashing software the company says it wants to turn into a product to help guard against computer-network attacks such as those that slowed Internet traffic earlier this month . . . The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others
Order by: Score:
by blitzoid on Mon 1st Sep 2003 00:54 UTC

Good for IBM... they're always coming out with really useful products. Just the other day I checked out their voice synthesiser, and the realism blew me away. great job.

by Nick on Mon 1st Sep 2003 01:59 UTC

if we can't count on MS to fix their own prblems I guess some will have to.
I know MS has had the patch out for a month now, but after having quite a few people come into our IT office and say that their computer STOPPED working after they patched I begin to wonder how effective it is.
WTG ibm.

We already do this, sort of...
by Ryan Moffett on Mon 1st Sep 2003 02:07 UTC

Where I work, we setup a "black hole" router that injects specific IP networks into our OSPF routing domain. These routes are the latest published Bogon routes, see: Part of the advertisements also advertise larger, less-specific RFC1918 address space. So, if a system attemps random scanning of unassigned public, or, private address space, it gets directed to this router. For example, if you try to scan and it really doesn't exist, this router is advertising, the next best thing. So packets for would go to this router. This works for our entire global network because all of our sites participate in the same OSPF routing domain. On the last leg to the sinkhole router, we have a Snort IDS system inspecting all traffic. Also, we log all traffic that the router receives. It turns out that this is a great early warning system for worms as well because most all traffic that this router receieves is automatically suspect.

A worm could simply avoid detection by this software
by Anonymous on Mon 1st Sep 2003 02:40 UTC

And very easily, as most admins will only use the bogon list instead of creating a few of their own, so ...

The software required to effectively stop virii and worms on windows would take 99% of resources. ha!

NOT the solution
by Yama on Mon 1st Sep 2003 03:19 UTC

Add-on software is not a substitute to a secure operating system. Of course Microsoft would have you believe otherwise...

RE: We already do this, sort of...
by pros on Mon 1st Sep 2003 03:19 UTC

Nice post ryan, good to see something informative here for a changes. One thing I'm confused about though.

This certainly helps to identify problems but in the case of a worm by the time you find out something is wrong, the network is already corrupted. All the IDS is going to do is tell you where it came from and what is doing right?

by trashcan on Mon 1st Sep 2003 05:05 UTC

Virii is not a word.

Re: wormkiller
by Shawna on Mon 1st Sep 2003 05:14 UTC

It would be an even better solution if it looked at the X-Mailer line of emails and if it said "Microsoft Outlook" or "Microsoft Outlook Express", instant blacklist.

It's sad that people take these kinds of worm infections to be a basic normal part of everyday internet life, when in reality the real culprit is Microsoft's unwavering belief that absolutely every piece of software they produce has to be able to execute scripts. These worms never affect Eudora, Mozilla Mail, Apple Mail, Kmail, or Evolution...can't the public put two and two together YET?

by Lemma on Mon 1st Sep 2003 05:50 UTC

Virii is plural for virus, it's latin and thus a word.

RE: Ryan Moffett (IP:
by BR on Mon 1st Sep 2003 06:41 UTC

I'm curious. Are home-grown routers the only ones that impliment such?

egress anyone?
by Nice on Mon 1st Sep 2003 06:42 UTC

what would definitely help the health of the internet would be egress filtering of src ip addresses at isp level. Why an isp lets traffic out with a spoofed netblock is beyond me!

re: virii
by Anonymous on Mon 1st Sep 2003 06:42 UTC

viri is latin

Nice to see
by CooCooCaChoo on Mon 1st Sep 2003 06:43 UTC

IBM is continuing to develop useful solutions vs. the crap that is coming out of Microsofts "Research Facility". I am all into research, but if a company is going to fund a project, I would (as a CEO) would like to actually see a practical application for it. If money is simply being poured down the drain because of some "coolness" factor then I really question some businesses priorities.

If these people WANT to expand into non-core related areas then by all means, become a university fellow and let the tax payer cough up the money.

by ret on Mon 1st Sep 2003 06:54 UTC


Despite frequent claims to the contrary, the only correct English plural of the word used in any of these senses is viruses, not virii. The "ii" is used to denote plurality in Latin words ending in "ius", not "us".

new or not?
by Anonymous on Mon 1st Sep 2003 09:12 UTC

<quote> . The system uses a unique approach to detecting malicious software by looking at traffic flowing to Internet addresses that aren't assigned to specific computers, trying to isolate computers on a network that attempt to infect others </quote>

Isn't that a just a version of a honeypot?

This system
by Jay Developer on Mon 1st Sep 2003 09:42 UTC

This is not going to be easy, it will require a lot of datamining to be correctly implemented.

Re : virii
by Tidlibi on Mon 1st Sep 2003 10:42 UTC

LEMMA you were so wrong!!!! HAHAHHAHA
How can you keep on living after such a STUPID mistake???!!!

...continued..blackhole routers.
by Ryan Moffett on Mon 1st Sep 2003 16:34 UTC

Yes, the bogon router/black hole router only gets hit when people misconfigure something, such as systems management tools walking large non-existant networks, nmap'ing of larger than needed (often erraneous) blocks of networks or when there is a genuine worm outbreak. Full IDS coverage is hard to achieve, especially with a few dozen sites around the world. This gives you a chance to see internal traffic related to the worm, close to the outbreak of the worm even for sites for which there is not full IDS coverage. For recent worms, it was effective because their internal propogation mechanisms weren't very fast and their scanning technique quickly led them out of their local subnet to go looking at random networks in their same prefix. SQL Slammer took seconds to get most networks into a state of chaos and this would do almost nothing for you for something like SQL Slammer which was based on UDP and the entire exploit and propogation code was contained in a single UDP packet.

Someone asked if "homebrew" routers are the only routers capable of this...Certainly not. All we did was set up a bunch of static routes to these bogus networks and redistribute (inject) them into OSPF. This could have been any vendor's router. We basically made the router lie about what it had reachability to.

If anything, this also provides you with a nice sanity check for existing IDS systems when it comes to scanning and worm-like activity because you don't have to contend very much with false positives. Anything received by the router/IDS pair is suspicious and can get more attention. The drawbacks to such a solution are understanding the limitations and what it can buy you in terms of IDS and making sure you keep the bogon route list up to date. If ARIN, APNIC or RIPE suddenly dish out new blocks that haven't been used up until now (it happens a few times a year) you could be misrouting that traffic.

by TheeOldeCrudge on Tue 2nd Sep 2003 02:57 UTC

Can SNORT be used to flag worm or virus traffic?

And why does none of the antivirus software flag spyware???