Until now, Internet worms have put enterprise IT managers on defense: Patch systems, improve filtering and firewall rules, use monitoring tools, and pray for the best. A new tool called LaBrea, however, can help IT stop worms in their tracks.
LaBrea is a free, open-source application that stops worms such as Nimda from spreading. When installed on a network, it looks for unused IP addresses, then creates virtual machines that pretend to be systems on those IP addresses. When a worm hits one of the virtual systems, LaBrea responds and keeps the worm connected indefinitely.
This traps the worm in, essentially, a tar pit, preventing it from continuing to scan and infect other systems. With enough networks running LaBrea, worms and other automated hacking scanners will find it more difficult to proliferate. Companies running LaBrea not only protect their own systems from worms but are also working to protect the entire Internet.
LaBrea is the brainchild of developer Tom Liston and is the result of work he started after the first appearance of the Code Red worm. After Code Red hit, Liston created a program called CodeRedneck that was similar to LaBrea but didn't use virtual systems.
With the help of other developers, Liston improved on his original design. eWEEK Labs tests show that the resulting LaBrea delivers on Liston's initial goal of doing something to stop the proliferation of worms over the Internet.
We recommend that network administrators seriously consider implementing LaBrea, to finally relegate worms to the status their name implies. The program can be found at www.hackbusters.net/LaBrea/.
In tests, LaBrea was easy to use and implement. The application runs on Linux and has been ported to systems such as NetBSD, FreeBSD and Mac OS X. We ran LaBrea on Trinux, a RAM-based version of Linux used mainly for security tools.
After we installed and launched LaBrea, we waited to check the log files it generated. And therein was proof of the necessity for a tool like this: In 35 minutes, LaBrea captured 32 potential worm attacks, nearly one per minute.
There are a number of options that can be defined when running LaBrea that control how it handles worms and how it affects the network. For example, you can choose to throttle the amount of data a worm can send or control how much bandwidth LaBrea will use while capturing a worm. You can also instruct the LaBrea program to ignore certain IP addresses.
We ran LaBrea with all defaults, and the tool had no negative impact on network performance. It automatically found our unused IP addresses and was even able to move out of the way when a legitimate system came up and requested an IP address.
Still, the Readme file for the program makes it clear that LaBrea could cause problems for some network setups. For example, it might not surrender an IP it is using, and some routers can be confused by requests for IP addresses already in use.
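The two behaviours the review describes, claiming unused addresses and moving out of the way when a real host appears, can be modelled as a small state machine over ARP traffic. The following is an added illustration written for this article, not LaBrea's own code: it assumes an address is "unused" when ARP requests for it go unanswered for a timeout, and it releases a claimed address as soon as a genuine ARP reply for it is seen; the events are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class ArpEvent:
    t: float   # seconds since capture start
    op: str    # "request" (who-has ip) or "reply" (ip is-at some real host)
    ip: str    # the address the event concerns

class UnusedAddressTracker:
    """Approximation of a tarpit's address-claiming logic (assumed, not LaBrea's)."""

    def __init__(self, timeout: float = 3.0):
        self.timeout = timeout   # seconds of unanswered requests before claiming
        self.pending = {}        # ip -> time of first unanswered request
        self.claimed = set()     # addresses the tarpit currently answers for

    def feed(self, ev: ArpEvent):
        """Process one ARP event; return the tarpit's action, or None."""
        if ev.op == "reply":
            # A real host answered: the address is in use. If we had claimed
            # it, surrender it immediately so the legitimate system wins.
            self.pending.pop(ev.ip, None)
            if ev.ip in self.claimed:
                self.claimed.discard(ev.ip)
                return f"release {ev.ip}"
            return None
        if ev.ip in self.claimed:
            # We own this address: answer the ARP request ourselves so the
            # requester (often a scanner) connects to the tarpit.
            return f"answer {ev.ip}"
        first = self.pending.setdefault(ev.ip, ev.t)
        if ev.t - first >= self.timeout:
            # Requests have gone unanswered long enough: treat as unused.
            self.pending.pop(ev.ip)
            self.claimed.add(ev.ip)
            return f"claim {ev.ip}"
        return None

def simulate(events, timeout: float = 3.0):
    """Replay events in time order and return the list of actions taken."""
    tracker = UnusedAddressTracker(timeout)
    actions = [tracker.feed(e) for e in sorted(events, key=lambda e: e.t)]
    return [a for a in actions if a]

# Constructed sample: 10.0.0.7 is live, 10.0.0.5 is unused until t=10.
SAMPLE_EVENTS = [
    ArpEvent(0.0, "request", "10.0.0.5"),
    ArpEvent(1.0, "request", "10.0.0.7"),
    ArpEvent(1.2, "reply", "10.0.0.7"),
    ArpEvent(3.5, "request", "10.0.0.5"),   # unanswered past timeout -> claim
    ArpEvent(4.0, "request", "10.0.0.5"),   # tarpit now answers for it
    ArpEvent(10.0, "reply", "10.0.0.5"),    # real host boots -> release
    ArpEvent(11.0, "request", "10.0.0.5"),  # back to watching, no action yet
]
```

Shortening the timeout makes the tarpit more aggressive but, as the Readme caveat above warns, raises the chance of contending with a slow-to-answer legitimate host.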