Newswise — One morning last January, the Sapphire worm began dispatching copies of itself to the Internet with devastating effect. In just 10 minutes, Sapphire had spread to at least 70,000 computers, or 90 percent of all the vulnerable machines in the world.

The worm's paltry few hundred bytes carried no malicious payload and so deleted no data or software. But the sheer torrent of data coursing over the Internet, as computer after computer became infected and sent copies of the worm, consumed nearly all available capacity, crashing networks, bank ATMs, and flight scheduling systems. A few days later, after the dust had settled, one computer security firm estimated that Sapphire had caused about US $1 billion in damages, related mostly to lost productivity.

At IBM Zurich Research Laboratory, researchers are working on a remedy for worms that differs from other approaches. It targets worms specifically rather than trying to prevent all breaches of computer security.

Called Billy Goat, the system monitors a specific type of activity common to worms--the automated random searching through Internet addresses by which worms find new computers to target. Billy Goat works on a dedicated network computer to which the IBM researchers have assigned a large number of unused and unadvertised--and hence unknown--addresses. When the worm tries to infect Billy Goat, the system realizes something is amiss. The worm's identity and address are recorded and immediately reported to the network administrator.
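The detection idea described above, sketched as an added example; this is not IBM's Billy Goat code. It scans connection records for sources that contact addresses inside unused, unadvertised ranges and reports each source with the services it probed. The address ranges, log format, sample records and the `min_dark_hits` tuning parameter are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: ranges routed to the sensor but never assigned or advertised.
DARK_NETS = [ipaddress.ip_network("10.20.200.0/24"),
             ipaddress.ip_network("10.31.0.0/22")]

# Constructed records, one per line: "timestamp src dst proto/port"
SAMPLE_LOG = """\
2024-01-01T05:30:01Z 10.1.4.17 10.20.200.5 udp/1434
2024-01-01T05:30:01Z 10.1.4.17 10.31.2.9 udp/1434
2024-01-01T05:30:02Z 10.1.4.17 10.1.1.10 tcp/443
2024-01-01T05:30:02Z 10.1.4.17 10.20.200.77 udp/1434
2024-01-01T05:30:02Z 10.1.4.17 10.20.200.5 udp/1434
2024-01-01T05:30:03Z 10.1.4.17 10.31.0.14 udp/1434
2024-01-01T05:30:04Z 10.1.9.3 10.20.201.1 tcp/443
2024-01-01T05:30:05Z 10.1.7.80 10.20.200.5 tcp/445
2024-01-01T05:30:06Z 10.1.2.3 not-an-ip udp/53
truncated line
"""

def is_dark(addr):
    """True if addr falls inside one of the unused ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in DARK_NETS)

def find_scanners(log_text, min_dark_hits=1):
    """Return [(src, distinct_dark_targets, services)] sorted by most targets.

    No legitimate host has a reason to reach a dark address, so a single
    contact is reportable; min_dark_hits only filters one-off mistakes.
    """
    targets, services = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, src, dst, service = parts
        try:
            if not is_dark(dst):
                continue
        except ValueError:
            continue  # unparseable destination address
        targets[src].add(dst)
        services[src].add(service)
    hits = [(src, len(dsts), sorted(services[src]))
            for src, dsts in targets.items() if len(dsts) >= min_dark_hits]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, count, svcs in find_scanners(SAMPLE_LOG):
        print(f"{src} touched {count} unused addresses via {', '.join(svcs)}")
```

Counting distinct dark destinations rather than raw packets separates a host sweeping the address space from one retrying a single stale address.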

Billy Goat is currently used in several large corporate intranets, and has been extremely effective at detecting worm-infected machines in a network. Development is continuing along two avenues. One seeks to create an active intrusion response system that automatically isolates infected machines, preventing further worm propagation. The second is to use Billy Goat as the basis for an early-warning system that allows rapid detection of new and emerging threats.
