Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Worms Security

Day in the Life of the Internet Storm Center 123

An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux. A practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybodies favorite packet analyzer Ethereal."
This discussion has been archived. No new comments can be posted.

Day in the Life of the Internet Storm Center

Comments Filter:
  • My Favourite Pony (Score:4, Informative)

    by B3ryllium ( 571199 ) on Tuesday September 07, 2004 @09:33AM (#10176272) Homepage
    An invaluable tool for PCs that are "public access" or even boot-partitions of computers at work:

    DeepFreeze [faronics.com]

    Just one reboot, and any malware infection is obliterated. (There are alternatives, too, but I like DeepFreeze the best)
    • Re:My Favourite Pony (Score:5, Interesting)

      by stratjakt ( 596332 ) on Tuesday September 07, 2004 @09:43AM (#10176347) Journal
      Nothing on that link tells you how the product works.

      The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?

      If so, I'd shy away from phrases like "Completely invulnerable to hacking".

      XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.
      • Re:My Favourite Pony (Score:5, Informative)

        by ciroknight ( 601098 ) on Tuesday September 07, 2004 @09:55AM (#10176410)
        We happened opon this product at the school where I used to work, and as far as I can tell from using it and poking around at the program, it keeps a log of all harddrive transactions, then when rebooted, it plays back the log backwards, restoring to the state in which the system was before; no Ghost partitioning required, but none-the-less not invunerable to attack. We had kids bring in Knoppix CDs and obliterate hard drives for no other reason than they could.

        My suggestion is to use Deep Freeze with Ghost (It's a complex setup, but if you "un-freeze" the system for one reboot, then Ghost, all you have to do is cast the image, change the computer's name (we had a pretty complex naming scheme), then reboot the machine and it's ready to go.) It's a formittable combination, and far better than products like "Foolproof Security". Hope this helps.
        • Re:My Favourite Pony (Score:5, Interesting)

          by stratjakt ( 596332 ) on Tuesday September 07, 2004 @10:04AM (#10176461) Journal
          See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but everytime something comes up, I have to handle it because his computer is broken.

          "I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isnt working" "I can't VPN in because my computer crashes when I fire up the Cisco client".

          He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one, everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really dont have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc..

          I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.

          It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cats ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

          Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.
          • And it'll work fine for that, as long as the asshat isn't insane enough to actually hack deepfreeze. But this is exactly what this product was made for, and it works wonders for keeping machines alive after a virus storm or freak driver accident.

            Hope it works out!
          • u know what, i think hes doing this on purpose..

            you also need to show him how to do it, and then here are no excuses.. However he WILL blame ghost for now fucking up his machine.

            I would make him sign off something that states he is happy with it before he breaks the keyboard and cannot press 'enter' to resetup the drive.. i f**king hate people like that.


          • So document what's going on with your cow-orker, then go to your PHB or PHB->PHB and get his sorry ass fired. If your direct PHB won't do anything, maybe he'll get fired too.
          • Re:My Favourite Pony (Score:3, Interesting)

            by Anonymous Coward
            Just to add to what the others have said, my father also runs a school computer lab, and I fix things for him when I come home to visit every couple months. He is a drafting teacher close to retirement and knows CAD software inside and out but less so when it comes to administrating the network etc, although he is still picking things up. Oh and the school district's computer people are incompetent.

            We use DeepFreeze in the lab and it works very well. I have yet to find or hear about any way for the student
            • I would call Deepfreeze a script kiddie deterent. I was given the task to break a machine with deepfreeze on it, just because our network administrators were really, well, not up to par.

              I took the task head on and found that Deepfreeze works (to my knowledge, I'm not exactly sure about the internals) on keeping a transaction record, and then playing it back. It also is almost continually checking checksums of access files so that it knows which ones to fix later. Destroy either the ability to keep the c
        • by Feng ( 63571 )
          Set the boot priority to boot the hard drive first and password protect the BIOS. That'll make it harder for them to mess things up!
          • 30sec with a screw driver and that password is history. You'll need a real lock (not the BS manufacturers tend to put on there) to keep that screw driver at bay. Heh, then it'll take a few minutes with a paperclip and a screw driver *grin*
          • if i can get into the system running windows i can get into the bios and change the password.

            Granted the average script kiddie would have dificulty in doing so but it is verry possible. Using a bios password to lock changes in boot order and such are really good for keeping people that shouldn't be on the computer in the first place off. If they have access to it in a working enviroment reguardless of user priviledges, it is hackable.

            Maybe,in cases with school children or the existance of co-workers that
          • Not practical. We store ghost images on bootable cds, so the only way to restore the system was to boot from cd. We tried PXE, but our network just didn't like that idea. We tried floppies, but nearly 90% of the machines either had bad floppy drives, wouldn't boot to floppy for some unknown reason, or were completely missing floppies. It's a wonder the kids could bring ANYTHING from home in, if they didn't have cd burners at home that is.
      • Try it, they have a free demo. Try and see if you can break it (let me know if you can :)).

        Assume that a competent system administrator has already disabled floppy/cd-rom booting and password-protected the bios. For the annoying people in a public place ("Ooh! Bonzai Buddy!"), that would be sufficient to prevent almost all malware.
        • It's easy enough to break, but for high school students it might be a little tough. All that needs to be done is corrupting the transaction log that it keeps, which can be done by either tampering with the checksum that it keeps of it, the checksum that it keeps of the old files, or tampering with the actual transactions, all of which would take a lot of work (and most likely wouldn't be worth the trouble, as it would require writing a program for the specific task of finding the memory space of the driver

        • Try it, they have a free demo. Try and see if you can break it (let me know if you can :)).

          That offer good for the OS X version of their product, too? If so, you're on.

          I'll also stipulate to disabling external booting via Firmware lock, disabling single user mode, and not having the root user enabled. I'll pretend that I can't defeat that by not changing the RAM--which is plausible on a workstation with a padlock (but not on a portable.)
      • Re:My Favourite Pony (Score:5, Interesting)

        by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Tuesday September 07, 2004 @10:21AM (#10176596) Homepage Journal
        It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.

        So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.

        Closed source is what it is.
      • Re:My Favourite Pony (Score:3, Interesting)

        by RichardX ( 457979 )
        This is just a guess, but from the (very limited) description on the site - particularly the bit about only needing 2 Mb of drive space - I suspect than rather than keeping a rollback log, instead it redirects all writes elsewhere and somehow fools the system into combining them

        I don't really know if that makes sense, but basically what I'm saying is I think instead of allowing changes to the stuff that's already on the drive, instead it makes the system write the changes to a "scratch space", as it were,
        • I suspect that the 2MB requirement is for installation only. Whether it keeps a transaction log or saves the changes temporarily to a different location, that information still needs to be saved somewhere.

          Otherwise you'd end up with a read-only hard drive. From personal experience, I can tell you that the hard drive is writable while you're using the system. The first time I saw it, I just thought that the computer was being reimaged upon boot.

    • by scovetta ( 632629 ) on Tuesday September 07, 2004 @10:09AM (#10176503) Homepage
      Confucius say:
      "Never trust a product that includes the phrase:
      Completely invulnerable to hacking..."
    • At the cybercafe i work we use GoBack (http://www.goback.com/ [goback.com]) for instant hard drive restoration. It works fairly well and never gave us an issue; i didn't set up PCs, but i recall the guy who did had some problems with DeepFreeze.

      I hate that this kind of software has to exist, but if DF doesn't do it for you, GoBack works just right.
    • is at this URL. [cf13.com]

      Why use products like DeepFreeze after the malware has run and (irreperable?) damage is done when you can stop the malware from running in the first place.

      Since malware by email is extremely popular, my approach simply treats all file attachments as 'text files'. 'Running' a text file on an uncompromised machine will cause the file to be loaded into another (trusted?) program.

      These 'text files' can be safely handled, scanned for malware by trusted antivirus software, then deleted if inf
    • Re:My Favourite Pony (Score:2, Interesting)

      by JThundley ( 631154 )
      That's what I always thought.
      Just last week at my college I thought I'd throw a knoppix disc and not use their 2 year old installation of Windows 98. Knoppix was slow as fuck with the little amount of RAM it had, so I thought I'd install it to the hard drive so it would run faster, DeepFreeze is on this machine, when I reboot win98 will be right back where it was, right? Wrong. I hope nobody finds out that I did that or I'll get banned from using the college network... again. DeepFreeze wasn't deep enough.
  • Correct link (Score:5, Informative)

    by Tyrdium ( 670229 ) on Tuesday September 07, 2004 @09:33AM (#10176277) Homepage
    Ethereal's website is ethereal.com [ethereal.com], not ethereal.org [ethereal.org].
  • Malware (Score:5, Funny)

    by Ford Prefect ( 8777 ) on Tuesday September 07, 2004 @09:34AM (#10176283) Homepage
    A practice very common in malware analysis to isolate yourself from various ill effects of the malware

    Best description of Windows I've heard in ages... ;-)
    • Re:Malware (Score:5, Interesting)

      by The Jonas ( 623192 ) on Tuesday September 07, 2004 @10:02AM (#10176449)

      However, if anyone out there is running a honeypot as a hobby or are new to setting them up, some good advice on a more secure [keyfocus.net] Windows configuration can be found here [keyfocus.net]. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.
  • by mkavanagh2 ( 776662 ) on Tuesday September 07, 2004 @09:36AM (#10176292)
    Is running them in WINE. Especially since it's not a virtual machine, and the virus might detect WINE then trash your lunix ;)
  • virus (Score:5, Interesting)

    by spotplace ( 811269 ) on Tuesday September 07, 2004 @09:37AM (#10176298) Homepage
    Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school districts entire network of w2k machines didnt harm the windows 98 machines at all!
    • Re:virus (Score:5, Interesting)

      by ciroknight ( 601098 ) on Tuesday September 07, 2004 @10:01AM (#10176431)
      Funny, we had the opposite take affect at our school district. We migrated all of the machines we could to Win2k (some were just not powerful enough, sadly), and then got hit by a virus that thrashed the remaining Win98 systems, but left the Win2k machines completely alone. Needless to say, it was an older virus that someone brought in on floppy, but the effect nonetheless was devistating for quite a while. It also seems that the Win9x virus protection programs weren't as effective at scanning the floppy's on mount, verses the Win2k scanners that worked flawlessly for us (Norton for both, 2k3 on the Win2k machines, 2k1? on the Win98 machines).
    • Re: virus (Score:5, Interesting)

      by Alwin Henseler ( 640539 ) on Tuesday September 07, 2004 @10:48AM (#10176767)
      Yes, still running Win98 here, and I have the same experience. Visited Windows Update after install, then stripped out IE (98lite), full backup, use Mozilla, regularly updated virusscanner, and rarely run binaries fresh of the 'net. Result: last worm infection was long ago (on a LAN party), lockups are rare, no weird problems of any kind.

      I guess a major factor is that many exploits are created by reverse engineering patches. As Microsoft has ended active support for Win9x systems, that also means no new patches for hackers to reverse engineer. Then there was this source code leak, wasn't it Win2k source code? So different code from what's in Win9x. And as Win9x systems are replaced with Win2k/XP, their smaller market share makes Win9x a less interesting target.

  • by p0 ( 740290 ) on Tuesday September 07, 2004 @09:39AM (#10176314)

    From TFA :
    He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren't expected to be awake for their entire 24-hour shift.

    Who the hell is this Ulrich guy? R2D2?
    • "Who the hell is this Ulrich guy? R2D2"

      Funny you should ask...

      Here's a pic of Ullrich [homepc.org] and here's one of R2D2 [boomersint.org]. Although the picture of R2D2 is a bit old (taken june 12:th, Long Time Ago), it's still obvious that the two are identical or that I am full of shit.

  • by AndroidCat ( 229562 ) on Tuesday September 07, 2004 @09:40AM (#10176321) Homepage
    Does anyone really remember the difference between MyDoom-O and MyDoom-N? Perhaps they should start using first names like real storm centers do for tropical storms/hurricanes. They could issue warnings about incoming class 5 virus MyBad-Kevin.
    • Nope, because you would have to name the viruses with female names. We the /.'ers have enough problems to get a girl, I don't wanna know what could happen if they think that we geeks are male chauvinists...
  • by AcquaCow ( 56720 ) * <acquacow@@@hotmail...com> on Tuesday September 07, 2004 @09:41AM (#10176333) Homepage
    SANS Internet Storm Center [sans.org]
    Provides current Internet port graph history and advisories

    CERT's Vulnerabilities page [cert.org]
    Provides current Internet virus history and news.

    Keynote Internet Health Report [internetpulse.com]
    Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.

    I advise everyone to check these out, as they provide a great wealth of information in a nice organized format.
  • by Saint Aardvark ( 159009 ) * on Tuesday September 07, 2004 @09:43AM (#10176350) Homepage Journal
    One of the first things I check out every day is the Storm Center's [sans.org] diary. Between that, and Microsoft's [microsoft.com] security page, and SecurityFocus [securityfocus.com], and Infosecdaily.net [infosecdaily.net], I've got more than enough paranoia (I hope...) to make it through BugTraq [securityfocus.com] and Full Disclosure [netsys.com].

    What about the rest of you? What links do you check out, and what am I missing?

  • by craznar ( 710808 ) on Tuesday September 07, 2004 @09:46AM (#10176368) Homepage
    If slashdot lives up to its reputation, I can imagine that today will not quite follow the usual pattern for the ISC.
  • Small code ... ? (Score:5, Interesting)

    by thrill12 ( 711899 ) * on Tuesday September 07, 2004 @09:58AM (#10176423) Journal
    From the article:
    "It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."

    Why not: s/should/could
    And for the conspiracy-minded: s/working for/commanded by
    Really twisted addon to the latter: s/code vendors/anti-virus vendors

    Another episode in "preaching to the converted".
  • by little_fluffy_clouds ( 441841 ) on Tuesday September 07, 2004 @10:11AM (#10176517)

    From the article...

    Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.

    That's a neat trick.

    I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".

    Ah, journalism.
  • Microsoft's "Virtual PC" for Windows. It gives you a complete virtualized PC that you can run on top of Windows. We use it a lot to test installs, to give ourselves a "clean machine" to make sure there are no dependencies that we didn't think of, and to test unknown software.
    • To bad that:

      "Virtual PC 2004 does not support universal serial bus (USB) connections. "

      (From the online help for Virtual PC 2004)
    • Microsoft's "Virtual PC" for Windows. It gives you a complete virtualized PC

      Well, not complete. Virtual PC is great if you need to run multiple versions/copies of Windows for testing purposes. However, VirtualPC isn't a complete VM -- if total isolation is required, Virtual PC isn't a good choice. However, if you don't need the total isolation of something like VMware, Virtual PC will probably work (and it performs better than VMware because it's not a complete VM).

      I use VMware for isolation testing (
      • by Anonymous Coward
        I am sorry, but you have been misinformed. Virtual PC is every bit as much a full virtualization as VMware. VMware and some Linux types seem to try to perpetuate the this incorrect meme.

        As for performance, although Virtual PC may have marginally better performance on Windows OSes than VMware, under Linux OSes, the reverse is often true. The products are truely very similar on the desktop. VPC has slightly better general compatibility, and VMware has an edge in USB and network configurability, either of
  • Forecast (Score:5, Funny)

    by dr_dank ( 472072 ) on Tuesday September 07, 2004 @10:50AM (#10176791) Homepage Journal
    from the Internet Storm center. Tonight, expect a high pressure system of script kiddies from the northeast to make the morning telecommute messy. Tomorrow, scattered DDOS showers, high of 10000 bots. Now, here's Glenn with sports.
  • Hahahhaha (Score:2, Interesting)

    by brennz ( 715237 )
    The first word that caught my attention was the word "handler".

    To paraphrase Dave Aitel, "handler = someone without a CS degree".

    $ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...

    (yes I have attended one)

    Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.

    • Re:Hahahhaha (Score:2, Informative)

      by pbemfun ( 265334 )
      Obviously you didn't pay much attention in the class or attended a really bad one. I've attended a few SANS courses, and while they are expensive, they are worth every penny IMO. Every instructor I've had has gone beyond whats on the PPT presentations.
        • Your point being?

          Northcutt is one guy. Don't know of the actual situation being described, but there are more holes in that post than a piece of coagulated swiss dairy product.

          SANS _is_ a non-profit. It does pay it's people (most of the handlers are volunteers--so don't be too big of a tool, please.) and it's speakers, and has a heck of a lot of infrastructure to support. All things that cost $$. They're not the only non-profit org that actually makes (and then uses) a fair amount of money. Take a

    • So, what'd you do, go only to Track 1? Not that I'm saying that course is bad by any means, but it is only an introduction. The other tracks present far more information than is just included in the PPTs. SANS seems to use PPTs for just what they were designed for--as outlines to guide the discussion/presentation, not the full content.

      The GIAC certifications are also one of the few cert programs that I think are worth pursuing. You have to prove a decent command of the material before you can complete
    • I know this discussion is a day old, but I wanted to post in case anyone read your comments and accidentally thought you knew what the fcuk you were talking about.

      Just to clear the air - I am in no way affiliated with SANS, I just attended one of their classes recently.

      $ans is all about cash.
      Now, clever use of the dollar sign I agree - sure to lend much needed credibility to your ideas, but listen:
      Where does it say on their site that SANS is a charitable organization dedicated to bringing practicall

  • ..is a caterpillar, not a worm.
  • you insensitive clod!

Vitamin C deficiency is apauling.