Open source solution to detect worms
9th September 2003 (The Star)

LOCAL antivirus company Extol has announced a tool to detect which IP addresses are infected by MSBlaster. The company's research and development manager, Mark Vyner, wrote and compiled the tool based on Snort (a free IDS tool) and OpenBSD.

The program can run from any computer connected to a network. It will automatically detect which IP addresses are infected by the MSBlaster worm. Extol claims this tool can also detect variants of Blaster like Nachi (a.k.a. Welchia), the Sobig family of worms and most Trojans.

The tool, which is 151MB, can be downloaded for free from Extol's website at www.extol.com.my/support/updates/Dload_files/FreeSBIE.ISO.

Alternatively, it can also be downloaded at www.mycert.org.my/other_resources/wormhandling.html and my-snort.org/modules.php?name=News&file=article&sid=158. The program is digitally signed; the MD5 hash is e24ddb47d6c0ade80c79b53bbe88735b. Extol recommends that users who download the program verify the integrity of the download against this hash.

According to Extol, numerous organisations are using this solution to detect and identify the worms in large enterprise networks. The tool identifies the IP addresses of infected hosts using an open-source IDS tool. Network administrators can then locate the infected host through a DHCP list or their own IP list. Extol claims one major bank has successfully reduced its virus-related network congestion to normal levels using this solution.

The tool is said to be simple to use, and no prior experience with the Snort IDS or Unix is needed to operate it.

Systems administrators just need to follow these instructions:

Make a CD out of the iso image.

Boot a standard PC with the tool.

Login as 'root' (no password required).

Type 'tail -f /home/alert'.

It will then display alerts on the screen (if any) when the worms are present on the network. However, on a switched network, system administrators are required to mirror the ports so that the monitoring PC sees the traffic. Instructions to do so should be obtained from the relevant switch vendors.
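The article says the tool prints Snort alerts to /home/alert and leaves the administrator to work out which IP addresses are the infected hosts. The script below is an added example, not Extol's code, showing how an administrator could turn such an alert stream into a ranked list of suspect source addresses. It assumes the alerts are in Snort's standard "fast" alert format (the article does not describe the file's format); the sample lines, rule IDs (SIDs in the local 1000000+ range) and rule names are constructed for the example. The TCP port 135 in the sample reflects the Windows RPC service that Blaster exploited.

```python
import re

# Constructed sample alerts in Snort "fast" format; not real captures.
# A host that repeatedly hits TCP/135 on many different targets is the
# scanning pattern a Blaster-infected machine produces.
SAMPLE_ALERTS = """\
09/09-10:15:32.123456  [**] [1:1000001:1] LOCAL Blaster-style DCERPC bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.23:1042 -> 10.0.7.8:135
09/09-10:15:32.654321  [**] [1:1000001:1] LOCAL Blaster-style DCERPC bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.23:1043 -> 10.0.7.9:135
09/09-10:15:33.000001  [**] [1:1000002:1] LOCAL Nachi-style ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.9.77 -> 10.0.7.10
09/09-10:15:34.111111  [**] [1:1000001:1] LOCAL Blaster-style DCERPC bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.5.23:1044 -> 10.0.7.10:135
this line is not an alert and must be skipped
"""

# One fast-format alert per line; ports are optional because ICMP alerts have none.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def infected_hosts(alert_text, min_alerts=1):
    """Group alerts by source IP.

    Returns {src_ip: {"count": n, "signatures": set, "targets": set}} for every
    source that triggered at least min_alerts alerts. Raising min_alerts filters
    out one-off hits and keeps the hosts that are actively scanning.
    """
    hosts = {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        h = hosts.setdefault(a["src"], {"count": 0, "signatures": set(), "targets": set()})
        h["count"] += 1
        h["signatures"].add(a["msg"])
        h["targets"].add(a["dst"])
    return {ip: h for ip, h in hosts.items() if h["count"] >= min_alerts}


def report(alert_text, min_alerts=1):
    """Ranked report lines, busiest source first: IP, alert count, distinct targets, rule names."""
    hosts = infected_hosts(alert_text, min_alerts)
    ranked = sorted(hosts.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{ip}  alerts={h['count']}  targets={len(h['targets'])}  rules={', '.join(sorted(h['signatures']))}"
        for ip, h in ranked
    ]


if __name__ == "__main__":
    # In practice: report(open("/home/alert").read(), min_alerts=3)
    for line in report(SAMPLE_ALERTS):
        print(line)
```

The ranked output gives the administrator the list the article describes: source addresses to look up in the DHCP or IP list, with the busiest scanner first. On a large network the min_alerts threshold keeps a single probing packet from putting a clean host on the list.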