Idea for proactive worm protection
Hello guys,
first of all, let me describe my situation. I live in a pretty big dorm, it
features a LAN with about 1200 computers, of course, most of them run Windows
and their users don't know how to update the system. Various worms (most
notably Blaster, Welchia, Sasser and Agobot) regularly flood the LAN, and at
the beginning of the outbreak they usually knock out our internet access
several times before the administrators find out what's going on. The user
also almost never knows (s)he is vulnerable/infected. Also, there are no
"real" administrators here, just some students doing this as a part time job,
so there is no hope of some strong action.
Last Saturday I finally got fed up with the worms and wrote a perl script.
There is nothing special about it, I write perl scripts almost every day. But
this one actually worked :-) and also had such a tremendous impact and showed
so much potential, that I realized I shouldn't keep this to myself.
What does the script do?
- it binds to UDP port 138 and listens for NMB host and lmb announcements.
- if it detects one, it checks when it contacted the sender IP last time, and if
it was at least an hour ago, it makes a connection to the sender's TCP port
445 and checks whether the "sasser patch" (KB835732) is applied (I got this
check from nessus-plugins, and ported it to perl, so I don't pretend to
understand how it works, but it really does :-))
- if an unpatched version is detected, it uses smbclient to send a WinPopup
with the text: "Your computer is vulnerable to the Sasser Worm. Please visit
http://windowsupdate.microsoft.com and update your system."
- if a patched version is detected on an IP that was previously vulnerable, it
sends another WinPopup with the message "Thank you for updating your system
and keeping our network safe.\r\nThis free security service is brought to
you by shurdeek." (yeah, advertising myself isn't such a bad idea)
- data is stored in a tied GDBM hash, so it isn't lost when the script crashes
(which unfortunately happens from time to time, so I check it from cron)
- every 5 minutes a website is generated with a complete status list
As the more experienced of you can see, this has very low requirements on
everything (CPU, RAM, disk, net, I run it on a Pentium 75MHz/32MB with barely
noticeable load), behaves very politely and still inspires the user to update
the damn thing. Moreover, it only detects those who actually run the server,
and if one has a vulnerable open version, one almost surely will receive the
WinPopup as well. Also, unlike most of the available solutions, it is a
preventive action (not infection or infection attempt but vulnerability is
detected).
At the beginning of the tests I found out a guy living next door was
vulnerable, so I walked over and talked to him. He thought the message came
from the system directly, and when I told him that it was me who sent it he
thanked me and told me he'll update (some time later, the computer was indeed
updated). So I decided to keep the program running.
The results are simply amazing. During the roughly 4 days it has been running
now, about 49% of the vulnerable users actually updated their systems (123 of
251). As not all the users use their computers constantly and we have internet
connection problems at the moment, I assume this number will rise even
more. I don't think it will ever reach 100% (as you may know, sometimes
Windows is so fscked up that WindowsUpdate doesn't work, and some have "badly
stolen" XP on which you can't install SP1). Nevertheless, the IPs are on the
website and available to the administrators, who can take action whenever they
decide necessary. I recommended that they block Internet access to the machines
(except for *.microsoft.com) after 2 days of being vulnerable, and also
modified the script so that after 2 days of continuous vulnerability it changes
the formulation to a somewhat stricter one, like "if you don't update soon, the
computer administration will block your internet access".
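The per-IP scheduling and messaging policy described in the feature list above (rescan no more than once an hour, warn while unpatched, thank on the transition to patched, keep state in a tied DBM hash) and the 2-day escalation just mentioned, written out as an added example. This is not the original script; it assumes the core SDBM_File module in place of GDBM_File (same tie() interface), keeps the SMB patch check and the WinPopup sender out of the block as two code references (the demo uses a simulated checker and a notifier that only collects messages), and the stricter wording is a constructed paraphrase of the one the post quotes.

```perl
#!/usr/bin/perl
# Added example (not the original script): the per-IP policy logic only.
use strict;
use warnings;
use Fcntl;
use SDBM_File;   # core module; the post used GDBM_File, same tie() interface

my $RESCAN_AFTER   = 3600;        # at least an hour between checks of one IP
my $ESCALATE_AFTER = 2 * 86400;   # stricter wording after 2 days vulnerable

my %MSG = (
    first  => "Your computer is vulnerable to the Sasser Worm. Please visit\n"
            . "http://windowsupdate.microsoft.com and update your system.",
    strict => "Your computer has been vulnerable to the Sasser Worm for more\n"
            . "than 2 days. If you don't update soon, the computer\n"
            . "administration will block your internet access.",
    thanks => "Thank you for updating your system and keeping our network safe.\r\n"
            . "This free security service is brought to you by shurdeek.",
);

# One record per IP in the tied hash, "last_check,state,vuln_since",
# so the history survives a crash of the script.
sub load_rec {
    my ($db, $ip) = @_;
    my @f = split /,/, ($db->{$ip} // '');
    return { last_check => $f[0] // 0, state => $f[1] // 'unknown',
             vuln_since => $f[2] // 0 };
}
sub save_rec {
    my ($db, $ip, $r) = @_;
    $db->{$ip} = join ',', @{$r}{qw(last_check state vuln_since)};
}

# Called for every NMB announcement seen from $ip at time $now.
# $check->($ip)  returns 1 if unpatched, 0 if patched, undef if unreachable
#                (hypothetical callback; the post ported a Nessus check here).
# $notify->($ip, $text) delivers the WinPopup (smbclient in the original).
# Returns the message key sent, or '' if nothing was sent.
sub handle_announcement {
    my ($db, $ip, $now, $check, $notify) = @_;
    my $r = load_rec($db, $ip);
    return '' if $now - $r->{last_check} < $RESCAN_AFTER;   # seen recently, skip
    my $vuln = $check->($ip);
    $r->{last_check} = $now;
    my $sent = '';
    if (!defined $vuln) {
        # unreachable: keep the previous state, only remember the attempt
    } elsif ($vuln) {
        $r->{vuln_since} = $now if $r->{state} ne 'vulnerable';
        $r->{state} = 'vulnerable';
        $sent = ($now - $r->{vuln_since} >= $ESCALATE_AFTER) ? 'strict' : 'first';
        $notify->($ip, $MSG{$sent});
    } else {
        $sent = 'thanks' if $r->{state} eq 'vulnerable';   # only on the transition
        $notify->($ip, $MSG{thanks}) if $sent;
        $r->{state} = 'patched';
        $r->{vuln_since} = 0;
    }
    save_rec($db, $ip, $r);
    return $sent;
}

# Status list for the generated web page, vulnerable hosts first
# ('vulnerable' sorts before 'unknown' and 'patched' in reverse order).
sub status_lines {
    my ($db) = @_;
    my @rows = map { [$_, load_rec($db, $_)] } keys %$db;
    return map {
        sprintf "%-15s %-10s since %s", $_->[0], $_->[1]{state},
            $_->[1]{vuln_since} ? scalar localtime $_->[1]{vuln_since} : '-'
    } sort { $b->[1]{state} cmp $a->[1]{state} || $a->[0] cmp $b->[0] } @rows;
}

# Demo on a constructed timeline, no network access needed.
tie my %db, 'SDBM_File', '/tmp/wormwatch', O_RDWR|O_CREAT, 0600 or die "tie: $!";
my @log;
my $notify = sub { push @log, "$_[0]: $_[1]" };
my $still_unpatched = 1;
my $check = sub { $still_unpatched };          # simulated patch check
my $t0 = 1_084_000_000;                        # constructed base timestamp
print handle_announcement(\%db, '10.0.0.5', $t0,              $check, $notify), "\n"; # first
print handle_announcement(\%db, '10.0.0.5', $t0 + 600,        $check, $notify), "\n"; # '' (too soon)
print handle_announcement(\%db, '10.0.0.5', $t0 + 3 * 86400,  $check, $notify), "\n"; # strict
$still_unpatched = 0;
print handle_announcement(\%db, '10.0.0.5', $t0 + 4 * 86400,  $check, $notify), "\n"; # thanks
print "$_\n" for status_lines(\%db);
untie %db;
```

Keeping the check and the notifier behind code references is what makes the one-hour rescan interval and the 2-day escalation easy to reason about in isolation: the policy never contacts a host it has seen within the hour, sends exactly one thank-you per vulnerable-to-patched transition, and an unreachable host keeps its previous state instead of being counted as patched.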
In summary, this project is IMHO a big success, and I decided to add more
features when I find the time (checks for Blaster/Sasser/Agobot infection,
checks for weak passwords just as Agobot does, etc).
Right now I was browsing the web and found out yet some more articles came out
today about how the worms are bad and crashed this and overloaded that, and a
lot of experienced computer users in their posts blaming the poor "never
update"-guys. But I realized no one actually DOES anything to help (well,
antivirus vendors sell their programs :-)). This got me thinking: hey, perhaps
this script can be used to help on a global level. This would happen if a
substantial amount of "good guys" installs it on machines with a public IP,
preferably on various topological locations. That way a LOT of people with
vulnerable or infected machines will be bugged until they update. I would also
like to point out that at the moment the script is only running inside a LAN
with no access from the outside, so "live internet tests" will have to be
done.
However, I would like to avoid the current antivirus situation. As just about
everyone knows, there are thousands of old and/or incorrectly configured
antivirus mail filters that notify a faked sender (which unfortunately some
hundred times a day happens to be me). As clearly evident, it is not enough
when a bugfixed antivirus version is available from the vendor later, the
lame admins keep using the buggy one (and don't read abuse@/postmaster@). So,
I would like to prevent a similar situation happening to my script in advance,
before I publish it (under GPLv2 of course :-)).
So, concluding my email, I would like to ask my fellow bugtraqers the
following:
- is a global deployment of such a program a good thing?
- how to program it so that misbehaviour is a priori prevented? I tried my best
but no one is perfect so maybe I'm missing something.
- what are the "right" values for waiting for
rescan/update_windows_now_message? Now it is at least 1 hour and only
happens when the remote machine sends a NMB announcement (I could perhaps
add a faked server that would detect an infection attempt and act on that as
well).
Happy to be hearing from you soon,
Peter Surda (Shurdeek) <shurdeek@xxxxxxxxxxxx>, ICQ 10236103, +436505122023
--
To understand recursion, one must first understand recursion.