Week in Review: Inqtana redux
It's been a busy week, but on the really interesting malware front it's been pretty slow, so here are some comments on the Inqtana worm. A lot of hype surrounded it when it was first published a week ago Friday, but there turns out to be little behind it.
In InqTana Through the eyes of Dr. Frankenstein, a post to the Full Disclosure mailing list, KF breaks down the malware and shows that it has not been found in the wild, that it is nothing but a proof-of-concept sample, and that it was deliberately crippled to keep it from spreading outside the lab. While the press jumped on the "OS X malware" bandwagon, that appears to have been premature. Yes, the proof of concept is valuable: it demonstrates a potential threat vector in Bluetooth on personal computers, and a largely untested field of OS X malware, but the threat is not yet realized. It's some good analysis, although I dispute one of his claims:
"Putting all of that aside I think most people missed the point of this worm and its variants. The main focus was not on the usage of Bluetooth for the exploit medium, or the vulnerability used. The focus should have been on the usage of built in OSX facilities to spread malicious code. OSX contains features, which will certainly aid in the future of malware on OSX."
I think the fact that it's Bluetooth on a personal, general-purpose computer makes it just as interesting as the fact that it's OS X. We saw a lot of PDA and cellphone malware in 2005 (see the F-Secure weblog archives, it's quite interesting), mainly variants of a few families, and now we can have it on OS X, too.
Interesting times ...
Another interesting tidbit from the past week: it seems that MWCollect and Nepenthes are merging into one codebase. If you haven't looked at these tools for collecting Windows malware, you should. They're useful and easy to deploy. It will be good to see the efforts combined and the projects strengthened in the coming months.
And finally, another new tool to help network administrators defeat malware infestations. Quarantainenet looks like a commercial tool that uses your existing network segmentation to protect the rest of the network when untrusted or infected hosts are on it.
Quarantainenet provides network operators with a way of placing users in a quarantined environment, for example in case of a virus or worm infection.
Quarantainenet makes sure a user only retains the limited functionality that is necessary for fixing the problem. The big difference with simply disconnecting a user, is that quarantainenet usually enables the user to solve the problem himself while at the same time improving communication towards the user. The productivity of operators also heavily benefits from this.
If you run a network and have been looking for ways to implement quarantine segments, this may be useful for you.
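To make the quarantine idea concrete, here is an added example of a "walled garden" policy of the kind described above. It is not Quarantainenet's code (the post says nothing about how the product works beyond the quoted summary); the addresses, port choices and the iptables rendering are all assumptions made for the illustration. The point it shows is the difference from simply unplugging the host: the quarantined machine keeps exactly the connectivity it needs to fix itself (a designated resolver and a remediation server), stray web traffic is redirected to a portal that tells the user why they are quarantined, and everything else, including lateral movement on ports like 445, is dropped and logged for the operator.

```python
"""Walled-garden quarantine policy for infected hosts.

Added illustration, not Quarantainenet's code. Every address, port and rule
below is an assumption chosen for the example, not taken from the post.
"""
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for the example). The resolver and
# remediation server sit OUTSIDE the quarantine segment on purpose: the
# quarantine gateway only sees traffic that leaves the segment, so isolating
# quarantined hosts from each other is a switch job (private VLAN / port
# isolation), not a firewall job.
QUARANTINE_NET = ip_network("10.99.0.0/24")   # hosts the operator moves here
RESOLVER = ip_address("10.0.0.53")            # the only DNS server they may use
REMEDIATION = ip_address("10.0.0.80")         # portal, AV updates, patches
PORTAL_PORT = 8080                            # captive-portal listener on REMEDIATION

ALLOW, DROP, REDIRECT = "ALLOW", "DROP", "REDIRECT"


def quarantine_decision(src, dst, proto, dport):
    """Decide what the quarantine gateway does with one flow.

    Evaluated top to bottom, like a firewall chain:
      1. flows not sourced from the quarantine segment are out of scope here
      2. DNS, but only to the designated resolver (no tunnelling out via 8.8.8.8)
      3. HTTP/HTTPS to the remediation server
      4. any other HTTP is redirected to the captive portal so the user sees why
      5. everything else is dropped: no SMB, no SMTP, no other hosts
    """
    src, dst = ip_address(src), ip_address(dst)
    if src not in QUARANTINE_NET:
        return ALLOW  # normal policy applies elsewhere; not modelled here
    if dst == RESOLVER and dport == 53 and proto in ("udp", "tcp"):
        return ALLOW
    if dst == REMEDIATION and proto == "tcp" and dport in (80, 443, PORTAL_PORT):
        return ALLOW
    if proto == "tcp" and dport == 80:
        return REDIRECT
    return DROP


def iptables_rules():
    """Render the same policy as iptables commands for the quarantine gateway.

    Assumed syntax for a Linux router with the quarantine VLAN on one side;
    apply with root on the gateway, not on the quarantined hosts.
    """
    q, r, m = QUARANTINE_NET, RESOLVER, REMEDIATION
    return [
        # Send stray web traffic to the portal before routing (rule 4 above).
        f"iptables -t nat -A PREROUTING -s {q} ! -d {m} -p tcp --dport 80 "
        f"-j DNAT --to-destination {m}:{PORTAL_PORT}",
        # Rules 2 and 3: the minimum needed to fix the machine.
        f"iptables -A FORWARD -s {q} -d {r} -p udp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -s {q} -d {r} -p tcp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -s {q} -d {m} -p tcp -m multiport "
        f"--dports 80,443,{PORTAL_PORT} -j ACCEPT",
        # Replies for the flows allowed above.
        f"iptables -A FORWARD -d {q} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Rule 5: log for the operator, then drop.
        f"iptables -A FORWARD -s {q} -j LOG --log-prefix 'QUARANTINE-DROP: '",
        f"iptables -A FORWARD -s {q} -j DROP",
    ]


if __name__ == "__main__":
    # Constructed sample flows from a quarantined host 10.99.0.5.
    samples = [
        ("10.99.0.5", "10.0.0.53", "udp", 53),        # DNS to designated resolver
        ("10.99.0.5", "8.8.8.8", "udp", 53),          # DNS anywhere else
        ("10.99.0.5", "10.0.0.80", "tcp", 443),       # fetch AV updates
        ("10.99.0.5", "93.184.216.34", "tcp", 80),    # browsing -> portal
        ("10.99.0.5", "10.1.2.3", "tcp", 445),        # SMB to a peer: blocked
    ]
    for flow in samples:
        print(f"{flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}: {quarantine_decision(*flow)}")
    print("\n".join(iptables_rules()))
```

The DNAT rule plus the explicit allow for the portal port is what gives the user a page explaining the quarantine instead of a silent timeout; the resolver restriction is what keeps an infected host from using DNS as a side channel while it sits in the segment.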
February 26, 2006 in editorial
Comments
yeah it's a "good analysis" cause he wrote it.
Posted by: bob dole | Mar 2, 2006 11:29:51 PM