Hacker's tool combats killer viruses

A self-confessed "white hat" hacker has created a tool allowing network administrators to fight back against worms like Code Red and Nimda.

The open source Linux based 'LaBrea', named after the tar pits of Los Angeles, is designed to trap worms such as Code Red and Nimda while they're scanning for vulnerable hosts, effectively holding them in a 'tar pit' forever.

Tom Liston, the author of LaBrea and webmaster of the Hackbusters.net security site, described LaBrea as "a program that creates a tarpit or, as some have called it, a 'sticky honeypot'."

He explained that LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts sent out by infected machines.

LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck" in the tar pit, for an indefinite period of time.

The tool is free under General Public License and basically transforms unused network resources into decoy machines that tie up malicious threads. It renders them harmless, as worm threads trapped in the tar pit are unable to move on to attack other machines.

It consumes next to nothing in terms of resources, hogging about 110 bytes per second of bandwidth.

Originally, LaBrea was created as a counter-measure to Code Red, but this week has successfully been tested on Nimda. There is no reason it could not be used to trap other worms.

Liston has a list of infected machines currently being held on the Hackbuster website. He claims to have over one thousand Nimda infected machines and 300 Code Red infected machines currently stuck in his tar pits. Some have been trapped for over a week.

Although his own efforts may be stopping just a handful of machines from infecting the internet, if the concept is taken up by the internet community, it could help to stop worms like Nimda in their tracks.

Rob Rosenberger, editor of virus information site Vmyths.com, said: "LaBrea gives its users a tactical advantage over 'zombie' computers like those compromised by the Code Red worms. The computer security industry will find it a very intriguing utility."

More information, and the tool itself, can be found at Hackbusters