Hackers, vendors put camouflage to use

Latest virus relies on trick URL; start-up ForeScout aims to fend off viruses, hackers.



The "MyParty" worm, which arrived as an attachment named to look like the URL of an online photo archive, came as a shock last week to many people who didn't realize that a mass-mailer worm could disguise itself as a harmless-looking link in a message.

The attachment, named www.myparty.yahoo.com, urged e-mail recipients to click on it to see photos of what was said to be the sender's recent party. But the name was not a Web address: on Windows a file ending in .com is an executable, so clicking it ran the worm, which left a back-door Trojan horse on the infected machine before mailing itself to the addresses in the Microsoft Outlook address book.
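The disguise works because a file name can read like a Web address while still carrying an executable suffix. As an added illustration, not code from the article or from any vendor, here is a Python mail-gateway check that flags attachment names of that shape. The suffix list, the regular expression and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Suffixes Windows treats as executable however the rest of the name reads
# (assumed list for the example; a real gateway would carry a longer one).
EXECUTABLE_SUFFIXES = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# A filename shaped like a host name: "www.x.y" or "host.domain.tld".
URL_LIKE = re.compile(r"^(www\.|[a-z0-9-]+\.)[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def executable_suffix(name: str) -> Optional[str]:
    """Return the executable suffix of `name`, or None if it has none."""
    lower = name.lower()
    for suffix in EXECUTABLE_SUFFIXES:
        if lower.endswith(suffix):
            return suffix
    return None


def classify_attachment(name: str) -> str:
    """'url-disguised-executable' when an executable is named like a Web address,
    'executable' for an ordinary executable name, 'ok' otherwise."""
    if executable_suffix(name) is None:
        return "ok"
    if URL_LIKE.match(name):
        return "url-disguised-executable"
    return "executable"


def scan_message(raw: str) -> List[Tuple[str, str]]:
    """Classify every attachment filename in a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            findings.append((name, classify_attachment(name)))
    return findings


# Constructed sample, not the real MyParty message; a base64 stub stands in for the payload.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: you@example.com
Subject: new photos from my party!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

Check out the photos from my party.
--boundary42
Content-Type: application/octet-stream; name="www.myparty.yahoo.com"
Content-Disposition: attachment; filename="www.myparty.yahoo.com"
Content-Transfer-Encoding: base64

TVo=
--boundary42--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {verdict}")
```

The check looks only at the attachment's declared filename, which is what the recipient sees in the mail client; it says nothing about the attachment's contents, so it belongs beside, not instead of, a signature scan.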

"Not only did it e-mail to everyone, and I mean everyone, in my address book, but my computer crashed shortly thereafter," says one MyParty victim, who prefers to remain anonymous.


Antivirus software vendors quickly issued signature updates to stop MyParty last week, and noted that people are likely to develop a new mistrust of URLs in messages generally.

"This mass-mailer worm will impact the credibility of all URLs, particularly for photo archives such as Yahoo and Shutterfly," says Chris Wraight, technical director at antivirus software vendor Sophos. Several vendors recalled having seen a virus disguised as a URL once before, in the "Coolside" virus of six months ago.

Fortunately, it's not only the bad guys making use of camouflage and artifice. Disguise and misinformation can help defend networks, too. Security vendor ForeScout Technologies next week will introduce a product called ActiveScout that combines an intrusion-detection system (IDS) with the capabilities of a "honeypot" to ward off hackers and worms such as Nimda and Code Red that scan for vulnerabilities.

The idea of a network-based honeypot is to provide would-be hackers with fake information about a network by means of a decoy server to confuse them, trace them back or keep a record for prosecution. The concept is still new, but a few companies, such as Recourse Technologies with its ManTrap product, have developed honeypots.

Now along comes ForeScout, an Israeli firm with offices in Palo Alto, with a slightly different twist of its own to fool hackers.

Network attack list

ActiveScout, a rules-based IDS, sits outside the corporate firewall to identify potential threats and block them, says Ayelet Steinitz, product marketing manager for ForeScout, which has raised $14 million since its inception in April 2000. "It also does discovery inside the network and watches traffic going back and forth," Steinitz says.

When an attacker using scanning tools, or a hybrid worm that scans on its own, probes for information about the corporate network, the Linux-based ActiveScout device answers with false information.

"It creates a virtual IP address," says one ActiveScout beta-test customer, Barry Choisser, network manager at Risk Management Solutions, a Newark, Calif., developer of software applications for the insurance industry.

Steinitz says ActiveScout can insert unique "tagged" information into the traffic it returns to an attacker scanning for open ports or other details about the network. Attackers often conduct reconnaissance from many addresses, most of them spoofed decoys, to hide the real scanning host from an IDS. A spoofed address never receives the reply, however, so each tag reaches only the host that actually sent the probe. If the attacker later returns and tries to use what it learned, the tag it presents identifies the real source of the attack, Steinitz says.
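The tagging idea described above, as an added Python illustration that is not ForeScout's code: the decoy answers every probing address with a fake account name that does not exist anywhere on the network, and a later login attempt with that name identifies the address the name was handed to. The "valid users" reply format, the mark format, the helper names and the documentation-range addresses are assumptions made for the example.

```python
import secrets
from typing import Dict, List, Optional


class DecoyResponder:
    """Answers reconnaissance with a fake account name unique to the probing
    address and remembers which address was handed which name."""

    def __init__(self) -> None:
        self._mark_for_source: Dict[str, str] = {}
        self._source_for_mark: Dict[str, str] = {}

    def answer_probe(self, src: str) -> str:
        """Reply to a probe from `src`. The listed account does not exist, so
        any later use of it can only come from someone who received this reply."""
        mark = self._mark_for_source.get(src)
        if mark is None:
            mark = "svc_" + secrets.token_hex(4)  # one mark per probing address
            self._mark_for_source[src] = mark
            self._source_for_mark[mark] = src
        return f"valid users: admin, backup, {mark}"

    def attribute_login(self, username: str) -> Optional[str]:
        """If `username` is one of our marks, return the address that was handed
        it during reconnaissance; None for anything we did not plant."""
        return self._source_for_mark.get(username)


def extract_mark(reply: str) -> str:
    """What an attacker would harvest from the reply: the last listed user."""
    return reply.split(",")[-1].strip()


def simulate_decoy_scan(responder: DecoyResponder, real_src: str, spoofed: List[str]) -> Optional[str]:
    """Scan from the real host plus spoofed decoys, then return the address the
    attacker's later login attempt is attributed to. Packets with a spoofed
    source still elicit a reply, but the reply goes to the spoofed address, so
    the attacker only ever sees the answer addressed to its real host."""
    seen_by_attacker = {}
    for src in spoofed + [real_src]:
        reply = responder.answer_probe(src)
        if src == real_src:  # only the real sender gets to read the reply
            seen_by_attacker[src] = reply
    learned = extract_mark(seen_by_attacker[real_src])
    # The break-in attempt uses the harvested account; the IDS sees which
    # reconnaissance address it was planted on, whatever the decoys were.
    return responder.attribute_login(learned)


if __name__ == "__main__":
    r = DecoyResponder()
    # Constructed scenario using RFC 5737 documentation addresses.
    print(simulate_decoy_scan(r, "198.51.100.9", ["192.0.2.1", "192.0.2.2", "192.0.2.3"]))
```

The same bookkeeping works for any planted detail an attacker has to present back to the network, such as a fake open port or a fake share name; the property that matters is that the detail is unique per probing address and has no legitimate user.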

ActiveScout, which starts at about $9,000 with its management console, will be on display in two weeks at the RSA Conference in San Jose.

Choisser says his network is subject to dozens of scans and attempted break-ins each week. "I see Nimda and people trying to get through [Secure Shell (SSH)] ports," he says.

SSH is used as a secure alternative to telnet because of its encryption and authentication options, but older versions of SSH are "plagued with several vulnerabilities," according to a threat-analysis report released last week by managed security services firm Riptech.

Hackers know about those weaknesses and probe for them, which is why SSH made Riptech's "Top Ten" list of attacks (see graphic).

The Riptech report, based on 300 of the firm's customers, found an average of 25 attacks per customer per week, 39% of which appeared to be targeted at the company; the rest were indiscriminate scans for vulnerable systems on the Internet.

"The problem is, when we get scanned, we don't know who it is; we just know it's from an ISP," says Mark Parquette, assistant vice president of information systems at Charter Bank in Wyandotte, Mich., whose Cisco PIX firewall and NetRanger IDS are monitored by managed services provider NetSolve.

Although Parquette says the ForeScout equipment sounds promising, it's an open question whether smaller companies such as Charter Bank will allocate funds to buy it.

ForeScout: www.forescout.com

Ellen Messmer, Senior Editor


Copyright, 1994-2006 Network World, Inc. All rights reserved.