Radsoft

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part One - Innocence Personified

This story is innocence personified - at least it started that way. Back in mid-September 2001, a few days after the release of LaBrea, the network tarpitter, Tom Liston of the Hackbusters contacted Rick of Radsoft about the possibility of creating a 'LaBrea@Home' for ordinary home PC/Windows users. The tarpitting idea was the same, but the modus operandi had to be different - while the original LaBrea actually fabricated machines out of nothing, this version would have to use the real IP of the home PC surfer.

There was a problem. Ordinary PC surfers do not have IIS servers running on port 80 - in fact they have nothing running there. And the dutiful Microsoft TCP/IP stack, when confronted with a connection attempt, will correctly reset the connection and in effect inform the kiddie/worm that there is nothing at the IP to exploit.

But the whole idea behind LaBrea is to fool the kiddie/worm into thinking that there is something to exploit, and then fooling it into waiting forever to deliver its destructive payload. TCP/IP works wonderfully like that, as it turns out. It doesn't like to give up connections, especially when the other end keeps promising that there'll be joy REAL SOON NOW but PLEASE just wait a few more minutes?

The kiddie scanners and Code Red/Nimda worms sit there patiently, persisting as it's called, and keep trying again and again. If a kiddie scanner probes a lot of ports all at once and gets stuck in tar on each and every one, the kiddie scanner will overload and crash. If a Code Red/Nimda worm sends out 100 feelers and gets stuck on every one, it will crash too. The end of hacking and worms as we know it. That's the prospect, that's why the goal is so desirable.
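The two outcomes described above, modelled as an added example (this is not Radsoft's or LaBrea's code): a closed port answers a probe with RST and the probe moves on, while a tarpit answers SYN/ACK and then a zero window, so the probing stack sits in TCP persist mode and re-probes with exponential backoff. The timer values are assumed classic BSD persist-timer defaults and the traffic mix is constructed.

```python
"""Model of RST-on-closed-port versus zero-window tarpit persistence."""

PERSIST_INITIAL = 5.0   # seconds before the first window probe (assumed BSD default)
PERSIST_MAX = 60.0      # backoff cap on the persist timer (assumed BSD default)
RST_ROUND_TRIP = 0.1    # seconds a probe wastes on a closed port (constructed)
PROBE_BYTES = 41 + 40   # 1-byte window probe plus the bare ACK answering it


def persist_intervals(n_probes):
    """Gaps between successive window probes of a connection held at window 0."""
    gaps, gap = [], PERSIST_INITIAL
    for _ in range(n_probes):
        gaps.append(gap)
        gap = min(gap * 2, PERSIST_MAX)
    return gaps


def seconds_held(n_probes):
    """How long the probing side has kept the connection open after n probes."""
    return sum(persist_intervals(n_probes))


def tarpit_cost_bytes_per_sec(stuck_connections):
    """Steady-state bandwidth the tarpit pays to hold that many connections:
    one probe/ACK pair per connection every PERSIST_MAX seconds."""
    return stuck_connections * PROBE_BYTES / PERSIST_MAX


def scan(targets, slots):
    """Scanner with `slots` parallel connections working through `targets`
    ('closed' or 'tarpit'). Returns (hosts_scanned, seconds_elapsed, stuck_slots).
    A closed port frees its slot after one RTT; a tarpit keeps the slot forever,
    so once every slot is stuck the scanner makes no further progress."""
    stuck, scanned, elapsed = 0, 0, 0.0
    for kind in targets:
        if stuck >= slots:                  # every slot sits in persist mode
            break
        scanned += 1
        if kind == "tarpit":
            stuck += 1                      # this slot never comes back
        else:                               # free slots share the RTT cost
            elapsed += RST_ROUND_TRIP / (slots - stuck)
    return scanned, elapsed, stuck


if __name__ == "__main__":
    print("persist gaps:", persist_intervals(6), "held for", seconds_held(6), "s")
    print("1000 stuck connections cost", tarpit_cost_bytes_per_sec(1000), "B/s")
    print("scan:", scan(["tarpit", "closed", "tarpit", "closed", "closed"], 2))
```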

But, as stated, Microsoft was screwing things up - by for once doing things correctly. As no service was installed on port 80, Microsoft was telling the kiddies and worms so, and they were leaving and moving on before LaBrea@Home could stick it to them.

Although both Tom and Rick are resourceful programmers, it took a bit of luck with an act of pure desperation for them to 'find' the light. Tom turned on his Zone Alarm and put on its Internet Lock - the lock that is supposed to stop all outbound and inbound traffic, no exceptions. 'Let's see if that blasted Microsoft TCP/IP can send those kiddies and worms away now!' he undoubtedly cursed to himself.

And he was right - Zone Alarm's Internet Lock did in fact stop Microsoft from replying to the incoming probes. But what happened next was something neither of them was prepared for - LaBrea@Home was still getting out.


Copyright © Radsoft. All rights reserved.