News Press Release for immediate release -- all media

Bubba to Driver: "Internet Virus Road Block Ahead"

by Doctor Electron

A mysterious silence of self-propagating virus activity has been detected. What has happened to all the Nimda and Code Red virus variants?

The author has a system that listens for "callers" to an unadvertised web server. Over many months, dozens of computers have sent to this little server port hundreds of their "GET" requests. These requests either attempt to infect my system or try to determine if it is already infected.

But recently, these callers to my system have stopped calling. The little web server is not getting any more malicious traffic. What happened?

Has my reputation as "Mr. Clean" got around? Probably not. Have all the infected web servers that were trying to infect mine been cleaned up? I doubt it. Even if there has been a cleanup of infected web servers, there is still the group of wannabe hackers who download and run programs to scan for infected web servers. Certainly some of this cheery crowd would grace the threshold of my humble web server. Have they all been arrested? Don't bet on it.

So what could explain this mysterious silence? The following headlines are all similar:

"Web Server Virus Plague Ends."
"Police Report No Crime Last Month."
"Cancer Cured."
"Niagara Falls Stop."

With any of these headlines, one would want to know what happened and why.

The old-fashioned road block is one possible explanation. This is like Bubba saying, "Look at that road block up ahead. There are so many police cars there, you better slow down and stop." The driver replies, "Don't worry, I took the bootleg whiskey out of the trunk." After they stop, the officer in blue checks them out, explaining, "Well, boys, there's some rascals going through here that we want to nail and take in for questioning."

In short, my theory is that internet big wigs may have installed a filter to weed out the "GET" rascals that try to infect web servers or check if they are infected. If this is true, my little web server logs have spoken loudly. The lack of "GET" requests may have, in effect, detected a major internet development.

What exactly are we talking about here? Well, it's only a theory; but if true, we are talking about TCP packet filtering by someone -- could be routers and ISPs.

Holy smoke! Is that an internet virus road block up ahead?

What is required for such an internet road block? A four step process would do the trick:

(1) All packets would have to be examined to determine if they are TCP, which carries most of the information to and from a user computer. In our road block example, this might be like stopping only passenger vehicles, and not trucks.

(2) If TCP, the destination port in the packet would have to be extracted and evaluated. For ordinary web servers (http://), this is port 80. For so-called secure web servers (https://), this would be port 443. We'll stop there. This is like the officer asking, "Where are you boys headed?"

(3) For the packets found to be traveling to web servers, our hypothetical road block would have to look at what request these packets will make when they arrive. Imagine being at a police road block and the officer says, "You say you are going to the movies. Now, son, I have to ask what movie are you going to see."

(4) Finally, if where one is going and what one is going to ask for when one gets there is not to the officer's satisfaction, then one is detained. An internet road block would work the same way. Namely, packets might be blocked and perhaps "detained for further questioning."

These four steps implement an internet road block, which is actually a program which screens packet traffic on the internet. Such a program could be installed at various locations (routers, hubs, major gateways, etc.) to protect web servers by preventing the spread of malicious virus code.
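As an added illustration (example code written for this edit, not from the article or its author), the four steps above as a small Python packet inspector run over constructed IPv4/TCP packets. The request patterns it flags are assumed, illustrative signatures chosen for the demo, not patterns the article lists, and the packet builder, port set and verdict strings are likewise this example's own. It goes slightly beyond the article in showing what the filter can and cannot do with port 443 traffic and with a segment that carries no request line.

```python
from __future__ import annotations
import re
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
WEB_PORTS = {80, 443}          # step 2: ordinary and "secure" web server ports

# Illustrative request signatures, constructed for this example (the article names no patterns).
# They resemble the probe paths sent by 2001-era IIS worms; a real filter would carry a
# maintained signature list rather than these few.
SUSPICIOUS_GET = [
    re.compile(rb"/default\.ida\?", re.I),       # Code Red-style probe of the IIS .ida handler
    re.compile(rb"(cmd|root)\.exe", re.I),       # Nimda-style attempts to reach a command shell
    re.compile(rb"\.\.(?:/|%2f)", re.I),         # directory traversal, plain or percent-encoded
]


def build_packet(proto: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet carrying TCP or UDP (checksums left at zero; demo only)."""
    if proto == IP_PROTO_TCP:
        # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urgent
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:
        # UDP: src port, dst port, length, checksum
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    return ip + l4 + payload


def inspect(packet: bytes) -> tuple[str, str]:
    """Apply the article's four steps to one packet; returns (verdict, reason)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "PASS", "not an IPv4 packet; not examined"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    # Step 1: only TCP is examined further.
    if proto != IP_PROTO_TCP:
        return "PASS", "not TCP (step 1)"
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return "PASS", "truncated TCP header; not examined"
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    # Step 2: only traffic headed for a web server port is examined further.
    if dst_port not in WEB_PORTS:
        return "PASS", f"destination port {dst_port} is not a web port (step 2)"
    if dst_port == 443:
        # Caveat: HTTPS payloads are encrypted, so step 3 has nothing readable to inspect.
        return "PASS", "port 443 payload is encrypted; request cannot be examined (step 3)"
    data_offset = (tcp[12] >> 4) * 4
    payload = tcp[data_offset:]
    # Step 3: look at the request this packet will make when it arrives.
    request_line = payload.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"GET "):
        return "PASS", "no GET request line in this segment (step 3)"
    # Step 4: detain packets whose request is not to the officer's satisfaction.
    for sig in SUSPICIOUS_GET:
        if sig.search(request_line):
            return "BLOCK", f"GET matched {sig.pattern!r} (step 4)"
    return "PASS", "ordinary GET (step 4)"


if __name__ == "__main__":
    # Constructed sample traffic, one packet per branch of the decision.
    samples = [
        build_packet(IP_PROTO_TCP, 80, b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"),
        build_packet(IP_PROTO_TCP, 80, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
        build_packet(IP_PROTO_TCP, 443, b"\x16\x03\x01\x00\x2a"),
        build_packet(IP_PROTO_UDP, 80, b"GET /default.ida? HTTP/1.0\r\n\r\n"),
        build_packet(IP_PROTO_TCP, 25, b"EHLO mail.example\r\n"),
    ]
    for pkt in samples:
        verdict, reason = inspect(pkt)
        print(f"{verdict:5} {reason}")
```

Two limits worth noticing in this shape of filter: a GET request line can span more than one TCP segment, so a per-packet check like step 3 only works reliably once a device reassembles the stream, and on port 443 the request is encrypted, so the road block can see where the car is headed but not which movie it is going to see.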

To conclude, the silence of my unadvertised web server may resolve itself in two ways. First, a new influx of malicious "GET" commands may show up at any time. This would indicate this article may be totally foolish. Second, there is the "Cancer Cured" situation, which prompted my theory of possible internet road blocks.

If packet road blocks are installed, the implications are enormous and beyond the scope of this news flash about my little web server. Such screening and blocking software is similar to the controversial FBI Carnivore program. Reportedly, this program is used for court-authorized investigative purposes on a limited basis.

Both Carnivore and a packet road block would (or could) implement the first three procedural steps described above. [In the case of Carnivore, the author does not have specific information that destination ports are examined as in step 2 -- e.g., 25 and 110 for sending and receiving email respectively.] Both would also implement step 3 and examine textual content of the packet. Carnivore reportedly limits its data collection to the email header information. Our packet road block program would examine the specifics of any "GET" requests in the packets.

However, a packet road block to protect web servers would have to go further, much further -- namely, confiscate packets it deemed to be objectionable because of suspicious "GET" requests. An obvious conclusion is that the magnitude of controversy that might be associated with the FBI's Carnivore program would look like a drop compared to the bucket of controversy that would be generated by the hypothesized packet road block, which actually would stop certain communications.

The issues include privacy and freedom of speech -- lack of government or business intrusion into information transmissions. For the heavy weights who run the internet infrastructure and ISPs, the tremendous damage done by malicious code would be abated and their reduced costs would benefit them and the general public who use these facilities in the long run.

Finally, if readers are still seeing malicious "GET" requests at press time, this may mean that their location does not yet have the hypothesized internet road block software installed. Stay tuned.

Postscript: In mid-July more "GET" requests looking for vulnerabilities were observed. The timing of these connections can have a random component. On the other hand, the author has come across reports that some blocking of NetBIOS packets is already in place at some locations. If this is true, then the basic methods described above would seem to be required; and perhaps similar issues might apply.

Copyright © 2002 Global Services

Last Modified: July 29, 2002