A tool designed to at least partially curtail the scanning activities of malicious Internet worms like Nimda has been released.
The tool, called LaBrea, creates a tarpit ("sticky honeypot") by making use of unused IP addresses on a network and creates "virtual machines" that answer to connection attempts
LaBrea answers those connection attempts generated by worms in a way that causes an infected machine at the other end to get "stuck", sometimes for a very long time.
Tom Liston, the author of LaBrea, got the idea for the free, open source program after getting fed up with seeing his network scanned by the Code Red worm and the desire to provide a tool that would help beleaguered BOFHs fight back.
LaBrea (named after a region of LA) is also able to slow down the spread of the Nimda worm, though Liston admitted to Wired that his tool has probably only had a marginal effect on the spread of Nimda.
Still it's nice to see someone doing something practical that helps network admins fight back against worm infection, and the more BOFHs that use the tool the more effective it will be. You can find more information about LaBrea here.
As previously reported, Nimda (which affects both Windows PCs and servers running Microsoft IIS) most commonly spreads via either an email attachment or a web defacement download.
The worm takes advantage of vulnerabilities in IIS to stick copies of itself on servers before attempting to propagate via the Web. You can find more information about
Nimda here. ®