IBM is taking security software it created to handle its own exposure to viruses and worms and offering it as a commercial product through its consulting division.
The company recently announced the release of Billy Goat, developed at Big Blue’s research lab in Zurich and made available through a partnership called On Demand Innovation Services (ODIS). Named after an animal that was used as bait for a dinosaur in the film Jurassic Park, Billy Goat uses virtualization techniques to create a simulation of actual servers. This is intended to fool malicious software by allowing it to send requests to unused IP addresses, which then alerts IT departments responsible for protecting real IT infrastructure.
Guy Denton, worldwide manager of IBM’s ethical hacking practice, said the research team started working on Billy Goat in 2003, when the rise of “zero-day” attacks where worms and viruses are released the same day they are created were infecting its employee systems. Like most companies, IBM installs anti-virus on all its computers, but for laptops and other devices keeping abreast of updates was a challenge, he said.
“It was very painful for IBM. You could have sections of a company brought down to a complete standstill,” he said.
Billy Goat does not shut down ports or switches, Denton said, but it can be used as a networking monitoring and alert mechanism, which could be the first stage of preventing damage to an organization. IBM is hoping the tool will act as a complement to its consultants who help companies configure their network responses to attacks from worms or other malicious code, he added.
Joe Greene, vice-president of security research at IDC Canada in Ottawa, said he wasn’t aware of a tool quite like Billy Goat, though he noted that ethical hackers have deployed similar techniques for years. IBM’s technology would take what is commonly used in testing and apply it in real time, he said. “If it works as soundly as they say it does, any product that gives more information vis-a-vis security has got to help,” he said.
No guarantees
“The question is, how does (the worm) know to attack the fake network and not the real one?”
Denton said there were no guarantees that wouldn’t happen.
“It might see both at the same time,” he admitted, though Billy Goat is intended to create enough of a presence in terms of IP addresses that it becomes a significant target.
“There’s always some element of network discovery (by worms and viruses) in the first place and an effort to find what’s out there.”
Canadian security researchers are also interested in the idea of hacker bait.
The U of T, for example, recently said it was experimenting with photonic decoys in the form of laser light particles that would detect any attempt for a worm or virus to enter the data stream of a fibre-optic cable and warn network administrators.
Denton said IBM is using Billy Goat internally on a global basis, nothing that it has already developed some complementary software that may be released to customers as well.
