[ISN] Storm Botnet Puts Up Defenses And Starts Attacking Back

From: InfoSec News (alerts@private)
Date: Fri Aug 17 2007 - 01:04:21 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=201800635

By Sharon Gaudin
InformationWeek
August 16, 2007

The Storm worm authors have another trick up their sleeves.

The massive botnet that the hackers have been amassing over the last 
several months actually is attacking computers that are trying to weed 
it out. The botnet is set up to launch a distributed denial-of-service 
(DDoS) attack against any computer that is scanning a network for 
vulnerabilities or malware. All this, according to Doug Pearson, 
technical director of Ren-Isac, which is a collaboration of 
higher-education security researchers.

Ren-Isac, which is supported largely through Indiana University, 
recently issued a warning to about 200 member educational institutions 
and then put out a much broader alert, warning colleges and universities 
that their networks could come under heavy attack.

The warning noted that researchers have seen "numerous" Storm-related 
DDoS attacks recently. As the new school year is about to get underway, 
Ren-Isac is advising security professionals that the new attack 
"represents a significant risk" for the educational sector.

With students returning to campus in the next few weeks, schools are 
expected to scan the servers on their network to find vulnerabilities 
and malware that the students are bringing back with them. When the 
scanner hits an infected computer that is part of the Storm botnet, the 
rest of the botnet directs a DDoS attack back against the computer 
running the scan, explained Pearson in an interview with 
InformationWeek. The attacks can last more than a day, and can involve 
"very significant" traffic.
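The scan-then-flood pattern described above can be spotted from the scanner's own side. The following is an added example, not code from the article, REN-ISAC or any of the researchers quoted: it correlates a vulnerability scanner's probe log with inbound flow records (all addresses, timestamps and byte counts are constructed sample data) and flags a probe that is followed within a short window by a burst from many distinct sources, which is how a retaliatory DDoS against the scanner would look.

```python
import bisect
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str     # source address
    dst: str     # destination address
    nbytes: int  # bytes carried by the flow record


# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
SCANNER = "192.0.2.10"                      # the campus vulnerability scanner
SCAN_LOG = [(1000, "198.51.100.5"),         # (probe time, probed host), sorted
            (1060, "198.51.100.6"),
            (1120, "198.51.100.7")]
# Inbound flows to the scanner: two probed hosts answer normally, but within
# seconds of the probe at t=1060, forty distinct sources start flooding it.
FLOWS = ([Flow(1010, "198.51.100.5", SCANNER, 600)]
         + [Flow(1070 + i % 30, f"203.0.113.{i}", SCANNER, 1500) for i in range(1, 41)]
         + [Flow(1130, "198.51.100.7", SCANNER, 700)])


def retaliation_events(scan_log, flows, scanner, window=120,
                       min_sources=20, min_bytes=30_000):
    """Attribute each inbound flow to the most recent probe at or before it and
    return (probe_ts, probed_host, distinct_sources, total_bytes) for probes
    followed within `window` seconds by a burst from many distinct sources.
    A single probed host replying is normal; a many-source flood is not."""
    probe_times = [ts for ts, _ in scan_log]
    per_probe = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.dst != scanner:
            continue
        i = bisect.bisect_right(probe_times, f.ts) - 1
        if i >= 0 and f.ts - probe_times[i] < window:
            per_probe[i][0].add(f.src)
            per_probe[i][1] += f.nbytes
    events = []
    for i in sorted(per_probe):
        srcs, total = per_probe[i]
        if len(srcs) >= min_sources and total >= min_bytes:
            events.append((scan_log[i][0], scan_log[i][1], len(srcs), total))
    return events


if __name__ == "__main__":
    for ts, host, n, total in retaliation_events(SCAN_LOG, FLOWS, SCANNER):
        print(f"probe of {host} at t={ts} followed by {n} sources, {total} bytes")
```

The thresholds are placeholders; on a real scanner they should be tuned to the scanner's normal reply volume so that ordinary probe responses never trip the check.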

"It's a new behavior for a botnet," said Pearson. "It's acting in a 
defensive manner. It is a little [scary], isn't it?"

He noted, however, that this is more of a danger to schools than it is 
to corporate enterprises simply because of the placement of the 
scanners. Often, explained Pearson, universities and colleges don't have 
their scanners on a private network, so the scanner is visible to the 
Internet at large. If the scanner were protected on a private network, 
as is done at most enterprises, the botnet would not be able to find it, 
so there would be no IP route over which to send the DDoS packets.

"This is the first time I've seen an automated response like this," said 
Gunter Ollmann, director of security strategy at IBM's Internet Security 
Systems. "It has less to do with the Storm worm and more to do with the 
structure of the botnet."

Since the beginning of the month, some researchers have been warning 
that as the Storm worm grows into a prolonged online siege 10 times 
larger than any other e-mail attack in the last two years -- amassing a 
very large botnet -- its authors could be setting themselves up to 
launch a damaging denial-of-service attack.

Researchers at SecureWorks and Postini have said they think the Storm 
worm authors are cultivating such an enormous botnet to do more than 
send out increasing amounts of spam. All of the bots are set up to 
launch denial-of-service attacks, and that's exactly what the 
researchers are anticipating. DoS attacks are designed to pound 
computers with countless requests that overwhelm their ability to 
respond, effectively taking the machines down.

And the latest discovery about the botnet's ability to defend itself 
with DDoS attacks is perhaps another sign that the Storm worm authors 
are adept at changing tactics.

Last week, researchers at SecureWorks discovered that the Storm worm 
authors have shifted their full attention away from e-mail-based attacks 
and have started creating malicious Web pages. E-mail-based attacks -- 
phony e-cards and fake news alerts -- have worked exceedingly well, 
helping the attackers build up a massive botnet.

Don Jackson, a security researcher at SecureWorks, said in an interview 
that slowly but surely IT managers and consumers are getting better at 
blocking or at least ignoring the e-mail attacks, so the Storm worm 
authors are setting up a secondary attack venue.

The Storm worm was first spotted this past January and has been picking 
up speed and ferocity in the past several months.





This archive was generated by hypermail 2.1.3 : Fri Aug 17 2007 - 01:29:32 PDT