[ISN] Storm worm strikes back at security pros

From: InfoSec News (alerts@private)
Date: Thu Oct 25 2007 - 03:06:50 PDT


http://www.networkworld.com/news/2007/102407-storm-worm-security.html

By Tim Greene
Network World
10/24/07

The Storm worm is fighting back against security researchers who seek 
to destroy it and has them running scared, Interop New York show 
attendees heard Tuesday.

The worm can figure out which users are trying to probe its 
command-and-control servers, and it retaliates by launching DDoS attacks 
against them, shutting down their Internet access for days, says Josh 
Korman, host-protection architect for IBM/ISS, who led a session on 
network threats.

“As you try to investigate [Storm], it knows, and it punishes,” he says. 
“It fights back.”

As a result, researchers who have managed to glean facts about the worm 
are reluctant to publish their findings. “They’re afraid. I’ve never 
seen this before,” Korman says. “They find these things but never say 
anything about them.”

And not without good reason, he says. Some who have managed to reverse 
engineer Storm in an effort to figure out how to thwart it have suffered 
DDoS attacks that have knocked them off the Internet for days, he says.

As researchers test their reverse-engineered copies of Storm by 
connecting to Storm command-and-control servers, the servers seem to 
recognize these attempts as threatening. Then either the worm itself or 
the people behind it seem to knock the researchers off the Internet by 
flooding them with traffic from Storm’s botnet, Korman says.

A recently discovered capability of Storm is its ability to interrupt 
applications as they start up and either shut them down or allow them to 
appear to start, but disable them. Users will see that, say, antivirus is 
turned on, but it isn’t scanning for viruses, or as Korman puts it, it is 
brain-dead. “It’s running, but it’s not doing anything. You can 
brain-dead anything,” he says.

The worm has created a botnet of slave machines whose latent size and 
power is unknown. The number of infected machines available to launch 
spam and DoS attacks is estimated from hundreds of thousands to 50 
million. Korman says he believes it’s between 6 million and 15 million.

One intimidating aspect of the botnet the worm commands is that it is 
used infrequently, indicating that it is for sale or lease to what he 
terms “profit nation” -- computer hackers who do their work for money 
not fame. The potential exists for the botnet to be used by political 
entities for cyberterror attacks, he says.

“It’s getting more serious the more I look at it,” Korman says. “I’m 
more concerned not so much about where Storm is today, but where it’s 
going.”

Even so, the power of Storm, also known as Peacomm, is still hotly 
debated. Earlier this week another expert said the worm had pretty much 
run its course and was subsiding.






This archive was generated by hypermail 2.1.3 : Thu Oct 25 2007 - 03:17:18 PDT