Interview with Josh Corman, Principal Security Strategist for IBM Internet Security Systems
by HNS - Tuesday, 29 April 2008.
Joshua Corman serves as Principal Security Strategist for IBM Internet Security Systems. With more than ten years of experience in security and networking software development, Corman is responsible for the technical vision and direction of host protection solutions. He is currently leading an industry charge to evolve defenses against the latest generations and innovations of malicious code. Corman is also charged with strategy for Data Security and End-Point Admission Control solutions.

In this Q&A session he discusses the Storm Worm.

Why is Storm so dangerous?

Its danger lies in the fact that it is a sleeping giant. The computational power of this system is tremendous. What could you do with the world’s largest supercomputer? The answer is, a lot. The current owners of Storm appear to be financially motivated. But if this same technology was in the hands of a politically motivated group it would represent a clear and present danger. Just look at recent independent cyber-attacks that have been carried out including the DDOS (distributed Denial of Service) attacks on Estonia, power outages in New Orleans, and the successful cyber reconnaissance on U.S. federal organizations. None of these were executed by Storm itself, but they give you a glimpse of what an organization like Storm could be capable of. Ultimately, despite the efforts of the security industry, Storm is still successful over one year from its birthday.

Why has Storm been so successful?

The social engineering capability of Storm is unprecedented. The true secret to its success is not technology based, it is the ability to understand human nature and what files users will open, forward and execute. Its delivery mechanisms are constantly changing from attached PDFs to mp3 files or spoofed YouTube videos to free NFL GameTrackers. Each download or execution adds another computer to its growing botnet network. The largest “recruitment” campaigns are seen around the holidays prompting users to download the dancing skeleton for Halloween or read the animated Valentines card from a secret admirer. Storm’s decentralized resilient peer to peer (P2P) botnet architecture allows it to adapt independently. It is like vapor, it just vanishes when you try to attack it.

Is it still the largest botnet? How large is it?

This security industry’s concern is not solely about the specific code that is Storm; it is about the phenomenon pioneered by Storm. The world of cyber-crime is not unlike any other emerging market, there is always an innovator and then there are copycats. As you eliminate elements of Storm, copycat versions such as MayDay, Mega-D, etc appear. The model is thriving despite the security industry’s best efforts. The archetype Storm pioneered is being improved upon.

Opinions vary on whether Storm is the largest network of its kind; estimates ran from half a million systems to 6.5 million systems over the past year with 2007 reports estimating botnet size of up to 1.8 million. On the lower end, one recent report shows that the number of Storm infected machines peaked at around 40,000 on January, 2008. The honeynet project had monitored botnets ranging in size of up to 50,000 machines. One issue is that accurate counting is very difficult. It is possible that Storm Worm is not the current largest botnet, but is one of the largest – and one of the most successful.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Dec 1st