Interview with Josh Corman, Principal Security Strategist for IBM Internet Security Systems
by HNS - Tuesday, 29 April 2008.
However, Storm is not static. Three hundred thousand PCs may be cleaned up while Storm is recruiting another half a million. It is like a never-ending cyber game of whack-a-mole. Part of the Storm DNA is to recruit to replace fallen or patched machines. In older botnet systems, a system administrator cleaned and patched a system and it was cured. Storm is a new epidemic; a network can get cleaned of one version and get re-infected tomorrow. Regardless of its actual current size Storm and its archetype represents a substantial risk in computational power.

What makes it different from other malware?

Past malware iterations were one trick ponies, focusing on a single method of attack that, once discovered, was easily patched and mitigated by the security industry. Storm is unprecedented in the elegant combination of independently innovative tricks it uses to obfuscate signature anti-virus. Just as unique and impressive, is Storm’s masterful use of effective Social Engineering to deliver its malware.

Is Storm just being used to send spam?

No. Storm has three recognized revenue opportunities, but is not limited to these:

1. Botnet Rentals: The large scale of the botnet is being used as real-estate for the spam community, with portions being rented/or leased by spammers to send spam using Storm as the middleman.
2. Stock Market Manipulation: Penny stock trades are being performed through mass-marketed phishing schemes to artificially inflate stock prices, creating a profit scheme for those playing the “pump and dump” stock game.
3. DDoS for Hire: Although this does not appear to be a primary source of revenue, the massive size of Storm could easily take down any Fortune 50 company, holding the servers out for ransom or simply disrupting business. Additionally, as a form of self-preservation, Storm has launched DDOS attacks on companies that have security researchers working to mitigate the botnet.

If an organization has an AV systems are they protected?

Storm’s success is largely due to its ability to evolve beyond signature anti-virus (AV) capabilities. Although AV can detect some variants of the botnet, Storm has been able to demonstrate its knowledge and has outgrown the upper bounds of signature AV. Some of its innovations that have undermined AV include the use of polymorphism to self-modify every 15 minutes, the use of rootkits designed to hide from AV signatures and the operating system, and the ability to disable or even lobotomize signature AV products – to make the software appear that it is running when it isn’t.

Signature AV is ineffective in combating Storm, but some behavioral AV technologies within host intrusion prevention systems (HIPS) have been able to proactively detect and prevent Storm from infecting systems despite its innovative techniques to bypass traditional AV. We have seen that one of the most effective technologies to combat and detect Storm is combining strong virus prevention systems (VPS) with behavioral AV and heuristics in a multi-layered security approach.

What can consumers and enterprises do to protect themselves?

The first step is education. End users need to be aware of the dangers of visiting malicious sites, propagating spam and downloading “free” applications. At both the enterprise and at the consumer-level, a multi-layered security agent should be running on their endpoint that includes HIPS, VPS and behavioral AV. Awareness around major holidays is critical.

From the user’s point of view, a simple rule could be to stop clicking on links in email – period. One way to avoid being a victim of a social engineering tactic is by not following the links in the spam email messages. A higher degree of distrust for forwards, jokes, and unsolicited emails could stop the user from being infected in the first place. On the other hand, government authorities have the opportunity to investigate and take action against the person/s responsible for the Storm Worm – similar to what had been done against the authors of the Zotob worm.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th