Latest news
Interview with Josh Corman, Principal Security Strategist for IBM Internet Security Systems
by HNS - Tuesday, 29 April 2008.
If an organization has an AV systems are they protected?
Storm’s success is largely due to its ability to evolve beyond signature anti-virus (AV) capabilities. Although AV can detect some variants of the botnet, Storm has been able to demonstrate its knowledge and has outgrown the upper bounds of signature AV. Some of its innovations that have undermined AV include the use of polymorphism to self-modify every 15 minutes, the use of rootkits designed to hide from AV signatures and the operating system, and the ability to disable or even lobotomize signature AV products – to make the software appear that it is running when it isn’t.
Signature AV is ineffective in combating Storm, but some behavioral AV technologies within host intrusion prevention systems (HIPS) have been able to proactively detect and prevent Storm from infecting systems despite its innovative techniques to bypass traditional AV. We have seen that one of the most effective technologies to combat and detect Storm is combining strong virus prevention systems (VPS) with behavioral AV and heuristics in a multi-layered security approach.
What can consumers and enterprises do to protect themselves?
The first step is education. End users need to be aware of the dangers of visiting malicious sites, propagating spam and downloading “free” applications. At both the enterprise and at the consumer-level, a multi-layered security agent should be running on their endpoint that includes HIPS, VPS and behavioral AV. Awareness around major holidays is critical.
From the user’s point of view, a simple rule could be to stop clicking on links in email – period. One way to avoid being a victim of a social engineering tactic is by not following the links in the spam email messages. A higher degree of distrust for forwards, jokes, and unsolicited emails could stop the user from being infected in the first place. On the other hand, government authorities have the opportunity to investigate and take action against the person/s responsible for the Storm Worm – similar to what had been done against the authors of the Zotob worm.
How does someone know if its computer is part of the botnet?
In enterprises behavioral AV and HIPS have done a decent job of preventing infection. For detective purposes, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/OverNet) used by Storm and can in turn detect which systems are linked. In the consumer space, it is usually not possible to detect whether or not a computer is part of Storm. If a consumer’s AV has been defeated, and a rootkit has been leveraged, he may only know if his ISP complains about unusually high activity from his machine, indicating that he are sending a lot of spam. Keep in mind that this sort of notification could be another of Storm’s social engineering techniques, encouraging the user to visit a spoofed site or download a file with infected malcode to ‘clean’ the machine. Any actions on a consumer’s part should only be in response to talking with the ISP or visiting the ISP’s official Web. Storm will typically not damage a PC; as its parasitic nature needs the PC to be fully functional in order to thrive.
Storm’s success is largely due to its ability to evolve beyond signature anti-virus (AV) capabilities. Although AV can detect some variants of the botnet, Storm has been able to demonstrate its knowledge and has outgrown the upper bounds of signature AV. Some of its innovations that have undermined AV include the use of polymorphism to self-modify every 15 minutes, the use of rootkits designed to hide from AV signatures and the operating system, and the ability to disable or even lobotomize signature AV products – to make the software appear that it is running when it isn’t.
Signature AV is ineffective in combating Storm, but some behavioral AV technologies within host intrusion prevention systems (HIPS) have been able to proactively detect and prevent Storm from infecting systems despite its innovative techniques to bypass traditional AV. We have seen that one of the most effective technologies to combat and detect Storm is combining strong virus prevention systems (VPS) with behavioral AV and heuristics in a multi-layered security approach.
What can consumers and enterprises do to protect themselves?
The first step is education. End users need to be aware of the dangers of visiting malicious sites, propagating spam and downloading “free” applications. At both the enterprise and at the consumer-level, a multi-layered security agent should be running on their endpoint that includes HIPS, VPS and behavioral AV. Awareness around major holidays is critical.
From the user’s point of view, a simple rule could be to stop clicking on links in email – period. One way to avoid being a victim of a social engineering tactic is by not following the links in the spam email messages. A higher degree of distrust for forwards, jokes, and unsolicited emails could stop the user from being infected in the first place. On the other hand, government authorities have the opportunity to investigate and take action against the person/s responsible for the Storm Worm – similar to what had been done against the authors of the Zotob worm.
How does someone know if its computer is part of the botnet?
In enterprises behavioral AV and HIPS have done a decent job of preventing infection. For detective purposes, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/OverNet) used by Storm and can in turn detect which systems are linked. In the consumer space, it is usually not possible to detect whether or not a computer is part of Storm. If a consumer’s AV has been defeated, and a rootkit has been leveraged, he may only know if his ISP complains about unusually high activity from his machine, indicating that he are sending a lot of spam. Keep in mind that this sort of notification could be another of Storm’s social engineering techniques, encouraging the user to visit a spoofed site or download a file with infected malcode to ‘clean’ the machine. Any actions on a consumer’s part should only be in response to talking with the ISP or visiting the ISP’s official Web. Storm will typically not damage a PC; as its parasitic nature needs the PC to be fully functional in order to thrive.
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
