Interview with Josh Corman, Principal Security Strategist for IBM Internet Security Systems
by HNS - Tuesday, 29 April 2008.
How does someone know if its computer is part of the botnet?

In enterprises behavioral AV and HIPS have done a decent job of preventing infection. For detective purposes, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/OverNet) used by Storm and can in turn detect which systems are linked. In the consumer space, it is usually not possible to detect whether or not a computer is part of Storm. If a consumerís AV has been defeated, and a rootkit has been leveraged, he may only know if his ISP complains about unusually high activity from his machine, indicating that he are sending a lot of spam. Keep in mind that this sort of notification could be another of Stormís social engineering techniques, encouraging the user to visit a spoofed site or download a file with infected malcode to Ďcleaní the machine. Any actions on a consumerís part should only be in response to talking with the ISP or visiting the ISPís official Web. Storm will typically not damage a PC; as its parasitic nature needs the PC to be fully functional in order to thrive.

What can consumers and enterprises expect as the next wave of attacks?

One thing that is predictable about Storm is that it targets major holidays. Last year, it was Valentineís Day, Independence Day, Labor Day, Halloween, Christmas and New Year. This year, it has already targeted Valentineís Day. Though there are some ďout-of-bandĒ spam runs that doesnít occur on special days, major holidays are one of the sure targets as users are likely to be more vulnerable to social engineering attacks on these occasions. Beware of upcoming e-cards for Motherís Day, Fatherís Day, downloadable and freeware surrounding major sporting events, fantasy leagues, etc. Another wave of attacks could include a shift in Stormís architecture to transition to more covert channels of communication. Stealthier command and control channels such as http may be more difficult or impossible to detect. The increased use of common channels represents a serious problem and the industry hasnít even caught up to the obvious channels that are being utilized today.

What can be done to stop Storm and who should / can stop it?

The blueprint for fighting Storm may be Storm itself. We need to be nimble, adaptive and use the human factor to our advantage. The security industry needs a distributed presence and scalable ways to protect the masses and consumer base. We need a cross industry task force to brainstorm and consider new strategies for securing the Internet in the era of Storm. This issue needs participation from security vendors, networking organizations, telecommunications carriers and the government to get serious on how to adjust our security postures. There needs to be investment in a healthy debate about how to fight large scale DDOS attacks because currently no type of technology can block one.

We will never be able to secure every system out there on the Internet. Can we adapt, evolve, and do more? Yes.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th