In enterprises, behavioral AV and HIPS have done a decent job of preventing infection. For detective purposes, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/Overnet) used by Storm and can in turn detect which systems are linked. In the consumer space, it is usually not possible to detect whether or not a computer is part of Storm. If a consumer's AV has been defeated and a rootkit has been leveraged, he may only know if his ISP complains about unusually high activity from his machine, indicating that he is sending a lot of spam. Keep in mind that this sort of notification could be another of Storm's social engineering techniques, encouraging the user to visit a spoofed site or download a file with infected malcode to 'clean' the machine. Any actions on a consumer's part should only be in response to talking with the ISP or visiting the ISP's official Web site. Storm will typically not damage a PC, as its parasitic nature needs the PC to be fully functional in order to thrive.
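As an added example (not from the original article), a minimal form of the network behavioral check described above, run over constructed flow records: internal hosts with an unusually high UDP peer fan-out are flagged as P2P-like, and the flows between flagged hosts then show which systems are linked. The addresses, port and threshold are assumed values.

```python
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port).
# Two internal hosts (10.0.0.5, 10.0.0.9) talk UDP to many peers and to each
# other; 10.0.0.7 only does DNS and HTTPS. All values are made up.
FLOWS = [
    ("10.0.0.5", "198.51.100.1", "udp", 7871),
    ("10.0.0.5", "198.51.100.2", "udp", 7871),
    ("10.0.0.5", "203.0.113.7", "udp", 7871),
    ("10.0.0.5", "10.0.0.9", "udp", 7871),
    ("10.0.0.9", "198.51.100.3", "udp", 7871),
    ("10.0.0.9", "203.0.113.8", "udp", 7871),
    ("10.0.0.9", "203.0.113.9", "udp", 7871),
    ("10.0.0.9", "10.0.0.5", "udp", 7871),
    ("10.0.0.7", "10.0.0.1", "udp", 53),
    ("10.0.0.7", "198.51.100.50", "tcp", 443),
]

INTERNAL_PREFIX = "10."     # assumed: the monitored network is 10.0.0.0/8
UDP_PEER_THRESHOLD = 4      # assumed tuning value; baseline this per network


def udp_peer_counts(flows):
    """Distinct UDP peers seen per host, counting both directions."""
    peers = defaultdict(set)
    for src, dst, proto, _port in flows:
        if proto == "udp":
            peers[src].add(dst)
            peers[dst].add(src)
    return {host: len(p) for host, p in peers.items()}


def flag_p2p_hosts(flows, threshold=UDP_PEER_THRESHOLD):
    """Internal hosts whose UDP fan-out meets the threshold (P2P-like)."""
    counts = udp_peer_counts(flows)
    return sorted(h for h, n in counts.items()
                  if n >= threshold and h.startswith(INTERNAL_PREFIX))


def linked_systems(flows, threshold=UDP_PEER_THRESHOLD):
    """Pairs of flagged hosts that exchange UDP with each other."""
    flagged = set(flag_p2p_hosts(flows, threshold))
    links = set()
    for src, dst, proto, _port in flows:
        if proto == "udp" and src in flagged and dst in flagged:
            links.add(tuple(sorted((src, dst))))
    return sorted(links)


if __name__ == "__main__":
    print("P2P-like hosts:", flag_p2p_hosts(FLOWS))
    print("linked systems:", linked_systems(FLOWS))
```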
What can consumers and enterprises expect as the next wave of attacks?
One thing that is predictable about Storm is that it targets major holidays. Last year, it was Valentine's Day, Independence Day, Labor Day, Halloween, Christmas and New Year. This year, it has already targeted Valentine's Day. Though there are some "out-of-band" spam runs that don't occur on special days, major holidays are one of the sure targets, as users are likely to be more vulnerable to social engineering attacks on these occasions. Beware of upcoming e-cards for Mother's Day and Father's Day, and downloadable files and freeware surrounding major sporting events, fantasy leagues, etc. Another wave of attacks could include a shift in Storm's architecture to transition to more covert channels of communication. Stealthier command and control channels such as HTTP may be more difficult or impossible to detect. The increased use of common channels represents a serious problem, and the industry hasn't even caught up to the obvious channels that are being utilized today.
What can be done to stop Storm and who should / can stop it?
The blueprint for fighting Storm may be Storm itself. We need to be nimble, adaptive and use the human factor to our advantage. The security industry needs a distributed presence and scalable ways to protect the masses and consumer base. We need a cross-industry task force to brainstorm and consider new strategies for securing the Internet in the era of Storm. This issue needs participation from security vendors, networking organizations, telecommunications carriers and the government to get serious about how to adjust our security postures. There needs to be investment in a healthy debate about how to fight large-scale DDoS attacks, because currently no type of technology can block one.
We will never be able to secure every system out there on the Internet. Can we adapt, evolve, and do more? Yes.