Storm’s success is largely due to its ability to evolve beyond the capabilities of signature-based anti-virus (AV). Although AV can detect some variants of the botnet, Storm has outgrown the upper bounds of signature detection. Among the innovations that have undermined AV are polymorphism that re-packs the binary roughly every 15 minutes, rootkits designed to hide it from AV signatures and from the operating system itself, and the ability to disable or even lobotomize signature AV products, leaving the software appearing to run when it is not.
Signature AV is ineffective against Storm, but some behavioral AV technologies within host intrusion prevention systems (HIPS) have been able to proactively detect and block Storm despite its techniques for bypassing traditional AV. One of the most effective approaches we have seen for preventing and detecting Storm is a multi-layered one that combines strong virus prevention systems (VPS) with behavioral AV and heuristics.
What can consumers and enterprises do to protect themselves?
The first step is education. End users need to be aware of the dangers of visiting malicious sites, propagating spam and downloading “free” applications. At both the enterprise and the consumer level, a multi-layered security agent that includes HIPS, VPS and behavioral AV should be running on the endpoint. Awareness around major holidays, a favorite lure for the worm’s spam runs, is critical.
From the user’s point of view, a simple rule would be to stop clicking on links in email, period; not following the links in spam messages is the surest way to avoid falling for the social engineering. A higher degree of distrust for forwards, jokes and unsolicited emails would stop many users from being infected in the first place. Government authorities, for their part, have the opportunity to investigate and take action against the person or persons responsible for the Storm Worm, as was done against the authors of the Zotob worm.
How does someone know if their computer is part of the botnet?
In enterprises, behavioral AV and HIPS have done a decent job of preventing infection. For detection, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/Overnet) used by Storm and can in turn reveal which systems are linked to one another. In the consumer space it is usually not possible to tell whether a computer is part of Storm. If a consumer’s AV has been defeated and a rootkit has been installed, the first sign may be the ISP complaining about unusually high activity from the machine, which indicates that it is sending a lot of spam. Keep in mind that a notification of this sort could itself be another of Storm’s social engineering techniques, encouraging the user to visit a spoofed site or download an infected file to ‘clean’ the machine. Any action on a consumer’s part should only be taken after speaking with the ISP directly or visiting the ISP’s official Web site. Storm will typically not damage a PC; its parasitic nature needs the PC to be fully functional in order to thrive.
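The two network-level signs described above, a host fanning out over UDP to an unusually large set of peers (the Overnet/eDonkey P2P traffic Storm relies on) and a host sending mail directly to many destination mail servers (the spam volume an ISP notices), can both be pulled out of ordinary flow records. The following is an added example, not code from the original article or from any IPS product: it runs over a small set of constructed flow records, flags hosts whose distinct UDP peer count or distinct SMTP destination count crosses a threshold, and then reports which of the flagged hosts talk to each other. The flow record format, the addresses, the ports and the thresholds are all assumptions for illustration; real Storm nodes use varying ports, which is why the check keys on fan-out rather than on a port.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed format, assumed for this example)."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    packets: int


def make_sample_flows():
    """Constructed sample data, not real Storm traffic.

    10.0.0.5 and 10.0.0.9 play infected hosts; 10.0.0.7 is a clean workstation.
    """
    flows = []
    # Infected host: many distinct UDP peers (P2P overlay) on assorted ports ...
    for i in range(40):
        flows.append(Flow("10.0.0.5", f"203.0.113.{i + 1}", "udp", 7000 + (i % 5), 3))
    # ... and direct SMTP to many mail servers (the spam run an ISP would notice).
    for i in range(30):
        flows.append(Flow("10.0.0.5", f"198.51.100.{i + 1}", "tcp", 25, 12))
    # Second infected host with fewer peers; one peer is the first host (internal link).
    for i in range(24):
        flows.append(Flow("10.0.0.9", f"203.0.113.{i + 50}", "udp", 9000, 2))
    flows.append(Flow("10.0.0.9", "10.0.0.5", "udp", 7001, 5))
    # Clean host: DNS to two resolvers and HTTPS to a handful of sites.
    flows.append(Flow("10.0.0.7", "10.0.0.2", "udp", 53, 40))
    flows.append(Flow("10.0.0.7", "10.0.0.3", "udp", 53, 10))
    for i in range(5):
        flows.append(Flow("10.0.0.7", f"192.0.2.{i + 1}", "tcp", 443, 60))
    return flows


def udp_peer_fanout(flows):
    """Distinct UDP destinations per source host, regardless of port."""
    peers = defaultdict(set)
    for f in flows:
        if f.proto == "udp":
            peers[f.src].add(f.dst)
    return {host: len(p) for host, p in peers.items()}


def smtp_fanout(flows):
    """Distinct destination mail servers (TCP/25) per source host."""
    servers = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 25:
            servers[f.src].add(f.dst)
    return {host: len(s) for host, s in servers.items()}


def suspected_p2p_nodes(flows, min_peers=20):
    """Hosts whose UDP peer set is too wide for normal client traffic (threshold assumed)."""
    return {h for h, n in udp_peer_fanout(flows).items() if n >= min_peers}


def spam_senders(flows, min_servers=10):
    """Hosts delivering mail to many MXs directly; desktops normally use one relay."""
    return {h for h, n in smtp_fanout(flows).items() if n >= min_servers}


def p2p_links(flows, min_peers=20):
    """Pairs of suspected P2P nodes that exchange UDP with each other (linked systems)."""
    suspects = suspected_p2p_nodes(flows, min_peers)
    links = set()
    for f in flows:
        if f.proto == "udp" and f.src in suspects and f.dst in suspects:
            links.add(tuple(sorted((f.src, f.dst))))
    return links


if __name__ == "__main__":
    flows = make_sample_flows()
    print("UDP peer fan-out:", udp_peer_fanout(flows))
    print("suspected P2P nodes:", sorted(suspected_p2p_nodes(flows)))
    print("suspected spam senders:", sorted(spam_senders(flows)))
    print("links between suspects:", sorted(p2p_links(flows)))
```

On the constructed data the two infected hosts are flagged as P2P nodes, only the first is also flagged as a spam sender, and the one UDP exchange between them is reported as a link. The thresholds are the part a practitioner would tune: a DNS resolver or a legitimate P2P client will also show wide UDP fan-out, so in production the counts should be baselined per host role rather than fixed.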