[Infowarrior] - Storm worm strikes back at security pros

Richard Forno rforno at infowarrior.org
Thu Oct 25 00:48:27 UTC 2007


This story appeared on Network World at
http://www.networkworld.com/news/2007/102407-storm-worm-security.html

Storm worm strikes back at security pros
Researcher says those discovered trying to defeat worm suffer DDoS attacks

By Tim Greene, Network World, 10/24/07

The Storm worm is fighting back against security researchers that seek to
destroy it and has them running scared, Interop New York show attendees
heard Tuesday.

The worm can figure out which users are trying to probe its
command-and-control servers, and it retaliates by launching DDoS attacks
against them, shutting down their Internet access for days, says Josh
Korman, host-protection architect for IBM/ISS, who led a session on network
threats.

"As you try to investigate [Storm], it knows, and it punishes," he says. "It
fights back."

As a result, researchers who have managed to glean facts about the worm are
reluctant to publish their findings. "They're afraid. I've never seen this
before," Korman says. "They find these things but never say anything about
them."

And not without good reason, he says. Some who have managed to reverse
engineer Storm in an effort to figure out how to thwart it have suffered
DDoS attacks that have knocked them off the Internet for days, he says.

As researchers test their versions of Storm by connecting to Storm
command-and-control servers, the servers seem to recognize these attempts as
threatening. Then either the worm itself or the people behind it seem to
knock them off the Internet by flooding them with traffic from Storm's
botnet, Korman says.

A recently discovered capability of Storm is its ability to interrupt
applications as they boot up and either shut them down or allow them to
appear to boot, but disable them. Users will see that, say, antivirus is
turned on, but it isn't scanning for viruses, or as Korman puts it, it is
brain-dead. "It's running, but it's not doing anything. You can brain-dead
anything," he says.

The worm has created a botnet of slave machines whose latent size and power
is unknown. The number of infected machines available to launch spam and DoS
attacks is estimated from hundreds of thousands to 50 million. Korman says
he believes it's between 6 million and 15 million.

One intimidating aspect of the botnet the worm commands is that it is used
infrequently, indicating that it is for sale or lease to what he terms
"profit nation" -- computer hackers who do their work for money not fame.
The potential exists for the botnet to be used by political entities for
cyberterror attacks, he says.

"It's getting more serious the more I look at it," Korman says. "I'm more
concerned not so much about where Storm is today, but where it's going."

Still, the power of Storm, also known as Peacomm, is still hotly debated.
Earlier this week another expert said the worm had pretty much run its
course and was subsiding.

All contents copyright 1995-2007 Network World, Inc.
http://www.networkworld.com 



