Bloke says Internet is at risk from gathering Storm
Host of infection
By Egan Orion: Friday, 05 October 2007, 9:45 AM

IN A COLUMN at Wired, Bruce Schneier presents an analysis of the Storm worm that should scare anyone responsible for mission-critical functions connected to the Internet.

Schneier is known as a knowledgeable, articulate and readable writer on computer security topics, so if he's worried about the Storm botnet, and he is, that's worth noticing.

The Storm worm first surfaced near the start of 2007. It is really a new, hybrid form of malware: a worm (it spreads from host to host over a network), a Trojan (it infects and takes over its hosts) and a bot (it executes commanded activities) all in one.

Unlike previous worms such as Sasser, Slammer and Nimda, which spread rapidly and could be easily detected and disinfected, the new form of malware represented by Storm is more subtle, stealthy and harder to catch and counteract. Schneier writes:

"Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain."

Schneier lists nine characteristics of the Storm botnet. If you're at all concerned about Internet security, reading them is disquieting, rather like speed-reading the screenplay of a horror movie. Here they are, in abridged summary:

1. Storm is stealthy: it's hard to detect because it's not always active.
2. Storm is like an ant colony, with separation of duties and division of labor.
3. Storm doesn't cause damage or noticeable performance impact to its hosts.
4. Storm uses a distributed peer-to-peer network for command and control.
5. Storm's controlling servers are in a constantly changing fast-flux network.
6. Storm's payload, which it uses to spread to new hosts, changes form rapidly.
7. Storm's infection mode changes regularly: PDFs, e-cards, YouTube links.
8. Storm's email changes, leveraging social engineering with different hooks.
9. Storm has started attacking anti-spam websites that try to counteract it.

Schneier doesn't yet see how the Storm botnet can be successfully countered. He points out that the antivirus vendors have been powerless against it for almost a year, and he doesn't believe quarantining infected hosts would work, even if all ISPs could be made to do that.

He does identify the underlying reason for Storm's success in spreading to perhaps as many as 50 million PCs in less than a year: Microsoft Windows. But he despairs of even thinking about fixing that, writing: "Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest." µ
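Of the nine characteristics above, the fast-flux hosting of Storm's controlling servers is the one a defender can actually look for in their own resolver logs: the records behind a flux domain carry very short TTLs, and each lookup returns a different set of addresses scattered across unrelated networks, because the "servers" are really infected home PCs acting as proxies. The following is an added example, not code from the Inquirer article, from Schneier's column, or from any Storm analysis they cite. It scores each domain in a log of A-record lookups on three signals that fast-flux networks show together (low TTL, many distinct addresses, many distinct /16 prefixes) and counts full answer turnovers between successive queries. The thresholds, the /16 prefix as a stand-in for "different network", and the sample lookup log are all assumptions constructed for the illustration; the network-diversity condition is there because TTL alone would flag ordinary CDN-served domains as well.

```python
"""Heuristic fast-flux detector over a log of DNS A-record lookups.

Added example, not from the article or Schneier's column. The thresholds
and the SAMPLE log below are constructed for illustration, not measured
from the Storm network.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Lookup:
    ts: int        # seconds since epoch when the query was made
    domain: str
    ips: tuple     # A records returned for the domain
    ttl: int       # TTL in seconds on those records


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16; an assumed cheap proxy for 'different network'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_features(lookups):
    """Per-domain counts: distinct IPs, distinct /16s, lowest TTL, full answer turnovers."""
    by_domain = defaultdict(list)
    for row in sorted(lookups, key=lambda r: r.ts):
        by_domain[row.domain].append(row)

    feats = {}
    for domain, rows in by_domain.items():
        ips, nets = set(), set()
        turnovers = 0
        prev = None
        for r in rows:
            cur = set(r.ips)
            ips |= cur
            nets |= {prefix16(ip) for ip in cur}
            # A turnover is a query whose answer shares no address with the previous one.
            if prev is not None and not (cur & prev):
                turnovers += 1
            prev = cur
        feats[domain] = {
            "queries": len(rows),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(r.ttl for r in rows),
            "full_turnovers": turnovers,
        }
    return feats


def is_fast_flux(f, max_ttl=300, min_ips=5, min_nets=3):
    """Assumed thresholds: short TTL AND many addresses AND spread over many networks.

    All three must hold; a CDN also rotates short-TTL answers but stays
    inside a handful of prefixes, which is what the min_nets condition excludes.
    """
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets)


def classify(lookups):
    """Map each domain in the log to True (looks like fast-flux) or False."""
    return {d: is_fast_flux(f) for d, f in flux_features(lookups).items()}


# Constructed sample log: a flux domain (new hosts on every query, 30 s TTL, many /16s),
# a CDN-like domain (few addresses, one prefix, short TTL) and a static site.
SAMPLE = [
    Lookup(0,    "flux.example",   ("203.0.113.7", "198.51.100.9", "192.0.2.44"), 30),
    Lookup(60,   "flux.example",   ("198.18.5.1", "100.64.7.2", "172.16.200.3"), 30),
    Lookup(120,  "flux.example",   ("10.9.8.7", "192.168.44.1", "203.0.113.200"), 30),
    Lookup(0,    "cdn.example",    ("198.51.100.10", "198.51.100.11"), 60),
    Lookup(60,   "cdn.example",    ("198.51.100.11", "198.51.100.12"), 60),
    Lookup(0,    "static.example", ("192.0.2.1",), 86400),
    Lookup(3600, "static.example", ("192.0.2.1",), 86400),
]

if __name__ == "__main__":
    for domain, f in flux_features(SAMPLE).items():
        print(f"{domain:16} {f}  fast-flux={is_fast_flux(f)}")
```

On real data the input would be passive-DNS or resolver query logs rather than a hand-built list, and the /16 stand-in would be replaced by an ASN lookup; the scoring logic stays the same. Short TTLs alone are not evidence, which is why the example refuses to flag the CDN-like domain despite its rotating, short-lived answers.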
Ha ha, why fix Windows if it's selling as it is, right?
Storm worm strikes back
They thought it was a squall
By Nick Farrell: Thursday, 25 October 2007, 8:59 AM

SECURITY experts who had written off the Storm worm as a thing of the past say that it is proving darn hard to kill.

Apparently the worm has developed the ability to work out who is trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them.

Talking to Network World, Josh Corman, host-protection architect for IBM/ISS, said the DDoS attacks can shut down security experts' PCs for days. He said that as you try to investigate Storm, it knows, and it punishes.

Researchers who have reverse engineered their own versions of Storm have to connect to these command-and-control servers to see if they are on the right track. However, the servers seem to recognise these attempts as threatening.

The researchers have found that Storm can interrupt applications as they start up and either shut them down or allow them to appear to start, but disable them. Antivirus software can be turned on, but it doesn't scan for viruses.

Corman referenced the case of Blue Security, an Israeli-based startup whose aggressive antispam measures in May 2006 drew a counterattack from spammers that was so vicious it forced the company out of business.