Commenting on eWeek articles:
NAC Can't Weather the Storm - October 26, 2007
http://www.eweek.com/article2/0,1895,2207921,00.asp
Storm Worm Botnet Lobotomizing Anti-Virus Programs - October 24, 2007
http://www.eweek.com/article2/0,1895,2205606,00.asp
Our Storm Worm Research
The Storm worm and other nameless worms roaming the Internet today are extremely capable and are not getting in by brute force; they do not need to rely on the techniques currently being deployed. These worms are intruding into networks and systems almost at will without logins, passwords, or help from insiders. Hundreds of newly compromised IPs are added to the attack every day, using the same attack profile and techniques. Therefore blocking IPs and countries at your firewalls and other network access controls (NACs) is a mission impossible. The actual attack is hidden in the overload of communications and probes that come from these compromised computers, which intrude looking like normal, expected communications. Anti-virus and anti-spyware solutions are being rendered worse than useless, since they report that all is OK.
Adjusting filters and behaviors in IPS and UTM systems is also nearly unproductive, since these worms change their signature every 30 minutes or less. Once in, these worms are invisible because they come with a built-in rootkit and hide at the kernel level, and they are clever enough to change every few weeks (or days). These worms have built-in defense mechanisms: they know when they are being investigated, and they punish and fight back.
We are finding that even the best defense-in-depth (DiD) architectures, with many security appliances and software products, are having equally difficult problems stopping these worms. The filter sensitivities are different in each tool, and analyzing a single event leaves many gaps in what the logs show. Since there are so many short-burst probes and attacks each day, the logs are extremely lengthy. Often, by the time a suspicious event is identified, the files are already gone: they were installed, made critical O/S changes or downloaded other malware via open ports looking like valid communications, and then deleted themselves.
So why is the information about the Storm worm so vague? It is because the Storm worm knows the weaknesses of the security products available today and is doing a grand job of defeating and confusing computer security analysts. A new security technology and approach is required by the industry. As you can see from the posted cyber reports, we are able to prevent, capture forensics on, and analyze these worms without much difficulty. No filter adjustments or new signature updates are needed on our side. We see these attacks like watching a video game in near real time. By the way, we have not published our forensics and logs, but have provided this information through several channels. We will remain discreet about how these attacks are so successful.
Monday, October 29, 2007
Storm Worm Research
Labels: botnet, compromised systems, Dorf, Ecard, forensics, malware, Storm worm, Worm