NAC Cant Weather the Storm

NAC vendors say they can't stop Storm-infected clients, but behavior-based detection can. Fat chance, an expert says, given antiquated detection methods.

Vendor representatives on a panel Oct. 25 at Interop boasted that behavior-based observations can stop Storm-infected clients, even after NAC has given them carte blanche admission to a network.

Fat chance, an expert said, given the vendors three-year-old detection methods.

"A lot of guys who made claims that theyre doing more than AV, theyre doing a form of anomaly detection or [intrusion prevention]," by analyzing network traffic," said Joshua Corman, a principal security strategist for IBM Internet Security Systems, in an interview with eWEEK. "[But new Storm bots] dont recruit that way."

Instead, Corman said, the Storm botnet is lurking on subnets, watching and waiting to see systems talking there. "Theyre not wasteful … in their search for new targets," Corman said.

He added that the kinds of worms that would trigger behavior-based rules to show this is traffic coming from a bad actor are old school, and date to pre-2004 worm profiles that are "not even close" to the way security researchers are seeing infections now.

"Theyre much stealthier, much quieter," he said.

Corman on Oct. 23 gave a presentation at Interop on the challenge of evolving cyber-threats, emphasizing the threat from the Storm worm botnet, which is now eschewing anti-virus murder in favor of using a hot fix with a memory patch to render the protective AV programs brain-dead but still running.

According to an Oct. 22 posting by Sophos analyst Richard Cohen, the Storm botnet—Sophos calls it Dorf, and its also known as Ecard malware—is dropping files that call a routine that gets Windows to tell it every time a new process is started. The malware checks the process file name against an internal list and kills the ones that match—sometimes.

But Storm has taken a new twist: It now would rather leave processes running and just patch entry points of loading processes that might pose a threat to it. Then, when processes such as anti-virus programs run, they simply return a value of 0.

"Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didnt actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside," Cohen wrote in the posting.

The strategy means that users wont be alarmed by their anti-virus software not running. Even more ominously, the technique is designed to fool NAC (network access control) systems, which bar insecure clients from registering on a network by checking to see whether a client is running anti-virus software and whether its patched.

"Its running, but brain-dead. Its worse than shutting it off," as it opens the door for Storm bots to waltz past even networks considered to be hardened with NAC, Corman said during his Interop presentation.

Vendors on the NAC panel—Consentry, Juniper and McAfee—admitted that their technologies cant stop an infected device thats still running AV from getting onto the network. Its a clear illustration of why behavior-based detection is needed as a backup, they said.

"This is an example of why pre-admission NAC is not enough," said Michelle McLean, director of marketing for Consentry.

Vimal Solonki, senior director of product marketing for McAfee, agreed that analyzing what devices are up to after network access control technologies have let them in is necessary as a safety backup to pre-admission tests.

Corman said that would be fine if IPSes didnt have antiquated worm detection abilities.

One NAC user on the panel—Jeremy Hobbs, CIO for the Upper Canada District School Board—agreed with the NAC vendors, saying that its necessary to analyze behavior after network admittance.


Critical business information is going unsecured. Click here to read more.

That doesnt mean its practical, however. The UCDSB, which encompasses 30,000 students, 5,000 staff and 9,000 Windows PCs at 120 schools, has an IT staff of a paltry 34 employees to do everything from managing PeopleSoft and Exchange deployments to fixing PCs in the field.

One of them—just one—checks the network and NAC for anomalous behavior alerts, "on a part-time basis," he said. And even then, discerning truly threatening traffic from slightly weird traffic is a continual challenge.

Given the difficulty of weeding out threats such as Storm activity from the normal static of network traffic, Hobbs advised the audience to grill vendors on the ability to fine-tune alerting capabilities in their products.

As far as NAC and the Storm botnet go, Corman said, the best that the technology can do is to find out if a device coming onto the network is running AV and if its patched.

And that, obviously, is just not good enough, given the real potential of Storm lobotomizing AV on a device.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.