    Storm Worm Botnet Lobotomizing Anti-Virus Programs

    By
    Lisa Vaas
    -
    October 24, 2007

      NEW YORK—The ever-mutating, ever-stealthy Storm worm botnet is adding yet another trick to its vast repertoire: Instead of killing anti-virus products on target systems, it's now doing a hot fix with a memory patch to render them brain-dead.

      The finding was made by Sophos and was mentioned by Joshua Corman, a principal security strategist for IBM Internet Security Systems, Oct. 23 in his presentation here at Interop on the challenge of evolving cyber-threats.

      According to an Oct. 22 posting by Sophos analyst Richard Cohen, the Storm botnet—Sophos calls it Dorf, and it's also known as Ecard malware—is dropping files that call a routine that gets Windows to tell it every time a new process is started. The malware checks the process file name against an internal list and kills the ones that match—sometimes. But Storm has taken a new twist: It now would rather leave processes running and just patch the entry points of loading processes that might pose a threat to it. Then, when processes such as anti-virus programs run, they simply return a value of 0.

      “Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn't actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside,” Cohen wrote in the posting.

      The strategy means that users won't be alarmed by their anti-virus software not running. Even more ominously, the technique is designed to fool NAC (network access control) systems, which bar insecure clients from registering on a network by checking to see whether a client is running anti-virus software and whether it's patched.
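      As an added example (not from the article, Sophos or IBM ISS), one defender-side check that the entry-point patch above would not pass: instead of asking only whether the anti-virus process is running, as the NAC checks described here do, compare the bytes at a module's entry point in a live memory snapshot against the trusted on-disk image. The PE header parsing is real; the two images and the stub signature table are constructed inline, and obtaining the live snapshot (for instance with ReadProcessMemory) is assumed to happen elsewhere.

```python
import struct

# Constructed signature table: the "return 0 immediately" patch the article describes.
RETURN_ZERO_STUBS = {
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
}

def entry_point_rva(image: bytes) -> int:
    """Read AddressOfEntryPoint from a PE32 image laid out as it is in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20      # after signature and 20-byte COFF header
    (entry_rva,) = struct.unpack_from("<I", image, optional_header + 16)
    return entry_rva

def check_entry_point(clean_image: bytes, live_image: bytes, n: int = 8) -> dict:
    """Compare n bytes at the entry point of a trusted image with a live snapshot."""
    # "Is it running?" passes with a lobotomized process; "is its entry code intact?" does not.
    rva = entry_point_rva(clean_image)
    expected = clean_image[rva:rva + n]
    observed = live_image[rva:rva + n]
    stub = next((d for s, d in RETURN_ZERO_STUBS.items() if observed.startswith(s)), None)
    return {"entry_rva": rva, "patched": expected != observed, "stub": stub}

def build_image(entry_code: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed sample only: a minimal PE32 header followed by entry_code at entry_rva."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += b"\0" * (0xE0 - len(opt))
    header = dos + b"PE\0\0" + coff + opt
    return header + b"\0" * (entry_rva - len(header)) + entry_code

# Constructed inputs: a normal function prologue, and the same image after patching.
CLEAN_ENTRY = b"\x55\x8b\xec\x83\xec\x10\x53\x56"     # push ebp; mov ebp,esp; ...
PATCHED_ENTRY = b"\x33\xc0\xc3" + CLEAN_ENTRY[3:]    # xor eax,eax; ret; leftover bytes

def demo() -> tuple:
    clean = build_image(CLEAN_ENTRY)
    return (check_entry_point(clean, clean), check_entry_point(clean, build_image(PATCHED_ENTRY)))

if __name__ == "__main__":
    for r in demo():
        print(r)
```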

      “It's running but brain-dead. It's worse than shutting it off,” as it opens the door for Storm bots to waltz past even networks considered to be hardened with NAC, Corman said during his Interop presentation.

      It's the latest evidence of why Storm is “the scariest and most substantial threat” security researchers have ever seen, he said. Storm is patient, it's resilient, it's adaptive in that it can defeat anti-virus products in multiple ways (programmatically, it changes its signature every 30 minutes), it's invisible because it comes with a rootkit built in and hides at the kernel level, and it's clever enough to change every few weeks.

      It has its own mythology: Composed of up to 50 million zombie PCs, it has as much power as a supercomputer, the stories go, with the brute strength to crack Department of Defense encryption schemes.


      In reality, security researchers in the know peg the size of the peer-to-peer botnet at 6 million to 15 million PCs, and not on par with a supercomputer. And it can't break encryption keys. Still, it has security researchers terrified, Corman said.

      “[Storm is] the scariest and most substantial threat we've ever seen,” he said. “There's a lot of exaggerations of how many systems are infected … [and how its power is like that of a supercomputer]. That's fiction. It's still a lot of power, though. … Some of my best and highest-profile clients are very concerned about Storm right now.”


      Storm's mystique comes in part from one of the most challenging aspects of dealing with the botnet: its rabid self-defense mechanisms.

      “If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously,” he said. “[Over at] SecureWorks, a chunk of it DDoS-ed [directed a distributed-denial-of-service attack] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back.”

      Those researchers who have devised ways to accurately research the scope, techniques and technologies of the botnet are hushed up by their superiors who are well-aware of the retribution that botnet herders have already wrought on those who tried to defeat them, Corman said.

      Hence the hush-hush nature of research around Storm. Corman said he can tell us that it's now accurately pegged at 6 million, but he can't tell us who came up with the figure, or how. Besides retribution, Storm's ability to morph means that those who know how to watch it are jealously guarding their techniques. “None of the researchers wanted me to say anything about it,” Corman said. “They're afraid of retaliation. They fear that if we disclose their unique means of finding information on Storm,” the botnet herder will change tactics yet again and the window into Storm will slam shut.

      What really has his clients worried, though, is what Storm hasn't yet done, Corman said, with the exception of small hits such as that against SecureWorks or other researchers—ransoming sites with DDoS.

      There's precedent for such a scenario, and the results haven't been cheering. When it comes to the war of good guys (security researchers) versus bad guys (botnet herders), botnets have won, hands down.

      Corman referenced the case of Blue Security, an Israeli-based startup whose aggressive anti-spam measures in May 2006 drew a counterattack from spammers that was so vicious, it forced the company out of business.

      “Somebody wrote a [botnet], and Blue Security did a really good job of fighting,” Corman said. “So [the attackers] did a DDoS and took it off the Net for awhile. Blue Security went to the best anti-DDoS technology on earth. The next onslaught came and [Blue Security's defenses] worked. So the botnet herder stole two other people's botnets. With three botnets, [the attack] worked, to the point where the ISP said, 'I'm not going to let you take down my entire ISP to protect you, you're on your own.' And Blue Security is now out of business.”

      A particularly disturbing point to keep in mind, Corman said: Botnets in May 2006 were very, very small, compared with Storm.


      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.