http://www.informationweek.com/news/showArticle.jhtml?articleID=201800635
By Sharon Gaudin
InformationWeek
August 16, 2007

The Storm worm authors have another trick up their sleeves.

The massive botnet that the hackers have been amassing over the last
several months actually is attacking computers that are trying to weed
it out. The botnet is set up to launch a distributed denial-of-service
(DDoS) attack against any computer that is scanning a network for
vulnerabilities or malware. That is according to Doug Pearson,
technical director of Ren-Isac, a collaboration of
higher-education security researchers.

Ren-Isac, which is supported largely through Indiana University,
recently issued a warning to about 200 member educational institutions
and then put out a much broader alert, warning colleges and universities
that their networks could come under heavy attack.

The warning noted that researchers have seen "numerous" Storm-related
DDoS attacks recently. As the new school year is about to get underway,
Ren-Isac is advising security professionals that the new attack
"represents a significant risk" for the educational sector.

With students returning to campus in the next few weeks, schools are
expected to scan the servers on their network to find vulnerabilities
and malware that the students are bringing back with them. When the
scanner hits an infected computer that is part of the Storm botnet, the
rest of the botnet directs a DDoS attack back against the computer
running the scan, explained Pearson in an interview with
InformationWeek. The attacks can last more than a day, and can involve
"very significant" traffic.

"It's a new behavior for a botnet," said Pearson. "It's acting in a
defensive manner. It is a little [scary], isn't it?"

He noted, however, that this is more of a danger to schools than it is
to corporate enterprises simply because of the placement of the
scanners. Often, explained Pearson, universities and colleges don't have
their scanners on a private network, so the scanners are visible to the
Internet at large. If a scanner were protected on a private network, the
way it's done at most enterprises, the botnet would not be able to find
it, so there wouldn't be an IP route to send the DDoS packets.

"This is the first time I've seen an automated response like this," said
Gunter Ollmann, director of security strategy at IBM's Internet Security
Systems. "It has less to do with the Storm worm and more to do with the
structure of the botnet."

Since the beginning of the month, some researchers have been warning
that as the Storm worm grows into a prolonged online siege 10 times
larger than any other e-mail attack in the last two years -- amassing a
very large botnet -- its authors could be setting themselves up to
launch a damaging denial-of-service attack.

Researchers at SecureWorks and Postini have said they think the Storm
worm authors are cultivating such an enormous botnet to do more than
send out increasing amounts of spam. All of the bots are set up to
launch denial-of-service attacks, and that's exactly what the researchers
are anticipating. DoS attacks are designed to pound a computer with
countless requests that overwhelm its ability to respond, effectively
taking the machine down.

And the latest discovery about the botnet's ability to defend itself
with DDoS attacks is perhaps another sign that the Storm worm authors
are adept at changing tactics.

Last week, researchers at SecureWorks discovered that the Storm worm
authors have taken their full attention off of e-mail-based attacks and
have started creating malicious Web pages. E-mail-based attacks -- phony
e-cards and fake news alerts -- have worked exceedingly well, helping
the attackers build up a massive botnet.

Don Jackson, a security researcher at SecureWorks, said in an interview
that slowly but surely IT managers and consumers are getting better at
blocking or at least ignoring the e-mail attacks, so the Storm worm
authors are setting up a secondary attack venue.

The Storm worm was first spotted this past January and has been picking
up speed and ferocity in the past several months.

Received on Fri Aug 17 03:04:21 2007