- 10 Microsoft research projects
- 10 kitchen gadgets for the geek gourmet
- Verizon trounces competition
- Smartphone smackdown: Storm vs. iPhone
- FBI warns of holiday cyber scams
NEW YORK - A newly discovered capability of the Storm worm could invalidate results churned out by NAC products, attendees at Interop New York learned last week.
This new trick is Storm’s ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them, says Josh Corman, host protection architect for IBM/ISS.
Users will see that, for example, antivirus is turned on, but actually it isn’t scanning for viruses, or as Corman puts it, it is brain dead. “It’s running but it’s not doing anything. You can brain-dead anything," he says.
NAC vendors acknowledged at the show that this capability could thwart the endpoint checking that their products perform. NAC scans devices before they gain admission to networks looking for the likes of properly patched operating systems and personal firewalls and antivirus software that is updated and turned on.
If the software seems turned on but is doing nothing that would invalidate the scan, say representatives of NAC vendors ConSentry, Juniper and McAfee. “This is an example of why pre-admission NAC is not enough,” says Michelle McLean, director of marketing for Consentry.
Analyzing what devices attempt to do once they are on the network - post-admission NAC - is necessary as a backstop to pre-admission tests, says Vimal Solonki, senior director of product marketing for McAfee.
Storm also exemplifies the sophistication of new malware that retaliates against researchers studying it with the goal of stamping it out, Corman revealed at the show.
The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching distributed DoS attacks against them, shutting down their Internet access for days, he says.
“As you try to investigate [Storm], it knows, and it punishes,” he says. “It fights back.”
As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. “They’re afraid. I’ve never seen this before,” says Corman. “They find these things but never say anything about them.”
And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered distributed DoS attacks that have knocked them off the Internet for days, he says.
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comments (1)
Storm Befuddles Net Security - But Not For Long!By Dana Hendrickson on October 27, 2007, 9:55 pmWhile the Storm bot is important it's not something network admission control (i.e, small NAC) was ever expected to stop. This is simply another opportunity for...
Reply | Read entire comment
View all comments