Storm worm can befuddle NAC

NEW YORK - A newly discovered capability of the Storm worm could invalidate results churned out by NAC products, attendees at Interop New York learned last week.

This new trick is Storm’s ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them, says Josh Corman, host protection architect for IBM/ISS.

Users will see that, for example, antivirus is turned on, but actually it isn’t scanning for viruses, or as Corman puts it, it is brain dead. “It’s running but it’s not doing anything. You can brain-dead anything," he says.

NAC vendors acknowledged at the show that this capability could thwart the endpoint checking that their products perform. NAC scans devices before they gain admission to networks looking for the likes of properly patched operating systems and personal firewalls and antivirus software that is updated and turned on.

Click to see: Storm fools NAC

If the software seems turned on but is doing nothing that would invalidate the scan, say representatives of NAC vendors ConSentry, Juniper and McAfee. “This is an example of why pre-admission NAC is not enough,” says Michelle McLean, director of marketing for Consentry.

Analyzing what devices attempt to do once they are on the network - post-admission NAC - is necessary as a backstop to pre-admission tests, says Vimal Solonki, senior director of product marketing for McAfee.

Storm also exemplifies the sophistication of new malware that retaliates against researchers studying it with the goal of stamping it out, Corman revealed at the show.

The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching distributed DoS attacks against them, shutting down their Internet access for days, he says.

“As you try to investigate [Storm], it knows, and it punishes,” he says. “It fights back.”

As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. “They’re afraid. I’ve never seen this before,” says Corman. “They find these things but never say anything about them.”

And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered distributed DoS attacks that have knocked them off the Internet for days, he says.

As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet, Corman says.

The sheer variety of attacks against corporate networks is also soaring, according to a study released at the show. The number of new pieces of malware has spiked dramatically starting in February, marking a new phase in attack production, security experts say.

“That’s the change in motivation,” says Ryan Sherstobitoff, product technology officer for security vendor Panda Software, which presented the results of its security survey at the show. “That’s where the business model kicks in.”