NEW YORK - A newly discovered capability of the Storm worm could invalidate results churned out by NAC products, attendees at Interop New York learned last week.

This new trick is Storm’s ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them, says Josh Corman, host protection architect for IBM/ISS.

Users will see that, for example, antivirus is turned on, but actually it isn’t scanning for viruses, or as Corman puts it, it is brain dead. “It’s running but it’s not doing anything. You can brain-dead anything," he says.

NAC vendors acknowledged at the show that this capability could thwart the endpoint checking that their products perform. NAC scans devices before they gain admission to networks looking for the likes of properly patched operating systems and personal firewalls and antivirus software that is updated and turned on.

Click to see: Storm fools NAC

If the software seems turned on but is doing nothing that would invalidate the scan, say representatives of NAC vendors ConSentry, Juniper and McAfee. “This is an example of why pre-admission NAC is not enough,” says Michelle McLean, director of marketing for Consentry.

Analyzing what devices attempt to do once they are on the network - post-admission NAC - is necessary as a backstop to pre-admission tests, says Vimal Solonki, senior director of product marketing for McAfee.

Storm also exemplifies the sophistication of new malware that retaliates against researchers studying it with the goal of stamping it out, Corman revealed at the show.

The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching distributed DoS attacks against them, shutting down their Internet access for days, he says.

“As you try to investigate [Storm], it knows, and it punishes,” he says. “It fights back.”

As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. “They’re afraid. I’ve never seen this before,” says Corman. “They find these things but never say anything about them.”

And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered distributed DoS attacks that have knocked them off the Internet for days, he says.