Storm worm strikes back at security pros
http://www.networkworld.com/news/2007/102407-storm-worm-security.html
By Tim Greene
Network World
10/24/07
The Storm worm is fighting back against security researchers that seek
to destroy it and has them running scared, Interop New York show
attendees heard Tuesday.
The worm can figure out which users are trying to probe its
command-and-control servers, and it retaliates by launching DDoS attacks
against them, shutting down their Internet access for days, says Josh
Korman, host-protection architect for IBM/ISS, who led a session on
network threats.
“As you try to investigate [Storm], it knows, and it punishes,” he says.
“It fights back.”
As a result, researchers who have managed to glean facts about the worm
are reluctant to publish their findings. “They’re afraid. I’ve never
seen this before,” Korman says. “They find these things but never say
anything about them.”
And not without good reason, he says. Some who have managed to reverse
engineer Storm in an effort to figure out how to thwart it have suffered
DDoS attacks that have knocked them off the Internet for days, he says.
As researchers test their versions of Storm by connecting to Storm
command-and-control servers, the servers seem to recognize these
attempts as threatening. Then either the worm itself or the people
behind it seem to knock them off the Internet by flooding them with
traffic from Storm’s botnet, Korman says.
A recently discovered capability of Storm is its ability to interrupt
applications as they boot up and either shut them down or allow them to
appear to boot, but disable them. Users will see that, say, antivirus is
turned on, but it isn’t scanning for viruses, or as Korman puts it, it is
brain-dead. "It’s running, but it’s not doing anything. You can
brain-dead anything," he says.
The worm has created a botnet of slave machines whose latent size and
power is unknown. The number of infected machines available to launch
spam and DoS attacks is estimated from hundreds of thousands to 50
million. Korman says he believes it’s between 6 million and 15 million.
One intimidating aspect of the botnet the worm commands is that it is
used infrequently, indicating that it is for sale or lease to what he
terms “profit nation” -- computer hackers who do their work for money,
not fame. The potential exists for the botnet to be used by political
entities for cyberterror attacks, he says.
“It’s getting more serious the more I look at it,” Korman says. “I’m
more concerned not so much about where Storm is today, but where it’s
going.”
Still, the power of Storm, also known as Peacomm, is hotly debated.
Earlier this week another expert said the worm had largely run its
course and was subsiding.