Gathering 'Storm' Superworm Poses Grave Threat to PC Nets

That is a really interesting article. But my question is, if they know that it exists, shouldn't they also know what files it lies in?? Why can't they scrub those files??
 
Part of the problem is it's constantly changing its signature, and location, etc. Tracking it down is very difficult, and the worst part is people rarely notice they are infected because it just lies dormant, not doing a damn thing, until it receives marching orders to do otherwise.
 
Here's a wiki on it:

http://en.wikipedia.org/wiki/Storm_botnet

Note the MS statistics at the end:

The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online.[19] The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity.[7] On September 25th, it was estimated that a Microsoft update to the Windows Malicious Software Removal Tool they offer may have helped reduce the size of the botnet by up to 20%.[20] The new patch, as claimed by Microsoft, removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems.[21] However, according to senior security staff at Microsoft, "the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the 'Storm' botnet," indicating that the MSRT cleaning may have been symbolic at best.

It's a war being fought, and the thing is that the criminals seem to be winning this one for now.
 
It's a war being fought, and the thing is that the criminals seem to be winning this one for now.
They always have been. The "good guys" can't react as fast as the bad guys, and that latency is where the bad guys win.

I just hunker down, protect what I can where I can and keep my head out of the line of fire. :)
 
You know, this worm might not be as effective if we could stop stupid people from using the Internet.
 
Microsoft's Blog about the Storm "Worm":
http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

The Microsoft Write Up:
http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=1073746027

The Nuwar guys are good at social engineering, but as to the prevalence of this trojan? I don't rate it as high as other people do.

If you guys have specific questions about Nuwar, I'd be happy to answer them to the best of my knowledge.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Removing executables from email and having a default deny firewall policy for outbound traffic would probably do a lot to mitigate the risk posed by Storm.
 
Removing executables from email and having a default deny firewall policy for outbound traffic would probably do a lot to mitigate the risk posed by Storm.

a default deny for outbound? HAHAHAHAHA, you've never admin'd a firewall (ASA/PIX/Checkpoint), have you? Why would you even have an internet facing circuit with a default deny? As a security engineer, that'd be a nightmare. Every time some dipshit wanted access to a site, you'd have to go in and add to the ACL, it would be gi-normous and ridiculous and not human readable within a week. That would be a huge project, sucking up a lot of man-hours, it would actually be easier to switch to BSD and train everyone how to use it and also change your entire infrastructure, lol.
 
a default deny for outbound? HAHAHAHAHA, you've never admin'd a firewall (ASA/PIX/Checkpoint), have you? Why would you even have an internet facing circuit with a default deny? As a security engineer, that'd be a nightmare. Every time some dipshit wanted access to a site, you'd have to go in and add to the ACL, it would be gi-normous and ridiculous and not human readable within a week. That would be a huge project, sucking up a lot of man-hours, it would actually be easier to switch to BSD and train everyone how to use it and also change your entire infrastructure, lol.

I don't know what world you live in, but this is the way every enterprise network I have ever worked on was set up. No new rules or changes are implemented without a change control process that validates the reason for the change. I've worked on some pretty large (4000+ node) networks as well.
 
a default deny for outbound? HAHAHAHAHA, you've never admin'd a firewall (ASA/PIX/Checkpoint), have you? Why would you even have an internet facing circuit with a default deny? As a security engineer, that'd be a nightmare. Every time some dipshit wanted access to a site, you'd have to go in and add to the ACL, it would be gi-normous and ridiculous and not human readable within a week. That would be a huge project, sucking up a lot of man-hours, it would actually be easier to switch to BSD and train everyone how to use it and also change your entire infrastructure, lol.

Default deny on everything except ports that are necessary for business use.

Do you think this worm operates on port 80?

My organization does a default deny on all outbound ports but 80, 443, and 21. Works great for us.
 
so, uh, smtp, DNS(!), pop3 and everything else doesn't work....wow, what a productive office. VPN doesn't work, ssh, telnet, any sort of telnet....lol, I'm glad I work where I do, then...

Usually, you deny any inbound connections and allow all outbound connections, unless you have an ACL in place, but denying outbound? Have fun with that. Oh, btw, TCP isn't the only thing out there, there are a lot of other protocols that use IP... some important ones: TCP/UDP/ICMP/ESP/AH just to mention a few, not everything has a port... lol
 
I would guess the majority of the infected hosts aren't in an enterprise setting either, but rather on random Joe's computer sitting at home.
 
so, uh, smtp, DNS(!), pop3 and everything else doesn't work....wow, what a productive office. VPN doesn't work, ssh, telnet, any sort of telnet....lol, I'm glad I work where I do, then...

Usually, you deny any inbound connections and allow all outbound connections, unless you have an ACL in place, but denying outbound? Have fun with that. Oh, btw, TCP isn't the only thing out there, there are a lot of other protocols that use IP... some important ones: TCP/UDP/ICMP/ESP/AH just to mention a few, not everything has a port... lol
Our employees have no need to VPN, SSH, or telnet out of the office, no.

We deny all inbound connections except certain ports to certain IPs. We allow incoming VPN to our VPN concentrator, SSL and SMTP connections to our mail server, and a few assorted others.

We run a very secure network. We don't "have fun" with it - we perform work with it. But it's quite an effective setup.
 
The funniest thing is reading people's comments. You geniuses at computer tech telling how to stop it and stuff, while nobody that actually works on this field has found a way to stop this worm.
 
The funniest thing is reading people's comments. You geniuses at computer tech telling how to stop it and stuff, while nobody that actually works on this field has found a way to stop this worm.
Stopping it on your own PC and your own network is a very different thing than stopping it for everyone on the entire internet ;)
 
yeah, it just sounds like a ridiculous headache, plus, I work at a NOC, so I need to do random things on the internet, so a restrictive firewall would be a pain in the dick, so I'd probably just go into our ASA and whack that ACL. There's a difference between running a secure network, and just being a nazi that hurts productivity. There's a reason why some really smart guys made IDS/IPS stuff like SNORT or CSMARS. So you wouldn't have to limit everything, then do some good troubleshooting when something didn't make it past the firewall.



Oh, and have fun not using ftp, you need 20-21 for active and a huge headache for passive.
 
Stopping it on your own PC and your own network is a very different thing than stopping it for everyone on the entire internet ;)

yeah, solving the world's problems, lol, I should just do that for free rather than protect the network that pays me, amirite? I work in the field, have not run into it, and don't really give a shit. When I run across it, I'll worry, until then, I have plenty of work to do. Welcome to IT, watch your step.
 
The funniest thing is reading people's comments. You geniuses at computer tech telling how to stop it and stuff, while nobody that actually works on this field has found a way to stop this worm.

I do work in the field, and it's fairly easy to stop: have active AV software. The mass mailing part contains links to compromised web servers, so it's hard for anti-spam software to block the links.

The Nuwar guys make new variants and find new ways to trick people into clicking their links. It's an entirely Social Engineered trojan.

As to the Storm "Worm" problem, the media has blown it out of proportion.

http://www.microsoft.com/security/portal/

Shows the top threats removed by MSMRT, the tool I own testing of. Nuwar isn't on the list of Top 10 Removals. It is a problem, I don't want to make it seem like it isn't a problem, but there are bigger malware families causing problems than Nuwar. (Zlob for example)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
yeah, it just sounds like a ridiculous headache, plus, I work at a NOC, so I need to do random things on the internet, so a restrictive firewall would be a pain in the dick, so I'd probably just go into our ASA and whack that ACL. There's a difference between running a secure network, and just being a nazi that hurts productivity. There's a reason why some really smart guys made IDS/IPS stuff like SNORT or CSMARS. So you wouldn't have to limit everything, then do some good troubleshooting when something didn't make it past the firewall.



Oh, and have fun not using ftp, you need 20-21 for active and a huge headache for passive.

All the things you mention are not one-size-fits-all solutions. There is no silver bullet in IT, and a single product can be customized to fit the needs of an organization. To say that a default deny is nazi and hurts productivity is naive. Sure, it may not meet your needs, but it does meet the needs of most organizations. In fact, default deny is pretty much a security principle (Link).

IT happens to be a usual exception to some of these policies. That's normal, and you deal with exceptions as they occur. Generally, they don't occur that often. The big idea here is that IT sets security policy in conjunction with the business (executives and managers) to define what is and is not acceptable.
 
As to the Storm "Worm" problem, the media has blown it out of proportion.

Perhaps, but to some extent, occasional media exposure helps overall by waking up some people into installing updates, running the MS scanner, updating expired malware scanners, etc.
 
Thanks to everyone who tried to enlighten Rabidfox, even though it apparently had no effect. :p
 
Thanks to everyone who tried to enlighten Rabidfox, even though it apparently had no effect. :p

ha ha, wow, have fun with your default deny for outbound, I guess all you 18 y/o engineers have me beat.


Oh, and look into IPS/IDS solutions, it's a lot less of a headache than creating an ACL for every network you want to have access to. They'll find your worm quick enough to stop any productivity loss.
 
ha ha, wow, have fun with your default deny for outbound, I guess all you 18 y/o engineers have me beat.


Oh, and look into IPS/IDS solutions, it's a lot less of a headache than creating an ACL for every network you want to have access to. They'll find your worm quick enough to stop any productivity loss.
Man, you just don't get it. You seem to think that we're just discussing our network security practices in theory.

The reality is that this is how we run networks. What you are telling us to "have fun" with is what we do day in and day out. This is reality - this is how people out there, in the real world - how security professionals run secure networks.

Do you think that the NSA's core routers are default permit? No, they're not. You permit incoming and outgoing connections over ports and protocols that you need to use, and you turn everything else off. Exceptions are rare with good planning and easily handled.

That's The Real World. You're obviously quite excited about getting into this field, and you think the way your network runs is the way all serious professionals run their networks. Well, wake up, kid. It's not.

My network *uses* default deny. It actually does. It uses web content filtering. It uses IPS and IDS. It uses encrypted, secure tunnels between sites. It uses locked down desktop machines with active malware scanning and firewalls. These are fundamental needs for a good, secure network. This is what you learn at security conferences and workshops taught by top security professionals. This is what we do, day in and day out, in the real world.

This is security - and you seem to think it's just too big of a hassle to implement effectively. Your opinion went out of style 10 years ago and is responsible for the sorry state of enterprise network security in the world.
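The two policies argued over in this thread (allow all outbound versus default deny with explicit allows for business needs, scoped by source host so DNS, SMTP and portless protocols like ESP still work) can be compared concretely. This is an added example, not code from any poster; every host label and flow in it is constructed for illustration.

```python
# Added example, not code from the thread: evaluate constructed outbound flows
# against a default-permit policy and a default-deny policy (first match wins).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str                    # constructed host label
    proto: str                  # tcp, udp, icmp, esp, ... (not all have ports)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port (or a portless proto)
    src: Optional[str] = None    # None matches any source host

    def matches(self, f: Flow) -> bool:
        return ((self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.src is None or self.src == f.src))

def decide(rules, default, f):
    """Action of the first rule matching f, else the policy default."""
    return next((r.action for r in rules if r.matches(f)), default)

DEFAULT_PERMIT = []  # Policy A: allow all outbound, the setup one poster calls "usual"

# Policy B: default deny outbound with explicit, source-scoped allows so that
# DNS, SMTP and IPsec still work from the hosts that legitimately need them.
DEFAULT_DENY = [
    Rule("allow", "tcp", 80), Rule("allow", "tcp", 443), Rule("allow", "tcp", 21),
    Rule("allow", "udp", 53, src="resolver"),    # only the internal resolver
    Rule("allow", "tcp", 25, src="mailserver"),  # only the mail relay
    Rule("allow", "esp", src="vpn-gateway"),     # IPsec ESP has no port
]

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("workstation", "tcp", 443),    # normal browsing
    Flow("resolver", "udp", 53),        # recursive lookup by the resolver
    Flow("workstation", "udp", 53),     # desktop bypassing the resolver
    Flow("mailserver", "tcp", 25),      # outbound mail from the relay
    Flow("workstation", "tcp", 25),     # desktop sending mail directly
    Flow("workstation", "udp", 41234),  # unexplained high-port UDP
    Flow("vpn-gateway", "esp"),         # site-to-site IPsec
]

def evaluate(rules, default):
    return {f: decide(rules, default, f) for f in SAMPLE_FLOWS}

def blocked_only_by_default_deny():
    """Flows that default-permit lets through but default-deny stops."""
    a, b = evaluate(DEFAULT_PERMIT, "allow"), evaluate(DEFAULT_DENY, "deny")
    return sorted((f.src, f.proto, f.dport) for f in SAMPLE_FLOWS
                  if a[f] == "allow" and b[f] == "deny")
```

Under the permissive policy every sample flow passes; under the scoped default deny, the legitimate resolver, relay and VPN traffic still passes while the desktop's direct DNS, direct SMTP and unexplained high-port UDP are dropped.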
 
While I don't disagree that default deny is a good thing, I think it truly depends on the situation. While in an enterprise there are different sectors that need different restrictions, it's about keeping those in mind that you can do the most good. In some situations a default deny really doesn't help, such as in the case of a dedicated hosting support staff; in that situation you have to do a lot of testing that a default deny would just make a big hassle to get done. In the end though, I don't think the problem needs to be addressed in the enterprise. The problems are with the average person with cable or DSL who doesn't know how to keep themselves secure and clean; that's where the problem exists and where it really needs to be addressed.

Sorry for the crappy formatting/wording.
 
Clearly you do not know how TCP/IP works.

a default deny for outbound? HAHAHAHAHA, you've never admin'd a firewall (ASA/PIX/Checkpoint), have you? Why would you even have an internet facing circuit with a default deny? As a security engineer, that'd be a nightmare. Every time some dipshit wanted access to a site, you'd have to go in and add to the ACL, it would be gi-normous and ridiculous and not human readable within a week. That would be a huge project, sucking up a lot of man-hours, it would actually be easier to switch to BSD and train everyone how to use it and also change your entire infrastructure, lol.
 
LoL, you can lock down a network all the way you want, but somehow, somewhere, someone is going to find a way to screw things up. It's the human factor that poses the biggest danger, and yeah, most of these "bot nets" are made up of people who don't know crap about security and they'll click on any stupid link out on their MySpace. I'm just tired of telling my wife over and over again not to download crap, but I just have to keep cleaning. Even I blame myself, I'm dumb enough to click on random stuff from time to time. I guess here, curiosity did kill the cat. There is a magic bullet: ELIMINATE THE HUMAN FACTOR! :p. Man, it's 4am and I'm at work, that's just not right. Oh, and I work at a helpdesk, so every day I have to help some guy 'cause he's not even able to remember an alphanumeric 8-digit password...
 
While I don't disagree that default deny is a good thing, I think it truly depends on the situation. While in an enterprise there are different sectors that need different restrictions, it's about keeping those in mind that you can do the most good. In some situations a default deny really doesn't help, such as in the case of a dedicated hosting support staff; in that situation you have to do a lot of testing that a default deny would just make a big hassle to get done. In the end though, I don't think the problem needs to be addressed in the enterprise. The problems are with the average person with cable or DSL who doesn't know how to keep themselves secure and clean; that's where the problem exists and where it really needs to be addressed.

Sorry for the crappy formatting/wording.

Exactly. However, the problem with Rabidfox is that he seems to think that his network and business is representative of every other network out there, ignoring what other people are saying about how they run their network. Using half a firewall might be adequate, and in some cases legally mandatory for, say, a university, but that probably won't suffice for a company like Boeing and many others.
 
ok, I see what you're saying. My network is smaller, but does do L2L with other larger custs. We also firewall/segment our VLANs out so we don't have to worry about a default deny for outbound traffic. When you said Boeing, that means govt regulations, and they get a bit crazy about things. And it's really not half a firewall, it's the granularity that I like. I'd rather see the hit counter on the traffic I want to drop and specify what I don't want to happen, rather than the other way around, at least on the internet facing firewall, which is what we were talking about. Internal FWs segment off VLANs and have their own rules. So, I guess I can see your points, but a blanket deny would seem a bit excessive in some areas. I've seen ASA configs that were 9MB when I pulled them down, I nearly choked.

I guess I blew up because we don't normally have to do a default deny on the outbound on our internet facing ASA. It gets taken care of by the VLAN FWs; we always try to stop traffic as close to the source as possible. We're also a NOC, so we don't have obnoxious users clicking on everything in sight, so we don't need to lock everything down. If you were in that situation, I guess you'd find it pretty helpful to add a default deny on the outbound, but it still seems wasteful. Why let it get all the way there?
 