ScamFraudAlert  


  #1  
11-22-07, 10:55 PM
Scrub (Administrator)

Mirage NACs Stave Off Storm Worm

by David Kopf

Network Access Control systems from maker Mirage Networks can now recognize and isolate the Storm Worm, and variants thereof. The Storm Worm incorporates infected computers into a global, distributed botnet estimated to range in size anywhere between 250,000 and 10 million infected computers.

The e-mail-borne Storm Worm, which started affecting computers nearly a year ago in January, uses compelling subject lines to entice users to open up attached executables (.exe), which then infect the computer and make it part of the botnet. Storm Worm's botnet is not centrally controlled and behaves in a peer-to-peer fashion, with infected machines receiving and acting upon commands from the malware's programmers without their users' knowledge, let alone permission.

Mirage said its research team acquired copies of Storm and its variants and ensured that its NACs detect and shut down the worm, which is key for Mirage "because several aspects of the worm's behavior suggest that its programmers designed it to thwart NAC applications specifically," said Grant Hartline, Mirage's chief technical officer, in a prepared statement.

The worm's behavior could indicate attempts to beat anti-virus (AV) and intrusion prevention systems (IPS), according to Mirage, which points to the fact that the code Storm uses to propagate changes every 30 minutes, which can foil signature-based AV and IPS. The distributed botnet also shifts the infected hosts' roles so that a host could cease functioning as a "command and control" server soon after it is detected, and that role reassigned to another zombified computer.

Storm Worm is also reputed to launch dedicated denial of service (DDoS) attacks on security vendors that have purposely tried to get machines infected and connected to the botnet in order to reconnoiter the network.

  #2  
11-22-07, 10:59 PM
Scrub (Administrator)
Re: Mirage NACs Stave Off Storm Worm

Quote:
Re: [IDS-9643684] DDoS attack -- scamfraudalerts.com
Verio, Oct 17

Hello Scrub,

Thank you for contacting Verio Support regarding your unresponsive server issues for scamfraudalerts.com. Your case number is IDS-9643684.

After taking a look at the server it appears the DDoS was set up with fragmented Apache requests, which connect to the server but don't process enough information to let the server decide whether or not to drop it. As a result they stick around and cause quite a high load on the server.

I have added the following to block the three IP addresses that were the source of most of the traffic, as gathered from a netstat:

221.146.205.6
89.106.41.54
87.103.181.159


This blocks all Apache (web) traffic from those three IP addresses. After performing this change the server has been running more normally, with a load between 1 and 2, which is normal.

If you have any other questions about this or see any further problems, please let us know.

Regards,

Verio VPS/MPS Support II
Last edited by Scrub; 11-22-07 at 11:03 PM.
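
The triage step the Verio reply describes, finding the heaviest sources "as gathered from a netstat", sketched as an added example; it is not part of the original post and not Verio's actual commands. It assumes the Linux `netstat -ant` column layout; the function name `top_web_sources`, the threshold, and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
# On a live host, pipe `netstat -ant` into top_web_sources instead.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:41022       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:41023       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:41024       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:41025       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:41026       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:50311     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:50312     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:50313     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:50314     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.200:33100    ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.200:33101    TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.200:33102    TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.50:60001      ESTABLISHED'

# top_web_sources PORT MIN
# Reads netstat -ant output on stdin and prints "count ip" for every remote
# IP holding at least MIN open connections to local PORT, busiest first.
# Only ESTABLISHED and SYN_RECV are counted: those are the connections that
# "stick around" and tie up server workers. TIME_WAIT is already closed.
top_web_sources() {
    awk -v port="$1" -v min="$2" '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            n = split($4, loc, ":")        # local port is the last field
            if (loc[n] != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)        # drop the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample: sources with 3+ open connections.
printf '%s\n' "$SAMPLE_NETSTAT" | top_web_sources 80 3
```

A raw connection count only ranks candidates; a proxy or NAT gateway can legitimately hold many connections, so check the top entries against the access log before blocking.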