8/16/2007
04:23 PM

Storm Botnet Puts Up Defenses And Starts Attacking Back

Researchers are warning universities that they're at risk of being hit with massive distributed denial-of-service attacks when they scan their own networks.

The Storm worm authors have another trick up their sleeves.

The massive botnet that the hackers have been amassing over the last several months is now attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware, according to Doug Pearson, technical director of Ren-Isac, which is a collaboration of higher-education security researchers.

Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack.

The warning noted that researchers have seen "numerous" Storm-related DDoS attacks recently. As the new school year is about to get underway, Ren-Isac is advising security professionals that the new attack "represents a significant risk" for the educational sector.

With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a DDoS attack back against the computer running the scan, explained Pearson in an interview with InformationWeek. The attacks can last more than a day, and can involve "very significant" traffic.

"It's a new behavior for a botnet," said Pearson. "It's acting in a defensive manner. It is a little [scary], isn't it?"

He noted, however, that this is more of a danger to schools than it is to corporate enterprises simply because of the placement of the scanners. Often, explained Pearson, universities and colleges don't have their scanners on a private network, so the scanners are visible to the Internet at large. If a scanner were protected on a private network, the way it's done in most enterprises, the botnet would not be able to find it, so there wouldn't be an IP route to send the DDoS packets.

"This is the first time I've seen an automated response like this," said Gunter Ollmann, director of security strategy at IBM's Internet Security Systems. "It has less to do with the Storm worm and more to do with the structure of the botnet."

Since the beginning of the month, some researchers have been warning that as the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a very large botnet -- its authors could be setting themselves up to launch a damaging denial-of-service attack.

Researchers at SecureWorks and Postini have said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service attacks, and that's exactly what the researchers are anticipating. DoS attacks are designed to pound a computer with countless questions that flood its ability to respond, effectively taking the machine down.

And the latest discovery about the botnet's ability to defend itself with DDoS attacks is perhaps another sign that the Storm worm authors are adept at changing tactics.

Last week, researchers at SecureWorks discovered that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages. E-mail-based attacks -- phony e-cards and fake news alerts -- have worked exceedingly well, helping the attackers build up a massive botnet.

Don Jackson, a security researcher at SecureWorks, said in an interview that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.

The Storm worm was first spotted this past January and has been picking up speed and ferocity in the past several months.
