The massive botnet that the hackers have been amassing over the last several months actually is attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware. All this, according to Doug Pearson, technical director of Ren-Isac, which is a collaboration of higher-education security researchers.
Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack.
The warning noted that researchers have seen "numerous" Storm-related DDoS attacks recently. As the new school year is about to get underway, Ren-Isac is advising security professionals that the new attack "represents a significant risk" for the educational sector.
With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a DDoS attack back against the computer running the scan, explained Pearson in an interview with InformationWeek. The attacks can last more than a day, and can involve "very significant" traffic.
"It's a new behavior for a botnet," said Pearson. "It's acting in a defensive manner. It is a little [scary], isn't it?"
He noted, however, that this is more of a danger to schools than it is to corporate enterprises simply because of the placement of the scanners. Often, explained Pearson, universities and colleges don't have their scanners on a private network so it's visible to the Internet at large. If it was protected on a private network, the way it's done with most enterprises, the botnet would not be able to find it so there wouldn't be an IP route to send the DDoS packets.
"This is the first time I've seen an automated response like this," said Gunter Ollmann, director of security strategy at IBM's Internet Security Systems. "It has less to do with the Storm worm and more to do with the structure of the botnet."
Since the beginning of the month, some researchers have been warning that as the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a very large botnet -- its authors could be setting themselves up to launch a damaging denial-of-service attack.
Researchers at SecureWorks and Postini have said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service attacks and that's exactly what they're anticipating. DoS attacks are designed to pound computers with countless questions that flood its ability to respond, effectively taking the machine down.
And the latest discovery about the botnet's ability to defend itself with DDoS attacks is perhaps another sign that the Storm worm authors are adept at changing tactics.
Last week, researchers at SecureWorks discovered that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages. E-mail-based attacks -- phony e-cards and fake news alerts -- have worked exceedingly well, helping the attackers build up a massive botnet.
Don Jackson, a security researcher at SecureWorks, said in an interview that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.
The Storm worm was first spotted this past January and has been picking up speed and ferocity in the past several months.