Storm Botnet Puts Up Defenses And Starts Attacking Back - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management

Storm Botnet Puts Up Defenses And Starts Attacking Back

Researchers are warning universities that they're at risk of being hit with massive distributed denial-of-service attacks when they scan their own networks.

The Storm worm authors have another trick up their sleeves.

The massive botnet that the hackers have been amassing over the last several months actually is attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware. All this, according to Doug Pearson, technical director of Ren-Isac, which is a collaboration of higher-education security researchers.

Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack.

The warning noted that researchers have seen "numerous" Storm-related DDoS attacks recently. As the new school year is about to get underway, Ren-Isac is advising security professionals that the new attack "represents a significant risk" for the educational sector.

With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a DDoS attack back against the computer running the scan, explained Pearson in an interview with InformationWeek. The attacks can last more than a day, and can involve "very significant" traffic.

"It's a new behavior for a botnet," said Pearson. "It's acting in a defensive manner. It is a little [scary], isn't it?"

He noted, however, that this is more of a danger to schools than it is to corporate enterprises simply because of the placement of the scanners. Often, explained Pearson, universities and colleges don't have their scanners on a private network so it's visible to the Internet at large. If it was protected on a private network, the way it's done with most enterprises, the botnet would not be able to find it so there wouldn't be an IP route to send the DDoS packets.

"This is the first time I've seen an automated response like this," said Gunter Ollmann, director of security strategy at IBM's Internet Security Systems. "It has less to do with the Storm worm and more to do with the structure of the botnet."

Since the beginning of the month, some researchers have been warning that as the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a very large botnet -- its authors could be setting themselves up to launch a damaging denial-of-service attack.

Researchers at SecureWorks and Postini have said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service attacks and that's exactly what they're anticipating. DoS attacks are designed to pound computers with countless questions that flood its ability to respond, effectively taking the machine down.

And the latest discovery about the botnet's ability to defend itself with DDoS attacks is perhaps another sign that the Storm worm authors are adept at changing tactics.

Last week, researchers at SecureWorks discovered that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages. E-mail-based attacks -- phony e-cards and fake news alerts -- have worked exceedingly well, helping the attackers build up a massive botnet.

Don Jackson, a security researcher at SecureWorks, said in an interview that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.

The Storm worm was first spotted this past January and has been picking up speed and ferocity in the past several months.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
Commentary
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Commentary
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
Slideshows
Flash Poll