funsec mailing list archives
Re: FUD or Fact: Storm retaliates
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 26 Oct 2007 10:47:56 +1300
Dude VanWinkle wrote:

The short answer to the question in your Subject: line is "Both". The detailed answer is much more complex...
The Storm worm is fighting back against security researchers ...
Fact... ...and anyone else dumb/ill-informed/etc enough to do various, shall we say "silly" things with respect to various parts of "the Storm network". Yes, that's deliberately vague but if I told you (here) what I know then the people behind Storm would quickly realize several weaknesses and set about fixing them...
... that seek to destroy it ...
FUD. Storm has no idea of the intentions of those "probing" it, NOR does it "care". It just retaliates if you are dumb/ill-informed/etc enough...
... and has them running scared, ...
I don't know any security researchers "scared" of Storm, so I will say this is FUD. Perhaps Josh Korman is scared and/or knows some security researchers scared of Storm -- if so, I'd like to know who they are (so I can make sure they never work with/for me etc in future).
... Interop New York show attendees heard Tuesday.
I wasn't there but will accept as a fact that the attendees did hear this claim.
The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Korman, host-protection architect for IBM/ISS, who led a session on network threats.

from: http://www.networkworld.com/news/2007/102407-storm-worm-security.html
Fact.
"As you try to investigate [Storm], it knows, and it punishes," he says. "It fights back."
Part fact, part FUD. The Storm network detects some kinds of "probes" and retaliates. To date there are other kinds of "probes" we know that it doesn't retaliate to. Whether it detects these or not -- ?????
As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. ...
"Publish" as in _public_ation -- fact. Hmmmmm -- I wonder why that may be? Seems this may not affect Josh Korman though. Hmmmmmmm...
... "They're afraid. I've never seen this before," Korman says. ...
See comments above...
... "They find these things but never say anything about them."
"They" (presumably Josh means _other_ researchers than him here) may not say anything publicly (see above) _OR_ to Josh but that doesn't mean "they" aren't collaborating amongst themselves and sharing their discoveries, distributing their efforts and so on. That Josh is not aware of this and is scared might tell us more about Josh (and other researchers) than it does about Storm.
And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days, he says.
As a "typical" security researcher, you don't have to reverse engineer anything to get DDoS'ed by the Storm network, and you can reverse engineer it thoroughly and NOT get DDoS'ed, and you can reverse engineer it thoroughly _and_ publicly discuss some of what you've been doing and get DDoS'ed because of that rather than because of what you learned from your RE efforts and any "probing" you may have done of the Storm network based on the RE work. Yes -- all those scenarios have happened. So, again, Josh's reported comments here seem to be simplistic to bordering on alarmist, and thus probably contributing to the FUD.
As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm's botnet, Korman says.
Josh should obviously take a great deal more care in what he is doing if this is his experience, or perhaps even better, stop playing with fire? Yes, Storm is a problem, but naive or simplistic tinkering with it may more quickly drive it (or its successors) to adopt much more difficult to investigate methods as a result of what the Storm developers learn from watching the noisy, ill-informed "approaches", "attacks" etc of those who think they are "helping"...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.