funsec mailing list archives

Re: FUD or Fact: Storm retaliates


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 26 Oct 2007 10:47:56 +1300

Dude VanWinkle wrote:

The short answer to the question in your Subject: line is "Both".  The 
detailed answer is much more complex...

> The Storm worm is fighting back against security researchers ...

Fact...

...and anyone else dumb/ill-informed/etc enough to do various, shall we 
say "silly" things with respect to various parts of "the Storm 
network".  Yes, that's deliberately vague but if I told you (here) what 
I know then the people behind Storm would quickly realize several 
weaknesses and set about fixing them...

> ... that seek
> to destroy it ...

FUD.

Storm has no idea of the intentions of those "probing" it, NOR does it 
"care".  It just retaliates if you are dumb/ill-informed/etc enough...

> ... and has them running scared, ...

I don't know any security researchers "scared" of Storm, so I will say 
this is FUD.  Perhaps Josh Korman is scared and/or knows some security 
researchers scared of Storm -- if so, I'd like to know who they are (so 
I can make sure they never work with/for me etc in future).

> ... Interop New York show
> attendees heard Tuesday.

I wasn't there but will accept as a fact that the attendees did hear 
this claim.

> The worm can figure out which users are trying to probe its
> command-and-control servers, and it retaliates by launching DDoS attacks
> against them, shutting down their Internet access for days, says Josh
> Korman, host-protection architect for IBM/ISS, who led a session on
> network threats.
> from: http://www.networkworld.com/news/2007/102407-storm-worm-security.html

Fact.

> "As you try to investigate [Storm], it knows, and it punishes," he says.
> "It fights back."

Part fact, part FUD.

The Storm network detects some kinds of "probes" and retaliates.  To 
date there are other kinds of "probes" we know that it doesn't 
retaliate to.  Whether it detects these or not -- ?????

> As a result, researchers who have managed to glean facts about the worm
> are reluctant to publish their findings.  ...

"Publish" as in _public_ation -- fact.

Hmmmmm -- I wonder why that may be?

Seems this may not affect Josh Korman though.  Hmmmmmmm...

> ...  "They're afraid. I've never
> seen this before," Korman says.  ...

See comments above...

> ...  "They find these things but never say
> anything about them."

"They" (presumably Josh means _other_ researchers than him here) may 
not say anything publicly (see above) _OR_ to Josh but that doesn't 
mean "they" aren't collaborating amongst themselves and sharing their 
discoveries, distributing their efforts and so on.

That Josh is not aware of this and is scared might tell us more about 
Josh (and other researchers) than it does about Storm.

> And not without good reason, he says. Some who have managed to reverse
> engineer Storm in an effort to figure out how to thwart it have suffered
> DDoS attacks that have knocked them off the Internet for days, he says.

As a "typical" security researcher, you don't have to reverse engineer 
anything to get DDoS'ed by the Storm network, and you can reverse 
engineer it thoroughly and NOT get DDoS'ed and you can reverse engineer 
it thoroughly _and_ publicly discuss some of what you've been doing and 
get DDoS'ed because of that rather than because of what you learned 
from your RE efforts and any "probing" you may have done of the Storm 
network based on the RE work.

Yes -- all those scenarios have happened.

So, again, Josh's reported comments here seem to be simplistic to 
bordering on alarmist, and thus probably contributing to the FUD.

> As researchers test their versions of Storm by connecting to Storm
> command-and-control servers, the servers seem to recognize these
> attempts as threatening. Then either the worm itself or the people
> behind it seem to knock them off the Internet by flooding them with
> traffic from Storm's botnet, Korman says.

Josh should obviously take a great deal more care in what he is doing 
if this is his experience, or perhaps even better, stop playing with 
fire?

Yes, Storm is a problem, but naive or simplistic tinkering with it may 
more quickly drive it (or its successors) to adopt much more difficult 
to investigate methods as a result of what the Storm developers learn 
from watching the noisy, ill-informed "approaches", "attacks" etc of 
those who think they are "helping"...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.