[IS&T Security-FYI] Newsletter, August 30, 2007: Special Issue
Monique Yeaton
myeaton at MIT.EDU
Thu Aug 30 16:33:59 EDT 2007
The past couple of months have seen the number of malware attacks and
vulnerability exploits rise substantially. It's not just the number
of malware attacks increasing but also the speed with which
vulnerabilities are being exploited. This special issue of Security
FYI will be the first in a series of issues discussing some of the
more recent malware attacks.
In this issue: Storm Worm
What is Storm worm?
Storm worm has been around since last January, when it began
infecting thousands of computers using an email with the subject
line: "230 dead as storm batters Europe." It later developed into
postcard spam with subject lines such as "You've received a postcard
from a family member!", invitations to Independence Day events
around the holiday, and invitations to join various "clubs."
The most recent form of attack spoofs YouTube. A spam
message invites recipients to see themselves in a YouTube video, but
the included link directs them to a website that downloads a package
of malware.
The Storm worm currently represents about 30% of all spam. From what
I have read, the malware it downloads doesn't affect Mac computers;
it only affects computers running Microsoft operating systems and
especially those running Microsoft Internet Explorer.
How does it spread?
Whatever the email subject line used, the attackers count on a user's
lack of concern with clicking on links or attachments in emails
coming from a dubious source. Seven years after the "I Love You"
attacks, users are still clicking at will hoping to read news, a
postcard, watch a video, or join an event. Many of these invitations
require that you click on a link that leads to an infected website.
Storm uses both image spam and spam with attachments to download the
malware. Both types have their benefits for spammers. Image spam
easily bypasses spam filters, and infected attachments can be
difficult to distinguish from legitimate ones.
A recent trick used by Storm is to attack networks that are scanning
for malware and vulnerabilities with a massive distributed
denial-of-service (DDoS) attack. In other words, it attacks the very
computers that are trying to weed the Storm worm out. This puts
universities at high risk because their scanners sit on a non-private
network, making them visible to the Internet at large.
Earlier in August, researchers at SecureWorks discovered that the
Storm worm authors have shifted their attention away from email-based
attacks and have started creating more malicious Web pages.
What happens if infected?
The spam worked exceedingly well, helping the attackers build up a
massive botnet. A compromised machine becomes merged into that botnet
(a network of "zombie" computers run by host machines). Rather than
there being one host for a centralized network of infected machines,
there are multiple hosts. None of these hosts has a full list of the
entire botnet, making it difficult to gauge the true extent of the
zombie network. As each machine becomes part of this network, the
attacks continue to grow as more and more machines are "recruited" to
send out spam, often without the knowledge of the computer's owner or
user.
Researchers at SecureWorks and Postini have said they think the Storm
worm authors are cultivating such an enormous botnet to do more than
send out increasing amounts of spam. They now estimate there are 1.7
million infected PCs within the Storm worm botnet. All of the bots
are set up to launch denial-of-service attacks, and that's exactly
what the researchers anticipate. DoS attacks are designed to pound a
computer with more requests than it can answer, effectively taking the
machine down.
What's being done about it?
The problem security researchers are facing is that the tactics of the
Storm worm spam change constantly: varying subject lines, "from"
and "to" names, and type of email (image-based, with
attachments, or with embedded links).
Anti-malware vendors are rolling out special updates for the latest
variants of Storm but must do so every few days as the worm mutates.
According to F-Secure and others, the malware code is modified every
30 minutes, undermining the ability of standard signature-based
antivirus to block this threat. Risk can be further reduced through
spam filtering and URL filtering. However, a complete solution to the
problem may still be a long way off.
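Since signatures lag a worm that changes every 30 minutes, URL filtering
looks at what the lure has in common across variants: the link in the
message. The script below is an added example written for this
newsletter, not a tool from MIT or from any vendor named above. It
parses a constructed sample email modelled on the YouTube-themed lure,
pulls each HTML link out of the body, and flags links whose visible
text names one site while the real target is another, whose target is a
bare IP address, or whose target host is not on a small allow-list
(the allow-list and the sample message are assumptions for the
example; 203.0.113.0/24 is a reserved documentation range).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message, modelled on the YouTube-themed lure
# described in the newsletter. Hypothetical content, not a real sample.
SAMPLE_EMAIL = """\
From: "A Friend" <friend@example.net>
To: user@example.edu
Subject: You are in this YouTube video!
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Someone caught you on camera. Watch it here:</p>
<a href="http://203.0.113.45/video.php?id=7">http://www.youtube.com/watch?v=abc123</a>
<p>Campus security advice: <a href="https://web.mit.edu/ist/security">IT Security</a></p>
</body></html>
"""

# Hosts (and their subdomains) treated as legitimate link targets.
# Assumed for the example; a real deployment would maintain its own list.
ALLOWED_DOMAINS = {"youtube.com", "mit.edu"}

ANCHOR_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hostname(url):
    """Lower-cased host of a URL, minus a leading 'www.'; '' if unparsable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is an allow-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_link(href, text, allowed=ALLOWED_DOMAINS):
    """Return the reasons a link looks like a lure (empty list if none)."""
    reasons = []
    target = hostname(href)
    shown_text = text.strip()
    # Only compare hosts when the visible text itself looks like a URL.
    shown = hostname(shown_text) if re.match(r"https?://", shown_text, re.I) else ""
    if shown and shown != target:
        reasons.append("display text names %s but link goes to %s" % (shown, target))
    if IPV4_RE.fullmatch(target):
        reasons.append("target is a bare IP address")
    if not is_allowed(target, allowed):
        reasons.append("target host %s is not on the allow-list" % target)
    return reasons


def html_body(raw):
    """Decoded text of the first text/html part of an RFC 822 message."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def scan_message(raw, allowed=ALLOWED_DOMAINS):
    """List every suspicious link in the message with the reasons it was flagged."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html_body(raw)):
        text = TAG_RE.sub("", inner)
        reasons = classify_link(href, text, allowed)
        if reasons:
            findings.append({"href": href, "text": text.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run as a script it reports the first link three times over (mismatched
display text, bare IP target, host not allow-listed) and stays silent on
the second. A mail gateway would apply the same checks before the
message reaches a user, which is the point of URL filtering: it does not
need to know today's binary to recognise the lure.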
Are you at risk at MIT?
The email servers at MIT block most of the spam at the border.
However, because about 97% of email is spam, there is a great
likelihood that some spam will still come through. The higher your
spam threshold, the more likely spam will get through. If it is set
lower, more spam will be caught, but you also risk legitimate email
being blocked. See spam filtering:
<http://web.mit.edu/ist/services/email/nospam/>
Because the malware can also be downloaded from infected Web pages,
spam filtering or avoiding dubious-looking email alone will not prevent
infection. Stay away from dangerous sites such as those for
downloading free software tools. Users can't count on search engines
to protect them.
Prevention is the best medicine. Keep Windows and your antivirus,
firewall, and other security software up-to-date. Those precautions
will reduce the chances of infection.
To learn more about virus protection, firewall protection and
software updates at MIT:
IT Security Web page: <http://web.mit.edu/ist/topics/security/>
To read more about the Storm worm:
Information Week: <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635>
Security Focus: <http://www.securityfocus.com/news/11482>
PC World: <http://www.pcworld.com/article/id,136465-c,worms/article.html>
How to tell if your computer is a zombie:
PC World: <http://www.pcworld.com/article/id,134988/article.html>
To read more about botnets:
Security Focus: <http://www.securityfocus.com/news/11473/1>
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security