[IS&T Security-FYI] Newsletter, August 30, 2007: Special Issue

Monique Yeaton myeaton at MIT.EDU
Thu Aug 30 16:33:59 EDT 2007


The past couple of months have seen the number of malware attacks and  
vulnerability exploits rise substantially. It's not just the number  
of malware attacks that is increasing but also the speed with which  
vulnerabilities are being exploited. This special issue of Security  
FYI will be the first in a series of issues discussing some of the  
more recent malware attacks.

In this issue: Storm Worm

What is Storm worm?
Storm worm has been around since last January, when it began  
infecting thousands of computers using an email with the subject  
line: "230 dead as storm batters Europe." It later developed into  
postcard spam with subject lines such as "You've received a postcard  
from a family member!",  invitations to Independence Day events  
around the holiday, and invitations to join various "clubs."

The most recent form of attack was done spoofing YouTube. A spam  
message invites recipients to see themselves in a YouTube video, but  
the included link directs them to a website that downloads a package  
of malware.

The Storm worm currently represents about 30% of all spam. From what  
I have read, the malware it downloads doesn't affect Mac computers;  
it only affects computers running Microsoft operating systems and  
especially those running Microsoft Internet Explorer.

How does it spread?
Whatever the email subject line used, the attackers count on a user's  
lack of concern with clicking on links or attachments in emails  
coming from a dubious source. Seven years after the "I Love You"  
attacks, users are still clicking at will hoping to read news, a  
postcard, watch a video, or join an event. Many of these invitations  
require that you click on a link that leads to an infected website.

Storm uses both image spam and spam with attachments to deliver the  
malware. Both types have their benefits for spammers: image spam  
easily bypasses spam filters, and infected attachments can be  
difficult to distinguish from legitimate ones.
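As an added illustration (not part of the original newsletter), the check below flags the two lure traits described above: a subject line matching one of the quoted Storm subjects, and an HTML link whose visible text names YouTube while its href points somewhere else. The sample message and the lure.example.invalid host are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Lure subject lines quoted in the newsletter (lower-cased for matching).
LURE_SUBJECTS = {
    "230 dead as storm batters europe",
    "you've received a postcard from a family member!",
}

# Constructed sample message: the visible link text claims YouTube, but the
# href points at an unrelated host (placeholder domain, not a real IoC).
SAMPLE_MSG = """\
From: "A Friend" <friend@example.net>
To: user@example.edu
Subject: You've received a postcard from a family member!
Content-Type: text/html; charset=utf-8

<html><body>Someone spotted you in a video! Watch it here:
<a href="http://lure.example.invalid/video.exe">http://www.youtube.com/watch?v=abc123</a>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def mismatched_links(html):
    """(href_host, shown_host) pairs where the link text names another host than the href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if not shown:
            continue  # anchor text is not a URL, so there is nothing to compare
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown.group(0)).hostname or "").lower()
        if href_host != shown_host:
            out.append((href_host, shown_host))
    return out


def assess(raw):
    """Return the lure traits found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        reasons.append("known lure subject")
    body = msg.get_body(preferencelist=("html",))
    for href_host, shown_host in mismatched_links(body.get_content() if body else ""):
        reasons.append(f"link text says {shown_host} but href goes to {href_host}")
    return reasons
```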

A recent trick used by Storm is to launch a massive distributed  
denial-of-service (DDoS) attack against networks that are scanning  
for malware and vulnerabilities. In other words, it attacks the very  
computers that are trying to weed the Storm worm out. This puts  
universities at high risk because their scanners sit on a non-private  
network, making them visible to the Internet at large.

Earlier in August, researchers at SecureWorks discovered that the  
Storm worm authors have taken their full attention off of email-based  
attacks and have started creating more malicious Web pages.

What happens if infected?
The spam worked exceedingly well, helping the attackers build up a  
massive botnet. A compromised machine becomes merged into that botnet  
(a network of "zombie" computers run by host machines). Rather than  
there being one host of a centralized network of infected machines,  
there are multiple hosts. None of these hosts has a full list of the  
entire botnet, making it difficult to gauge the true extent of the  
zombie network. As the machine becomes part of this network, the  
attacks continue to grow as more and more machines are "recruited" to  
send out spam, often without the knowledge of the computer's owner or  
user.

Researchers at SecureWorks and Postini have said they think the Storm  
worm authors are cultivating such an enormous botnet to do more than  
send out increasing amounts of spam. They now estimate there are 1.7  
million infected PCs within the Storm worm botnet. All of the bots  
are set up to launch denial-of-service attacks and that's exactly  
what they're anticipating. DoS attacks are designed to pound  
computers with floods of requests that overwhelm their ability to  
respond, effectively taking the machine down.

What's being done about it?
The problem security researchers are facing is that the tactics of  
the Storm worm spam change constantly: the subject lines, the "from"  
and "to" names, and the type of email (image-based, with attachments,  
or with embedded links) all vary.

Anti-malware vendors are rolling out special updates for the latest  
versions of Storm but must do so every few days as the worm mutates.  
According to F-Secure and others, the malware code is modified every  
30 minutes, undermining standard signature-based AV's ability to  
block this threat. Risk can be reduced further through spam filtering  
and URL filtering. However, a complete solution to the problem may  
still be a long way off.

Are you at risk at MIT?
The email servers at MIT block most of the spam at the border.  
However, because about 97% of email is spam, there is a great  
likelihood that some spam will still come through. The higher your  
spam threshold, the more likely spam will get through. If it is set  
lower, more spam will be caught, but you also risk legitimate email  
being blocked. See spam filtering:  
<http://web.mit.edu/ist/services/email/nospam/>

Because the malware can also be downloaded from infected Web pages,  
spam filtering or avoiding dubious-looking email will not prevent  
infection on its own. Stay away from dangerous sites such as those  
for downloading free software tools. Users can't count on search  
engines to protect them.

Prevention is the best medicine. Keep Windows and your antivirus,  
firewall, and other security software up-to-date. Those precautions  
will reduce the chances of infection.

To learn more about virus protection, firewall protection and  
software updates at MIT:

IT Security Web page: <http://web.mit.edu/ist/topics/security/>

To read more about the Storm worm:

Information Week: <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635>

Security Focus: <http://www.securityfocus.com/news/11482>

PC World: <http://www.pcworld.com/article/id,136465-c,worms/article.html>

How to tell if your computer is a zombie:

PC World: <http://www.pcworld.com/article/id,134988/article.html>

To read more about botnets:

Security Focus: <http://www.securityfocus.com/news/11473/1>



Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security


