<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><DIV><BR></DIV><DIV>The past couple of months have seen a substantial rise in the number of malware attacks and vulnerability exploits. It is not just the number of attacks that is increasing but also the speed at which newly disclosed vulnerabilities are being exploited. This special issue of Security FYI is the first in a series discussing some of the more recent malware attacks.</DIV><DIV><BR></DIV><DIV><B>In this issue: Storm Worm</B></DIV><DIV><BR></DIV><DIV><B>What is Storm worm?</B></DIV><DIV>Storm worm has been around since last January, when it began infecting thousands of computers using an email with the subject line "230 dead as storm batters Europe." It later moved on to postcard spam with subject lines such as "You've received a postcard from a family member!", invitations to Independence Day events around the holiday, and invitations to join various "clubs."</DIV><DIV><BR></DIV><DIV>The most recent wave spoofs YouTube: a spam message invites recipients to see themselves in a YouTube video, but the included link leads not to YouTube but to a website that downloads a package of malware.</DIV><DIV><BR></DIV><DIV>Spam sent by the Storm botnet currently accounts for about 30% of all spam. From what I have read, the malware it downloads doesn't affect Mac computers; it only affects computers running Microsoft operating systems, and especially those running Microsoft Internet Explorer.</DIV><DIV><BR></DIV><DIV><B>How does it spread?</B></DIV><DIV>Whatever the subject line used, the attackers count on users' willingness to click links or open attachments in email from a dubious source. Seven years after the "I Love You" attacks, users are still clicking at will, hoping to read news, view a postcard, watch a video, or join an event. 
Many of these invitations require that you click on a link that leads to an infected website.</DIV><DIV><BR></DIV><DIV>Storm uses both image spam and spam with attachments to deliver the malware, and each has its advantages for the spammers: image spam slips past text-based spam filters, and an infected attachment can be hard to tell from a legitimate one.</DIV><DIV><BR></DIV><DIV>A recent trick used by Storm is to hit networks that scan for malware and vulnerabilities with a massive distributed denial-of-service (DDoS) attack. In other words, it attacks the very computers that are trying to weed the Storm worm out. This puts universities at particular risk, because their scanners are often placed on non-private networks, which makes them visible to the Internet at large.</DIV><DIV><BR></DIV><DIV>Earlier in August, researchers at SecureWorks found that the Storm worm authors have shifted their attention away from purely email-based attacks and have started creating more malicious Web pages.</DIV><DIV><BR></DIV><DIV><B>What happens if infected?</B></DIV><DIV>The spam worked exceedingly well, helping the attackers build up a massive botnet. A compromised machine is merged into that botnet (a network of "zombie" computers directed by controlling hosts). Rather than a single controller for a centralized network of infected machines, there are many, and none of them holds a full list of the botnet's members, which makes the true extent of the zombie network difficult to gauge. Each newly recruited machine is put to work sending out more spam, usually without the knowledge of the computer's owner or user, so the botnet keeps growing.</DIV><DIV><BR></DIV><DIV>Researchers at SecureWorks and Postini have said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out ever-increasing amounts of spam. They now estimate there are 1.7 million infected PCs in the Storm worm botnet. 
All of the bots are equipped to launch denial-of-service attacks, and that is exactly what the researchers anticipate. A DoS attack floods a target with more requests than it can answer, so it can no longer respond to legitimate ones, effectively taking the machine down.</DIV><DIV><BR></DIV><DIV><B>What's being done about it?</B></DIV><DIV>The problem security researchers face is that the tactics of the Storm worm spam change constantly: the subject lines, the "from" and "to" names, and the type of email (image-based, with attachments, or with embedded links) all vary.</DIV><DIV><BR></DIV><DIV>Anti-malware vendors are rolling out special updates for the latest versions of Storm but must do so every few days as the worm mutates. According to F-Secure and others, the malware code is modified every 30 minutes, so a signature written for this morning's sample may not match this afternoon's; this undermines standard signature-based antivirus software's ability to block the threat. Risk can be reduced further through spam filtering and URL filtering (blocking the web addresses the messages link to), but a complete solution to the problem may still be a long way off.</DIV><DIV><BR></DIV><DIV><B>Are you at risk at MIT?</B></DIV><DIV>The email servers at MIT block most spam at the border. However, because about 97% of email is spam, some will almost certainly still get through. The higher you set your spam threshold, the more spam gets through; set it lower and more spam is caught, but you also risk legitimate email being blocked along with it. See spam filtering: <<A href="http://web.mit.edu/ist/services/email/nospam/">http://web.mit.edu/ist/services/email/nospam/</A>></DIV><DIV><BR></DIV><DIV>Because the malware can also be downloaded from infected Web pages, spam filtering and avoiding dubious-looking email will not by themselves prevent infection. Stay away from dangerous sites, such as those offering free software tool downloads, and don't count on search engines to protect you from them.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Prevention is the best medicine. 
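</DIV><DIV>The checks below screen an inbound message for the lures described above: a link whose visible text names one site (youtube.com) while its href points somewhere else, a link to a bare IP address, an executable attachment, and an attachment matching a known-bad hash list. They also show why the hash list alone lags the threat: a repacked copy of the same dropper has a different hash and is caught only by the attachment-type rule. This is an added example, not code from the newsletter or from any MIT or vendor tool; the message text, the attachment bytes, the hash list and the crude "last two labels" notion of a site are all assumptions constructed here for illustration.</DIV>

```python
"""Screen an inbound HTML message for Storm-style lures.

Added example with constructed data; not code from the newsletter.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types a mail gateway should never pass through to end users.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, lower-cased; '' when it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registered_domain(host):
    """Crude site identity (assumption): last two labels, e.g. youtube.com."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return (href, reason) for every link a user should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address"))
        # The YouTube lure: the visible text is itself a URL naming one site
        # while the real destination is another.
        if re.match(r"(https?://|www\.)", text, re.I):
            shown = _host(text)
            if _registered_domain(shown) != _registered_domain(host):
                findings.append((href, f"shown as {shown} but points to {host}"))
    return findings


def suspicious_attachments(attachments, known_bad_sha256):
    """attachments: iterable of (filename, bytes). Returns (filename, reason)."""
    findings = []
    for name, data in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable attachment"))
        if hashlib.sha256(data).hexdigest() in known_bad_sha256:
            findings.append((name, "matches known-bad hash"))
    return findings


# --- constructed sample data (not real Storm artefacts) -------------------
YOUTUBE_LURE = (
    "<p>Hey, someone put a video of you on YouTube!</p>"
    '<a href="http://198.51.100.23/video.php">'
    "http://www.youtube.com/watch?v=abc123</a>"
)
LEGITIMATE = '<a href="http://web.mit.edu/ist/security">IT security at MIT</a>'

# A stand-in for the dropper, and the same dropper "repacked" a little later.
DROPPER = b"MZ\x90\x00" + b"constructed-storm-dropper-stand-in"
REPACKED_DROPPER = DROPPER + b"\x00" * 16
KNOWN_BAD = {hashlib.sha256(DROPPER).hexdigest()}  # yesterday's signature


def screen_message(html, attachments, known_bad=KNOWN_BAD):
    """Combine both checks; an empty list means nothing was flagged."""
    return suspicious_links(html) + suspicious_attachments(attachments, known_bad)


if __name__ == "__main__":
    cases = [
        ("youtube lure", YOUTUBE_LURE, []),
        ("postcard, yesterday's dropper", "", [("postcard.exe", DROPPER)]),
        ("postcard, repacked dropper", "", [("postcard.exe", REPACKED_DROPPER)]),
        ("legitimate", LEGITIMATE, []),
    ]
    for label, html, atts in cases:
        print(label, "->", screen_message(html, atts) or "clean")
```

<DIV>The repacked dropper slips past the hash list, which is the page's point about 30-minute mutation versus updates every few days, but the attachment-type rule still stops it; that is why the layered controls (spam filtering, URL filtering, blocking executables) matter more than any one signature. The two-label domain comparison is deliberately simple and would need a public-suffix list before production use.</DIV><DIV>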
Keep Windows and your antivirus, firewall, and other security software up to date. Those precautions will reduce the chances of infection.</DIV><DIV><BR></DIV><DIV>To learn more about virus protection, firewall protection and software updates at MIT:</DIV><DIV><BR></DIV><DIV>IT Security Web page: <<A href="http://web.mit.edu/ist/topics/security/">http://web.mit.edu/ist/topics/security/</A>></DIV><DIV><BR></DIV><DIV>To read more about the Storm worm:</DIV><DIV><BR></DIV><DIV>Information Week: <<A href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635">http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635</A>></DIV><DIV><BR></DIV><DIV>Security Focus: <<A href="http://www.securityfocus.com/news/11482">http://www.securityfocus.com/news/11482</A>></DIV><DIV><BR></DIV><DIV>PC World: <<A href="http://www.pcworld.com/article/id,136465-c,worms/article.html">http://www.pcworld.com/article/id,136465-c,worms/article.html</A>></DIV><DIV><BR></DIV><DIV>How to tell if your computer is a zombie:</DIV><DIV><BR></DIV><DIV>PC World: <<A href="http://www.pcworld.com/article/id,134988/article.html">http://www.pcworld.com/article/id,134988/article.html</A>></DIV><DIV><BR></DIV><DIV>To read more about botnets:</DIV><DIV><BR></DIV><DIV>Security Focus: <<A href="http://www.securityfocus.com/news/11473/1">http://www.securityfocus.com/news/11473/1</A>></DIV><DIV><BR></DIV><DIV><BR></DIV>Monique<BR><DIV> <DIV style="font-size: 12px; ">=========================</DIV><DIV style="font-size: 12px; ">Monique Yeaton</DIV><DIV style="font-size: 12px; ">IT Security Awareness Consultant</DIV><DIV style="font-size: 12px; ">MIT Information Services & Technology (IS&T)</DIV><DIV style="font-size: 12px; ">(617) 253-2715</DIV><DIV style="font-size: 12px; "><A href="http://web.mit.edu/ist/security">http://web.mit.edu/ist/security</A></DIV> </DIV><BR></BODY></HTML>