Interview with Josh Corman, Principal Security Strategist for IBM Internet Security Systems

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Joshua Corman serves as Principal Security Strategist for IBM Internet Security Systems. With more than ten years of experience in security and networking software development, Corman is responsible for the technical vision and direction of host protection solutions. He is currently leading an industry charge to evolve defenses against the latest generations and innovations of malicious code. Corman is also charged with strategy for Data Security and End-Point Admission Control solutions.

In this Q&A session he discusses the Storm Worm.

Why is Storm so dangerous?
Its danger lies in the fact that it is a sleeping giant. The computational power of this system is tremendous. What could you do with the world’s largest supercomputer? The answer is, a lot. The current owners of Storm appear to be financially motivated. But if this same technology was in the hands of a politically motivated group it would represent a clear and present danger. Just look at recent independent cyber-attacks that have been carried out including the DDOS (distributed Denial of Service) attacks on Estonia, power outages in New Orleans, and the successful cyber reconnaissance on U.S. federal organizations. None of these were executed by Storm itself, but they give you a glimpse of what an organization like Storm could be capable of. Ultimately, despite the efforts of the security industry, Storm is still successful over one year from its birthday.

Why has Storm been so successful?
The social engineering capability of Storm is unprecedented. The true secret to its success is not technology based, it is the ability to understand human nature and what files users will open, forward and execute. Its delivery mechanisms are constantly changing from attached PDFs to mp3 files or spoofed YouTube videos to free NFL GameTrackers. Each download or execution adds another computer to its growing botnet network. The largest “recruitment” campaigns are seen around the holidays prompting users to download the dancing skeleton for Halloween or read the animated Valentines card from a secret admirer. Storm’s decentralized resilient peer to peer (P2P) botnet architecture allows it to adapt independently. It is like vapor, it just vanishes when you try to attack it.

Is it still the largest botnet? How large is it?
This security industry’s concern is not solely about the specific code that is Storm; it is about the phenomenon pioneered by Storm. The world of cyber-crime is not unlike any other emerging market, there is always an innovator and then there are copycats. As you eliminate elements of Storm, copycat versions such as MayDay, Mega-D, etc appear. The model is thriving despite the security industry’s best efforts. The archetype Storm pioneered is being improved upon.

Opinions vary on whether Storm is the largest network of its kind; estimates ran from half a million systems to 6.5 million systems over the past year with 2007 reports estimating botnet size of up to 1.8 million. On the lower end, one recent report shows that the number of Storm infected machines peaked at around 40,000 on January, 2008. The honeynet project had monitored botnets ranging in size of up to 50,000 machines. One issue is that accurate counting is very difficult. It is possible that Storm Worm is not the current largest botnet, but is one of the largest – and one of the most successful.

However, Storm is not static. Three hundred thousand PCs may be cleaned up while Storm is recruiting another half a million. It is like a never-ending cyber game of whack-a-mole. Part of the Storm DNA is to recruit to replace fallen or patched machines. In older botnet systems, a system administrator cleaned and patched a system and it was cured. Storm is a new epidemic; a network can get cleaned of one version and get re-infected tomorrow. Regardless of its actual current size Storm and its archetype represents a substantial risk in computational power.

What makes it different from other malware?
Past malware iterations were one trick ponies, focusing on a single method of attack that, once discovered, was easily patched and mitigated by the security industry. Storm is unprecedented in the elegant combination of independently innovative tricks it uses to obfuscate signature anti-virus. Just as unique and impressive, is Storm’s masterful use of effective Social Engineering to deliver its malware.

Is Storm just being used to send spam?
No. Storm has three recognized revenue opportunities, but is not limited to these:
1. Botnet Rentals: The large scale of the botnet is being used as real-estate for the spam community, with portions being rented/or leased by spammers to send spam using Storm as the middleman.

2. Stock Market Manipulation: Penny stock trades are being performed through mass-marketed phishing schemes to artificially inflate stock prices, creating a profit scheme for those playing the “pump and dump” stock game.

3. DDoS for Hire: Although this does not appear to be a primary source of revenue, the massive size of Storm could easily take down any Fortune 50 company, holding the servers out for ransom or simply disrupting business. Additionally, as a form of self-preservation, Storm has launched DDOS attacks on companies that have security researchers working to mitigate the botnet.

If an organization has an AV systems are they protected?
Storm’s success is largely due to its ability to evolve beyond signature anti-virus (AV) capabilities. Although AV can detect some variants of the botnet, Storm has been able to demonstrate its knowledge and has outgrown the upper bounds of signature AV. Some of its innovations that have undermined AV include the use of polymorphism to self-modify every 15 minutes, the use of rootkits designed to hide from AV signatures and the operating system, and the ability to disable or even lobotomize signature AV products – to make the software appear that it is running when it isn’t.

Signature AV is ineffective in combating Storm, but some behavioral AV technologies within host intrusion prevention systems (HIPS) have been able to proactively detect and prevent Storm from infecting systems despite its innovative techniques to bypass traditional AV. We have seen that one of the most effective technologies to combat and detect Storm is combining strong virus prevention systems (VPS) with behavioral AV and heuristics in a multi-layered security approach.

What can consumers and enterprises do to protect themselves?
The first step is education. End users need to be aware of the dangers of visiting malicious sites, propagating spam and downloading “free” applications. At both the enterprise and at the consumer-level, a multi-layered security agent should be running on their endpoint that includes HIPS, VPS and behavioral AV. Awareness around major holidays is critical.

From the user’s point of view, a simple rule could be to stop clicking on links in email – period. One way to avoid being a victim of a social engineering tactic is by not following the links in the spam email messages. A higher degree of distrust for forwards, jokes, and unsolicited emails could stop the user from being infected in the first place. On the other hand, government authorities have the opportunity to investigate and take action against the person/s responsible for the Storm Worm – similar to what had been done against the authors of the Zotob worm.

How does someone know if its computer is part of the botnet?
In enterprises behavioral AV and HIPS have done a decent job of preventing infection. For detective purposes, IPS and network behavioral anomaly detection can identify the P2P protocols (eDonkey/OverNet) used by Storm and can in turn detect which systems are linked. In the consumer space, it is usually not possible to detect whether or not a computer is part of Storm. If a consumer’s AV has been defeated, and a rootkit has been leveraged, he may only know if his ISP complains about unusually high activity from his machine, indicating that he are sending a lot of spam. Keep in mind that this sort of notification could be another of Storm’s social engineering techniques, encouraging the user to visit a spoofed site or download a file with infected malcode to “clean’ the machine. Any actions on a consumer’s part should only be in response to talking with the ISP or visiting the ISP’s official Web. Storm will typically not damage a PC; as its parasitic nature needs the PC to be fully functional in order to thrive.

What can consumers and enterprises expect as the next wave of attacks?
One thing that is predictable about Storm is that it targets major holidays. Last year, it was Valentine’s Day, Independence Day, Labor Day, Halloween, Christmas and New Year. This year, it has already targeted Valentine’s Day. Though there are some “out-of-band” spam runs that doesn’t occur on special days, major holidays are one of the sure targets as users are likely to be more vulnerable to social engineering attacks on these occasions. Beware of upcoming e-cards for Mother’s Day, Father’s Day, downloadable and freeware surrounding major sporting events, fantasy leagues, etc. Another wave of attacks could include a shift in Storm’s architecture to transition to more covert channels of communication. Stealthier command and control channels such as http may be more difficult or impossible to detect. The increased use of common channels represents a serious problem and the industry hasn’t even caught up to the obvious channels that are being utilized today.

What can be done to stop Storm and who should / can stop it?
The blueprint for fighting Storm may be Storm itself. We need to be nimble, adaptive and use the human factor to our advantage. The security industry needs a distributed presence and scalable ways to protect the masses and consumer base. We need a cross industry task force to brainstorm and consider new strategies for securing the Internet in the era of Storm. This issue needs participation from security vendors, networking organizations, telecommunications carriers and the government to get serious on how to adjust our security postures. There needs to be investment in a healthy debate about how to fight large scale DDOS attacks because currently no type of technology can block one.

We will never be able to secure every system out there on the Internet. Can we adapt, evolve, and do more? Yes.