Storm Worm: The energizer bunny of botnets

In the world of botnets, Storm isn't king anymore, but the Storm botnet's owners aren't giving up. This article is a reminder by Michael Kassner of the need to remain vigilant and not fall prey to the Storm worm or its relatives.

-------------------------------------------------------------------------------------------------------------------

It appears that the Storm worm is making a comeback. I first mentioned this botnet builder in the article "Kraken: The Biggest, Baddest Botnet Yet," where I explained how Storm had lost its standing as the largest botnet in history to Kraken, with Srizbi in second place. Well, Storm's developers have added a few new twists to their arsenal and are seeing a resurgence in the size of their botnets. It is therefore important not to become complacent about this type of malware, because it relies on social engineering to propagate. I'd like to take a few moments to go over the process so we're all clear on how the infection occurs.

How my computer became a zombie

Let's follow the process of becoming infected with Storm and its aftereffects:

  1. I receive an e-mail telling me the attachment contains some very important information. Not knowing any better, I open the attachment.
  2. I have just been conned. The attachment carries the Storm trojan/bot client. My computer is now infected and has just become part of a botnet. The scary part is that all of this happened without my noticing.
  3. What's worse, my AV application is of little use: Storm's binaries are repacked constantly, so a signature written for one sample is stale within hours.
  4. My computer now follows the bidding of the "botmaster," which usually means it is used as a spam relay. Other, more malicious uses exist, such as distributed denial-of-service attacks, but botnets are usually for hire and spamming is a lucrative business.

That's one scenario, and as botnet malware matures, more sophisticated attack venues are introduced. For instance, the delivery mechanism used by the Storm worm changes regularly: PDF spam gave way to links to e-cards and invitations to Web sites. The worm's developers will try any method possible to entice users to click on a phony link or attachment. The initial e-mail used by Storm also morphs, with new subject lines and body text referring to current news or issues -- any hook that plays on human nature.

That willingness to prey on human nature is why Storm is back in the news. It is propagating successfully using e-mail with subject lines such as "FBI May Strike Facebook" or "The FBI has a new way of tracking Facebook." Once again the developers have struck a chord and are getting a decent infection rate.

Final thoughts

I could spend all sorts of time on the intricacies of how each of the top three botnets works, or how successfully they evade detection, but that wouldn't help. This article is my regular attempt at making sure all of us are cognizant of the need to be Web-savvy, always questioning whether that link or attachment makes sense. Doing so will go a long way toward reducing the amount of spam we receive. That certainly includes me, as I've come very close to becoming an unwilling botnet member myself.

-------------------------------------------------------------------------------------------------------------------

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Tekcetera

Yesterday we started receiving emails with the subject "CNN Daily Top 10" that contained a list of links to news stories with sensational titles. These links do not actually point to anything on CNN.com, but the mail is designed to look like a valid CNN top 10 mailer, and the links, when they work, apparently point to a website that looks CNNish and wants to install a "flash player update". Over the course of the day yesterday many security blogs started reporting this (Google "cnn daily top 10" to read some). Snopes is now reporting that it is a variation of the FBI and Facebook email and is attempting to spread the Storm Worm.
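The link mismatch in the CNN lure described above (visible text naming cnn.com while the href goes somewhere else) is mechanically checkable before a user ever sees the mail. The Python below is an added example, not part of the original article or of this comment; the HTML body is constructed, and the domain comparison is a deliberately crude last-two-labels check that would need a public-suffix list for production use.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure body (not a real CNN mailing): two anchors whose visible
# text names cnn.com while the href goes somewhere else.
SAMPLE_HTML = """
<html><body>
<p>CNN Daily Top 10</p>
<a href="http://203.0.113.7/cnn/top10.html">http://www.cnn.com/2008/top10/story1.html</a><br>
<a href="http://www.cnn.com/2008/top10/story2.html">Read the full story</a><br>
<a href="http://cnn.com.example.net/update/get_flash_update.exe">www.cnn.com</a><br>
<a href="http://www.cnn.com/video/">CNN Video</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Crude 'organisation' domain: the last two labels (assumption: no
    public-suffix list, so co.uk-style names would need a real one).
    IP literals are returned whole so they never collide with a name."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[0-9.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:])


# A host name appearing in the anchor's visible text, e.g. "www.cnn.com/..."
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html):
    """Return hrefs whose visible text names one registrable domain while the
    href resolves to another. Text that names no host ("Read more") is not
    judged; that is a limitation of this check, not a pass."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue
        claimed = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if claimed != actual:
            flagged.append(href)
    return flagged
```

Run against the constructed body, the first and third anchors are flagged (an IP literal and a look-alike subdomain of example.net) while the genuine cnn.com links pass; a mail gateway would quarantine or rewrite such messages rather than rely on the user noticing.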

Photogenic Memory

This seems like a two-part story involving unsolicited email and rootkit infection. Where do you start? I guess in the case of email, you can stop clicking on those invitational links for either porn or free stuff on the PC side (your users included). This'll reduce some of the congestion in the inbox. On the email server side, you can adjust filters and rules accordingly? And I guess after that, check all systems for rootkits and check system logs for strange behavior. Did I get it right? What this article hasn't discussed is the creation of these malicious information-gathering programs. Can a botnet search out and defeat another botnet? For instance, a program (worm/virus combo) that can track or trace instances of another and implement an order of deletion without harming the host systems? Has anyone ever done this and discussed it openly? If spam was almost eliminated, how would it benefit the net? Yes, inboxes wouldn't be overstuffed, mail servers wouldn't be overly burdened or serve as open relays, and bandwidth returned for what? But what would be next to plague us? Topics like packet shaping and access for everyone despite economic problems will still be around. Apologies for the rant!

AV .

As long as the botnets use social engineering techniques, they'll be successful. There will always be someone that's curious enough to click on the link. If they are on a network, that's all it takes to infect the entire network. I work on a network of 150 people and the spam got to be so much over the past year (about 250,000 per day) that we had to outsource handling spam. We used an excellent in-house spam filter, GFI Mail Essentials, that handled it well for years, but we could no longer keep up in-house with constantly having to tweak the filters and deal with the spam that got through. Even after outsourcing spam, it still didn't stop the NDR storm attacks. Those are an absolute bane. I still have the IMF filter in place, though, on the Exchange server and that catches the NDRs that do get through the outsourced filters. Still, after going through an outsourced filter and the IMF, some NDRs get through to the inbox. Why? How is that possible? I've come to the conclusion that my network is as secure as its most gullible user. Education is key, but there's nothing you can do about curiosity. AV

Michael Kassner

It's pretty amazing that the top 5-6 botnets are responsible for sending billions of spam email messages a day. I'd appreciate hearing about any botnet experiences that you may have come across.

mybrotheriseric

When "get_flash_update.exe" was run on the PC, it installed Antivirus XP 2008. I don't know what else it was doing on the network, but I do know that I worked on a few of the PCs (after I replaced them) for a week and could not remove the software despite my best efforts. Even after I thought it was gone and the PC showed no running processes, my network security team told me that it was still dumping garbage onto the network at an alarming rate. Whatever this thing is, please stay away. PS: I sent some of the files to Symantec for their rapid response fix. It didn't work.

Michael Kassner

It's interesting and I guess it fits with the fact that the Storm people are becoming more active and morphing their carrier emails.

semi

No need to apologise, good points. The problem is, although for good reason, it just wouldn't work. The code of the worm is ever changing; you'd literally need to use a botnet-type system to defeat it, and then how do you stop the legitimate delivery being hijacked somehow? There's always a way. Even if there was a mass message, adverts, the lot, advising people a program was available and everyone should run it over a certain period of time, a bunch of spoofers or very clever hackers would use social engineering to somehow subvert the effort. The best we can hope to do is focus on changing as quickly as they do, and finding increasingly effective ways of blocking malicious traffic.

Michael Kassner

As I understand it, your first comments about how to defend against this type of malware are accurate. Secondly, there has been talk about having good botnets attack the bad ones, but there are many legal and political hurdles that need to be resolved first. I'm not sure where I stand; it means that others have the right to invade your computer. You might be interested in two more of my articles about spam, behavioral targeting and deep packet inspection: http://blogs.techrepublic.com.com/networking/?p=609 http://blogs.techrepublic.com.com/networking/?p=612 As for not having SPAM, I think we would all be in a better place. Bandwidth is an issue right now; ISPs are beginning to throttle it using DPI and we may lose "Net Neutrality".

semi

Great comment - and all too true. It's another thing to worry about also when you look at virtualisation and remote working. I wholly support centralised storage and, to some degree, using SaaS where practical - as we move ever closer to globals using server farms and thin clients - Citrix is bad enough when running it from a fully fledged machine - I can't help but think we're in for trouble. Maybe I'm not well enough educated in these matters, but in my mind it's not much better than dumb terminals running off mainframes.... Until we're certain we can protect such an important and fragile operating environment from threats such as these, I don't think we should be risking it.

JCitizen

catching malware from trusted sources; which I am pretty sure is how I caught one once. I didn't have much of a spam problem back then, and my Outlook was set to block all images and page controls. I never even look at emails that have fishy subject lines. Needless to say I've completely changed tactics since then. But I expect to get hammered again by another trusted source some day.

Michael Kassner

Most of my clients are out-sourcing SPAM filtering as well. Just to keep up on all the signatures is a full time job. I was curious to learn about the emails that got through, was there anything special or different about them?

AV .

Here is an example of what happens with an attack by a botnet. Exactly one week ago, I gave a user a new PC. It was working correctly until 2 days ago, when the user said they couldn't shut down. They were also freezing in Word and Outlook. I looked in the event logs on the PC and saw that Google Toolbar was trying to update several times, but also the HP ProtectTools that we don't use in house were hanging the system at shutdown, specifically asghost.exe. I removed both of the programs today and any temporary internet files, but about six hours later, that person had an NDR storm attack: about 2000 NDRs in a 2 or 3 hour period. Most were trapped by our outsourced email, some got through to the IMF on Exchange and a few went to the inbox. I ran a McAfee on-demand VirusScan, Spybot, HijackThis, and nothing is supposedly on that PC. Maybe it's just a coincidence that this happened, but I've deployed 10 of the same PCs over the past month and haven't had this happen to any of the other ones. I've dealt with spam in-house for many years, but I'm stumped as to how to stop these kinds of attacks and whether they originate from inside or outside of our company. All of the emails say they are from my outsourced spam solution, and my Exchange server is set to only accept emails through them. I can't help but think that the PC has been compromised, but I don't know how. The user is not a big Internet user and very cautious about what he opens in email. I think his PC problems are somehow related to the NDR storm that he received. I just don't know where the attacks are coming from or why none of my defenses are picking it up. AV

Paul

IP providers are the heart of the net. Always have been and will be. The only reasonable conclusion is they should be blamed to allow for the traffic. They have the means and the muscle ("funds") to stop botnets. Paul

semi

I was once infected by a worm such as this... fortunately I was using a proxy, with logs, so I saw the weird traffic and worked it out. These days I use a standard router, and I wonder how I'd know other than my machine running like a pig. Vigilance is key - in my years in bespoke software support and general desktop support, I've seen an amazing amount of infected machines - including entire business networks infected by worms... in the day of EPoS and integrated ticketing solutions it's a very real problem.

biginjin

I'd like to thank you for the clarity of your article. I have forwarded the link to all our company employees and recommended they read it. Hopefully, it will help them better understand the possible implications of needless curiosity.

tim uk

or, to put it another way, is there a reliable way of detecting whether a given PC is infected?

JCitizen

of it, just to see if it can be done; you could try turning off restore (I assume you did this on the AV/AS scans), and running RegSupreme Pro by Macecraft and forcing an uninstall from there. Providing the malware hasn't taken administrative control of the unit, this should work. Otherwise it is pretty much like the posters here are saying: any infection that serious is a wipe-and-reinstall project. At my last contract we did that as policy; clearing the hard drive and reinstalling the image saved more time than the alternatives. The client's files were not on the drive anyway, so it was a piece of cake. Like others have said though, a backup ghost image is the best if you don't want to take the time to do all the updating and replacing of applications.

Michael Kassner

You may not realize how important that information is, but it's huge and I for one appreciate you taking the time to let us know. I've ultimately resigned myself to just rebuilding affected PCs, the supposed fixes are not anywhere near as sophisticated as the malware. Also, there's the issue of trust, did the application really remove the malware completely or not? Thanks again

Photogenic Memory

Thanks for the responses. It's much appreciated. I do have a question that I think might be inspirational for you in a future article based on your last sentence. Is the Internet a right or a privilege to have? Perhaps in our lifetimes this will be defined. I do think though, like any political/social movement, that we'll have to lose it in order to appreciate what we had before. I just hope people will fight for it a lot more vigilantly than anything I've ever seen before. As a society we've become so apathetic. Once again, thanks for the response.

AV .

What I think happens is that the filters get overwhelmed by the number of spam emails being received and some sneak through. I've seen that not only with GFI and the IMF, but also with my outsourced filter as well. It's especially true of the NDR storm mail. The spammer tactic with that is to do a Joe Job attack on 2 or 3 email addresses for a day or two and then stop. It's damn annoying, because I don't know what else to do to stop the ones that get through. AV
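The Joe job / NDR storm problem raised in several comments above (bounces for mail the site never sent) has a standard countermeasure: sign the envelope sender so that a bounce addressed to an unsigned, forged or expired address can be rejected at the edge instead of reaching the spam filter at all. The Python below is an added example of that BATV-style scheme, not the commenter's setup or any vendor's implementation; the secret key, the seven-day validity window and the exact tag layout are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"per-domain secret held only by the MTA"  # assumption: rotate this
DAYS_VALID = 7                                        # assumption: bounce window
TAG_LEN = 6


def _tag(local_part, day):
    """Tag = 3-digit day counter plus a truncated HMAC over day and mailbox.
    The day counter lets the verifier know which day's MAC to recompute."""
    mac = hmac.new(SECRET, f"{day}:{local_part}".encode(), hashlib.sha256)
    return f"{day % 1000:03d}{mac.hexdigest()[:TAG_LEN]}"


def sign_sender(address, now=None):
    """Rewrite user@example.com into prvs=<tag>=user@example.com for the SMTP
    MAIL FROM. Only the envelope changes; the visible From: header does not,
    so recipients and reply behaviour are unaffected."""
    local_part, domain = address.split("@", 1)
    day = int((time.time() if now is None else now) // 86400)
    return f"prvs={_tag(local_part, day)}={local_part}@{domain}"


def verify_bounce_rcpt(rcpt, now=None):
    """Return the original mailbox if rcpt carries a tag we issued within the
    last DAYS_VALID days, else None. A null-sender (bounce) message whose
    RCPT TO fails this check is backscatter from a Joe job: the MTA can
    reject it with a 5xx at RCPT time rather than filter it later."""
    if not rcpt.startswith("prvs="):
        return None
    try:
        _, tag, rest = rcpt.split("=", 2)
        local_part, domain = rest.split("@", 1)
    except ValueError:
        return None
    today = int((time.time() if now is None else now) // 86400)
    for age in range(DAYS_VALID + 1):
        if hmac.compare_digest(_tag(local_part, today - age), tag):
            return f"{local_part}@{domain}"
    return None
```

The check is applied only to mail with an empty envelope sender (bounces), so ordinary inbound mail to the plain address is unaffected; the cost is that every outbound message must pass through the signing MTA, otherwise legitimate bounces to unsigned senders would also be refused.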

pgit

I've seen infected machines hanging on HP "support" tools, I didn't really think about it as the mission was put a clean image on it. A good argument for a total crapware wipe before deploying an off-the-shelf computer.

Michael Kassner

I haven't run into a situation like that. I've seen where there were a few NDRs but not a flood. I was curious to learn if you tried a sniffer at the computer and maybe another at the perimeter? I'm not sure what it would show, but it might give you an idea as to where the packets are coming from.

Neon Samurai

With my own networks and machines, I'd notice the traffic spike or subtle degradation of the system I was working on. I rarely work at any machine without a CPU and inbound/outbound monitor graph visible, if "feeling" the difference is not enough. I still watch the logs though. The last breach was spotted by the long list of failed email in my SMTP's outbound queue. Too late, in my opinion, but at least we spotted it and fixed the issue.

Michael Kassner

Thank you, it's nice to hear that. I hope it makes a difference as it seems like the only way we can solve this issue.

raichelraichel

Hi there, there is a new beta program by Trend Micro that is designed specifically to detect bots. It is called RUBotted; check it out. Remember it is a beta program: when I downloaded it and ran it, I got disconnected from my LAN. I was able to come right back up, but when I tested it on another computer I was not able to get the LAN back up.

pgit

I think your best bet is a user that can notice little changes in how their box responds. I had a user just last week tell me he thought the machine was behaving poorly. The mouse would skip periodically, and apps (and web pages) seemed to load slower. It was barely noticeable, but it was enough he did notice. Turns out his office had been infected, fortunately only 3 machines. His partner admitted he was exploring what he called "legitimate" porn.

Michael Kassner

Hello Tim, It's hard to detect the latest variation, but all AV companies have signatures for the known versions. That said, the traditional signature approach that some of the antivirus vendors use really isn't all that useful anymore. Programs that have the best chance of identifying the malware are those that use heuristics, or algorithmic rules. The only problem with heuristics is the likelihood of increased false positives.

Michael Kassner

I have one client whose CEO tells me every time I see him that PC stands for "personal computer" and he will not now nor ever require all of the users to submit to a standard image. I actually admire that, as it shows his regard for the individual employee, regardless of the fact that he is paying me extra to build each computer to the user's specifications.

AV .

Basically, the company hires temporary help during the summer and winter break. For the most part, it's the kids of the people that work there. They're in college and want to make some money, so we utilize them to build a standard image. Of course, we order our PCs to coincide with their arrival. We give them detailed instructions on how to build the PC and they're pretty good at it, actually. I still check their work. In a place of our size, 150 people, I would be inclined to go with cloning too, but management likes it the way it is because some of their kids are the ones working at the company in the summer. Even so, if a PC has to be rebuilt at other times when there is no temp help, then I have to rebuild it or save it for when they come back again. I have spare PCs to deploy immediately if something goes wrong, so it isn't a problem. AV

Neon Samurai

My build average for a mostly loaded-out rig with Windows is about half a day of feeding it install disks, drivers and configurations. By contrast, a ghost image writes the drive in 20 min or so (back when I was using it anyhow). Cloning is fantastic. I'm probably not the one to talk though. I like my build scripts on top of the initial custom install. A completely loaded-out Mandriva box takes under an hour: 15 to 20 min for custom install and reboot, 15 to 20 min for the auto-build script to run and do all basic config plus grab update packages at the end, with a bit of manual tuning rounding out the hour. My reason for moving away from cloning was needing multiple DVDs to store the image of my hard drive. What does one backup or clone 250+ gigs to besides a RAIDed backup server?

Michael Kassner

Is there a reason why you don't use cloning? Also your point about worth it is well taken, it's getting to that point where it costs more to rebuild than to just use a spare new computer.

AV .

It's just plain old starting from scratch rebuilding the PC, if the PC is worth it. AV

Michael Kassner

It makes me appreciate disk cloning applications. I work very hard to get my clients to agree to use or at least start with a standard image. It eliminates all the heartache of rebuilding a system from the OS up. It also removes the arguing about whether to rebuild or try and find/fix the problem. It's just not worth it.

AV .

There is no way to really be sure that a breached PC is fully clean, even if you do it manually. It isn't worth the risk. AV

Neon Samurai

That's what many of the security geeks seem to feel anyhow. Once that box has been breached, image the drive and start your investigation but realize that "fixing" that machine means a reinstall from clean images or original media. Use your breached disk images to track down how it happened then fix the clean system and take another snapshot. Now I gotta go read what the previous feller said.

Michael Kassner

I must admit that I consider myself fortunate to have been exposed to the Internet in its infancy at the U of Wisconsin. The fact that I have said that is somewhat sad as well. I wonder what the Internet founders are thinking about where the Internet is heading?

semi

It's a good 'un. I think the only people qualified to judge it are the masses. I think it's far more likely that we'll see either a virtual or indeed physical split, and we'll see a refined premium product that has been planned from the start rise from the internet, which essentially just snowballed. Like cigarettes and alcohol, the internet will be seen as something that cannot be taken away or restricted without great effort - think of the great firewall of China - ciggies at least are bad for you; there's no real reason to take such a valuable, if slightly dangerous, resource away. The premium version would be qualified from the start, and I imagine with the power of today's computers would run almost like a virtual PC client on your machine, assuring some sort of security. For people who wouldn't go anywhere near anything remotely classed as dodgy, routers could be configured to connect directly to the private cloud, limited to public speeds and technology, but large corporations already almost do this, forcing laptops to connect via VPN and allowing no local access, thus restricting access completely. /breathe Ed: I had to change the word f.a.g.s to ciggies - do I detect an over-PC swear filter?

Michael Kassner

That would be an interesting topic. I'll do some research on it and see if I'm even remotely qualified to discuss it.

semi

I've heard of this before; I sincerely doubt it's by design - as you say, it'd act like a broadcast storm. Best case scenario, it's a failover for if the switch should stop being able to route, that gets triggered when the router melts to slag....

semi

Unfortunately I don't think it's a case of a default allow policy; I think it's more that you overwhelm the scanner and it stops working, and every now and again it doesn't correctly scan a mail. Due to the way they work with queues and rules, it's [almost] impossible to get a mail through without it being scanned without doing something special. More likely the filter gets confused (to use a technical term) for one or two mails, green-ticks them, and off you go to the user's inbox queue.

Michael Kassner

I have never experienced an overloaded switch reverting to a hub. Is that by design or just the results? Wouldn't that make matters worse, almost like a broadcast storm?

Neon Samurai

.. requiring no user intervention and you'll see a lot of the security guys become more nervous. On a home service, that trick would be more valuable, as home users are more prone to clicking what does not apply to their current task list. Either way, that's an issue someone building antispam appliances may want to look into.

AV .

I think that's probably the spammer's goal. Flood the spam filters and their messages will fly through, by default. If spammers can get some emails through, some gullible fool will read it and either buy something or fall victim to becoming a zombie. It's a win-win situation for them. AV

Neon Samurai

Even if only in the context of taking the redirected mail queue and scanning it for spam signatures before moving it on to the user's inbox queue. I was thinking more in the context of many waiting emails on the receiving side of the scanner overwhelming the scanner. If some are sneaking through, that sounds like a default Allow policy. I don't know the inner workings of spam filters well enough to be definitive though.

Michael Kassner

Do Spam filters use queues? Defaulting to allow traffic seems like a wrong approach.

Neon Samurai

A switch will often default to a dumb hub when overwhelmed by packet traffic. It can't keep up with routing packets to ports, so it just echoes the packet to all ports rather than fail to transmit. So, if you overwhelm a spam filter, it has a good chance of failing to a default accept state? Hm.. now for what objectives would getting a bit of mail through filtering be more important than being sneaky about it..

semi

We've had confirmation previously that some had slipped through due to the overwhelming amount of mail to be processed, let alone ones that had to be quarantined. That in itself is concerning, but then SPAM is prolific.

Michael Kassner

I've seen that with Postini and Red Condor as well. I was just hoping for some insight as to if there were any additional tricks. Thanks for clearing that up.

Michael Kassner

The fingerprint scanner is easily subverted, as long as the previous user isn't swiping the scanning surface to smudge the print they just left.

AV .

They just shut down and take their laptop with them. What do you mean by the notebook is owned? AV

Michael Kassner

I wrote a research paper on how easy it is to fake a fingerprint. Do you make the users swipe the reader after they are done? If not, the notebook is owned.

AV .

We don't image PCs, but I usually turn the tools off and they aren't a problem. We do downgrade every one of the PCs to XP and remove Vista. On laptops though, we use the fingerprint scans from the HP Tools. As an Admin, I can't tell you what a major PITA that is. Our PCs are all locked down and the user can't do anything to them. With the fingerprint scan, sometimes I have to run mine through 4 or 5 times before its recognized as Admin. It's really frustrating, but the company wants that security on laptops. I think the problem is my fingerprint is not that pronounced and the scanner can't read it. Bummer for me, I think I need to get a fake finger. :^0 AV

AV .

Usually 2 people are hit with NDR storms every day and then it abruptly stops. I am going to try a sniffer. That's good advice. I've downloaded Wireshark (formerly Ethereal). I can't believe it's free. What an excellent utility. My plan is to sniff the traffic on the user's PC while they are receiving an NDR storm. I'm hoping to see something, but honestly, it's like looking for a needle in a haystack. AV

semi

DPI will certainly have a role to play in the future of protection against SPAM, worms, viruses... Just wish it didn't come at such a price. Encouraging DPI for anti-/protective reasons will give the illegitimate uses a cover. Phorm and BT have already proven their disregard for privacy by building profiles using DPI. Imagine antispam providers, mail providers, antivirus, firewall and your ISP doing it - at the same time. How long before the profiles that are built up are irrefutably intrusive? It's mockingly called private right now. Much like councils abusing anti-terrorism surveillance laws... and many other cases of something for the good being turned and twisted - most of the time without anyone realising. The danger of this is even greater in IT. How long have P2P programs etc. existed, bemoaning their role in piracy and claiming to be for legitimate use... I'm neutral on this; I happen to like BitTorrent for many reasons. But it's a link. How long have very, very dodgy companies offered useless services as a way to get malware installed, and barely been challenged? (Gator, certain weather forecast progs etc.) Don't get me wrong, I'm not a conspiracy theorist... I don't condone any waste of resources... I hate spam, viruses, the lot. I can see the many, many good uses for DPI - but I wish there was another way, because it will be abused. Your thoughts?

Michael Kassner

I feel that Snort is an amazing application, but I have limited experience with Snort and that scares me into not using it. It's like you almost need a degree in Snort to feel confident enough that it's configured correctly. Ironically I feel that Deep Packet Inspection is going to be very helpful with this problem.

Neon Samurai

The most noticeable time is during a new system upgrade for that first week when everything seems blazingly fast; then you adjust to the new processor and bus speed and everything else seems a little slower. It's similar to coming off the four-lane highways and feeling like 80/55 is slow because you're now used to running 110/90. I've seen improvements in the firewalling in consumer routers. DD-WRT seems to add some nice enhancements in terms of firewalling also. I can block ActiveX, Java, DNS, pings.. a few other things. It's not an active response mind you, just old-fashioned filtering. I'd go a step further and add the function into router and desktop/server firewalls. I have the firewall on the router, but each machine inside the network has its own firewalling also. No sense in just the outside perimeter being able to notify me when I have an outbound spike on TCP 25. I think a consumer-class IPS appliance would be close to what you're suggesting. I've looked at Snort a few times but it would need to include a good default rule set specifically for heuristic network traffic analysis. Bah.. if only I could figure out how to be independently wealthy through no visible means. Then I'd throw a rack and a few dev servers in my basement and take a week to play with Snort; the day job keeps me away from more interesting tasks. ;)

semi

Definitely, a good point - I'm very sensitive to the nuances of my machine changing, and start investigating at the first sign of wobbles.... Users may not be so lucky though. It would be interesting to see a development (probably on a Linux release) that analyses traffic for signs of this type of activity, much like heuristic analysis of software but with traffic. The same method could be applied to detect a lot of potential attacks at the router - poisoned DNS etc.

semi

Yeah, I like that approach; it certainly brightened my afternoon up.

pgit

That's one way to stop a bot! Maybe you could write them a note; "We will not be purchasing your software, we removed the network adapters from all our machines and achieved the same result." =)

JCitizen

Granted, when I go 64bit this will become less of a concern, I hope. But this was the main reason I dropped Trend Internet Security 2007.

Michael Kassner

My ISP used Postini and it appeared to work well. When Google bought Postini, my ISP switched to Red Condor, which also seems to work well.

AV .

We use Postini and so far it's been great. We still use McAfee & EPO in house though. I am looking to change that though. I don't trust it. Our saving grace is that all of our desktops are locked down. AV

Michael Kassner

Symantec updates several times a day, seven days a week, if you use FTP.

AV .

We only get updates during the week for virus signatures. If there is a major outbreak, they will push out an extra.dat file, but otherwise that's it. They depend on heuristics to generically detect virus-like activity. It is a big gaping hole in protection. AV

Michael Kassner

Is McAfee still updating on that schedule? That's not by any stretch a good thing.

Neon Samurai

Windows and Linux go about their inner workings completely differently, so writing a worm that affects both is very difficult. Writing a worm that only affects multiple Linux distributions is not much easier. In this case, what flaw does the worm exploit to breach the system? It may be a flaw only present in Windows machines, leaving other platforms immune. I wouldn't put any faith in the idea that it only affects Windows-based PCs because they are more popular. The design of the base platforms has a great deal to do with how effective the exploit will be against them.

Michael Kassner

Let's start with being a victim of the Storm worm. First, I'd make sure my AV signature file was up to date and then run a full disk scan. Second, I'd monitor outbound traffic on port 25 to see if you have an inordinate amount of traffic related to email. As for incoming SPAM, that's different and you can do more about that.

1. Spammers pay companies to harvest email addresses from their address list. Ask if that is what they do.
2. You have all sorts of options as to applications and services that will filter your email for you and are quite good.
3. Someone else getting email on your computer should not be an issue.

I'd check with your ISP to see if they have a spam-filtering service that you could use. That way you don't have to maintain a spam signature file and the application will not affect your computer's performance.

pgit

The executable(s) are Win API dependent. A Linux machine itself wouldn't become "infected," i.e. executing malicious code. But you could find a Linux mail relay pumping out garbage, at the request of an infected Windows machine with an account on it. So, roundabout: yes. A Linux machine may be "effected" by this. Sort of.

dvgoad

So, how would we even suspect we were a victim? Is it the amount or kind of spam? I've noticed that some spam appears to come from names similar to those I've emailed lately. I thought that was slightly odd. I don't open them; I click my "spam" button and just trash it. What else do I need to be concerned with besides an influx of spam if I don't open any of it? Will it affect my email if someone else got it from signing into their own email on my computer? And will I now also be spammed?

Michael Kassner

As far as I know it doesn't affect Linux machines. I've been told that the only reason for that is there's such a target rich environment of PCs.

tryoklitt

Does it affect Linux machines also?

Tekcetera

To avoid sending unauthorized traffic from both our corporate network and also my home network I use egress filtering on the firewall. I don't allow anything out except ports 80, 445, 21, 119 (NNTP) and 123 (NTP). Plus 53 limited only to my DNS servers and 25 limited only to our email server. This prevents sending out anything on unauthorized ports. Occasionally a specialized app may need to use a specific port to connect to a specific system which then gets added also.

AV .

We're using McAfee and EPO. McAfee doesn't issue new signatures on the weekend, but people still work on the weekend. I've seen where several PCs of people working on the weekend became infected with a newer virus version, and when McAfee updated on Monday, it did not pick up the virus. The only way to catch it was to do a full system scan. Even if your PC is not part of a botnet, you're still going to get tons of spam from other PCs that are. AV

JCitizen

except the last one I trounced didn't try port 25; I'd have to read my notes, but I seem to remember 445 or 115. When you have "Old Timer's" disease it becomes difficult to add to any discussion. Sorry! :(

Dumphrey

machines and explicitly allow only our mail server. The PIX logs violations and I was able to "catch" one infected machine. It was low volume traffic, most likely trying to replicate itself to others in the address book as opposed to a major worm. But our machines are generic for the most part, so I wiped it and put on a clean image.

JCitizen

of denial of outgoing connection requests. I've never set it up completely for all the capability it has, but you can easily flag certain behaviors automatically, so you can analyze it later. Syslog uses a number code to indicate what is going on for the particular port that was accessed. For a more expensive solution, you could go to a reporting service where they send router/firewall analysis to you through your email. I've become pretty lazy now that I've used this, because it tells you almost everything you want to know about outgoing and incoming attempts and can educate you very well on who is attacking you or employing outgoing/incoming connection attempts. I can't say what would happen once your machine becomes owned by a bot. As sophisticated as they have become, even the outgoing ODS might not tell the difference, and no connections would be blocked. That's where a bandwidth analyser would come into play, so you could see sudden jumps in activity. These services can run anywhere from $70 to well over $175 a year, if your router supports the firmware. I've caught infections way early using these tools and concentrated on rooting out the malicious file(s) with whatever means have to be employed.

pgit

You should be able to set up an alert for some indication that traffic on port 25 (SMTP) has increased or changed behavior. An iptables rule could stop whatever traffic you want after reaching some level. What kind of stand-alone are you going to use? I use Smoothwall 3 for all my clients and love it. Throw single click-uvnc in the mix and I can remotely work not only on their computers but the Smoothwall as well. It logs whatever you want, and there are some homebrew hacks to do more than just log, like blocking a massive increase in certain traffic, automatically blocking DoS incoming...
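The port 25 alert pgit describes, and the egress rule Tekcetera uses above (SMTP allowed out only from the mail server), can both be checked from the firewall's own log. The following is an added example, not code from any poster or from Smoothwall: a Python script that parses constructed iptables LOG lines and flags internal hosts that either violate the SMTP egress policy or open an unusual number of outbound SMTP connections. The internal mail relay address 192.168.1.5 and the burst threshold are assumptions.

```python
import re
from collections import Counter

# Constructed iptables LOG output in kernel syslog format, not real traffic.
# 192.168.1.5 is the assumed internal mail relay; the other hosts are workstations.
SAMPLE_LOG = """\
Jun 10 14:03:11 gw kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=25 SYN
Jun 10 14:03:12 gw kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=25 SYN
Jun 10 14:03:12 gw kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=49153 DPT=25 SYN
Jun 10 14:03:13 gw kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=49154 DPT=25 SYN
Jun 10 14:03:14 gw kernel: OUT_WEB IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.20 PROTO=TCP SPT=50001 DPT=80 SYN
Jun 10 14:03:15 gw kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=50002 DPT=25 SYN
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one iptables LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields

def find_smtp_offenders(log_text, mail_server, burst_threshold):
    """Flag internal hosts making outbound SMTP connections.
    Any source other than mail_server violates the egress policy; a source
    opening burst_threshold or more SMTP connections is additionally flagged
    as a volume spike, which is what a machine relaying spam looks like."""
    smtp_syns = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["PROTO"] == "TCP" and f["DPT"] == 25:
            smtp_syns[f["SRC"]] += 1
    alerts = {}
    for src, count in smtp_syns.items():
        reasons = []
        if src != mail_server:
            reasons.append("policy: SMTP only allowed from mail server")
        if count >= burst_threshold:
            reasons.append(f"volume: {count} SMTP connections")
        if reasons:
            alerts[src] = reasons
    return alerts

if __name__ == "__main__":
    for host, why in find_smtp_offenders(SAMPLE_LOG, "192.168.1.5", 3).items():
        print(host, "->", "; ".join(why))
```

In practice the log would be read from syslog and the threshold set from a baseline of normal traffic, with the mail relay itself monitored separately for volume.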

TheGear

I'm planning to put up a standalone firewall, in the hope that traffic analysis will give me a clue. Do you think this will work, and if so, what should I look for?
