Storm Worm

Malware remains a threat. The Storm Worm is one of the most threatening in recent times, and it continues to propagate. Bruce Schneier discusses it in detail here on Wired (thanks to David Lacey’s blog for drawing attention to this piece).

Schneier makes some remarks that should stick in all our minds over the coming months – the choice quotes are:

– Antivirus companies are pretty much powerless to do anything about it

– Inoculating infected machines individually is simply not going to work

– we know that users can’t keep themselves from clicking on enticing attachments and links

– We simply don’t know how to stop Storm

– Oddly enough, Storm isn’t doing much, so far, except gathering strength

– Personally, I’m worried about what Storm’s creators are planning for Phase II

A gentleman named Frank Boldewin has reverse-engineered the Storm Worm and published an analysis of how it works. The paper is hard going – especially for a very out-of-practice coder like me – but the message is clear. This is not a virus knocked together by a script kiddie in his bedroom. This is very dangerous malware that will create havoc on our networks and open the door to further infection. And we can’t detect it with our standard desktop anti-malware controls, because it has been designed to evade them and to be ignored by them (it is worth remembering that the people who write malware almost certainly test it against the common controls before they release it). The conclusion of the report is that

it should be clear that the developers of this malware deal with a lot of nasty tricks to gain access to victims’ machines and hide from detection, even on standard protected boxes.

Ultimately, malware has come of age. This is destructive, evades current desktop anti-malware controls, and has been put together with no small amount of skill. We need to keep meeting the threat with up-to-date controls and detection. We need to ensure we have documented incident response plans for when we discover infected machines on our networks (and don’t believe that we won’t) – and we need to practise running through them. We also need to keep communicating security awareness messages to our employees.