This blog is now hosted at consciou.us

Thursday, August 9, 2007

Storm Worm and adaptability

So, the storm worm is the new kid on the botnet block. I'd like a zombie PC with a side of fries.

Estimates put the Storm-infected botnet at between 250,000 and 1,000,000 PCs, although I think it definitely has the potential to be much higher.

More interesting than the fact that there's a new botnet du jour is that there are still so many networks that allow this vector of infection. Yes, Virginia, there are still networks that allow executables into their networks via email.

Of course, your network doesn't, right? Here are a few things to think about:

I got a scam email a few weeks back. It had a PDF with an embedded executable in it.
In my consulting practice, I've regularly bypassed these filters using one of the following two expedients:

Simply renaming the file to something other than .exe (e.g. .txt)
Putting the executable in a zip file.

Most email systems out there aren't capable of detecting either of these types of subterfuge. On top of that, sending executables by email is de facto accepted policy (it is actually part of the job description for certain individuals), so you are essentially forced to accept some amount of "slippage" in your protection.

Never mind the fact that there are zero-day exploits with Microsoft Office (and just try and block that!).

Without understanding the content (is this an executable, even though it is named foo.txt and embedded in a rar file?) and the context (Joe in IT should have the ability to send executables), it is next to impossible to implement sound policies around email.
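The two gaps above (a renamed executable, an executable inside an archive) are both closed by looking at what the attachment contains instead of what it is called. The following is an added example, not code from the original post: it identifies a Windows executable by its MZ/PE header, descends into zip attachments (nested ones too), and then applies the context rule the post describes, an allow-list of senders whose job requires mailing executables. The sample executable, zip members and sender addresses are constructed for the demo; `EXECUTABLE_SENDERS` and the function names are the example's own assumptions.

```python
"""Content-based attachment inspection: classify an attachment by its file
header rather than its file name, looking inside zip archives as well.
All sample data here is constructed for the demo; nothing is real malware."""
import io
import struct
import zipfile

# Context rule from the post ("Joe in IT should have the ability to send
# executables"). Constructed placeholder addresses.
EXECUTABLE_SENDERS = {"joe@it.example"}


def make_fake_pe() -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew field (offset
    0x3C) points at a "PE\\0\\0" signature. Real binaries carry much more,
    but these two markers are what decides the file type."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 24


def build_zip(members: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a PE header, whatever the file name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def find_executables(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return the path of every PE image in the attachment, descending into
    zip archives up to max_depth levels (bounded so a nested archive cannot
    keep the scanner busy forever)."""
    hits = []
    if is_pe_image(data):
        hits.append(name)
    if depth < max_depth and data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Refuse to inflate oversized members (zip-bomb guard);
                    # report them so they are not silently passed through.
                    if info.file_size > 50 * 1024 * 1024:
                        hits.append(f"{name}/{info.filename} (skipped: too large)")
                        continue
                    member = zf.read(info)
                    hits.extend(find_executables(f"{name}/{info.filename}",
                                                 member, depth + 1, max_depth))
        except zipfile.BadZipFile:
            pass  # not a readable archive; nothing more to inspect
    return hits


def decide(sender: str, name: str, data: bytes) -> tuple:
    """Combine content (what is in the attachment) with context (who sent it)."""
    found = find_executables(name, data)
    if not found:
        return ("allow", found)
    if sender in EXECUTABLE_SENDERS:
        return ("allow-with-audit", found)
    return ("quarantine", found)


if __name__ == "__main__":
    renamed = make_fake_pe()                       # "foo.txt" that is really an executable
    archived = build_zip({"readme.txt": renamed, "cat.jpg": b"\xff\xd8\xff not an exe"})
    print(decide("someone@outside.example", "foo.txt", renamed))
    print(decide("someone@outside.example", "invoice.zip", archived))
    print(decide("joe@it.example", "tools.zip", archived))
```

Extension detection is deliberately absent: the whole point is that `.txt` or `.jpg` in the name proves nothing. A mail gateway would run `find_executables` over every part of the message and feed the verdict into its quarantine, with the allow-list entries logged rather than waved through.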

However, with both content and context understood, we can actually prevent these types of attack and begin to deal with zero-day attacks. I have a customer who decided last week that he didn't like the amount of PDF spam he was receiving, so he built a dictionary to search for the spammer URLs in the PDFs. Net implementation took about 30 minutes (mostly spent finding the URLs). Net result? 68,000 of these blocked last week.
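The dictionary approach above is simple enough to show in full. This is an added example rather than the customer's actual implementation: it pulls URLs out of a PDF's raw bytes, inflates any Flate-compressed streams first (where the link annotations of many PDFs actually live, so a plain string search would miss them), and matches the host names against a blocklist. The blocklist entries and the PDF-shaped sample bytes are constructed for the demo; `SPAM_HOSTS`, `make_sample_pdf` and the other names are the example's own.

```python
"""Scan a PDF's bytes for URLs, including inside Flate-compressed streams,
and match their host names against a dictionary of spammer hosts.
The sample PDF bytes are constructed for the demo, not a viewable file."""
import re
import zlib

# Constructed blocklist; a real deployment would load this from a file.
SPAM_HOSTS = {"cheap-pills.invalid", "stock-tips.invalid"}

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Body of every "stream ... endstream" object in the file.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the document followed by the decompressed content of every
    stream that inflates; streams that are not Flate-encoded are skipped."""
    extra = []
    for m in STREAM_RE.finditer(pdf):
        d = zlib.decompressobj()
        try:
            # decompressobj tolerates the trailing newline before "endstream"
            extra.append(d.decompress(m.group(1)))
        except zlib.error:
            continue
    return pdf + b"\n" + b"\n".join(extra)


def extract_hosts(pdf: bytes) -> set:
    """All host names that appear in http(s) URLs anywhere in the document."""
    return {h.decode("ascii").lower().rstrip(".")
            for h in URL_RE.findall(inflate_streams(pdf))}


def matches_blocklist(pdf: bytes, blocklist=SPAM_HOSTS) -> set:
    """Hosts from the PDF that are a blocklisted domain or a subdomain of one."""
    return {h for h in extract_hosts(pdf)
            if h in blocklist or any(h.endswith("." + b) for b in blocklist)}


def make_sample_pdf(url: bytes, compress: bool) -> bytes:
    """Constructed PDF-shaped bytes with a single URI link annotation,
    optionally wrapped in a Flate-compressed stream as real PDFs often do."""
    body = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + url + b") >> >>"
    if compress:
        body = zlib.compress(body)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for sample in (make_sample_pdf(b"http://cheap-pills.invalid/buy", False),
                   make_sample_pdf(b"http://www.stock-tips.invalid/x", True),
                   make_sample_pdf(b"https://example.org/fine", True)):
        print(sorted(extract_hosts(sample)), "->", matches_blocklist(sample) or "clean")
```

The subdomain match is what makes a short dictionary useful: one entry covers every host the spammer rotates under it. The obvious limits are those of any string search over PDF: a URL written as a hex string (`/URI <...>`) or split across several text objects would not be caught by `URL_RE` as written, so the dictionary is a cheap first filter, not a substitute for parsing the document.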
