Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/20/2007
06:47 AM
50%
50%

A Storm of Human Error

Storm worm's proliferation proves that end users still have a lot of learning to do

2:47 PM -- How bad is the Storm worm? Even scanning it could trigger an attack.

In a recent interview with Information Week, Doug Pearson, technical director of REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center, discussed his team's findings following a detailed analysis of Storm worm behavior. The results are pretty disturbing.

According to a warning issued by REN-ISAC, IT professionals should be cautious of scanning infected Storm worm hosts with network vulnerability scanners, because such an action could trigger an automated distributed denial of service (DDOS) attack.

Having suffered through automated DDOS attacks before, I don't believe anyone should take this warning lightly. But I also think we need to think beyond Storm's effects and focus more on how it's spreading.

My first guess is the obvious one: The Storm worm must use sophisticated attacks to exploit unprotected machines. This is certainly plausible -- Storm is basically super-malware that can communicate via peer-to-peer (P2P) methods, host copies of malware via HTTP, mail massive amounts of spam, and defend itself via DDOS attacks.

But the most vulnerable infection point is not the client itself, but the actual human who operates the PC. Using enticing email subjects -- like "You've received an ecard from a family member!" and newer adult-oriented come-ons such as "Want me to show you what my roommate and I do when we get lonely at night?" -- Storm tricks end users into clicking on a link to the IP address of a Storm worm host, which provides them with the latest variant of the malware.

Of course, your end users would never click on such messages, right? Your efforts at instilling an awareness of basic security issues are right on target, so they would never infect themselves. Or would they?

The fact that Storm can muster enough machines to create an effective DDOS attack suggests that plenty of end users have already been sucked in by these phony messages. Sadly, I've seen countless "awareness" campaigns conducted, and each one tells users not to open attachments or click on unknown links in emails. But these same users still infect themselves.

Why do end users keep making these same mistakes? Although I've observed the behavior for several years, I don't have an answer. But I have seen a shirt that might. On the front, it says "Social Engineering Specialist," and the back reads, "Because there is no patch for human stupidity."

The shirt's message might be true, but it still bewilders me that the most prolific botnet currently in operation was created solely by people infecting themselves. What are we doing wrong as IT security professionals? We install the latest patches, keep the antivirus software updated, and remind users about the dangers of email from strangers. But the infection rate climbs daily. It's apparent that we're doing something wrong, but what?

How are you handling these issues in your environment? Do you conduct regular awareness classes? Do you have a "Wall of Shame" for people who seem to always get infected with the latest malware? Click the "Discuss" link below and let me know what you're doing -- and whether it works or not.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...