Mirage NAC Stops Storm Worm & Variants

Mirage Networks stops Storm worm and variants that render other NAC solutions ineffective

Dark Reading Staff, Dark Reading

November 15, 2007


AUSTIN, Texas -- Mirage Networks, developer of patented Network Access Control (NAC) solutions, announced today that its NAC technology recognizes and isolates the notorious Storm Worm and its many variants, despite claims by some that Storm renders NAC solutions ineffective. The Storm Worm is malicious software designed to illegally recruit computers into a global distributed network, or botnet. The Mirage research team acquired copies of Storm and its variants and verified that it detects the worm and isolates infected endpoints.

“It is particularly significant that Mirage shuts down Storm because several aspects of the worm’s behavior suggest that its programmers designed it to thwart NAC applications specifically,” said Grant Hartline, chief technical officer for Mirage Networks. “Mirage’s out-of-box threat detection and mitigation render the Storm Worm ineffective, highlighting the necessity for both pre- and post-admission NAC.”

The Storm Worm propagates through a social engineering element that entices a user to launch an executable file, which infects the user’s computer. The compromised system is then merged into a botnet. The Storm Worm is unusual in that its botnet functions like a peer-to-peer network instead of being controlled through a central server. This makes an accurate accounting of the botnet’s size virtually impossible. Estimates range from 250,000 to ten million infected systems worldwide, all capable of receiving and executing commands from the worm’s programmers without the knowledge or consent of the system owners.

Aspects of Storm’s behavior suggest an active attempt to thwart many anti-virus and intrusion prevention systems. For example, the code Storm uses to propagate morphs every half hour, foiling signature-based technologies such as AV and IPS. Storm’s P2P network of distributed drones is resilient to attack and constantly shifts the roles of systems on the network. By the time a command-and-control server is identified, it most likely is no longer serving that function, and if it is shut down, another system on the network takes over its responsibilities. Storm also demands little from its hosts in the way of network resources and does not cause damage to the systems it infects, making it particularly hard to detect. Storm has also been known to initiate Distributed Denial of Service attacks against security vendors that covertly attempt to place machines on the botnet for reconnaissance.

Mirage Networks
