Hi,

First, I don't know that Nessus is set up to detect Storm Worm infected computers. You might find some during the normal course of business using an IDS signature as Tim mentioned, or possibly by finding an unexpected port 80 open on a host. Additionally, you can search for any of your IPs on http://www.bleedingthreats.net/rules/bleeding-compromised.rules. These will be IPs that have been returned as records from the lookup of certain fast-flux domains.
Finally, without going into the details, to trigger the DDoS there is a certain amount of thresholding required. It has to do with the version of Storm, the number of nodes, and how quickly you take certain actions against all of them. In short, if you only have one or two infected nodes on your network, you're not likely to trigger a DDoS attack. Alternatively, as mentioned, they do rely on P2P (using a modified(?) Overnet protocol), so if you're blocking that you'll probably also be OK.

Steven
securityzone.org

> I scan our network constantly and have not experienced such an attack
> despite having had more than one storm infected computer on the network
> (despite the 8,000+ systems only about 5 infections so far).
>
> I don't have any facts to base this on, but I expect that the attacks
> require communication between the clients and we have mitigating factors
> here:
>
> 1. no inbound http to non-approved servers. Storm has a web server component
> so this *might* impact that
>
> 2. P2P is off by default. Storm relies on a P2P protocol (I forget which
> one) to communicate so this can be expected to impact it.
>
> Most of our storm worm detection has been from a snort rule (three cases),
> one from an external alert (before we had the snort rule in place), and one
> from troubleshooting lost network connectivity.
>
> I recommend snort for detecting storm.
>
> Tim Doty
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nelson, C.M.
> Sent: Friday, September 07, 2007 6:57 AM
> To: [email protected]
> Subject: Storm Worm
>
> Hi,
>
> I've been reading that security scanning a "Storm Worm" infected PC may lead
> to triggering a DDoS attack on the scanner host's network.
>
> Does anyone have more information about using Nessus in relation to
> Storm Worm i.e. is it known to trigger such an attack and can Nessus detect
> a Storm Worm infection?
>
> --
> Carl Nelson
> Distributed Systems Services, Computer Centre, University of Leicester,
> Leicester, LE1 7RH, U.K.
> Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
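Steven's suggestion above is to check whether any of your own addresses appear in the published compromised-host IP list. The script below is an added example written for this thread, not code from any of the posters or from Bleeding Threats: it parses the rule headers of a Snort-style IP-list rules file, pulls out the literal addresses and networks, and reports the ones that overlap your own prefixes, together with the sid of each rule that lists them. The embedded rules text, the sids (9000001 to 9000003) and the address prefixes are constructed for the demonstration and use RFC 5737 documentation ranges; to run it against the real file, read the downloaded bleeding-compromised.rules into the rules_text argument and pass your institution's prefixes.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the style of a Snort "known compromised host" rules file.
# Addresses are RFC 5737 documentation ranges and the sids are placeholders,
# not the real indicators or sids from bleeding-compromised.rules.
SAMPLE_RULES = """\
# constructed sample, not the real bleeding-compromised.rules
alert ip [192.0.2.10,192.0.2.11,198.51.100.5] any -> $HOME_NET any (msg:"SAMPLE Known Compromised Host Traffic (1)"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.5] any (msg:"SAMPLE Known Compromised Host Traffic (2)"; classtype:misc-attack; sid:9000002; rev:1;)
alert ip [203.0.113.0/24,!203.0.113.7] any -> $HOME_NET any (msg:"SAMPLE Known Compromised Host Traffic (3)"; classtype:misc-attack; sid:9000003; rev:1;)
"""

# Snort rule header: action proto SRC SPORT DIR DST DPORT ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+\S+\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+\S+\s*\("
)
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def parse_ip_list(field: str) -> List[Network]:
    """Turn a Snort address field ('[a,b,c/24]', 'a', '$HOME_NET', 'any') into networks.

    Variables ($HOME_NET), 'any' and negated entries (!x) are not indicators
    of anything, so they are skipped rather than matched.
    """
    nets: List[Network] = []
    for entry in field.strip("[]").split(","):
        entry = entry.strip()
        if not entry or entry.startswith(("$", "!")) or entry.lower() == "any":
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def extract_indicators(rules_text: str) -> Dict[Network, Set[int]]:
    """Map every literal address/network in the rule headers to the sids that list it."""
    indicators: Dict[Network, Set[int]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = HEADER_RE.match(line)
        if not header:
            continue  # not a rule line (or a format this parser does not handle)
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else -1
        for field in (header.group("src"), header.group("dst")):
            for net in parse_ip_list(field):
                indicators.setdefault(net, set()).add(sid)
    return indicators


def find_listed_hosts(
    rules_text: str, our_prefixes: Iterable[str]
) -> List[Tuple[str, Tuple[int, ...]]]:
    """Return (listed_entry, sids) for every listed entry overlapping our address space."""
    ours = [ipaddress.ip_network(p, strict=False) for p in our_prefixes]
    hits = []
    for net, sids in extract_indicators(rules_text).items():
        # overlaps() handles single hosts (/32) and whole listed networks alike
        if any(net.version == p.version and net.overlaps(p) for p in ours):
            hits.append((str(net), tuple(sorted(sids))))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed: pretend our institution owns 198.51.100.0/24 and 10.0.0.0/8.
    for entry, sids in find_listed_hosts(SAMPLE_RULES, ["198.51.100.0/24", "10.0.0.0/8"]):
        print(f"{entry} is listed as compromised in sid(s) {sids}")
```

A hit means the address was returned for a fast-flux domain lookup at the time the list was built, which is a reason to look at that host's traffic (the Snort rule Tim mentions, or an unexpected listener on port 80), not proof in itself; addresses in the list also age, so treat the sid and list date as part of the record.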
