A Storm of Human Error

2:47 PM -- How bad is the Storm worm? Even scanning it could trigger an attack.

In a recent interview with Information Week, Doug Pearson, technical director of REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center, discussed his team's findings following a detailed analysis of Storm worm behavior. The results are pretty disturbing.

According to a warning issued by REN-ISAC, IT professionals should be cautious of scanning infected Storm worm hosts with network vulnerability scanners, because such an action could trigger an automated distributed denial of service (DDOS) attack.

Having suffered through automated DDOS attacks before, I don't believe anyone should take this warning lightly. But I also think we need to think beyond Storm's effects and focus more on how it's spreading.

My first guess is the obvious one: The Storm worm must use sophisticated attacks to exploit unprotected machines. This is certainly plausible -- Storm is basically super-malware that can communicate via peer-to-peer (P2P) methods, host copies of malware via HTTP, mail massive amounts of spam, and defend itself via DDOS attacks.

But the most vulnerable infection point is not the client itself, but the actual human who operates the PC. Using enticing email subjects -- like "You've received an ecard from a family member!" and newer adult-oriented come-ons such as "Want me to show you what my roommate and I do when we get lonely at night?" -- Storm tricks end users into clicking on a link to the IP address of a Storm worm host, which provides them with the latest variant of the malware.

Of course, your end users would never click on such messages, right? Your efforts at instilling an awareness of basic security issues are right on target, so they would never infect themselves. Or would they?

The fact that Storm can muster enough machines to create an effective DDOS attack suggests that plenty of end users have already been sucked in by these phony messages. Sadly, I've seen countless "awareness" campaigns conducted, and each one tells users not to open attachments or click on unknown links in emails. But these same users still infect themselves.

Why do end users keep making these same mistakes? Although I've observed the behavior for several years, I don't have an answer. But I have seen a shirt that might. On the front, it says "Social Engineering Specialist," and the back reads, "Because there is no patch for human stupidity."

The shirt's message might be true, but it still bewilders me that the most prolific botnet currently in operation was created solely by people infecting themselves. What are we doing wrong as IT security professionals? We install the latest patches, keep the antivirus software updated, and remind users about the dangers of email from strangers. But the infection rate climbs daily. It's apparent that we're doing something wrong, but what?

How are you handling these issues in your environment? Do you conduct regular awareness classes? Do you have a "Wall of Shame" for people who seem to always get infected with the latest malware? Click the "Discuss" link below and let me know what you're doing -- and whether it works or not.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading