Network worms of the last decade are still being found today

    It would seem that the life cycle of a network worm is short: from the moment of detection to the release of signature updates by antivirus vendors takes from several hours to several weeks, and updating software to eliminate the vulnerabilities through which worms spread does not take much time either. However, this is not the case. Recent studies by manufacturers of network intrusion detection and prevention systems (IDS/IPS) show that network worms of the last decade are still being detected everywhere.

    Researchers at HP studied about 35 billion events generated by HP TippingPoint IPS devices around the world from 2007 to 2012. Data from about 1,000 HP customers worldwide was analyzed.
    The study found that the network activity of worms that were relevant in the past decade is still being detected. The SQL Slammer network worm, which appeared in 2003, was seen hundreds of times more often than many other threats during this period, and it accounts for about 2% (about 42 million rule triggers) of all detected threats. More than 50% of HP TippingPoint IPS customers had Slammer worm activity, 46% found traces of the Nimda worm (2001), 31.4% had various modifications of the Back Orifice Trojan (1998-2004), 8.29% had the Storm worm (2007) and 2.29% had the Code Red worm (2001).
    Worm activity is detected both in inbound traffic (attempts to infect from outside) and in outbound traffic (attempts to spread worms from infected computers to the LAN). Even organizations that are actively involved in information security and equipped with intrusion detection hardware cannot fully cope with protecting their workstations.
    Most likely, the reason is that in companies with a large number of workstations, computers often go without updates for decades, and internal IT services simply cannot keep software versions and security tools up to date. It is easy to imagine a large non-IT company where many positions are held by the same people, who work in the same environment, and no one thinks about upgrading the hardware or updating the software. I think the situation is similar in Russia.

    More about the study: Dark Reading, "What The IPS Saw" by Kelly Jackson Higgins.
