One might expect the life cycle of a network worm to be short: anti-virus vendors ship detection signatures within hours to a few weeks of a worm's discovery, and patching the vulnerabilities a worm exploits does not take much longer. Recent studies by vendors of network intrusion detection and prevention systems (IDS/IPS) show otherwise: worms from the past decade are still being seen everywhere.
Researchers at HP analyzed about 35 billion events generated between 2007 and 2012 by HP TippingPoint IPS devices deployed at roughly 1,000 HP customers around the world.
The study found that the well-known worms of the past decade are still generating network activity. The SQL Slammer worm, which appeared in 2003, was seen hundreds of times more often than many other threats over this period and accounted for about 2% of all detected threats (about 42 million rule hits). More than 50% of HP TippingPoint IPS customers saw Slammer activity, 46% saw traces of the Nimda worm (2001), 31.4% saw various modifications of the Back Orifice trojan (1998-2004), 8.29% saw the Storm worm (2007), and 2.29% saw the Code Red worm (2001).
Worm activity shows up in both inbound traffic (infection attempts from outside) and outbound traffic (attempts by already-infected machines on the LAN to spread the worm further). Even organizations that take information security seriously and run intrusion-detection hardware do not fully manage to protect their workstations.
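The inbound/outbound distinction matters in practice: an inbound Slammer hit tells you the Internet is still noisy, while an outbound or LAN-to-LAN hit tells you which of your own hosts is infected and has been missed by patching. The following script is an added example, not code from the original post or from HP; it parses a handful of constructed IPS alert lines (the signature names and the CSV layout are hypothetical, not the TippingPoint log format) and classifies each alert by direction relative to an assumed internal prefix of 10.0.0.0/8, then lists the internal hosts that are sourcing worm traffic.

```python
"""Classify IPS worm alerts as inbound (infection attempts from outside),
outbound (spread from an infected LAN host to the Internet) or lateral
(spread between LAN hosts), and list the internal hosts that need cleaning.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample alerts (not from the HP study). Each line is:
# signature,src_ip:src_port,dst_ip:dst_port,protocol
# Signature names are hypothetical; the ports are the well-known ones
# (Slammer uses UDP/1434, Code Red targets TCP/80, Back Orifice's
# default port is UDP/31337).
SAMPLE_ALERTS = """\
SQL Slammer Worm Propagation,203.0.113.7:1051,10.0.0.12:1434,udp
SQL Slammer Worm Propagation,10.0.0.44:1033,198.51.100.9:1434,udp
SQL Slammer Worm Propagation,10.0.0.44:1033,10.0.0.12:1434,udp
Nimda Worm HTTP Request,10.0.0.31:2345,192.0.2.88:80,tcp
Code Red II default.ida Overflow,203.0.113.55:4321,10.0.0.5:80,tcp
Back Orifice Ping,198.51.100.3:1200,10.0.0.9:31337,udp
"""

# Assumed internal address space; adjust to the real LAN prefixes.
LAN = ipaddress.ip_network("10.0.0.0/8")


def parse_alert(line):
    """Split one CSV alert line into a dict with IPs and ports separated."""
    sig, src, dst, proto = line.strip().split(",")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "signature": sig,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "proto": proto,
    }


def direction(src_ip, dst_ip, lan=LAN):
    """Return 'inbound', 'outbound', 'lateral' or 'transit' for a flow."""
    src_internal = ipaddress.ip_address(src_ip) in lan
    dst_internal = ipaddress.ip_address(dst_ip) in lan
    if src_internal and dst_internal:
        return "lateral"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return "transit"  # neither side is ours (e.g. a transit link)


def summarize(alert_text, lan=LAN):
    """Count alerts per signature and direction; collect infected LAN hosts.

    Any internal host that *sources* worm traffic (outbound or lateral)
    is treated as infected, because a worm only transmits from a
    compromised machine.
    """
    counts = defaultdict(Counter)
    infected = defaultdict(set)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        d = direction(alert["src_ip"], alert["dst_ip"], lan)
        counts[alert["signature"]][d] += 1
        if d in ("outbound", "lateral"):
            infected[alert["signature"]].add(alert["src_ip"])
    return counts, infected


if __name__ == "__main__":
    counts, infected = summarize(SAMPLE_ALERTS)
    for sig in sorted(counts):
        print(f"{sig}: {dict(counts[sig])}")
        if infected[sig]:
            print(f"  infected internal hosts: {sorted(infected[sig])}")
```

Run over the sample, the script reports one inbound, one outbound and one lateral Slammer hit and flags 10.0.0.44 as the infected host; the Code Red and Back Orifice hits are inbound only, so they indicate background noise rather than a compromised workstation. The same split applied to real IPS output is what separates the "the Internet is still full of Slammer" finding from the actionable "these hosts on our LAN were never patched" list.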
The most likely reason is that in companies with large numbers of workstations, machines often go unpatched for a decade or more, and the internal IT departments simply cannot keep software versions and security tools current. It is easy to picture a large non-IT company where many people sit at the same job, work in the same environment, and nobody thinks about replacing the hardware or updating the software. I think the situation in Russia is similar.
Read more about the study in Dark Reading: "What The IPS Saw", by Kelly Jackson Higgins.