A newly discovered capability of the Storm worm could invalidate results churned out by NAC products, attendees at Interop New York learned last week.
This new trick is Storm's ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them, says Josh Corman, host protection architect for IBM/ISS.
Users will see that, for example, antivirus is turned on, but actually it isn't scanning for viruses, or as Corman puts it, it is brain dead. "It's running but it's not doing anything. You can brain-dead anything," he says.
NAC vendors acknowledged at the show that this capability could thwart the endpoint checking that their products perform. NAC scans devices before they gain admission to networks looking for the likes of properly patched operating systems and personal firewalls and antivirus software that is updated and turned on.
If the software seems turned on but is doing nothing that would invalidate the scan, say representatives of NAC vendors ConSentry, Juniper and McAfee. "This is an example of why pre-admission NAC is not enough," says Michelle McLean, director of marketing for Consentry.
Analyzing what devices attempt to do once they are on the network - post-admission NAC - is necessary as a backstop to pre-admission tests, says Vimal Solonki, senior director of product marketing for McAfee.
Storm also exemplifies the sophistication of new malware that retaliates against researchers studying it with the goal of stamping it out, Corman revealed at the show.
The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching distributed DoS attacks against them, shutting down their Internet access for days, he says.
"As you try to investigate [Storm], it knows, and it punishes," he says. "It fights back."