InfoSecNews put an article on the wire today about the Storm Botnet getting more aggressive.

With schools starting within a few weeks in many different parts of the Northern hemisphere, many network administrators are running active network scans to look for traces of malware. Often, malware is easy to detect because it keeps a backdoor listening. The presence of an open network port on a host is often the first hint that something is afoot and almost always requires further analysis.

The ISN article outlines that the malware detects that it is being scanned, and instructs (part of) the vast botnet to attack the host from which the scans originated.

More often than not, these hosts are regular workstations used by administrators and, even if the intermediary infrastructure (firewalls, routers, switches, etc.) can handle the DDoS volume, those workstations more than likely cannot. Effectively, such retaliation attacks will make it much more difficult for network administrators to find out what is happening on their network.

What does this mean?

Does it mean that admins can no longer actively scan for traces of malware on their network, for fear of retaliation?


Fortunately, it is still possible to listen passively. Using tools such as NetFlow, administrators can still detect suspicious network traffic patterns. The benefit of NetFlow, or other forms of passive network monitoring, is that it is (nearly) impossible for an attacker to detect.

While an attacker can still attempt to launch a DDoS attack against the school, it will be harder for the attacker to find out what the exact target is.
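As an added illustration of passive detection from flow data (not code from the ISN article or from any tool named above), the sketch below flags internal hosts that contact an unusually large number of distinct external peers over UDP. The heuristic itself, the internal range, the threshold and the flow records are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.20.0.0/16")  # assumed campus address range
PEER_THRESHOLD = 50  # assumed cut-off: distinct external UDP peers per window


def constructed_flows():
    """Constructed flow records (src, dst, proto, dport); not real traffic."""
    flows = []
    # Workstation doing ordinary DNS lookups and web browsing.
    flows += [("10.20.1.15", "192.0.2.53", "udp", 53)] * 40
    flows += [("10.20.1.15", f"198.51.100.{i}", "tcp", 443) for i in range(1, 30)]
    # Host talking to many distinct external peers on high UDP ports.
    flows += [("10.20.7.99", f"203.0.113.{i}", "udp", 10000 + i)
              for i in range(1, 121)]
    # Inbound flow: the source is external, so it is not counted.
    flows.append(("203.0.113.5", "10.20.1.15", "udp", 4000))
    return flows


def udp_fanout(flows, internal=INTERNAL):
    """Map each internal source to its set of distinct external UDP peers."""
    peers = defaultdict(set)
    for src, dst, proto, _dport in flows:
        if proto != "udp":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in internal and d not in internal:
            peers[src].add(dst)
    return peers


def suspicious_hosts(flows, threshold=PEER_THRESHOLD):
    """Return (host, peer_count) pairs at or above threshold, busiest first."""
    counts = {host: len(p) for host, p in udp_fanout(flows).items()}
    flagged = [(h, n) for h, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, n in suspicious_hosts(constructed_flows()):
        print(f"{host}: {n} distinct external UDP peers")
```

Because the analysis runs on records exported by the router or collector, nothing is sent to the flagged host, so a follow-up can be planned from a machine the suspect host has never seen.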

In the meantime, it seems like the botnets are getting more aggressive about fighting back against detection and cleanup. I wonder where this will take us next.