Researchers: Worms not heading underground


"With this added technique of constant morphing and many new variants, I can't imagine how signature-based based technologies will ever cope with this sort of thing -- people truly need behavior-based tools to stop them," said Alperovitch. "We haven't seen the mass mailing, mass targeting worms that were big in the past, and Storm is not mass targeting compared to some of those, but the Web component will allow it to propagate much faster, so we'll have to keep a close eye on it."

Anti-virus software makers agreed that traditional signature-based tools alone will not suffice to stop the new breed of worm, but they said that the attacks can be thwarted using a combination of those products and newer behavior-based systems.

Officials at AV market leader Symantec, based in Cupertino, Calif., said that they view Storm as more of a Trojan than a worm, based on the fact that its spread is relying on social engineering methods versus automated propagation. Either way, users should rely on a defense-in-depth security strategy to protect themselves from either form of attack, according to Dave Cole, director of Symantec's Security Response team.

"The major threat of today isn't the worm of yesteryear, but really the Trojan attack as the designers are using really sophisticated social engineering to trick people into downloading," Cole said. "The classical worms are still out there, we still see a ton, but the reality is they are not infecting nearly as many people because of the defenses out there; these new ones are a bigger threat."

While behavior-based tools such as IDSes may represent the most effective form of defense against the rapidly-changing worm threats of today, users should still employ signature-based anti-virus applications to protect against anything that sneaks through those filters, according to the Symantec researcher.