ForeScout Technologies announced that its ActiveScout intrusion prevention system stopped the "Slapper Worm" attack and protected its customers -- even though those customers were neither aware of the attack in advance nor had taken any specific action to protect themselves.
According to some reports, the worm has infected more than 10,000 Apache Web servers to date.
The security community began issuing warnings late last week about the Slapper Worm, but only after thousands of machines had been infected. According to ForeScout, its ActiveScout-protected networks resisted the Slapper Worm attack automatically, before this worm became known to the security community at large. And no advance modification or update to the ActiveScout software was required to achieve this protection.
The company says that on networks where ActiveScout is installed, worms trying to attack the network will see a multitude of HTTP servers. These are virtual servers, presented by the Scout as a mark. The worm starts connecting to HTTP servers at port 80. At this early stage, ActiveScout identifies this as a probing (reconnaissance) activity and offers virtual resources to connect to.
According to the company, when the worm finds an open HTTP server, it connects to it. Shortly thereafter, it connects to port 443 on the same server. To the Scout, this is a bite event ("Port Bite" type). The system is designed to latch the auto-blocking mode, and engage dynamic firewall reconfiguration (if enabled) to block all traffic from the scanning host, which should prevent the worm from infecting machines on the protected network.
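The probe-then-bite sequence described above can be sketched as detection logic replayed over connection events. This is an added example, not ForeScout's code or ActiveScout's actual logic; the decoy addresses, the 60-second window, the event format and the outcome names are all assumptions made for illustration.

```python
# Added illustration; not ForeScout's implementation.
DECOYS = {"192.0.2.10", "192.0.2.11"}  # constructed virtual HTTP servers
BITE_WINDOW = 60.0                      # assumed max seconds from probe to bite

# Constructed events: (time, source, destination, destination port)
EVENTS = [
    (0.0, "198.51.100.7", "192.0.2.10", 80),   # scanner finds a decoy
    (0.4, "198.51.100.7", "192.0.2.11", 80),   # ...and another one
    (1.0, "203.0.113.5", "10.0.0.20", 80),     # ordinary client, real server
    (1.2, "198.51.100.7", "192.0.2.10", 443),  # follow-up on the same decoy
    (1.5, "198.51.100.7", "10.0.0.20", 80),    # scanner turns to a real server
    (2.0, "203.0.113.5", "10.0.0.20", 443),    # ordinary client again
    (3.0, "203.0.113.9", "192.0.2.11", 443),   # decoy touched, no earlier port 80
]


class DecoyMonitor:
    def __init__(self, decoys, window):
        self.decoys = set(decoys)
        self.window = window
        self.probes = {}      # (source, decoy) -> time of last port-80 connect
        self.blocked = set()  # sources whose traffic is now dropped

    def observe(self, ts, src, dst, port):
        if src in self.blocked:
            return "dropped"          # auto-blocking already latched
        if dst not in self.decoys:
            return "pass"             # real hosts are not judged here
        if port == 443:
            seen = self.probes.get((src, dst))
            if seen is not None and ts - seen <= self.window:
                self.blocked.add(src)  # port 80 then 443 on one decoy: bite
                return "bite"
        elif port == 80:
            self.probes[(src, dst)] = ts
        return "probe"                # any other decoy contact is only noted


def replay(events, decoys=DECOYS, window=BITE_WINDOW):
    """Feed events in order; return per-event outcomes and the block list."""
    mon = DecoyMonitor(decoys, window)
    outcomes = [mon.observe(*ev) for ev in events]
    return outcomes, mon.blocked


if __name__ == "__main__":
    outcomes, blocked = replay(EVENTS)
    for ev, out in zip(EVENTS, outcomes):
        print(ev, "->", out)
    print("blocked:", sorted(blocked))
```

Because only decoy addresses are judged, the ordinary client that uses ports 80 and 443 on the real server is never flagged, while the scanning host is dropped before it reaches that server.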
"We have surveyed some of our customers, and not a single one has suffered any damage from the Slapper Worm," said Doron Shikmoni, co-founder of ForeScout Technologies. "ActiveResponse technology worked according to design, automatically stopping the worm without our customers knowing the threat existed, or how the threat specifically operates to compromise vulnerable systems."