
nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: "Jason Frisvold" <xenophage0 () gmail com>
Date: Tue, 21 Feb 2006 08:16:22 -0500


On 2/21/06, Michael.Dillon () btradianz com <Michael.Dillon () btradianz com> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intriguing concept..  Why bother "hiding" itself though?  Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?  Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall.. 
:)

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does..  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection
instructions..

> --Michael Dillon

--
Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com
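
The spoofing concern raised in the message above, as an added example that is not part of the original thread: a registry that counts a vote only if it carries a valid tag from a registered researcher, and only once per researcher. The per-researcher HMAC keys, the quorum of 3, and all ids and host names are assumptions made for illustration; the thread itself says only "encoded signal" and "enough votes".

```python
import hashlib
import hmac

# Constructed sample values: researcher ids, keys and host names are made up.
RESEARCHER_KEYS = {
    "r1": b"constructed-key-1",
    "r2": b"constructed-key-2",
    "r3": b"constructed-key-3",
}
QUORUM = 3  # assumption: the thread only says "enough votes"

def sign_vote(researcher_id, host, key):
    """Researcher side: the tag binds the voter's identity to the reported host."""
    msg = f"{researcher_id}|{host}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def tally(votes, keys=RESEARCHER_KEYS):
    """Registry side: map each host to the set of researchers with a valid vote."""
    valid = {}
    for researcher_id, host, tag in votes:
        key = keys.get(researcher_id)
        if key is None:
            continue  # vote from an unregistered researcher
        expected = sign_vote(researcher_id, host, key)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            continue  # forged or corrupted tag: does not count
        valid.setdefault(host, set()).add(researcher_id)  # set ignores repeats
    return valid

def hosts_to_quarantine(votes, quorum=QUORUM):
    """Only hosts reported by at least `quorum` distinct researchers."""
    return sorted(h for h, who in tally(votes).items() if len(who) >= quorum)

def sample_votes():
    """Constructed input: host-a gets a repeated and a forged vote, host-b a real quorum."""
    k = RESEARCHER_KEYS
    a, b = "host-a.example", "host-b.example"
    return [
        ("r1", a, sign_vote("r1", a, k["r1"])),
        ("r1", a, sign_vote("r1", a, k["r1"])),          # same researcher again
        ("r2", a, sign_vote("r2", a, k["r2"])),
        ("r3", a, sign_vote("r3", a, b"not-r3's-key")),  # spoofed as r3
        ("r4", a, sign_vote("r4", a, b"unknown")),        # unregistered id
    ] + [(r, b, sign_vote(r, b, k[r])) for r in ("r1", "r2", "r3")]

if __name__ == "__main__":
    print(hosts_to_quarantine(sample_votes()))
```

The tags here carry no timestamp or nonce, so a real design would also need a freshness check to reject votes replayed from an earlier round.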

