Re: informIT: Modern Malware

[Andy Steingruebl <steingra () gmail com>]

On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw <gem () cigital com> wrote:
> hi sc-l,
>
> The tie between malware (think zeus and stuxnet) and broken software of the sort we work hard on fixing is difficult 
> for some parts of the market to fathom.  I think it's simple: software riddled with bugs and flaws leads directly to 
> the malware problem.   No, you don't use static analysis to "find malware" as the AT&T guys sometimes think…you use 
> it to find the kinds of bugs that malware exploits to get a toehold on target servers.  One level removed, but a 
> clear causal effect.

Gary,

Interestingly, your article only covers malware that gets installed by
exploiting a technical vulnerability, not malware that gets installed
by exploiting a human vulnerability (social engineering).  I've been
looking around and haven't found much data on infection rates,
percentages, success rates, etc. but "voluntarily" installed malware
is a significant and growing concern, and it requires an entirely
different approach than that required for malware that exploits a
technical vuln.

Thoughts?

- Andy

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________