North American Network Operators Group


Re: Quarantine your infected users spreading malware

  • From: Gadi Evron
  • Date: Tue Feb 21 07:40:01 2006

[email protected] wrote:
How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?

Why not just bypass them and go direct to the unwashed
masses of end users? Offer them a free Windows infection blocker program that imposes the quarantine
itself locally on the user's machine. This program
would use stealth techniques to hide itself in the
user's machine, just like viruses do. And this program
would do nothing but register itself with an encoded
registry, and listen for an encoded command to activate
itself. Rather like a botnet except with the user's
consent and with a positive goal.

When the community of bot/worm researchers determines
that this machine is infected, they inform the central
registry using their own encoded signal. When enough
"votes" have been collected, the registry sends the
shutdown signal to the end user, thus triggering the
blocker program to quarantine the user.

At this point a friendly helpful webpage pops up
and guides the user through the disinfection process.

Unlike antivirus software, the application on the user's
computer does not need to detect malware and it needs
no database updates. It does only one thing and it relies
on the collective intelligence of the anti-malware community.

This won't stop worms or botnets, but it will slow them down
and it will greatly speed the cleanup process.

--Michael Dillon

Hi Michael, the only problem with that approach is that you think like a defender.

As the defense is local to the user's machine, the attacker can just kick it away.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.