North American Network Operators Group


Re: Quarantine your infected users spreading malware

  • From: Jason Frisvold
  • Date: Tue Feb 21 08:18:41 2006

On 2/21/06, [email protected] <[email protected]> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free Windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intriguing concept.  Why bother "hiding" itself, though?  Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?  Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall...

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does...  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection

> --Michael Dillon

Jason 'XenoPhage' Frisvold
[email protected]
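The vote-then-quarantine scheme quoted above, together with the spoofing and override concerns raised in the reply, sketched as an added example (not code from either poster or from any real project). It assumes invented researcher ids, per-researcher shared keys and one agent key; each vote carries a MAC under the voter's key, a replayed vote is dropped, one voter counts once per host, and the user can always lift the quarantine.

```python
import hmac, hashlib, secrets
from collections import defaultdict

THRESHOLD = 3  # distinct researcher votes needed before a quarantine signal is sent


def _tag(key, msg):
    # HMAC-SHA256 over a string; keys and ids here are constructed for the example
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Registry:
    """Central registry that collects researcher votes and emits signed signals."""

    def __init__(self, researcher_keys, signal_key):
        self.keys = researcher_keys        # researcher id -> shared secret (assumption)
        self.signal_key = signal_key       # key shared with the end-user agents (assumption)
        self.votes = defaultdict(set)      # host id -> set of researcher ids that voted
        self.seen = set()                  # (researcher, nonce) pairs, to reject replays

    def submit_vote(self, researcher, host, nonce, tag):
        key = self.keys.get(researcher)
        if key is None:
            return False                   # unknown voter: ignored
        if not hmac.compare_digest(_tag(key, f"{researcher}|{host}|{nonce}"), tag):
            return False                   # forged or tampered vote ("spoofed" signal)
        if (researcher, nonce) in self.seen:
            return False                   # replayed vote
        self.seen.add((researcher, nonce))
        self.votes[host].add(researcher)   # a voter counts once per host, however often they vote
        return True

    def quarantine_signal(self, host):
        if len(self.votes[host]) < THRESHOLD:
            return None                    # not enough independent votes yet
        return (host, _tag(self.signal_key, "quarantine|" + host))


def make_vote(researcher, key, host):
    nonce = secrets.token_hex(8)           # fresh per vote, so the same vote cannot be replayed
    return researcher, host, nonce, _tag(key, f"{researcher}|{host}|{nonce}")


class Agent:
    """The small program on the user's machine: it verifies and applies the signal."""

    def __init__(self, host, signal_key):
        self.host, self.signal_key, self.quarantined = host, signal_key, False

    def receive(self, signal):
        host, tag = signal
        ok = host == self.host and hmac.compare_digest(_tag(self.signal_key, "quarantine|" + host), tag)
        self.quarantined = self.quarantined or ok   # unverified or mis-addressed signals change nothing
        return ok

    def user_override(self):
        self.quarantined = False           # the end user keeps the final say, as the reply argues
```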