North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Quarantine your infected users spreading malware

  • From: Michael.Dillon
  • Date: Tue Feb 21 08:44:34 2006

> > When enough
> > "votes" have been collected, the registry sends the
> > shutdown signal to the end user, thus triggering the
> > blocker program to quarantine the user.
> 
> Isn't there a risk of DoS though?  What's to prevent someone from
> "spoofing" those signals and shutting down other users?

The signal would be encoded using a unique key. 
I would also expect that the choice of listening port
would be somehow randomized and registered in the central
registry to make it less of a DOS target.

>  Relative
> precautions would need to be taken, but to be sure, the end-user needs
> the ability to override the system.  Thus leaving us in the same
> situation as before.  Firewall?  I don't need no stinking firewall.. 

I see no reason why the user needs the ability to 
override or remove the software. After all, during
normal operation it does nothing at all therefore it
does not interfere in any way with machine operation.
The intent is to make it virtually impossible to 
remove this software so that a virus or worm cannot
remove it either.

> Sure it does..  It doesn't need to remove it, per se, but it will need
> to know what the infection is so it can give the correct disinfection
> instructions..

If the quarantined state keeps open a port 443 connection 
to a specific trusted webserver run by the group of trusted 
security researchers then the specifics of combatting the 
worm can be made available on that site. If necessary the 
site could upload ActiveX controls to do malware scans or 
recommend the installation of such software.

--Michael Dillon