funsec mailing list archives
Re: ? - I don't know where to send this one, so I'm sending it here...
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 03 Nov 2005 10:40:34 +1300
Fergie wrote:
New Bagles being seeded. Methinks the AV vendors are trying as best they can to keep up with the onslaught of new Bagles being massively sent the past few days...
Every week or two they endure such a blast. I think the record was 8 (or was it 12?) in one (slightly longer than) 24 hour period.

Of course, that pales in comparison to some other malware families. Elsewhere I have just been discussing Spybot variants. Ignoring that there is huge variance amongst the vendors as to family inclusion for these (what some call Spybot others call SD-Bot, Loonbot, and a number of others), but one vendor that has somewhat strict rules internally for placing something in what it calls the Spybot family knows of over 17,200 Spybot variants. If these had all been created in the last year, that's around 50 a day. OK, so that's not a reasonable assumption, as we know "Spybot" has been around for a while longer than that. Let's say it's been around for three years -- that means a sustained average of around 16 per day and even if Spybot has been around for four years, that's over 12 a day, every day, for four years.

OK, so the Spybots are not made by one spam-gang and the code has been publicly released and developed something of a community, but recall that Spybot is just one of several very common bots to which those conditions apply...

...

That was the serious part, needed to set up the fun part.

If there are 17,000+ Spybots and perhaps nearly as many SD-Bots and maybe half as many Agobot/Gaobot variants and a dozen or so new Bagles and associated Glieders, Mitglieders and so on a week and all the dozens upon dozens upon dozens of new (mainly) South American banking Trojans every week, and on and on and on (and there are), if there is a huge deluge of new malware every day, when do we reach the point where the set of "bad" programs is larger than the set of all good programs ever? Or is that point somewhere _behind_ us already?

You think that's fun?

Well, assuming that you may agree that we are rapidly approaching that point (if, in fact, we have not already passed it), ask yourself this:

Why are our "protection" systems based on the obviously absurd notion that it is somehow more useful/efficient/whatever to detect more known bad stuff (which is a form of default allow) than simply to detect and allow only the known good stuff (default deny)?

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.