Dailydave mailing list archives

Re: Sniffing is not the easy answer, Kate.


From: byte_jump <bytejump () gmail com>
Date: Tue, 11 Oct 2005 11:19:30 -0600

On 10/11/05, Paul Melson <pmelson () gmail com> wrote:

The problem with this model of evasion is that in the state you describe,
it's a faux threat.  It only exists in a contrived environment where we
presume monitoring occurs.  So a sanctioned pen test gets by my NIDS, so
what?  Or if I'm a NIDS vendor, so my product and all but one of my
competitors' products fail this one line item test in an eval, so what?  It
won't be a big deal until it exists in the wild and becomes an actual
threat.  At which point, it will be possible for the algorithm to be
analyzed and low-cost detection for it will be added to the various NIDS
products.  What will be even more fascinating is when the NIDS vendors'
researchers discover an unpredictably common pattern of nop sled that is
unique to your algorithm that lets them write a signature for it. :-)

An admission that NIDS products == antivirus products. "We protect you
- as long as five percent of your peers have alerted us to the fact
that they got owned and have provided us with samples!"

"The malice software used by the hackers – W 32.Toxbot – was
discovered at the beginning of this year. The virus enables
uninhibited access to the infected computer. The Toxbot registers all
keyboard actions of the infected computers and sends this information
to the cyber-criminals. Anti-virus software has been available for
some time. The hackers, however, frequently revised the virus, in a
catch up game with the anti virus producers."
http://www.om.nl/?s=3&p=lp&id=5146