Full Disclosure mailing list archives

Re: Re:Proposal: how to notify owners of compromised PC's


From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Wed, 28 Jan 2004 12:29:09 -0500

You can track widespread virii breakout without running manual
blacklists.  We're working on a streamlined (machine automated)
blackhole list server at http://www.nuclearelephant.com/projects/sbl/. 
It was originally designed to identify spammer IPs within minutes of a
new distribution, based on how widespread the reports are across
networks (rather than the total number of reports), and works rather well
in preliminary testing.  A tool like this could easily be adapted to
track, in real-time, which hosts were infected based on the same spread
principle.  By using machine-automation combined with a realtime,
short-term blackhole server such as the SBL project, you can zero in
with accuracy on the individuals infected without worrying about
blackholing entire dialup lists, etc.

For tracking dynamic accounts for virii, you may consider tweaking the
blacklist life from 24 hours to maybe 2-3 hours - that should be all you
need to notify the host anyway.  DSL lines don't change but every couple
of days, and dialup users are usually on for a couple hours unless
they're traveling.

What I think would be a better idea though as far as notifying the
end-users would be to code a little tray applet that would tell the user
whenever there were several port 25 connections to different hosts. 
Include with a standard "You're running windows so you're going to get
0wned" suite of tools. 

If major sites like Google, MSN etc. would query rapid DSL and dialup
blacklists, they could visually inform the visitor that their PC is
listed (+ inform them what to do, direct them to online AV etc).

Bad idea! Think about all those hosts listed in an RBL whose users can't
do anything about it, especially dialup/DSL users with dynamic IPs.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
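The "spread principle" and the short-term listing described in the message above, as an added example that is not part of the original post and not code from the SBL project: a target IP is listed only when reports about it come from enough distinct reporter networks inside a window (not when the raw report count is high), and each listing expires after a TTL. The same windowed distinct-count structure drives the "tray applet" check, which fires when a host opens port-25 connections to several different destinations in a short interval. The thresholds, the /24 approximation of "a network", the window sizes and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
import ipaddress


class WindowedDistinct:
    """Track the distinct keys seen for each subject within a sliding window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._events = defaultdict(deque)  # subject -> deque of (ts, key), oldest first

    def add(self, subject, key, now):
        q = self._events[subject]
        q.append((now, key))
        self._expire(q, now)
        return len({k for _, k in q})

    def distinct(self, subject, now):
        q = self._events[subject]
        self._expire(q, now)
        return len({k for _, k in q})

    def _expire(self, q, now):
        while q and now - q[0][0] > self.window:
            q.popleft()


def reporter_network(reporter_ip):
    """Collapse a reporter address to its /24 so that many reports from one
    network count as a single source (assumption: /24 approximates 'a network')."""
    return str(ipaddress.ip_network(f"{reporter_ip}/24", strict=False))


class SpreadBlackhole:
    """Spread-based listing: list a target once reports arrive from at least
    `min_networks` distinct reporter networks within `report_window` seconds.
    Listings live `ttl` seconds (the post suggests 2-3 hours for dynamic
    dialup/DSL ranges) and are dropped automatically afterwards."""

    def __init__(self, min_networks=3, report_window=3600, ttl=2 * 3600):
        self.min_networks = min_networks
        self.ttl = ttl
        self._reports = WindowedDistinct(report_window)
        self._listed_at = {}  # target ip -> time of listing

    def report(self, target_ip, reporter_ip, now):
        spread = self._reports.add(target_ip, reporter_network(reporter_ip), now)
        if spread >= self.min_networks and target_ip not in self._listed_at:
            self._listed_at[target_ip] = now
        return spread

    def is_listed(self, target_ip, now):
        listed = self._listed_at.get(target_ip)
        if listed is None:
            return False
        if now - listed > self.ttl:
            del self._listed_at[target_ip]  # short-term list: expire silently
            return False
        return True


def smtp_fanout_alert(connections, now, window=300, min_hosts=5):
    """'Tray applet' check: True if the local host opened port-25 connections to
    at least `min_hosts` distinct destinations within `window` seconds of `now`.
    `connections` is a list of (timestamp, dst_ip, dst_port) tuples."""
    tracker = WindowedDistinct(window)
    for ts, dst, port in sorted(connections):
        if port == 25:
            tracker.add("local", dst, ts)
    return tracker.distinct("local", now) >= min_hosts


def demo():
    """Constructed scenario: 50 reports from one /24 do not list the target,
    three reports from three networks do, and the listing expires after the TTL."""
    bl = SpreadBlackhole(min_networks=3, report_window=3600, ttl=2 * 3600)
    t0 = 1_000_000
    for i in range(50):
        bl.report("203.0.113.7", "198.51.100.%d" % (i % 250 + 1), t0 + i)
    same_net_listed = bl.is_listed("203.0.113.7", t0 + 60)          # False
    bl.report("203.0.113.7", "192.0.2.10", t0 + 100)
    bl.report("203.0.113.7", "203.0.113.200", t0 + 200)              # third network
    spread_listed = bl.is_listed("203.0.113.7", t0 + 300)            # True
    expired = bl.is_listed("203.0.113.7", t0 + 300 + 3 * 3600)       # False, past TTL
    return same_net_listed, spread_listed, expired


if __name__ == "__main__":
    print(demo())
    burst = [(1000 + i * 10, "192.0.2.%d" % i, 25) for i in range(1, 8)]
    print(smtp_fanout_alert(burst, now=1070))
```

Keying reporters by network rather than by address is what keeps a single noisy site, or a flood of forged reports from one range, from listing an IP; with a short TTL the list tracks the current holder of a dynamic address instead of punishing whoever gets it next.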