funsec mailing list archives

Re: ? - I don't know where to send this one, so I'm sending it here...


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 03 Nov 2005 10:40:34 +1300

Fergie wrote:

> New Bagles being seeded.
> 
> Methinks the AV vendors are trying as best they can to keep
> up with the onslaught of new Bagles being massively sent the
> past few days...

Every week or two they endure such a blast.  I think the record was 8 
(or was it 12?) in one (slightly longer than) 24 hour period.

Of course, that pales in comparison to some other malware families.

Elsewhere I have just been discussing Spybot variants.  Ignoring that 
there is huge variance amongst the vendors as to family inclusion for 
these (what some call Spybot, others call SD-Bot, Loonbot, and a number 
of others), one vendor that has somewhat strict rules internally 
for placing something in what it calls the Spybot family knows of over 
17,200 Spybot variants.

If these had all been created in the last year, that's around 50 a day.

OK, so that's not a reasonable assumption, as we know "Spybot" has been 
around for a while longer than that.  Let's say it's been around for 
three years -- that means a sustained average of around 16 per day and 
even if Spybot has been around for four years, that's over 12 a day, 
every day, for four years.

OK, so the Spybots are not made by one spam-gang and the code has been 
publicly released and developed something of a community, but recall 
that Spybot is just one of several very common bots to which those 
conditions apply...

...

That was the serious part, needed to setup the fun part.

If there are 17,000+ Spybots and perhaps nearly as many SD-Bots and 
maybe half as many Agobot/Gaobot variants and a dozen or so new Bagles 
and associated Glieders, Mitglieders and so on a week and all the 
dozens upon dozens upon dozens of new (mainly) South American banking 
Trojans every week, and on and on and on (and there are), if there is a 
huge deluge of new malware every day, when do we reach the point where 
the set of "bad" programs is larger than the set of all good programs 
ever?

Or is that point somewhere _behind_ us already?

You think that's fun?

Well, assuming that you may agree that we are rapidly approaching that 
point (if, in fact, we have not already passed it), ask yourself this:

   Why are our "protection" systems based on the obviously absurd
   notion that it is somehow more useful/efficient/whatever to detect
   more known bad stuff (which is a form of default allow) than simply
   to detect and allow only the known good stuff (default deny)?


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
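The closing question above contrasts two execution policies: a blocklist that lets anything run unless it matches a known-bad signature (default allow), and an allowlist that lets nothing run unless it matches a known-good entry (default deny). The following Python is an added illustration, not part of Nick FitzGerald's post or any vendor's product. It stands in for executables with constructed byte strings, keys both policies on a SHA-256 of the image, and models a "new variant" as the same program with a few bytes changed, which is exactly what defeats the blocklist and is irrelevant to the allowlist. Every name and sample in it is made up for the example.

```python
import hashlib

# Constructed stand-ins for executable images (not real binaries): the bytes
# are what the policy hashes, the text only labels what each one "does".
NOTEPAD = b"notepad 1.0: edits text files"
CALC = b"calc 1.0: adds numbers"
BAGLE = b"Bagle.A: mails itself to every address it finds"
SPYBOT = b"Spybot.0001: joins an IRC channel and waits for commands"


def fingerprint(program: bytes) -> str:
    """Hash the program image; this is what both policies key on."""
    return hashlib.sha256(program).hexdigest()


# Default allow (blocklist): the vendor's signature set of known-bad hashes.
BAD_HASHES = {fingerprint(p) for p in (BAGLE, SPYBOT)}

# Default deny (allowlist): the hashes of software the site has approved.
GOOD_HASHES = {fingerprint(p) for p in (NOTEPAD, CALC)}


def default_allow(program: bytes, bad_hashes: set = BAD_HASHES) -> bool:
    """Blocklist model: anything not recognised as bad may run."""
    return fingerprint(program) not in bad_hashes


def default_deny(program: bytes, good_hashes: set = GOOD_HASHES) -> bool:
    """Allowlist model: only what is recognised as good may run."""
    return fingerprint(program) in good_hashes


def make_variant(program: bytes, n: int) -> bytes:
    """Simulate a repacked variant: same behaviour, slightly different bytes,
    so the hash changes and no existing signature matches it."""
    return program + b" build=" + str(n).encode()


def variants_that_run(base: bytes, count: int) -> dict:
    """Count how many of `count` fresh variants of a known-bad program each
    policy lets run.  The blocklist must chase every one of them; the
    allowlist never needs to hear of them."""
    ran = {"default_allow": 0, "default_deny": 0}
    for i in range(count):
        variant = make_variant(base, i)
        ran["default_allow"] += default_allow(variant)
        ran["default_deny"] += default_deny(variant)
    return ran


if __name__ == "__main__":
    print("known Bagle allowed?  blocklist:", default_allow(BAGLE),
          " allowlist:", default_deny(BAGLE))
    print("12 new Bagles let through:", variants_that_run(BAGLE, 12))
    # The price of default deny: a benign but unapproved program is blocked
    # until someone adds its hash.
    print("unapproved good tool allowed?  blocklist:", default_allow(b"hexedit 2.0"),
          " allowlist:", default_deny(b"hexedit 2.0"))
```

Run as a script it shows the asymmetry the post is driving at: the blocklist catches the one Bagle it has a signature for and passes all twelve re-builds, while the allowlist passes none of them without ever being updated. The last line shows the operational cost that keeps most sites on default allow: a new or upgraded legitimate program is blocked until its hash (or, in a real deployment, its publisher's signature) is approved.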

