funsec mailing list archives
RE: Gadi Busted In Massive Conspiracy
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 05 Feb 2006 07:30:58 +1300
Sean Donelan to me:
> Also, smart bad guys will ensure that they take sound steps to block access to the WU servers, so that once run they prevent being usurped by new MSRT updates, just as they already do with AV, etc... Remember, when playing in a blacklisting-controlled environment (i.e. modern "known virus scanning" AV) the bad guy has the upper hand because his code always gets to run first... That's why it's important to get people with *UNMANAGED* PC's to turn on WU auto-update. PC's managed by professional IT sysadmins or actively self-administered are not the target of WU auto-update.
Hey -- you're preaching to the choir here... I was one of many people who tried (and failed) to convince MS that they MUST enable auto-update _as the default_ in XP (at least in Home, but we argued pretty strongly that they should make it the default across the board for ALL current and future OSes on the grounds that "competent" sys-admins would then decide if they needed it configured differently and the less-than-competent many (vast majority!) would at least be somewhat protected from their own lack of clue). We failed again in SP1 (though I think by then all the vaguely security aware folk inside MS agreed, but they failed to convince some or other "business manager" -- I suspect "imagine the bandwidth bill" rang out in response to these suggestions...). By the time it came to SP2 they had learned that maybe we had a few clues about what we were talking about all along, and were fighting a dirty PR campaign trying to spin the stupidity of their earlier poor decisions on this and its resulting worm-fests...
> WU should "run first" and install patches or updates before the exploits start appearing after the public announcements (0-day is still a problem).
Absolutely...
> The best AV is to eliminate the vulnerability by preventive medicine, rather than trying to cure the machine after it's infected. It would be great if software had no vulnerabilities, but absent that, the next best thing is effectively patching as many machines as soon as possible.
Well, it's not AV's job to eliminate and prevent vulnerabilities (other than in their own products). That is the responsibility of the OS and application developers in the first instance, and would be greatly assisted if large corporate buyers started factoring security and integrity assurance issues into their RFIs and, ultimately, into their supply contracts.
> Nevertheless, WU auto-update won't help as much with the self-infect vectors. ...
...which is primarily what AV does deal with (or is supposed to). Viruses need not include any form of vulnerability exploitation. Those that do will, all other things being equal, tend to have better rates of spread, etc, but that is independent of their virality per se. Virality is a function of system integrity failure, and historically we have done an abysmally poor job of designing integrity management and assurance into (popular) computer systems.
> ... Once you are owned, I wouldn't trust MSRT or any AV product to completely restore a compromised computer because you never know what you don't know. The MSRT is an "air drop" to help control the worst infections among the unmanaged PC population. MSRT is not a replacement for other security products or IT management.
More preaching to the choir... 8-)

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.