Honeypots mailing list archives

Re: monitoring status of active malwares on honeypots


From: Valdis.Kletnieks () vt edu
Date: Fri, 08 Feb 2008 11:40:50 -0500

On Fri, 08 Feb 2008 18:54:40 +0530, "Bhatnagar, Mayank" said:
> 2. Those which are dormant and for a long period of time, how can we
> conclude a particular malware/virus is not active any more? Basically we
> should not worry about it more. Is there any way we can conclude about
> the same?

It's pretty safe to assume that unless a competent researcher has reverse
engineered it and found positive proof that a malware has a hard-coded
'drop dead' date, it's still active.  And even then, it's not perfect,
because people will run with their system clock set to sometime in 1987
because their CMOS battery died and they haven't replaced it...

Here's last week's report from our e-mail gateway virus scanners:

Breakdown by Virus Family:
    719 NETSKY                 (19.47%)
    549 MYDOOM                 (14.87%)
    509 MYTOB                  (13.79%)
    438 AGENT                  (11.86%)
    292 IFRAME                 ( 7.91%)
    207                        ( 5.61%)
    204 NYXEM                  ( 5.53%)
    181 BAGLE                  (  4.9%)
     88 BUGBEAR                ( 2.38%)

Bagle, Mytob - 2005. Netsky, Mydoom - 2004. Bugbear - 2002. So the *vast
majority* of stuff we're seeing is *old*.

It's best to consider malware to be Internet Herpes - they're forever, and
you have to keep treating with antivirals to keep the itching away....
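The post's point is that most of what a gateway scanner catches is years old. The script below is an added example, not code from the post or from the list; it parses the "Breakdown by Virus Family" report format quoted above (including the row with a blank family name), tags each family with the first-seen year the author gives (Netsky and Mydoom 2004, Mytob and Bagle 2005, Bugbear 2002), and reports what share of the listed detections comes from families older than a chosen cutoff. The sample report text is constructed from the quoted rows; the two-year cutoff, the report year 2008 and the function names are assumptions of this example, and families the post does not date are counted as "unknown" rather than guessed.

```python
import re

# Constructed sample in the same format as the gateway scanner report
# quoted in the post. Counts are the quoted ones; the 207-hit row has a
# blank family name, as in the original.
SAMPLE_REPORT = """\
Breakdown by Virus Family:
    719 NETSKY                 (19.47%)
    549 MYDOOM                 (14.87%)
    509 MYTOB                  (13.79%)
    438 AGENT                  (11.86%)
    292 IFRAME                 ( 7.91%)
    207                        ( 5.61%)
    204 NYXEM                  ( 5.53%)
    181 BAGLE                  (  4.9%)
     88 BUGBEAR                ( 2.38%)
"""

# First-seen years exactly as the post states them. Families the post does
# not date (AGENT, IFRAME, NYXEM, the unnamed row) are deliberately absent
# and land in the "unknown" bucket instead of being guessed.
FIRST_SEEN = {
    "NETSKY": 2004,
    "MYDOOM": 2004,
    "MYTOB": 2005,
    "BAGLE": 2005,
    "BUGBEAR": 2002,
}

# One report row: count, optional family token, percentage in parentheses.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S*)\s*\(\s*([\d.]+)%\)\s*$")


def parse_report(text):
    """Return [(family, count, percent)] for every row that matches the
    report format; a blank family name becomes 'UNNAMED'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unrelated line
        count, family, pct = m.groups()
        rows.append((family or "UNNAMED", int(count), float(pct)))
    return rows


def listed_coverage(rows):
    """Sum of the percentage column. Below 100 means the quoted report
    omits rows, so shares below are of *listed* detections only."""
    return sum(pct for _, _, pct in rows)


def age_breakdown(rows, first_seen, report_year, old_after_years=2):
    """Split detections into old / recent / unknown buckets by family age.
    'old' = first seen more than old_after_years before report_year."""
    buckets = {"old": 0, "recent": 0, "unknown": 0}
    for family, count, _ in rows:
        year = first_seen.get(family)
        if year is None:
            buckets["unknown"] += count
        elif report_year - year > old_after_years:
            buckets["old"] += count
        else:
            buckets["recent"] += count
    return buckets


def old_share(rows, first_seen, report_year, old_after_years=2):
    """Fraction of listed detections attributed to old families."""
    total = sum(count for _, count, _ in rows)
    if total == 0:
        return 0.0
    return age_breakdown(rows, first_seen, report_year, old_after_years)["old"] / total


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("rows listed cover %.2f%% of detections" % listed_coverage(rows))
    print(age_breakdown(rows, FIRST_SEEN, report_year=2008))
    print("share from families >2 years old: %.1f%%"
          % (100 * old_share(rows, FIRST_SEEN, report_year=2008)))
```

The coverage check matters: the nine quoted rows add up to roughly 86% of the gateway's detections, so the report in the post is a top-N excerpt and any share computed from it is a share of the listed rows, not of all traffic. With the post's own dates, about 64% of the listed detections come from families more than two years old, and the undated families are kept separate rather than silently counted as new or old.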

