Re: Quarantine your infected users spreading malware

["Jason Frisvold" <xenophage0 () gmail com>]

On 2/21/06, Michael.Dillon () btradianz com <Michael.Dillon () btradianz com> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intruiging concept..  Why bother "hiding" itself though?  Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?  Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall.. 
:)

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does..  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection
instructions..

> --Michael Dillon

--
Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com