Vulnerability Development mailing list archives
Re: Another new worm???
From: Dan_Schrader () TRENDMICRO COM (Dan Schrader)
Date: Fri, 23 Jun 2000 11:10:00 -0700
Blue Boar wrote:

> Any idea what the qualifications are? I assume one would have to agree not to distribute outside of the group. Would the group let in someone who was producing a free AV product?

The primary qualification is a commitment not to distribute viruses in an uncontrolled manner. Yes, they definitely would let someone in producing a free AV product.

>> The last thing any AV vendor needs is more viruses - we get (no exaggeration) over 500 new viruses a month. Thousands of files are sent to us each month for analysis.
>
> I understand your point, but again to turn it around... you actually need "all" viruses to remain competitive, no?

We need fewer viruses - the cost of managing 500 new viruses a month is extraordinary - and is driving some of the smaller vendors/shareware providers out of the business. This is one of the factors in the shake-out the industry has seen in the past 2 years. Do you have any idea how expensive it is to hire engineers in Silicon Valley?

>> What I was trying to do was reduce the likelihood of copy-cat viruses. AV vendors have a firm policy of never giving virus samples to anyone who we are not sure will be responsible in their handling of the virus.
>
> That is the same as saying "we don't hire hackers." How do you know?

We make them sign a contract stating that viruses received from us will only be used in a controlled lab, will not be given to others, . . . . Of course it is less than perfect - but the point isn't to stop all virus distribution (never work), just to make it harder for script kiddies to create copy-cat viruses.

>> For those few people who need to do their own analysis, there are faster, safer ways of getting the code than relying on someone sending it to you over an uncontrolled email group days or weeks after the AV vendors have analyzed the virus and provided detailed descriptions of it on our web sites. By last Friday every major AV vendor had posted write-ups.
>
> And what are the faster, safer ways, for Joe Nobody, to get those?

Joining REVS, trading viruses with other people you know and trust - not sending them to an open list, getting to know people in AV - show that you are useful/reliable/secure and they will work with you.

> If those exist, why do you care if I mail it out?

I care if you mail it out to hundreds or thousands of people with no reason at all to think they will use them responsibly.

> Here is where the mailing lists and media are serving a purpose. The AV guys had the info they needed early, and presumably some had updated signature databases. The outbreak didn't happen until Monday though.

The outbreak started on Friday. We sent emails to all registered customers and to all subscribers of our virus alert list on Friday. Symantec did the same. Because these lists are huge, it sometimes takes quite a while for the emails to go out (we have 300,000 subscribers to our list).

> By definition, for this type of virus, if people were prepared, there wouldn't have been an outbreak. The failing is still people who don't update their virus databases often enough. They still need the media to cry wolf to alert them that something is up.

You hit the nail on the head. The idea that we will ever be able to update 300 million desktops fast enough to stop the next lovebug is absurd. What we need is to put virus scanning (for the privacy advocates I specify virus scanning, not content scanning) on the internet backbone. If we can get a sufficient number of ISPs scanning all SMTP/POP3 traffic for viruses, we will have an ideal mechanism for containing virus outbreaks. Viruses won't go away - but their impact will be limited. Think about how much easier it would be to alert and update 2000 ISPs/ASPs instead of trying to alert millions of people.

> I think the AV companies use the same mechanism that I do to weigh how high the risk level is... how many people get nailed. I've only put through like 7 pieces of malware to the list. In most cases, it was based on how widespread it was, and therefore interest level.

We have a formal "red alert" procedure that specifies both the "risk level" to the outside world and the level of response we anticipate requiring. To set the risk level we look at:

1. Is the virus "in the wild" (i.e. in active circulation)
2. How many sites has it been reported to (Trend regularly talks to other AV vendors to ask how many reports)
3. The propagation mechanism
4. The platforms affected
5. The social engineering (an email with an attachment that reads, "here's my virii" won't go far)
6. The timing (virus incidents late on a Friday afternoon or over a weekend usually are contained before they go far)
7. Tea leaves

BB