[88846] in North American Network Operators' Group
Re: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (Gadi Evron)
Tue Feb 21 07:39:03 2006
Date: Tue, 21 Feb 2006 14:35:52 +0200
From: Gadi Evron <ge@linuxbox.org>
To: Michael.Dillon@btradianz.com
Cc: nanog@merit.edu
In-Reply-To: <OFC44A2009.FCE5FC89-ON8025711C.0036DB2C-8025711C.0037B70B@btradianz.com>
Errors-To: owner-nanog@merit.edu
Michael.Dillon@btradianz.com wrote:
>>How do you get the unwashed masses of ISPs
>>to join the choir so you can preach to them?
>
>
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free Windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.
>
> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.
>
> At this point a friendly helpful webpage pops up
> and guides the user through the disinfection process.
>
> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.
>
> This won't stop worms or botnets, but it will slow them down
> and it will greatly speed the cleanup process.
>
> --Michael Dillon
>
Hi Michael, the only problem with that approach is that you think like a
defender.
As the defense is local to the user's machine, the attacker can just
kick it away.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.
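As an added illustration of the exchange Michael describes (researchers report a host, a central registry counts votes, and at a threshold it tells a local agent to quarantine the machine) and of Gadi's objection that the control is local to the machine, the following is example code written for this page, not code from either poster. It assumes the "encoded" signals are HMAC-SHA256 tags under per-researcher and per-agent keys, that a researcher's repeated reports count once, and that the host ids, key values and wire strings are made up for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

# Added example, not from the thread. Keys, host ids and the message
# format are assumptions; HMAC stands in for the "encoded" signals.


def _tag(key: bytes, msg: bytes) -> bytes:
    """Authentication tag over msg under key (HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def researcher_vote(key: bytes, host_id: str) -> bytes:
    """What a researcher sends to the registry to report host_id."""
    return _tag(key, b"infected:" + host_id.encode())


class Registry:
    """Central registry: counts distinct, authenticated reports per host
    and emits an authenticated shutdown command once the threshold is met."""

    def __init__(self, researcher_keys, agent_keys, threshold):
        self.researcher_keys = dict(researcher_keys)
        self.agent_keys = dict(agent_keys)
        self.threshold = threshold
        self.votes = defaultdict(set)  # host_id -> set of researcher ids

    def report(self, host_id, researcher_id, tag):
        key = self.researcher_keys.get(researcher_id)
        if key is None:
            return None  # unknown reporter
        expected = _tag(key, b"infected:" + host_id.encode())
        if not hmac.compare_digest(expected, tag):
            return None  # forged or corrupted vote is discarded
        self.votes[host_id].add(researcher_id)  # one vote per researcher
        if len(self.votes[host_id]) < self.threshold:
            return None
        msg = b"shutdown:" + host_id.encode()
        return msg, _tag(self.agent_keys[host_id], msg)


class Agent:
    """The blocker running on the user's machine: it only verifies and
    acts on a shutdown command addressed to its own host id."""

    def __init__(self, host_id, key):
        self.host_id = host_id
        self.key = key
        self.quarantined = False
        self.running = True  # False models the agent having been killed

    def receive(self, msg, tag):
        if not self.running:
            return False  # nothing left on the host to enforce the quarantine
        if not hmac.compare_digest(_tag(self.key, msg), tag):
            return False  # spoofed command
        if msg == b"shutdown:" + self.host_id.encode():
            self.quarantined = True
            return True
        return False


def demo():
    """Runs the scenarios and returns their outcomes (constructed data)."""
    rkeys = {"r1": b"key-r1", "r2": b"key-r2", "r3": b"key-r3"}
    akey = b"agent-secret"
    registry = Registry(rkeys, {"host-A": akey}, threshold=3)
    agent = Agent("host-A", akey)
    out = {}
    # a vote with a bogus tag never counts
    out["forged_vote"] = registry.report("host-A", "r1", b"\x00" * 32)
    # the same researcher reporting twice still counts once
    registry.report("host-A", "r1", researcher_vote(rkeys["r1"], "host-A"))
    out["after_dup"] = registry.report("host-A", "r1", researcher_vote(rkeys["r1"], "host-A"))
    registry.report("host-A", "r2", researcher_vote(rkeys["r2"], "host-A"))
    cmd = registry.report("host-A", "r3", researcher_vote(rkeys["r3"], "host-A"))
    out["threshold_reached"] = cmd is not None
    # a shutdown command without a valid tag is ignored by the agent
    out["spoofed_cmd"] = agent.receive(b"shutdown:host-A", b"\x00" * 32)
    # the genuine command quarantines the host
    out["quarantined"] = agent.receive(*cmd)
    # Gadi's point: malware with the same privileges kills the agent first,
    # and the registry's decision then has no effect on that host
    killed = Agent("host-A", akey)
    killed.running = False
    out["killed_agent"] = killed.receive(*cmd)
    return out
```

The authenticated, de-duplicated votes close the obvious abuse of a bare "vote count" (one reporter, or anyone on the network, pushing a host over the threshold). What the code cannot fix is the last scenario: every check lives in a process on the infected machine, so the attacker's leverage is to stop that process rather than to defeat the protocol.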