Malware "best practices"
Chris Brenton
cbrenton at chrisbrenton.org
Wed Jul 26 13:07:00 EDT 2006
On Sun, 2006-07-23 at 21:41 -0400, Ben Scott wrote:
>
> Despite all the talk about heuristics, virus detection is still
> almost entirely dependent on recognizing signatures of known viruses.
With good reason. AV vendors make most of their money off of
subscription services. So why "fix" something that is not broken, in that
it's keeping their bottom line in the black? ;-)
> That's why practically every new virus yields an immediate signature
> update from everyone. So new viruses are not recognized by 80% of AV
> software? No shit. I'm very surprised it's that good.
Mass infections are soooo 1990's. Virus writers worth their salt are
available for hire and have turned it into a business model. Over the
last three years I've been involved with multiple clients that have had
their networks breached by custom viruses that easily avoid AV software.
In fact many of these clients had two different vendor AV solutions
running in parallel when they were hit.
The model has changed but IMHO most networks have not changed their
defense posture to deal. We are still building moats while the enemy has
taken to the sky to attack from above. On the plus side, I have yet to
see a Linux box compromised this way. It is consistently Windows
systems.
HTH,
Chris