I wrote a paper a few years ago about predicting botnet location; the next step of the work was to correlate my work with network security policies and profiles of individual networks to see what the impact of policy was. As soon as I finish inventing the 300-hour workweek, I wanted to get cracking on it.
On Sep 29, 2009, at 6:12 PM, Dan Kaminsky wrote:

> On Tue, Sep 29, 2009 at 11:37 PM, Rich Kulawiec <[email protected]> wrote:
>> On Tue, Sep 29, 2009 at 09:15:34AM +0200, Dan Kaminsky wrote:
>>> Infections by these rare payloads would constitute a sort of "long
>>> tail" of malware -- too rare for a signature, but in aggregate,
>>> possibly common enough to represent a significant number of
>>> infections.
>>>
>>> But how common? I mean, we know the long tail doesn't work exactly as
>>> promised in the media space. We also know there's a lot of infected
>>> boxes out there running AV. It'd be really interesting if we had data
>>> around this question.
>>
>> This is a fascinating question. And there's certainly precedent
>> for abusers to operate in this fashion: consider snowshoe spammers,
>> who distribute their presence and their activities widely in order
>> to minimize the observables, thus decreasing the risk of detection.
>> Given that and other similar tactics, it wouldn't surprise me at all
>> to find that distribution-limited malware has been deployed, in an
>> attempt (again) to decrease the risk of detection, and thus to forestall
>> countermeasures by vendors.
>>
>> But I must admit that, at the moment, I'm at a loss for a methodology
>> by which we could approach this question in a meaningful way -- that is,
>> a methodology that would quantify the answer.
>
> Methodology wouldn't be too bad -- there are things a manual auditor
> can notice and alarm on quickly, that AV really can't just block or
> even send back for further review. So it's a matter of:
>
> 1) Gain legitimate access to a large number of systems, perhaps
> through a PC repair service
> 2) Separate the machines into buckets -- "No AV" "Norton" "McAfee"
> "Trend Micro" etc
> 3) For each bucket, scan with all AV scanners. This will determine
> the number of machines that are infected with known malware that at
> least one other scanner was able to find.
> 4) For each node that passed all automatic sweeps, manually sweep.
> This should yield a minimum size of the "long tail" (minimum,
> because we might not find all).
>
> Note that we may want to qualify "infected". Tracking cookies most
> assuredly do not count. Botnets most assuredly do. Merely
> self-replicating code, that's sort of up in the air.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
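The four-step methodology quoted above (bucket by resident AV, cross-scan with every scanner, manually sweep whatever passed, and qualify what counts as "infected") is easy to turn into a small aggregation over scan records. The following is an added example, not code from the thread or from either poster: the hostnames, scanner names and detection records are constructed, and the classification rules encode the quoted qualification (tracking cookies never count, botnets always do, merely self-replicating code is a switchable policy).

```python
"""Bucket multi-scanner results by resident AV and estimate the minimum
"long tail" of infections that no automatic sweep found.

Added example, not code from the funsec thread. All Machine records are
constructed; the category rules follow the thread's qualification of
"infected".
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


def is_infection(category: str, count_self_replicating: bool = False) -> bool:
    """Decide whether a detection category qualifies as an infection."""
    if category == "tracking_cookie":
        return False                  # thread: most assuredly do not count
    if category == "botnet":
        return True                   # thread: most assuredly do
    if category == "self_replicating":
        return count_self_replicating  # thread: up in the air, so a policy switch
    return True                       # constructed default: other malware counts


@dataclass
class Machine:
    host: str                                   # constructed identifier
    resident_av: Optional[str]                  # installed product, None = "No AV"
    # scanner name -> list of (detection name, category) that scanner reported
    detections: dict = field(default_factory=dict)
    manual_sweep_found_malware: Optional[bool] = None   # None = not yet swept


def scanners_that_flagged(m: Machine, count_self_replicating: bool) -> set:
    """Names of scanners that reported at least one qualifying infection."""
    return {
        name for name, hits in m.detections.items()
        if any(is_infection(cat, count_self_replicating) for _, cat in hits)
    }


def summarize(machines, count_self_replicating: bool = False) -> dict:
    """Per-bucket counts for steps 2-4 of the quoted methodology.

    known_infected      step 3: at least one scanner found qualifying malware
    resident_av_missed  subset of known_infected where the installed product
                        itself reported nothing qualifying
    passed_automatic    step 4 input: no scanner found anything qualifying
    long_tail_minimum   passed_automatic hosts where the manual sweep found malware
    pending_manual      passed_automatic hosts not yet manually swept
    """
    keys = ("total", "known_infected", "resident_av_missed",
            "passed_automatic", "long_tail_minimum", "pending_manual")
    out = defaultdict(lambda: dict.fromkeys(keys, 0))
    for m in machines:
        bucket = out[m.resident_av or "No AV"]
        bucket["total"] += 1
        flagged = scanners_that_flagged(m, count_self_replicating)
        if flagged:
            bucket["known_infected"] += 1
            if m.resident_av is not None and m.resident_av not in flagged:
                bucket["resident_av_missed"] += 1
        else:
            bucket["passed_automatic"] += 1
            if m.manual_sweep_found_malware is None:
                bucket["pending_manual"] += 1
            elif m.manual_sweep_found_malware:
                bucket["long_tail_minimum"] += 1
    return dict(out)


# Constructed sample: three scanners run over six hosts.
SAMPLE = [
    # Resident Norton saw nothing; McAfee found a bot client.
    Machine("pc-01", "Norton", {"Norton": [], "McAfee": [("Bot.Foo", "botnet")],
                                "Trend Micro": []}),
    # Only a tracking cookie was reported, so this host passes the automatic
    # sweep; the manual audit then turned something up (long tail).
    Machine("pc-02", "Norton", {"Norton": [("Cookie.Tracker", "tracking_cookie")],
                                "McAfee": [], "Trend Micro": []},
            manual_sweep_found_malware=True),
    Machine("pc-03", "Norton", {"Norton": [], "McAfee": [], "Trend Micro": []},
            manual_sweep_found_malware=False),
    # No resident AV; a self-replicator was found, which counts only under
    # the strict policy.
    Machine("pc-04", None, {"Norton": [("Worm.Bar", "self_replicating")],
                            "McAfee": [], "Trend Micro": []},
            manual_sweep_found_malware=True),
    # Resident McAfee caught the same bot the other scanner did.
    Machine("pc-05", "McAfee", {"Norton": [("Bot.Baz", "botnet")],
                                "McAfee": [("Bot.Baz", "botnet")], "Trend Micro": []}),
    # Clean on every scanner, manual sweep still outstanding.
    Machine("pc-06", "McAfee", {"Norton": [], "McAfee": [], "Trend Micro": []}),
]

if __name__ == "__main__":
    for bucket, counts in sorted(summarize(SAMPLE).items()):
        print(bucket, counts)
```

The `long_tail_minimum` figure is deliberately a floor, as the quoted message says: it counts only hosts where a manual sweep actually found something, and `pending_manual` shows how much of the sample has not yet been audited. Running with `count_self_replicating=True` moves worm-only hosts from the manual-sweep queue into `known_infected`, which is exactly the definitional choice the thread leaves open.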
