[Dshield] Windoze Questions...
Jon R. Kibler
Jon.Kibler at aset.com
Fri Feb 20 16:10:18 GMT 2004
Corinne Cook wrote:
> Hi Jon-
> While not an expert myself, I can answer a few of your questions:
> 1) Tripwire actually does have products that run on Windows platforms (or at
> least Win200x, possibly NT4 as well).
Before writing my original post, I had checked out the Tripwire web site and could not
find any products for the Windows workstation. They did have some SERVER products, but
nothing for an end-user workstation. I talked to our Tripwire sales rep yesterday and
he confirmed that they do not have regular market products for the non-server Microsoft
environment. To what products were you referring?
Our potential customer that spawned all of these questions has already experienced a
problem that I believe that we will all see within the next few months: The wide-spread
propagation of worms before the AV software vendors are able to publish new signature
files. This potential customer was looking for alternative (non-AV) solutions to alert
them that an end-user's system has been compromised.
It has been our experience that the length of time between when an AV vendor first
publishes the signatures for a new worm, and the time that we first observe the worm,
has been dropping by about half for each major new worm. For Beagle.B, we saw the first
occurrence of the worm in less than an hour after we received the first AV signature
update for it. (We run 4 different AV scanners. For one of the AV products, it was almost
a day AFTER we first observed Beagle.B before they had new signatures available.) Since
we update our most critical AV signatures every half-hour (more often would be impractical),
we can easily see the day coming where we will see the widespread distribution of a worm
before ANY AV signatures are available to detect it.
Thus, the interest in products that would detect the modification of a desktop system
independent of any AV product. We have developed email filtering tactics that protect
our clients should AV fail to detect worms processed by our email systems, but that
does not protect an organization from some employee's system becoming infected when
they check their personal email on Hotmail or similar services, or bring an infected
laptop into the organization.
Why are worms spreading so fast? Although I know of no one with any evidence that would
hold weight in a criminal court, the preponderance of evidence is that spammers are
responsible for the majority of the new worms. These new worms are spreading so fast because
spammers are using their tens to hundreds of thousands of already compromised systems to
rapidly blast the worm to as many recipients as possible. This results in an ever-increasing
number of compromised systems. Soon (and VERY soon I fear!), spammers will control enough
systems to make the distribution of a new worm essentially instantaneous! (Are you prepared?)
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
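The kind of AV-independent change detection discussed above, as an added example that is not part of the original post and not Tripwire's code: take a baseline of SHA-256 digests for every file under a directory, re-scan later, and report added, removed and modified files. The directory, file names and the JSON baseline format are assumptions for illustration.

```python
# Added example (not from the original post or from Tripwire): a minimal
# file-integrity check. Record a baseline of SHA-256 digests for every file
# under a directory, then re-scan and report which files were added, removed
# or modified. Detection here depends on the baseline, not on AV signatures.
import hashlib
import json
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest."""
    base = Path(root)
    baseline = {}
    for p in sorted(base.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(base).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict, out_file: str) -> None:
    """Persist the baseline as JSON (assumed format). In real use keep it
    off-host or read-only, since an intruder who can edit it can hide."""
    Path(out_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }
```

Any non-empty "added", "removed" or "modified" list on a workstation whose file set should be static is the alert the post is asking for; on a real system the baseline must be refreshed after legitimate patching.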