[Dshield] Windoze Questions...

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 20 16:10:18 GMT 2004


Corinne Cook wrote:
> 
> Hi Jon-
> 
> While not an expert myself, I can answer a few of your questions:
> 
> 1)Tripwire actually does have products that run on Windows platforms(or at
> least Win200x, possibly NT4 as well).

<BIG SNIP!>

Corinne,

Before writing my original post, I had checked out the Tripwire web site and could not 
find any products for the Windows workstation. They did have some SERVER products, but 
nothing for an end-user workstation. I talked to our Tripwire sales rep yesterday and 
he confirmed that they do not have regular market products for the non-server Microsoft 
environment. To what products were you referring?

Our potential customer that spawned all of these questions has already experienced a 
problem that I believe that we will all see within the next few months: The wide-spread 
propagation of worms before the AV software vendors are able to publish new signature 
files. This potential customer was looking for alternative (non-AV) solutions to alert 
them that an end-user's system has been compromised.

It has been our experience that the length of time between when an AV vendor first 
publishes the signatures for a new worm, and the time that we first observe the worm, 
has been dropping by about half for each major new worm. For Beagle.B, we saw the first 
occurrence of the worm in less than an hour after we received the first AV signature 
update for it. (We run 4 different AV scanners. For one of the AV products, it was almost 
a day AFTER we first observed Beagle.B before they had new signatures available.) Since 
we update our most critical AV signatures ever half-hour (more often would be impractical), 
we can easily see the day coming where we will see the widespread distribution of a worm
before ANY AV signatures are available to detect it.

Thus, the interest in products that would detect the modification of a desktop system 
independent of any AV product. We have developed email filtering tactics that protect 
our clients should AV fail to detect worms processed by our email systems, but that 
does not protect an organization from some employee's system becoming infected when 
they check their personal email on Hotmail or similar services, or bring an infected
laptop into the organization.

Why are worms spreading so fast? Although I know of no one with any evidence that would 
hold weight in a criminal court, the preponderance of evidence is that spammers are 
responsible for the majority of the new worms. These new worms are spreading so fast because 
spammers are using their tens to hundreds of thousands of already compromised systems to 
rapidly blast the worm to as many recipients as possible. This results in an ever increasing 
number of compromised systems. Soon (and VERY soon I fear!), spammers will control enough 
systems to make the distribution of a new worm essentially instantaneous! (Are you prepared?)

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list