[unisog] zotob variant?

Gary Flynn flynngn at jmu.edu
Thu Oct 13 19:02:38 GMT 2005

Valdis.Kletnieks at vt.edu wrote:
> On Thu, 13 Oct 2005 08:25:12 EDT, Gary Flynn said:
>>I'm running across an unknown piece of malware almost
>>once a week. More often if I look for it.
> And it isn't like Gary has a *huge* pool of machines to find malware on.
> If he's finding that much new stuff in his little corner of the net, one
> has to wonder how much *more* stuff is to be found on the networks of some
> of the larger cablemodem providers (although of course, *most* will eventually
> find their way to Gary's net as well).  Though if once a week, new stuff is
> dropping itself on Gary's net before the anti-floopware(*) vendors have gotten
> an ID for it yet, there's something wrong....
> The phrase "not scalable" comes to mind.  Or as Dr Phil says: "And how's that
> working out for you?".
> (*) anti-things-that-go-bump-in-the-night-ware is too long to type. ;)

I find a fair amount of it when I follow reports from
our IDP to sites harboring malicious code. It's not
all found on our machines. :)

We mention in our security awareness material that
all the central security measures we have on campus
(IDP, firewalls, vulnerability detection, patching
systems, alert systems, etc.) aren't available to
home broadband users and that their security is
almost entirely up to them.

Someone else mentioned the ineffectiveness of signature
based defenses and some vendors offering behavior
based products. I like the intrusion detection/prevention
style products that pop up a warning when the RUN
registry is modified, something is installed in the
system32 directory, or a browser helper object is
installed. But I'm not sure it's going to protect
the people who aren't cautious and informed any
more than pop up browser or firewall warnings...unless
the product prohibits the activity rather than just
warns about it. I've been in this business for 30
years and I'm not always sure what should run and
what shouldn't. Seeing what I do, my default is "deny"
but I doubt that could be said for the general
public. If the product starts talking about browser
helper objects, privileged directories, and open
sockets, people's eyes are going to glaze over.
If it just says, "potentially harmful" or "suspicious",
lots of stuff will get flagged and people will start
to ignore it.

I think the better short term solution is to operate
the computers with a non-privileged account. At least
with the present malware that usually modifies the
registry and installs itself in the Windows directory.
But as long as a regular account can open a socket,
malware writers can just change tactics. When everyone
starts running with non-privileged accounts, we'll
probably see more stuff starting up in the logged
in account's Startup folder and stored in the local
account's Documents and Settings account area (or in
the .profile and /home/user area for that other OS).
It should keep the rootkits out though.

The unprivileged user accounts will have the inconvenience
of having to log in with a privileged account to
install software but maybe that is as it should be.
I think mistakes and social engineering will be
our biggest headaches in the coming years rather than
just technology (if they aren't already).

The next step would be a white list of applications.
Possible, though inconvenient, in a controlled
environment. Impossible in a personal computer.

Gary Flynn
Security Engineer
James Madison University
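As an added example (not code from the original post or from any product it mentions), a PowerShell script that snapshots the autostart locations the post names (the Run keys, the logged-in user's Startup folder, and registered Browser Helper Objects) and reports anything not present in a previously saved baseline; the baseline file path and the use of PowerShell 3 or later are assumptions.

```powershell
# Added example, not code from the original post. Run once to write a baseline of
# autostart entries, then again (e.g. from a scheduled task) to list new entries.
# BaselinePath is an assumed location; change it to suit.
param([string]$BaselinePath = "$env:LOCALAPPDATA\autostart-baseline.json")

function Get-AutostartEntries {
    $entries = @()
    # Machine-wide and per-user Run/RunOnce keys: the "RUN registry" the post refers to.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries += "$key\$($p.Name) => $($p.Value)"
        }
    }
    # Per-user Startup folder: writable without admin rights, so the location the post
    # expects persistence to move to once people stop running as administrators.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
        ForEach-Object { $entries += "Startup\$($_.Name)" }
    # Browser Helper Objects are registered as CLSID subkeys under this key.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        Get-ChildItem -Path $bhoKey | ForEach-Object { $entries += "BHO\$($_.PSChildName)" }
    }
    return $entries
}

$current = @(Get-AutostartEntries)
if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now so later runs can diff against it.
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $new = $current | Where-Object { $_ -notin $baseline }
    if ($new) { Write-Output "New autostart entries since baseline:"; $new }
    else { Write-Output "No new autostart entries." }
}
```

Reading HKLM keys works from a standard account; only writing the baseline file needs a location the account can write to, which is why it defaults to the user's own profile.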
