[unisog] antivirus that works despite ssl

Brian Eckman eckman at umn.edu
Tue Jul 10 22:24:46 GMT 2007


power less wrote:
> BTW in my exhausting coverage of the storm worm :-)  I should mention
> this article:
> http://www.securityfocus.com/news/11473
> This explains a few things, I guess. I'm not well-versed in DNS I'm afraid.
> 
> I take it they are not talking about the urls in the storm messages
> themselves?
> Because those are IP numbers, not domain names, in most of the ones I
> got. I

Storm a/k/a Peacomm switched from using fast flux DNS to IP addresses a 
while back. That would explain the difference in what you read and what 
you saw.

> 
> Two I just got:
> 
> Address:  24.93.201.2
> Name:    cpe-24-93-201-2.neo.res.rr.com
> 
> Address:  65.190.29.151
> Name:    cpe-065-190-029-151.triad.res.rr.com
> 
> I'd love to hear more about this dnsflux business. A comment to that 
> article
> asked?
> "Why don't ISPs just block the inbound DNS traffic to home machines on
> dynamic addresses? Do that and the distributed DNS part evaporates."
> 
> Is that true?
<snip>

ISPs will probably tell you that this isn't their job. Regardless, 
hardly anyone has the capability to determine what is a "home machine on 
dynamic addresses" 95% of the time, let alone 100% of the time. Also, I 
bet you there are no less than 1,000 legitimate Internet domain names 
(and likely lots more than that) that have their authoritative DNS 
servers running on "home machines on dynamic addresses", or what would 
appear to most people to be "home machines on dynamic addresses".

ISPs don't like blocking legitimate traffic. It makes their customers, 
help desk, and shareholders quite unhappy. The solution proposed above 
would certainly do this.

Put bluntly, there is no patch for stupidity or ignorance. If you 
approach the entire world's population, hand them a loaded gun, and tell 
them you'll give them dinner if they point it at their head and pull the 
trigger, I guarantee you'd find people that would do it. Not just the 
suicidal folks, but there are surely millions of people in the world 
that have no idea what a gun looks or acts like.

The same principle applies to computer users. Some percentage of them 
just have no clue that clicking the link in the email, then "clicking 
here" to get their greeting card because the site is "testing new 
functionality", then clicking "Open" or "Run" when prompted what to do 
with ecard.exe is risky behavior. They just want to see their stupid 
greeting card.

Cheers,
Brian
-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
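As an added illustration of two points in this exchange (not code from either poster), the block below does offline what an analyst would do with the URLs in a Storm mail: tell literal-IP hosts from hostnames, attach a reverse-DNS name, and apply the kind of "looks like a home machine on a dynamic address" guess that Brian says nobody can do reliably. It also carries a simple fast-flux heuristic over a history of A-record answers, since the quoted article is about flux and the thread notes Storm moved away from it. The PTR table, the DNS answer histories, the extra IPs and the TTL/distinct-address thresholds are all constructed for the example; only the two IPs and their PTR names come from the thread.

```python
import ipaddress
import re
from urllib.parse import urlparse

# --- Constructed sample data (no network access; nothing here is live) ---

# URLs of the shape described in the thread: Storm/Peacomm mails pointing at
# literal IPs. The two IPs are the ones quoted in the thread; the third URL
# is a hypothetical hostname-based one for contrast.
SAMPLE_URLS = [
    "http://24.93.201.2/ecard.exe",
    "http://65.190.29.151/ecard.exe",
    "http://ecard.example.invalid/ecard.exe",
]

# Stand-in for PTR lookups. The first two names are the ones quoted in the
# thread; the rest are hypothetical entries added to show the guess failing.
PTR_TABLE = {
    "24.93.201.2": "cpe-24-93-201-2.neo.res.rr.com",
    "65.190.29.151": "cpe-065-190-029-151.triad.res.rr.com",
    "203.0.113.10": "ns1.example.net",                        # hypothetical: nothing in the PTR says what it is
    "198.51.100.7": "dsl-198-51-100-7.pool.example-isp.net",  # hypothetical: DSL pool hosting a legitimate NS
}

# Tokens ISPs commonly embed in PTR names for consumer/dynamic pools. This is a
# naming convention, not a fact about what the host does, which is the point
# Brian makes: a "home machine on a dynamic address" cannot be told apart
# reliably, and a legitimate authoritative NS can sit on one of these.
RESIDENTIAL_PTR_RE = re.compile(
    r"(?:^|[.-])(?:cpe|dhcp|dyn|dynamic|pool|ppp|dsl|cable|res)(?:[.-]|$)",
    re.IGNORECASE,
)


def host_kind(url):
    """Return ("ip", host) when the URL's host is a literal IP, else ("name", host)."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "name", host


def looks_residential(ptr_name):
    """Heuristic guess: does the PTR name carry a consumer-pool naming token?"""
    return bool(ptr_name) and RESIDENTIAL_PTR_RE.search(ptr_name) is not None


def classify_urls(urls, ptr_table=PTR_TABLE):
    """Classify each URL host as literal IP or name and attach the PTR-based guess."""
    rows = []
    for url in urls:
        kind, host = host_kind(url)
        ptr = ptr_table.get(host, "") if kind == "ip" else ""
        rows.append({
            "url": url,
            "kind": kind,
            "host": host,
            "ptr": ptr,
            "residential_guess": looks_residential(ptr),
        })
    return rows


def fast_flux_score(answers, max_ttl=300, min_distinct=5):
    """Fast-flux heuristic over a history of A-record answers for one name.

    answers: list of (ttl_seconds, [ip, ...]) from successive queries.
    Flags when every answer had a short TTL and the pool of distinct IPs is
    large; both thresholds are assumptions for this example.
    """
    distinct = set()
    short_ttl = True
    for ttl, rrset in answers:
        short_ttl = short_ttl and ttl <= max_ttl
        distinct.update(rrset)
    return {
        "distinct_ips": len(distinct),
        "short_ttl": short_ttl,
        "fast_flux": short_ttl and len(distinct) >= min_distinct,
    }


# Constructed answer history for a hypothetical flux name: each query returns
# a different set of addresses (documentation range 192.0.2.0/24) with a
# 300-second TTL.
FLUX_ANSWERS = [
    (300, ["192.0.2.11", "192.0.2.12", "192.0.2.13"]),
    (300, ["192.0.2.21", "192.0.2.22", "192.0.2.23"]),
    (300, ["192.0.2.31", "192.0.2.32", "192.0.2.33"]),
]
# Constructed history for a stable name: same address each time, one-day TTL.
STABLE_ANSWERS = [(86400, ["203.0.113.10"])] * 3

if __name__ == "__main__":
    for row in classify_urls(SAMPLE_URLS):
        print(row)
    print("flux:", fast_flux_score(FLUX_ANSWERS))
    print("stable:", fast_flux_score(STABLE_ANSWERS))
```

Note what the residential guess does with the hypothetical entries: the NS on a business line with a plain PTR is not flagged, while the legitimate NS on a DSL pool is, which is exactly why a block-all-dynamic-addresses rule would hit real domains. The flux heuristic needs repeated queries over time; a single answer with a short TTL proves nothing, since CDNs use short TTLs too.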

