Given your history in "the industry", what is your impression of the average lag time between a virus being released into the wild and a fingerprint update being available from a vendor? Is it days, weeks or months? Also, what's the average interval in updates for anti-virus software users?

Let's say I map out all the web servers on the net, next month. The next day a new vulnerability in IIS is released. Within a day I should be able to "0wn" a number of web servers I know to be vulnerable. Unlike a virus, me exploiting them is not dependent upon them doing anything (i.e. reading their email) except having IIS up and running. Also, it is "always rush hour somewhere on the 'net".

Another difference is in what it takes for a virus to work. It has to propagate from system to system and will eventually make itself known. Once released, it is out of control of the writer (more or less).

The IDS vs hackers battle is different. A hacker may develop an exploit and use it successfully through IDSs for some time, maybe even years. The IDS provides a defence against known scripts and known exploits, but there is no reason to believe that this knowledge is anywhere near the 99% level an anti-virus program will achieve.

If IDS vendors construct good honeypots, there is a chance that they may pick up otherwise unknown attack signatures. You might even venture to say that any IDS vendor that doesn't have a number of sophisticated honeypots for this purpose is on the road to nowhere.

Darren
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 19:46:42 PDT