Kuo, Jimmy wrote:

>>How could AV possibly have mitigated a server worm like Blaster? How
>>could *any* signature-based defense defend against a fast-spreading worm
>>that hits your machines faster than any AV company can distribute an
>>update? This was the point of Staniford et al.'s Warhol Worm paper
>><http://www.vnunet.com/News/1132084>: that worms can spread across the
>>entire Internet in minutes, far faster than AV vendors can get a new
>>signature out.
>>
>McAfee's VirusScan detected Blaster as "Exploit-DcomRpc" using DATs released
>the previous week. (Similarly, Nachi/Welchia.)
>

I did obscure one point: that Blaster was not a 0-day exploit, and
therefore it was possible to distribute signatures before the worm got
going. This stops working for genuine 0-day exploits, where the worm is
using an unknown vulnerability.

But I'm confused about another point: how could AV stop an RPC worm? That
seems more like something that an NIDS (SNORT, ISS RealSecure) or NIPS
(Hogwash) would stop. How does AV get in the way of server worms?

>You will find that most of
>the articles about networks that got taken down referred to the Blaster
>and/or Welchia virus. The interesting thing about that... McAfee's names
>for the same two are Lovsan and Nachi. Symantec's names for those two are...
>Blaster and Welchia. :-)
>

The way malware gets named has often mystified me :)

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
Chief Scientist, Immunix  http://immunix.com
http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Sat Oct 04 2003 - 00:24:45 PDT