>>>How could AV possibly have mitigated a server worm like Blaster? How
>>>could *any* signature-based defense defend against a fast spreading worm
>>>that hits your machines faster than any AV company can distribute an
>>>update? This was the point of Staniford et al's Warhol Worm paper
>>><http://www.vnunet.com/News/1132084>: that worms can spread across the
>>>entire Internet in minutes, far faster than AV vendors can get a new
>>>signature out.

>>McAfee's VirusScan detected Blaster as "Exploit-DcomRpc" using DATs released
>>the previous week. (Similarly, Nachi/Welchia.)

>I did obscure one point: that Blaster was not an 0-day exploit, and
>therefore it was possible to distribute signatures before the worm got
>going. This stops working for genuine 0-day exploits, where the worm is
>using an unknown vulnerability.
>
>But I'm confused about another point: how could AV stop an RPC worm?
>That seems more like something that an NIDS (SNORT, ISS RealSecure) or
>NIPS (Hogwash) would stop. How does AV get in the way of server worms?

Most AV today is based off file activity (though this will be changing). So,
your question is valid. In this case, the injector portion that comes by
through the exploit tells the machine to download the more complete virus.
When that download happens, we detect the file coming down, and block it.
And thus the machine does not get infected. However, a stub of code sits at
that RPC vulnerability. But it believes it has satisfied its job and just
sleeps.

Jimmy
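An added illustration of the two-stage chain Jimmy describes, not code from the thread: a toy file-activity scanner that only sees the second-stage download, so a known worm is blocked (with the stub left resident) while an unsigned 0-day second stage passes. The signature database, payload bytes and file name are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature database: detection name -> SHA-256 of a known
# second-stage file. The bytes are placeholders invented for this example.
KNOWN_WORM_FILE = b"CONSTRUCTED-SECOND-STAGE-FILE"
SIGNATURES = {"Exploit-DcomRpc": hashlib.sha256(KNOWN_WORM_FILE).hexdigest()}


@dataclass
class Host:
    files: dict = field(default_factory=dict)     # what landed on disk
    resident: list = field(default_factory=list)  # in-memory stubs (no file)
    alerts: list = field(default_factory=list)    # (detection, filename)
    infected: bool = False                        # second stage executed


def on_access_scan(host: Host, name: str, data: bytes) -> bool:
    """File-activity AV hook: scan a file as it is written.
    Returns True if the write is allowed, False if it was blocked."""
    digest = hashlib.sha256(data).hexdigest()
    for detection, sig in SIGNATURES.items():
        if digest == sig:
            host.alerts.append((detection, name))
            return False
    host.files[name] = data
    return True


def simulate_rpc_worm(host: Host, second_stage: bytes) -> Host:
    """Stage 1: the exploit leaves a small stub in memory. No file is
    written, so a file-based scanner sees nothing at this step.
    Stage 2: the stub fetches the full worm as a file; only now does the
    on-access scanner get a look at anything."""
    host.resident.append("rpc-stub")
    if on_access_scan(host, "worm.exe", second_stage):
        host.infected = True
    return host


def run_known_worm() -> Host:
    """Signature exists: download blocked, stub left sleeping in memory."""
    return simulate_rpc_worm(Host(), KNOWN_WORM_FILE)


def run_zero_day() -> Host:
    """No signature yet (the 0-day case): the file passes and the host is
    infected, which is the gap the thread is discussing."""
    return simulate_rpc_worm(Host(), b"CONSTRUCTED-UNSEEN-SECOND-STAGE")
```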
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 12:04:40 PDT