Kuo, Jimmy wrote:

>> But I'm confused about another point: how could AV stop an RPC worm?
>> That seems more like something that an NIDS (SNORT, ISS RealSecure) or
>> NIPS (Hogwash) would stop. How does AV get in the way of server worms?
>>
> In this case, the injector portion that comes by through the exploit tells
> the machine to download the more complete virus. When that download
> happens, we detect the file coming down, and block it. And thus the machine
> does not get infected.
>
> However, a stub of code sits at that RPC vulnerability. But it believes it
> has satisfied its job and just sleeps.
>

Interesting. So staged worms that first hack a small beachhead and then download the rest of the rootkit can be blocked by AV. To bypass this, the beachhead has to be sophisticated enough to disable AV before hitting the file system, which is difficult, and probably not portable across AV defenses.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 12:46:57 PDT