> It is being discussed because (as Jimmy related it)
> the Blaster worm used this 2-step approach. Conversely, the
> Slammer/Sapphire worm was a single step, notably doing all of
> its exploiting and damage in a single UDP datagram of a few
> hundred bytes.

Blaster was a lame virus. It used RPC to propagate, something no sane human should have open to the Internet. It also was easy to kill and didn't have a particularly dangerous payload. Once again, third-party solutions easily prevented Blaster (good firewall rules, host-IPS, etc.). Of my 50 or so customers in the Portland area, none of them experienced a serious Blaster infection. The only affected machines were a few laptops.

> I don't know if AV products have a
> chance at stopping single-stage worms. I doubt it, but Jimmy is
> correct when he says I shouldn't talk about that which I don't
> know, so I'll let him address that question.

Slammer was more ingenious. Its smallness was its evil. But it too was easily stopped by one of a thousand third-party products. And it's been my experience that AV products are very good at detecting worms. Unfortunately, AV can only detect once the machine has been infected. So the better answer is to use AV in conjunction with good firewall rules and host-IPS if possible.

This reinforces my original point that the concept of a "monoculture" isn't as dangerous as Geer's report leads you to believe. Because it totally ignores third-party security solutions, it draws misleading conclusions.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
This archive was generated by hypermail 2b30 : Tue Oct 07 2003 - 08:52:02 PDT