and here are some answers [was: Quarantine your infected users spreading malware]

Sean Donelan sean at donelan.com
Tue Feb 21 04:54:38 UTC 2006


On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(

Give me (or CAIDA) permission to peek inside your networks and I'm sure
there are lots of nifty stats we could anonymize :)

The big mystery for me has always been the computers that are infected
BEFORE they are connected to the network for the first time (according
to their owners).  It's never repeatable, and never provable, but the
computer owner swears it happened.  In any case, the home computer is
owned by the home user, not the ISP or an employer or a media company.  If
you make something attractive enough to the user, he will find a way to
get it on his computer no matter how many roadblocks you try to put in
the way.

An ISP blocking one virus or worm doesn't change the end result.  Time
after time I've watched, the computers eventually get infected anyway.
Although it may appear to take longer or your NIDS may not pick up the
final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
vendors for ideas I've used over several years and they are now selling.

On the other hand, the number of infected computers never seems to spiral
out of control. I've been wondering, instead of trying to figure out why
some computers get infected, should we be trying to figure out why most
computers don't become infected?



