and here are some answers [was: Quarantine your infected users spreading malware]

Gadi Evron ge at linuxbox.org
Tue Feb 21 05:01:57 UTC 2006


Sean Donelan wrote:
> On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> 
>>it's also not just a 'i got infected over the net' problem... where is
>>that sean when you need his nifty stats :) Something about no matter what
>>you filter grandpa-jones will find a way to click on the nekkid jiffs of
>>Anna Kournikova again :(
> 
> 
> Give me (or CAIDA) permission to peek inside your networks and I'm sure
> there are lots of nifty stats we could anonymize :)
> 
> The big mystery for me has always been the computers that are infected
> BEFORE they are connected to the network for the first time (according
> to their owners).  It's never repeatable, and never provable, but the
> computer owner swears it happened.  In any case, the home computer is
> owned by the home user, not the ISP or an employer or a media company.  If
> you make something attractive enough to the user, he will find a way to
> get it on his computer no matter how many roadblocks you try to put in
> the way.
> 
> An ISP blocking one virus or worm doesn't change the end result.  Time
> after time I've watched, the computers eventually get infected anyway.
> Although it may appear to take longer or your NIDS may not pick up the
> final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
> vendors for ideas I've used over several years and they are now selling.
> 
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?

Comment only on last paragraph:
Many *home* computers do, quite a few *corporate* do as well, in my 
experience.

Even if they didn't, the numbers we face are significant enough.

-- 
http://blogs.securiteam.com/

"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.


