Quarantine your infected users spreading malware
Gadi Evron
ge at linuxbox.org
Tue Feb 21 12:35:52 UTC 2006
Michael.Dillon at btradianz.com wrote:
>>How do you get the unwashed masses of ISPs
>>to join the choir so you can preach to them?
>
>
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.
>
> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.
>
> At this point a friendly helpful webpage pops up
> and guides the user through the disinfection process.
>
> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.
>
> This won't stop worms or botnets, but it will slow them down
> and it will greatly speed the cleanup process.
>
> --Michael Dillon
>
Hi Michael, the only problem with that approach is that you think like a
defender.
As the defense is local to the user's machine, the attacker can just
kick it away.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.
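The registry-and-blocker exchange that Michael's quoted proposal sketches (clients register, researchers submit infection reports, the registry issues a quarantine command once enough independent votes arrive, the client acts only on an authenticated command) can be modelled end to end. The simulation below is an added example written for this page; it is not code from either poster and no such program exists on the thread. All keys, identifiers and the vote threshold are constructed assumptions, and HMAC over a canonical JSON payload stands in for the "encoded" signals the proposal mentions.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed per-researcher keys: the registry only counts reports it can
# authenticate, so a single party cannot manufacture "enough votes".
RESEARCHER_KEYS = {
    "researcher-a": b"key-a",
    "researcher-b": b"key-b",
    "researcher-c": b"key-c",
}
# Assumption: every blocker client holds the registry's verification key, so a
# quarantine command from anyone else is dropped on the client side.
REGISTRY_KEY = b"registry-signing-key"


def sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)


class Registry:
    """Central registry: collects authenticated votes and emits signed commands."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.clients = set()
        self.votes = defaultdict(set)  # client_id -> set of researcher ids

    def register(self, client_id: str) -> None:
        self.clients.add(client_id)

    def report(self, researcher_id: str, client_id: str, tag: str):
        """Record one infection report; return (cmd, tag) once the threshold is met."""
        payload = {"researcher": researcher_id, "client": client_id, "verdict": "infected"}
        key = RESEARCHER_KEYS.get(researcher_id)
        if key is None or not verify(key, payload, tag):
            return None  # unauthenticated report: not counted
        if client_id not in self.clients:
            return None  # nobody to quarantine
        self.votes[client_id].add(researcher_id)  # a set, so one vote per researcher
        if len(self.votes[client_id]) >= self.threshold:
            cmd = {"client": client_id, "action": "quarantine"}
            return cmd, sign(REGISTRY_KEY, cmd)
        return None


class BlockerClient:
    """Local blocker: does nothing until it sees a command signed by the registry."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.quarantined = False

    def handle(self, cmd: dict, tag: str) -> bool:
        if cmd.get("client") != self.client_id:
            return False  # addressed to someone else
        if not verify(REGISTRY_KEY, cmd, tag):
            return False  # not from the registry
        if cmd.get("action") == "quarantine":
            self.quarantined = True
            return True
        return False


def researcher_report(researcher_id: str, client_id: str):
    """Build the authenticated report a researcher would send to the registry."""
    payload = {"researcher": researcher_id, "client": client_id, "verdict": "infected"}
    return researcher_id, client_id, sign(RESEARCHER_KEYS[researcher_id], payload)


def run_scenario() -> dict:
    """Walk through the exchange with a constructed host and a threshold of 2 votes."""
    registry = Registry(threshold=2)
    client = BlockerClient("host-1234")
    registry.register(client.client_id)
    results = {}
    # One genuine vote is below threshold; repeating it does not add a second vote.
    results["first_vote"] = registry.report(*researcher_report("researcher-a", "host-1234"))
    results["duplicate_vote"] = registry.report(*researcher_report("researcher-a", "host-1234"))
    # A report signed with the wrong key is ignored even though the id is known.
    forged = {"researcher": "researcher-c", "client": "host-1234", "verdict": "infected"}
    results["forged_report"] = registry.report("researcher-c", "host-1234", sign(b"wrong-key", forged))
    # A quarantine command not signed by the registry is rejected by the client.
    bogus = {"client": "host-1234", "action": "quarantine"}
    results["forged_cmd_accepted"] = client.handle(bogus, sign(b"not-the-registry", bogus))
    # The second independent vote crosses the threshold and the client acts on it.
    decision = registry.report(*researcher_report("researcher-b", "host-1234"))
    results["second_vote_issued_cmd"] = decision is not None
    cmd, tag = decision
    results["client_accepted"] = client.handle(cmd, tag)
    results["quarantined"] = client.quarantined
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The two signing keys separate the trust relationships the proposal relies on: researchers must prove who they are to the registry, and the registry must prove itself to the client, so neither a spoofed report nor a spoofed shutdown signal moves the machine into quarantine. The simulation models only the message exchange; it says nothing about whether the blocker itself survives on a compromised host, which is the objection raised in the reply above.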