Quarantine your infected users spreading malware

Jason Frisvold xenophage0 at gmail.com
Tue Feb 21 13:16:22 UTC 2006

On 2/21/06, Michael.Dillon at btradianz.com <Michael.Dillon at btradianz.com> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intriguing concept..  Why bother "hiding" itself though?  Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?  Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall.. 

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does..  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection

> --Michael Dillon

Jason 'XenoPhage' Frisvold
XenoPhage0 at gmail.com
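The spoofing/DoS concern raised above is the interesting part of the proposal: a registry that shuts users off on an unauthenticated "encoded signal" is itself a denial-of-service tool. The sketch below is an added illustration, not code from the thread or any real product; it assumes a shared secret per researcher and one for the registry (HMAC, constructed keys), a two-vote quorum, and a blocker that only honours commands the registry actually signed for this host.

```python
import hmac
import hashlib
import json
from collections import defaultdict

# Constructed keys for the example. A real deployment would use per-party
# asymmetric keys, key rotation, and replay protection (nonce or expiry).
RESEARCHER_KEYS = {"r1": b"key-r1", "r2": b"key-r2", "r3": b"key-r3"}
REGISTRY_KEY = b"registry-key"
QUORUM = 2  # independent reports needed before a quarantine is issued


def sign(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    payload = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Registry:
    """Collects authenticated infection reports and issues signed commands."""

    def __init__(self):
        self.votes = defaultdict(set)  # host -> set of researchers reporting it

    def report(self, researcher: str, host: str, tag: str) -> bool:
        key = RESEARCHER_KEYS.get(researcher)
        if key is None:  # unknown researcher: drop the report
            return False
        expected = sign(key, {"researcher": researcher, "host": host})
        if not hmac.compare_digest(tag, expected):  # forged report: drop it
            return False
        self.votes[host].add(researcher)
        return True

    def command_for(self, host: str):
        """Return (command, signature) once the quorum is reached, else None."""
        if len(self.votes[host]) < QUORUM:
            return None
        cmd = {"host": host, "action": "quarantine"}
        return cmd, sign(REGISTRY_KEY, cmd)


class Blocker:
    """End-user agent: quarantines only on a command signed for this host."""

    def __init__(self, host: str):
        self.host = host
        self.quarantined = False

    def receive(self, cmd: dict, tag: str) -> bool:
        if cmd.get("host") != self.host:  # command aimed at someone else
            return False
        if not hmac.compare_digest(tag, sign(REGISTRY_KEY, cmd)):
            return False  # spoofed or tampered command
        self.quarantined = cmd.get("action") == "quarantine"
        return True
```

With this shape an attacker who cannot forge a researcher key cannot add votes, and one who cannot forge the registry key cannot shut a host down; the quorum also limits the damage a single compromised researcher key can do.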
