Quarantine your infected users spreading malware
xenophage0 at gmail.com
Tue Feb 21 13:16:22 UTC 2006
On 2/21/06, Michael.Dillon at btradianz.com <Michael.Dillon at btradianz.com> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.
Intriguing concept.. Why bother "hiding" itself though? Or is the
idea to prevent itself from being removed by malware?
> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.
Isn't there a risk of DoS though? What's to prevent someone from
"spoofing" those signals and shutting down other users? Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system. Thus leaving us in the same
situation as before. Firewall? I don't need no stinking firewall..
> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.
Sure it does.. It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection
> --Michael Dillon
Jason 'XenoPhage' Frisvold
XenoPhage0 at gmail.com