Full Disclosure mailing list archives
Re: Re:Proposal: how to notify owners of compromised PC's
From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Wed, 28 Jan 2004 12:29:09 -0500
You can track widespread virii breakout without running manual blacklists. We're working on a streamlined (machine automated) blackhole list server at http://www.nuclearelephant.com/projects/sbl/. It is originally designed to identify spammer IPs within minutes of a new distribution based on how widespread the reports are across networks (rather than the total number of reports) and works rather well in preliminary testing. A tool like this could easily be adapted to track, in real-time, which hosts were infected based on the same spread principle.

By using machine-automation combined with a real-time, short-term blackhole server such as the SBL project, you can zero in with accuracy on the individuals infected without worrying about blackholing entire dialup lists, etc. For tracking dynamic accounts for virii, you may consider tweaking the blacklist life from 24 hours to maybe 2-3 hours - that should be all you need to notify the host anyway. DSL lines don't change but every couple of days, and dialup users are usually on for a couple hours unless they're traveling.

What I think would be a better idea though as far as notifying the end-users would be to code a little tray applet that would tell the user whenever there were several port 25 connections to different hosts. Include with a standard "You're running windows so you're going to get 0wned" suite of tools.
> > If major sites like Google, MSN etc. would query rapid DSL and dialup blacklists, they could visually inform the visitor that their PC is listed (+ inform them what to do, direct them to online AV etc).
>
> Bad idea! Think about all those hosts listed in a RBL and the users can't do anything about it? Especially dialup/DSL users with dynamic IPs.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
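The two mechanisms Jonathan sketches, a blackhole list that lists a host on the spread of reports across distinct networks (not their raw count) and expires entries after a few hours, and a host-side check that notices many port 25 connections to different hosts, as an added example. This is illustrative code written for this archive page, not the SBL project's code or anything from the original post; it assumes reports arrive as (suspect IP, reporter IP) pairs, that a reporter's /24 is an adequate proxy for "a distinct network", and that a host agent can see outbound connections as (timestamp, destination, port) tuples. The sample addresses are constructed from RFC 5737 documentation ranges.

```python
"""Spread-based, short-lived blackhole listing and outbound-SMTP fan-out check.

Added example (not code from the SBL project or from the original post). It
assumes that "reports" arrive as (suspect IP, reporter IP) pairs and that a
reporter's /24 is a good enough proxy for "a distinct network"; both are
assumptions made for this illustration.
"""
from collections import defaultdict
import ipaddress


class SpreadBlackhole:
    """Lists an IP once reports about it come from enough *distinct* networks.

    Several complaints from one network count as one, so a single noisy
    reporter cannot get a host listed; entries expire after a short TTL so a
    dynamic address is not blocked long after it changes hands.
    """

    def __init__(self, min_networks=3, ttl_seconds=3 * 3600, window_seconds=600):
        self.min_networks = min_networks
        self.ttl = ttl_seconds            # how long a listing lives (2-3 h idea)
        self.window = window_seconds      # how close together reports must be
        self.reports = defaultdict(dict)  # suspect -> {reporter network: time}
        self.listed = {}                  # suspect -> expiry time

    @staticmethod
    def reporter_network(reporter_ip):
        # Assumption: collapse the reporter to its /24 so many mailboxes
        # behind one network still count as a single source of reports.
        return str(ipaddress.ip_network(f"{reporter_ip}/24", strict=False))

    def report(self, suspect_ip, reporter_ip, now):
        """Record a report; return True if the suspect is listed afterwards."""
        nets = self.reports[suspect_ip]
        nets[self.reporter_network(reporter_ip)] = now
        # Forget reports older than the window before counting networks.
        for net in [n for n, t in nets.items() if now - t > self.window]:
            del nets[net]
        if len(nets) >= self.min_networks:
            self.listed[suspect_ip] = now + self.ttl
        return self.is_listed(suspect_ip, now)

    def is_listed(self, ip, now):
        """True while a listing exists and its TTL has not run out."""
        expiry = self.listed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.listed[ip]
            return False
        return True


def smtp_fanout(connections, now, window_seconds=60, min_hosts=5):
    """Return the distinct port-25 destinations seen within the window.

    `connections` is a list of (timestamp, dst_ip, dst_port) tuples as a
    host-side agent (the "tray applet" idea) might collect them; a normal
    mail client talks to one or two SMTP servers, a mass mailer to many.
    Returns an empty set when the fan-out is below the alert threshold.
    """
    recent = {dst for t, dst, port in connections
              if port == 25 and now - t <= window_seconds}
    return recent if len(recent) >= min_hosts else set()


# Constructed sample data (not real hosts): RFC 5737 documentation ranges.
SAMPLE_CONNECTIONS = [
    (100, "203.0.113.10", 25), (105, "203.0.113.11", 25),
    (110, "198.51.100.5", 25), (112, "198.51.100.6", 25),
    (115, "192.0.2.40", 25),   (118, "192.0.2.40", 25),   # repeat host
    (120, "192.0.2.80", 80),                              # web, ignored
]


if __name__ == "__main__":
    bl = SpreadBlackhole()
    # Five reports from one network: lots of reports, no spread, not listed.
    for i in range(5):
        bl.report("192.0.2.99", f"198.51.100.{i + 1}", now=1000 + i)
    print("listed after one-network reports:", bl.is_listed("192.0.2.99", 1010))
    # Reports from three different networks within the window: listed.
    bl.report("192.0.2.99", "203.0.113.1", now=1020)
    bl.report("192.0.2.99", "192.0.2.1", now=1030)
    print("listed after spread reports:", bl.is_listed("192.0.2.99", 1031))
    print("still listed 3h later:", bl.is_listed("192.0.2.99", 1031 + 3 * 3600))
    print("fan-out hosts:", sorted(smtp_fanout(SAMPLE_CONNECTIONS, now=125)))
```

The window on reports is what keeps the list "real-time": three complaints spread over a day about a dynamic address say little, while three from different networks within ten minutes say a lot. The TTL is the knob Jonathan proposes turning down from 24 hours to 2-3 hours for dynamic dialup and DSL ranges.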