funsec mailing list archives

RE: today in the news


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 25 Jul 2006 09:43:51 -0400

This story is getting a lot of ink, but it's not surprising at all and as a
practical matter it affects few people. It's obvious that at the early stage
at which CERT examines these there won't be signatures for most AV products.
It does say that the heuristics are still not terribly effective, probably
because they are tuned unaggressively to avoid false positives.

But by the next day almost everyone will have a signature for it. In the
meantime much of this malware will have been blocked through other means
(Outlook dropping executables, for example) and those relatively few people
with the common sense not to open a file from a stranger that says "heres
that data you four ask".

I'll ask Andreas Marx, who actually tests these things, if the numbers seem
right to him.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Dude VanWinkle
Sent: Tuesday, July 25, 2006 9:21 AM
To: Paul Vixie
Cc: funsec () linuxbox org
Subject: Re: [funsec] today in the news

This one (from one of the later stories) is interesting, if true:

Eighty percent of new malware defeats antivirus (eye catching eh?)

from:
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm

or from: http://tinyurl.com/nmj6v  (for those using MS)

"At the point we see it as a CERT, which is very early on -- the most
popular brands of antivirus on the market ... have an 80 percent miss rate.
That is not a detection rate, that is a miss rate."

"So if you are running these pieces of software, eight out of 10 pieces of
malicious code are going to get in," said Ingram.


------------------------------------------------

hmm, so if you are a "first wave" hit, then 80% of malware will make it
through your AV?

How would you test that?

-JP<who is guessing all ports were open and users were click happy with no
SMTP filtering in this "test" ;-)>


On 7/24/06, Paul Vixie <paul () vix com> wrote:
http://news.com.com/2010-7355_3-6097678.html?part=rss&tag=6097678
"Perspective:  Zero-day Wednesdays"

       Somewhere--perhaps in the United States, but more likely, somewhere in
       China--a man walks out of a nondescript building, casts his eyes upon
       the urban landscape around him after spending an eight-hour day
       staring at a computer screen, and lights a cigarette.

       He does not know his bosses by name or by face; he knows only that he
       is paid, and paid pretty well, for his research. Like a legitimate
       computer-security researcher, he uses automated testing tools against
       Microsoft Office software, probing for buffer overflows, pointer
       errors or negative integers in Word, Excel and PowerPoint. Unlike a
       legitimate security professional, he does not report what he finds to
       Microsoft.

       ...

http://it.slashdot.org/article.pl?sid=06/07/24/1442238
"Sophos Reveals Latest Spam-Relaying Countries"

       "For the first time in more than two years, the United States has
       failed to make inroads into its spam-relaying problem.  The U.S.
       remains stuck at the top of the chart and is the source of 23.2
       percent of the world's spam. Its closest rivals are China and South
       Korea, although both of these nations have managed to reduce their
       statistics since Q1 2006. The vast majority of this spam is relayed by
       'zombies,' also known as botnet computers."

       ...

http://it.slashdot.org/article.pl?sid=06/07/22/1612257
"Why Popular Anti-Virus Apps 'Don't Work'"

       Avantare writes "ZDNet Australia has a writeup about why AV apps don't
       work. The reason given is because the malware authors are writing code
       that will get around the signatures of the application by testing
       their code on the most popular anti-virus software before release."
       This comes as a follow up to another article detailing the sad state
       of anti-virus software currently on the market.

       ...

http://it.slashdot.org/article.pl?sid=06/07/20/042253
"Banner Ad on Myspace Serves Adware to 1 Million"

       An anonymous reader writes "Washingtonpost.com's Security Fix blog
       reports that a banner ad running on MySpace.com and other Web sites
       used a Windows security flaw to push adware and spyware out to more
       than one million computer users this week. The attack leveraged the
       Windows Metafile (WMF) exploit to install programs in the
       PurityScan/ClickSpring family of adware, which bombards the user with
       pop-up ads and tracks their Web usage."

       ...

http://it.slashdot.org/article.pl?sid=06/07/18/0237221
"Open Source Malware Search Engine"

       chr0.ot writes "Metasploit creator HD Moore has released an
       open-source search engine that finds live malware samples through
       Google queries. From the article: 'The new Malware Search project
       provides a Web interface that allows anyone to enter the name of a
       known virus or Trojan and find Google results for Web sites hosting
       malicious executables.' The tool then searches for actual malware
       signatures and uses the signature output from ClamAV to find the name
       of the malware. This is then used in conjunction with a PE signature
       matching method to form a Google query. Afterwards the malware can
       then be downloaded directly from Google."

       ...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

