funsec mailing list archives
RE: today in the news
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 25 Jul 2006 09:43:51 -0400
This story is getting a lot of ink, but it's not surprising at all and as a practical matter it affects few people. It's obvious that at the early stage at which CERT examines these there won't be signatures for most AV products. It does say that the heuristics are still not terribly effective, probably because they are tuned unaggressively to avoid false positives. But by the next day almost everyone will have a signature for it. In the meantime much of this malware will have been blocked through other means (Outlook dropping executables for example) and those relatively few people with the common sense not to open a file from a stranger that says "heres that data you four ask"

I'll ask Andreas Marx, who actually tests these things, if the numbers seem right to him.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dude VanWinkle
Sent: Tuesday, July 25, 2006 9:21 AM
To: Paul Vixie
Cc: funsec () linuxbox org
Subject: Re: [funsec] today in the news

This one (from one of the later stories) is interesting, if true:

Eighty percent of new malware defeats antivirus (eye catching eh?)

from:
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm
or from:
http://tinyurl.com/nmj6v (for those using MS)

"At the point we see it as a CERT, which is very early on -- the most popular brands of antivirus on the market . have an 80 percent miss rate. That is not a detection rate that is a miss rate.(")

"So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.

------------------------------------------------

hmm, so if you are a "first wave" hit, then 80% of malware will make it through your AV?
How would you test that?

-JP<who is guessing all ports were open and users were click happy with no SMTP filtering in this "test" ;-)>

On 7/24/06, Paul Vixie <paul () vix com> wrote:

http://news.com.com/2010-7355_3-6097678.html?part=rss&tag=6097678
"Perspective: Zero-day Wednesdays"

Somewhere--perhaps in the United States, but more likely, somewhere in China--a man walks out of a nondescript building, casts his eyes upon the urban landscape around him after spending an eight-hour day staring at a computer screen, and lights a cigarette. He does not know his bosses by name or by face; he knows only that he is paid, and paid pretty well, for his research. Like a legitimate computer-security researcher, he uses automated testing tools against Microsoft Office software, probing for buffer overflows, pointer errors or negative integers in Word, Excel and PowerPoint. Unlike a legitimate security professional, he does not report what he finds to Microsoft.

...

http://it.slashdot.org/article.pl?sid=06/07/24/1442238
"Sophos Reveals Latest Spam-Relaying Countries"

"For the first time in more than two years, the United States has failed to make inroads into its spam-relaying problem. The U.S. remains stuck at the top of the chart and is the source of 23.2 percent of the world's spam. Its closest rivals are China and South Korea, although both of these nations have managed to reduce their statistics since Q1 2006. The vast majority of this spam is relayed by 'zombies,' also known as botnet computers."

...

http://it.slashdot.org/article.pl?sid=06/07/22/1612257
"Why Popular Anti-Virus Apps 'Don't Work'"

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.

...

http://it.slashdot.org/article.pl?sid=06/07/20/042253
"Banner Ad on Myspace Serves Adware to 1 Million"

An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."

...

http://it.slashdot.org/article.pl?sid=06/07/18/0237221
"Open Source Malware Search Engine"

chr0.ot writes "Metasploit creator HD Moore has released an open-source search engine that finds live malware samples through Google queries. From the article: 'The new Malware Search project provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.' The tool then searches for actual malware signatures and uses the signature output from ClamAV to find the name of the malware. This is then used in conjunction with a PE signature matching method to form a Google query. Afterwards the malware can then be downloaded directly from Google."

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- today in the news Paul Vixie (Jul 24)
- Re: today in the news Dude VanWinkle (Jul 25)
- RE: today in the news Larry Seltzer (Jul 25)
- Re: today in the news Florian Weimer (Jul 25)
- Re: today in the news Drsolly (Jul 25)
- Re: today in the news David Lodge (Jul 25)
- <Possible follow-ups>
- today in the news Paul Vixie (Aug 28)
- RE: today in the news Richard M. Smith (Aug 28)
- Re: today in the news Dude VanWinkle (Jul 25)