funsec mailing list archives

Re: No AV? Shock, horror!


From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 29 Sep 2009 00:29:56 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Sep 29, 2009 at 12:15 AM, Dan Kaminsky <dan () doxpara com> wrote:


We would agree:

http://countermeasures.trendmicro.eu/in-security-reputation-is-key/

I guess the real question is this:

How large is the long tail of viruses?

Suppose, if you will, that there are "hits" in the malware space --
individual pieces of malware that get spread all over.  Suppose we
grant that AV has a reasonably good chance of catching the hits.

Suppose also that there's some infection rate, below which a
particular attack vector or payload will not have a signature
generated for it because nobody will find it.

Infections by these rare payloads would constitute a sort of "long
tail" of malware -- too rare for a signature, but in aggregate,
possibly common enough to represent a significant number of
infections.

But how common?  I mean, we know the long tail doesn't work exactly as
promised in the media space.  We also know there's a lot of infected
boxes out there running AV.  It'd be really interesting if we had data
around this question.

A good starting point would be taking a look at the Rogue AV landscape
right now -- it's all over the place.

It is somewhat unique in this regard, because of the delivery methods being
used (e.g. various botnets, social engineering ruses, etc.)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFKwbdtq1pz9mNUZTMRAgimAJ4i21VvPzEWkhNPX4TtR2QwtTNr3wCg6xDw
o8fGXfpw7kR4SMCeTfLmBMA=
=rfvY
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
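One way to make the long-tail question above concrete, added here as an illustration and not code from the thread or its authors: assume that malware family prevalence follows a Zipf-style power law and that a signature gets written only once a family has been sighted at least `signature_threshold` times. Both the distribution, the exponent and the threshold are assumptions, and every number is constructed; the model exists to show how the aggregate share of signature-less infections moves with those two parameters, which are exactly the quantities one would need data for.

```python
"""Toy model of the 'long tail' question: how many infections fall below
the sighting count at which a signature gets written?

Assumptions (not data from the thread): malware family prevalence follows a
Zipf-like power law, and a family earns a signature only once it has been
sighted at least `signature_threshold` times. Every number here is
constructed for illustration.
"""
import random
from collections import Counter


def simulate_infections(n_families: int, n_infections: int,
                        exponent: float = 1.1, seed: int = 7) -> Counter:
    """Attribute n_infections to families drawn with Zipf weights 1/k^exponent.

    A lower exponent flattens the curve, i.e. spreads infections across more
    rare families; the seed keeps runs reproducible.
    """
    rng = random.Random(seed)
    families = range(1, n_families + 1)
    weights = [1.0 / (k ** exponent) for k in families]
    return Counter(rng.choices(families, weights=weights, k=n_infections))


def split_hits_and_tail(counts: Counter, signature_threshold: int) -> dict:
    """Classify families: 'hits' reach the threshold and get a signature,
    everything below it is the long tail with no signature at all."""
    total = sum(counts.values())
    hit = {fam: c for fam, c in counts.items() if c >= signature_threshold}
    tail = {fam: c for fam, c in counts.items() if c < signature_threshold}
    tail_infections = sum(tail.values())
    return {
        "total_infections": total,
        "hit_families": len(hit),
        "tail_families": len(tail),
        "hit_infections": total - tail_infections,
        "tail_infections": tail_infections,
        "tail_share": tail_infections / total if total else 0.0,
    }


def tail_share_curve(counts: Counter, thresholds) -> list:
    """Aggregate share of infections that lack a signature, per threshold."""
    return [(t, split_hits_and_tail(counts, t)["tail_share"]) for t in thresholds]


if __name__ == "__main__":
    # Constructed scenario: 20k families, 100k observed infections.
    counts = simulate_infections(n_families=20_000, n_infections=100_000)
    for threshold, share in tail_share_curve(counts, [2, 5, 10, 50]):
        print(f"signature threshold {threshold:>3}: "
              f"{share:6.1%} of infections in the long tail")
```

Running it with a lower `exponent` (a flatter distribution) or a higher threshold shows the tail share climbing; the point is not any particular percentage but that the answer depends on how heavy the real tail is and how many sightings a vendor needs before a signature exists, neither of which the model supplies.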
