funsec mailing list archives

Re: No AV? Shock, horror!

From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 30 Sep 2009 00:12:56 +0200

On Tue, Sep 29, 2009 at 11:37 PM, Rich Kulawiec <rsk () gsp org> wrote:

On Tue, Sep 29, 2009 at 09:15:34AM +0200, Dan Kaminsky wrote:

Infections by these rare payloads would constitute a sort of "long
tail" of malware -- too rare for a signature, but in aggregate,
possibly common enough to represent a significant number of
infections.

But how common?  I mean, we know the long tail doesn't work exactly as
promised in the media space.  We also know there's a lot of infected
boxes out there running AV.  It'd be really interesting if we had data
around this question.


This is a fascinating question.  And there's certainly precedent
for abusers to operate in this fashion: consider snowshoe spammers,
who distribute their presence and their activities widely in order
to minimize the observables, thus decreasing the risk of detection.
Given that and other similar tactics, it wouldn't surprise me at all
to find that distribution-limited malware has been deployed, in an
attempt (again) to decrease the risk of detection, and thus to forestall
countermeasures by vendors.

But I must admit that, at the moment, I'm at a loss for a methodology
by which we could approach this question in a meaningful way -- that is,
a methodology that would quantify the answer.


Methodology wouldn't be too bad -- there are things a manual auditor
can notice and alarm on quickly, that AV really can't just block or
even send back for further review.  So it's a matter of:

1) Gain legitimate access to a large number of systems, perhaps
through a PC repair service
2) Separate the machines into buckets -- "No AV" "Norton" "McAfee"
"Trend Micro" etc
3) For each bucket, scan with all AV scanners.  This will determine
the number of machines that are infected with known malware that at
least one other scanner was able to find.
4) For each node that passed all automatic sweeps, manually sweep.
This should yield the a minimum size of the "long tail" (minimum,
because we might not find all).

Note that we may want to qualify "infected".  Tracking cookies most
assuredly do not count.  Botnets most assuredly do.  Merely
self-replicating code, that's sort of up in the air.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: No AV? Shock, horror!, (continued)
- - - Re: No AV? Shock, horror! Toralv_Dirro (Sep 28)
    - Re: No AV? Shock, horror! Dan Kaminsky (Sep 28)
    - Re: No AV? Shock, horror! Charles Miller (Sep 28)
    - Re: No AV? Shock, horror! Nick FitzGerald (Sep 28)
    - Re: No AV? Shock, horror! Nick FitzGerald (Sep 28)
    - Re: No AV? Shock, horror! Rich Kulawiec (Sep 28)
    - Re: No AV? Shock, horror! Paul Ferguson (Sep 28)
    - Re: No AV? Shock, horror! Dan Kaminsky (Sep 29)
    - Re: No AV? Shock, horror! Paul Ferguson (Sep 29)
    - Re: No AV? Shock, horror! Rich Kulawiec (Sep 29)
    - Re: No AV? Shock, horror! Dan Kaminsky (Sep 29)
    - Re: No AV? Shock, horror! Charles Miller (Sep 29)
    - Re: No AV? Shock, horror! Dan Kaminsky (Sep 29)
    - Re: No AV? Shock, horror! Michael Collins (Sep 29)
    - Re: No AV? Shock, horror! Nick FitzGerald (Sep 28)