Sean Donelan wrote:
On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
It's also not just an 'I got infected over the net' problem... where is that Sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(
Give me (or CAIDA) permission to peek inside your networks and I'm sure there are lots of nifty stats we could anonymize :)
The big mystery for me has always been the computers that are infected BEFORE they are connected to the network for the first time (according to their owners). It's never repeatable, and never provable, but the computer owner swears it happened. In any case, the home computer is owned by the home user, not the ISP or an employer or a media company. If you make something attractive enough to the user, he will find a way to get it on his computer no matter how many roadblocks you try to put in the way.
An ISP blocking one virus or worm doesn't change the end result. Time after time I've watched, the computers eventually get infected anyway. Although it may appear to take longer or your NIDS may not pick up the final signature. Look at Adlex, Motive, Arbor, ISS, Microsoft and other vendors for ideas I've used over several years and they are now selling.
On the other hand, the number of infected computers never seems to spiral out of control. I've been wondering, instead of trying to figure out why some computers get infected, should we be trying to figure out why most computers don't become infected?
Comment only on last paragraph: Many *home* computers do, quite a few *corporate* do as well, in my experience. Even if they didn't, the numbers we face are significant enough.

--
http://blogs.securiteam.com/
"Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.