
Re: [Full-Disclosure] Getting the lead out of broken virus / worm email meta-reporting



A good thought, but will probably be tough to convince a Sophos, etc
to go along w/ this w/o a very strong customer demand...  profits are
still king...

Tough to implement, but a good idea...

-- Tom

On Tue, 3 Aug 2004 11:40:19 -0400, Clairmont, Jan M
<jan.m.clairmont@xxxxxxxxxxxxx> wrote:
> How fast is fast? The time it takes an av, spyware or firewall
> company to react to a real-time threat.   I think there is going
> to have to be a pooling of anti-virus, mail sweeping and firewall
> protection knowledge.   There should be a central policy that
> can be reported and distributed to the various vendors and
> clients that autoupdates the protecting software.  Simply a
> crisis-mail-alert with appropriate information for translation into a 
> protecting shield that updates all av, mail and firewall
> utilities.
> 
> Has anyone written or read a spec. on standardizing worm, virus
> or other alerts with not just there's a 'sploit, but a method of
> reporting the 'sploit or adware, malware in a way that the
> vendors and clients could instantly counter with a new filter or
> fix?
> 
> Information such as:
> - the virus, malware or spam type;
> - then the filtering fingerprint;
> - the associated dll update, or where to get it from approved vendor lists;
> - time of discovery, place;
> - description of malicious effect, etc.
> 
> Does anyone have any ideas on this?  Is there an RFP on this
> particular subject of universal alerts with fix etc. etc?
> 
> Because the time consuming list watching is just not standardized.
> What vendor and when it comes time to update is a matter of
> when they get around to it.  By that time the cows are out of the
> barn and we are like the volunteer fire department, foundation
> savers.  By the time everyone gets out of bed, rushes to the firehouse and 
> gets to the scene there is nothing left but a foundation to save.
> 
> A Universal Internet Security Alert system with fix, signature etc. should be 
> implemented, when one finds the fix they would be obligated to put the fix 
> into an alert database that all vendors could use.  It would be non-vendor 
> specific and universal to all updates.
> 
> Any other thoughts would be welcome.
> Part of the problem I see would be how to secure the reporting itself.  It 
> would have to be through a specific Agency,
> with signature and encryption that is fairly foolproof and secure.
> A centralized database that can then be created and then an
> alert issued where everyone can go and get the fix, signature or
> whatever and automated. Right now every vendor has its own.
> 
> Thoughts,
> Jan Clairmont
> Firewall Administrator/Consultant
> 
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx]On Behalf Of Todd Towles
> Sent: Tuesday, August 03, 2004 9:53 AM
> To: 'Denis McMahon'; 'fd'
> Subject: RE: [Full-Disclosure] broken virus / worm email has attachment
> not found by grisoft proxy scanner
> 
> I have seen this type of e-mail on my yahoo account at home. I just guessed
> it was a corrupt e-mail put out by some e-mail virus circling the internet.
> It wouldn't be the first time or the last.
> 
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Denis McMahon
> Sent: Tuesday, August 03, 2004 6:39 AM
> To: fd
> Subject: [Full-Disclosure] broken virus / worm email has attachment not
> found by grisoft proxy scanner
> 
> Hmm
> 
> I've had a couple of suspicious emails this week with headers, blank
> line, a line of text, mime headers.
> 
> Thunderbird doesn't see the mime attachment due to the broken headers,
> which is good, but nor does the grisoft email proxy scanner, which is
> bad, especially as I guess that certain broken applications (no I don't
> have outlook [express] on my system) might try and be smart and find the
> attachment.
> 
> This might be broken malware sending unusable stuff out, but my worry is
> that someone may have found a technique that will sneak an attachment
> past some a-v scanners in a "broken" format that certain popular email
> apps will try and fix, possibly putting active malware on the hard disk.
> 
> I tried to talk to grisoft about this, but all I get back is "you have
> to pay to talk to us cheapskate" ... whilst I can agree that they might
> not want to provide tech support to users of their free scanner, does
> anyone have an email address at grisoft for submitting suspicious items
> that have got past their proxy scanner?
> 
> Denis
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


-- 
Thomas Reidy
treidy@xxxxxxxxx
