Bit9

Dan Hubbard’s Websense Research Team produces very interesting research reports. I have attended their latest web presentation and found the following slide interesting, if not all that surprising:

A day and a half passes before a first signature is written for a popular piece of malware! You can only imagine what happens with custom-tailored pieces of malware that you identify yourself and then ask your anti-malware vendor to write a signature for. We have heard from our customers that they have been waiting 3 days or more (factory floors at a standstill) to get a definition written.

The Websense data does not cover proactive technology. It does cover samples that have been seen upwards of 100K times in the wild and require a signature ASAP. We cannot leave it up to the user to decide whether to allow, block or ignore.

Furthermore, Websense suggests that most infections are web-borne, coming from top 100 web properties that were either compromised through the likes of SEO script injection attacks or simply used as free hosting for malware, on sites like googlepages, blogspot, or rapidshare. As much as 29 percent of malicious Web attacks included data-stealing code.

These figures tell us that you cannot trust new and unknown components on the web, even if your favorite anti-malware scanner does not flag them. But what you can do is enforce rules about what is allowed. You can trust people, companies, signature models, your grandmother if you wish, but you need to have a trust model. Letting just about anything execute is a recipe for disaster. It is Marcus Ranum’s “Default Deny” policy.
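To make the difference between the two models concrete, here is a small added Python example (not code from the original post, Bit9, or Websense). It runs four constructed sample files through a signature-style blocklist (default allow) and a trust-model allowlist (default deny, by file hash or by trusted publisher). The sample bytes, file names and the publisher name "Example Vendor Inc" are constructed for the illustration, and the publisher field is assumed to have already been verified by a code-signing check outside this snippet.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Artifact:
    """A file about to execute: its bytes plus the publisher name from its
    code signature, if any. The publisher is assumed to be already verified
    by a signature check that is outside the scope of this example."""
    name: str
    content: bytes
    publisher: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def blocklist_decision(artifact: Artifact, bad_hashes: FrozenSet[str]) -> str:
    """Signature-style model: deny only what has already been catalogued.
    Anything unknown, including a sample no vendor has written a
    definition for yet, falls through to 'allow'."""
    if sha256_hex(artifact.content) in bad_hashes:
        return "deny"
    return "allow"


def allowlist_decision(artifact: Artifact,
                       trusted_hashes: FrozenSet[str],
                       trusted_publishers: FrozenSet[str]) -> str:
    """Default-deny model: allow only what the trust model covers, either by
    exact file hash or by a publisher the organisation has chosen to trust.
    Everything else, known-bad or merely unknown, is denied."""
    if sha256_hex(artifact.content) in trusted_hashes:
        return "allow"
    if artifact.publisher is not None and artifact.publisher in trusted_publishers:
        return "allow"
    return "deny"


def compare_models() -> Dict[str, Dict[str, str]]:
    """Run four constructed artifacts through both models and return the
    decisions keyed by artifact name, then by model name."""
    # Constructed sample files; the bytes merely stand in for real executables.
    known_worm = Artifact("known_worm.exe", b"MZ...worm-v1...")
    new_variant = Artifact("new_variant.exe", b"MZ...worm-v2-repacked...")
    corp_tool = Artifact("corp_tool.exe", b"MZ...internal-inventory-tool...")
    vendor_update = Artifact("vendor_update.exe", b"MZ...patch...",
                             publisher="Example Vendor Inc")

    # The blocklist knows only the first worm; no signature exists yet for the variant.
    bad_hashes = frozenset({sha256_hex(known_worm.content)})
    # The trust model approves one internal tool by hash and one publisher by name.
    trusted_hashes = frozenset({sha256_hex(corp_tool.content)})
    trusted_publishers = frozenset({"Example Vendor Inc"})

    results: Dict[str, Dict[str, str]] = {}
    for art in (known_worm, new_variant, corp_tool, vendor_update):
        results[art.name] = {
            "blocklist": blocklist_decision(art, bad_hashes),
            "allowlist": allowlist_decision(art, trusted_hashes, trusted_publishers),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare_models().items():
        print(f"{name:20s} blocklist={verdicts['blocklist']:5s} "
              f"allowlist={verdicts['allowlist']}")
```

The interesting row is `new_variant.exe`: the blocklist lets it run because nobody has written a definition yet, while the allowlist denies it for exactly the same reason, without anyone having to wait a day and a half. The cost of the second model is the upkeep of the trusted hashes and publishers, which is the "trust model" the post says you need to have.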
