Author Topic: Stuxnet, Duqu and Flame VS. AntiVirus  (Read 3371 times)
Agoonie
« on: June 01, 2012, 12:51:44 PM »

Great article about malware and AV.  Illustrates why we need a change in AV to detect ever changing threats.  It was kind of cool to see they owned up to it. 


http://www.wired.com/threatlevel/2012/06/internet-security-fail/

OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
sil
« Reply #1 on: June 01, 2012, 01:04:09 PM »

Flamer - I Can Haz Propaganda
http://infiltrated.net/index.php?option=com_content&view=article&id=48&Itemid=54

Agoonie
« Reply #2 on: June 01, 2012, 01:52:43 PM »

My boss would agree with you 100%.  He says that they are all "snake oil salesmen" and they created most of the problems to get money.  The thing I am noticing is that they are not catching them but still saying they can protect against it.  But isn't it a necessary evil at this point even without the FUD/gov't FUD?

OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
sil
« Reply #3 on: June 01, 2012, 02:01:35 PM »


They don't need to make their own malware, flood the market to sell the products. The approach is wrong. In order to understand this, you would need to go to http://maec.mitre.org and understand a lot of what's going on. In a nutshell this is the issue:

Malware Signature
1 + 1 = 2

Attacker
one + 1 = 2

New Malware Signature
one + 1 = 2

Same attack + attacker
one plus one equals 2

New Malware Signature
one plus one equals 2

Same attack + attacker
b25lIHBsdXMgb25l

No matter how they want to attack the heuristics, it's a guessing game based on what they KNOW. They can never see/know/understand an attacker so there is a lot of assumption based on known knowns. So attackers will ALWAYS have an upper hand. The key isn't to rely on malware/AV companies, the key is understanding your network, applications and patterns. E.g., any baseline traffic would yield anomalies in sites visited, bandwidth consumed and so forth. You start seeing things leave your network destined for say China at 3am... It's something you should be quick to look at. Same applies for ANY connection LEAVING your network when say, there is no one on a particular machine. HIPS also help here but running say Tripwire or Samhain in an enterprise can be a headache.

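The baseline-and-anomaly idea in the post above (flag outbound traffic to a country a host never talks to, at an hour it is normally idle, or at a volume far above its usual) is straightforward to prototype. The following is an added example written for this thread, not code from the poster; the flow records, hostnames, addresses and the `volume_factor` threshold are all constructed for illustration.

```python
"""Baseline-vs-anomaly check over outbound connection logs.

Builds a per-host baseline of destination countries, active hours and
peak bytes_out from a 'known good' window of flow records, then flags
observed flows that fall outside that baseline. Every log line below is
constructed; the format is "timestamp host dst_ip dst_country bytes_out".
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" window used to learn each host's normal pattern.
BASELINE_LOG = """\
2012-05-28T09:12:00 ws-42 203.0.113.10 US 4200
2012-05-28T10:30:00 ws-42 203.0.113.11 US 5100
2012-05-29T11:05:00 ws-42 198.51.100.7 DE 3900
2012-05-29T14:40:00 ws-42 203.0.113.10 US 4800
2012-05-30T09:50:00 ws-42 203.0.113.12 US 6100
2012-05-28T08:00:00 ws-07 203.0.113.10 US 2000
2012-05-29T09:15:00 ws-07 203.0.113.10 US 2200
"""

# Constructed flows to evaluate: one normal, one 3am bulk transfer to a new
# country, one normal, one late-night connection to a new country.
OBSERVED_LOG = """\
2012-06-01T10:10:00 ws-42 203.0.113.10 US 4500
2012-06-01T03:02:00 ws-42 192.0.2.55 CN 950000
2012-06-01T09:00:00 ws-07 203.0.113.10 US 2100
2012-06-01T23:30:00 ws-07 198.51.100.9 DE 2300
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, country, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": dst,
            "country": country,
            "bytes": int(nbytes),
        })
    return flows


def build_baseline(flows):
    """Per host: countries seen, hours with activity, largest bytes_out seen."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_bytes": 0})
    for f in flows:
        b = base[f["host"]]
        b["countries"].add(f["country"])
        b["hours"].add(f["ts"].hour)
        b["max_bytes"] = max(b["max_bytes"], f["bytes"])
    return base


def find_anomalies(baseline, flows, volume_factor=10):
    """Return (flow, [reasons]) for each flow outside its host's baseline.

    volume_factor is an assumed threshold: bytes_out above volume_factor
    times the host's baseline peak is treated as anomalous.
    """
    findings = []
    for f in flows:
        reasons = []
        b = baseline.get(f["host"])
        if b is None:
            reasons.append("host has no baseline")
        else:
            if f["country"] not in b["countries"]:
                reasons.append(f"new destination country {f['country']}")
            if f["ts"].hour not in b["hours"]:
                reasons.append(f"no prior activity at hour {f['ts'].hour:02d}")
            if f["bytes"] > volume_factor * b["max_bytes"]:
                reasons.append(
                    f"bytes_out {f['bytes']} exceeds {volume_factor}x baseline max"
                )
        if reasons:
            findings.append((f, reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LOG))
    for flow, why in find_anomalies(base, parse_flows(OBSERVED_LOG)):
        print(flow["ts"], flow["host"], "->", flow["dst"], "|", "; ".join(why))
```

On the constructed data only the 3am transfer from ws-42 and the late-night flow from ws-07 are reported; the two daytime flows match their hosts' learned pattern. A real baseline needs a window long enough to cover legitimate variation (patch cycles, month-end jobs), otherwise the hour and country checks generate noise rather than the "look at this now" signal the post is after.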

ajohnson
« Reply #4 on: June 01, 2012, 05:55:23 PM »

Have either of you read: http://www.amazon.com/The-Myths-Security-Computer-Industry/dp/0596523025/ref=sr_1_1?ie=UTF8&qid=1338590679&sr=8-1

It's an easy read that's written for the layman and is expectedly a bit biased in McAfee's favor. However, there were some parts that were extremely candid about both AV in general and McAfee's own offerings.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
3xban
« Reply #5 on: June 02, 2012, 10:33:05 AM »

It's all about whitelisting I say.  The less educated folks in IT think it is an impossible feat to use app controls to whitelist your standard baseline system.  I was in a conference call this week where someone stated it's "easier to blacklist".  I was like what???  Sure for the one offs you actually know about but what about the 100 other backdoor apps installed on your network that you DON'T know about??

If anything enforce whitelists on your servers, I mean if you don't know what is running on at least those then you have lost this battle. 

I believe the basic firewall rule set is an excellent example and POC - your rules that allow traffic in to specific services with the DENY ALL rule at the end.  Even outgoing, allow only these services out from these specific networks, block everything else.  Good, your egress point to the network is covered.  Now do the same for everything else!  Sure it may take a while to complete the list of allowed apps on your network but in the long run it will pay off. Keep everything patched and your c-levels can sleep better at night.

Certs: GCWN
(@)Dewser
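The post above argues for treating application control like a firewall rule set: explicit allow entries, then DENY ALL. The following is an added example for this thread, not the poster's code or any product's implementation; it models an allowlist that ties an executable path to an expected SHA-256 and to the networks and ports that binary may reach, with everything unmatched denied. The paths, hashes (derived from inline byte strings) and networks are constructed placeholders.

```python
"""Default-deny application allowlist modeled on a firewall rule list.

An executable is allowed to make an outbound connection only if
  1. its path is on the allowlist,
  2. its hash matches the hash recorded for that path (a replaced or
     tampered binary at a trusted path is denied), and
  3. an explicit rule for that executable covers the destination
     network and port.
Anything else falls through to the final deny, like DENY ALL in a
firewall rule set. All values below are constructed for illustration.
"""
import hashlib
import ipaddress


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as hex; in practice hash the file on disk."""
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries": the hashes would normally be recorded at install
# time from the actual files, not from inline byte strings.
TRUSTED_BINARIES = {
    r"C:\Program Files\Corp\updater.exe": sha256_hex(b"updater-v1"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"svchost-build-7601"),
}

# Allow rules, first match wins. There is deliberately no catch-all allow.
ALLOW_RULES = [
    {"exe": r"C:\Program Files\Corp\updater.exe",
     "dst_nets": ["203.0.113.0/24"], "dst_ports": {443}},
    {"exe": r"C:\Windows\System32\svchost.exe",
     "dst_nets": ["10.0.0.0/8"], "dst_ports": {80, 443}},
]


def evaluate(exe_path, exe_hash, dst_ip, dst_port):
    """Return (decision, reason) where decision is 'allow' or 'deny'."""
    expected = TRUSTED_BINARIES.get(exe_path)
    if expected is None:
        return "deny", "executable not on allowlist"
    if expected != exe_hash:
        return "deny", "hash mismatch for allowlisted path"
    ip = ipaddress.ip_address(dst_ip)
    for rule in ALLOW_RULES:
        if rule["exe"] != exe_path:
            continue
        in_net = any(ip in ipaddress.ip_network(n) for n in rule["dst_nets"])
        if in_net and dst_port in rule["dst_ports"]:
            return "allow", f"matched rule for {exe_path}"
    return "deny", "no allow rule matched (default deny)"


# Constructed connection attempts: (exe_path, exe_hash, dst_ip, dst_port).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Corp\updater.exe", sha256_hex(b"updater-v1"), "203.0.113.5", 443),
    (r"C:\Program Files\Corp\updater.exe", sha256_hex(b"updater-v1"), "198.51.100.1", 443),
    (r"C:\Windows\System32\svchost.exe", sha256_hex(b"not-the-real-one"), "10.1.2.3", 80),
    (r"C:\Windows\System32\svchost.exe", sha256_hex(b"svchost-build-7601"), "10.1.2.3", 80),
    (r"C:\Users\bob\AppData\Local\Temp\x.exe", sha256_hex(b"x"), "10.1.2.3", 80),
]


def audit(events):
    """Evaluate each event; returns [(exe_path, dst_ip, dst_port, decision, reason)]."""
    return [(exe, ip, port, *evaluate(exe, h, ip, port)) for exe, h, ip, port in events]


if __name__ == "__main__":
    for exe, ip, port, decision, reason in audit(SAMPLE_EVENTS):
        print(f"{decision:5s} {exe} -> {ip}:{port}  ({reason})")
```

Rolling this out the way the post suggests (servers first) usually means running it in an audit-only mode for a while, logging the deny decisions without enforcing them, so the allow list is built from what the servers actually do rather than from guesses; once the denies are down to genuine exceptions, enforcement is switched on.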