Chapter 5 • Botnet Detection: Tools and Techniques
Botnets: The Killer Web Applications

about malware reports that only make the secondary list. B-list celebrities might be suspect, but B-list malware has been reported by an expert in the field. So, the fact that the secondary list is much longer than the primary list suggests strongly that a single variant is sparsely distributed, to reduce the speed with which it’s likely to be detected. This does suggest, though, that the technical definition of ItW (i.e., reported by two or more reporters; see Sarah Gordon’s paper, What is Wild?, at http://csrc.nist.gov/nissc/1997/proceedings/177.pdf) is not as relevant as it used to be.
Don’t panic, though; this doesn’t mean that a given variant may be detected only by the company to which it was originally reported. WildList-reported malware samples are added to a common pool (which is used by trusted testing organizations for AV testing, among other purposes), and there are other established channels by which AV researchers exchange samples. This does raise a question, however: How many bots have been sitting out there on zombie PCs that still aren’t yet known to AV and/or other security vendors? Communication between AV researchers and other players in the botnet mitigation game has improved no end in the last year or two. Despite this, anecdotal evidence suggests that the answer is still “Lots!” After all, the total number of Sdbot variants is known to be far higher than the number reported here (many thousands …).

Heuristic Analysis
One of the things that “everybody knows” about antivirus software is that it only detects known viruses. As is true so often, everyone is wrong. AV vendors have years of experience at detecting known viruses, and they do it very effectively and mostly accurately. However, as everyone also knows (this time more or less correctly), this purely reactive approach leaves a “window of vulnerability,” a gap between the release of each virus and the availability of detection/protection.
Despite the temptation to stick with a model that guarantees a never-ending revenue stream, vendors have actually offered proactive approaches to virus/malware management. We’ll explore one approach (change/integrity detection) a little further when we discuss Tripwire. More popular and successful, at least in terms of detecting “real” viruses as opposed to imple-