Malware authors have been at the cutting edge of building exploit code for newly disclosed, and even unpatched (zero-day), vulnerabilities into their creations. Fueled by financial incentives and readily available source code, today's attackers aggressively pursue continued development of their malware. Over the years, the window between a vulnerability being disclosed and its incorporation into a worm or exploit candidate has shrunk from months, to weeks, to days, and in the zero-day case to nothing at all. This leaves administrators very little time to schedule and deploy patches to every server and workstation on their networks. If, during that window, the network is hit with a bot that uses a zero-day vulnerability, an organization could be faced with a worm outbreak or a large-scale attack.
The table below shows, for each of several well-known worms, the date the patch for the exploited vulnerability became available, the date the worm appeared, and how many days malware authors needed to incorporate the vulnerability into a worm candidate.
| Patch    | Malware | Patch Availability | Worm Attack Date | Days for worm to appear |
|----------|---------|--------------------|------------------|-------------------------|
| MS01-020 | Nimda   | Oct 17th, 2000     | Sept 18th, 2001  | 335 days                |
| MS02-061 | Slammer | July 24th, 2002    | Jan 25th, 2003   | 185 days                |
| MS03-026 | Blaster | July 16th, 2003    | Aug 11th, 2003   | 26 days                 |
| MS04-011 | Sasser  | Apr 13th, 2004     | Apr 30th, 2004   | 17 days                 |
| MS05-039 | Zotob   | Aug 09th, 2005     | Aug 14th, 2005   | 5 days                  |
| MS06-040 | Mocbot  | Aug 08th, 2006     | Aug 12th, 2006   | 4 days                  |
The paper "Defeating bots on the internal network" from McAfee Avert Labs, published in the February 2007 issue of Virus Bulletin, describes setting up an IRC honeypot on the internal network, using minimal resources and requiring little maintenance, as an early-warning system that proactively alerts on botnet activity: no legitimate internal host has any business speaking IRC to such a server, so a client that registers a nickname and tries to join a channel is almost certainly an infected machine looking for its command-and-control channel. The paper also discusses using the internal IRC honeypot to gain control over the infected machines and remove the bot from them.
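To make the early-warning idea concrete, here is an added example of a minimal IRC honeypot. It is illustration code written for this page, not the code from the paper or from McAfee; the server name `irc.honeypot.local`, the listening address, and the sample bot transcript (nick `[XP]-3817`, channel `#cmd`, key `s3cr3t`) are made up. It speaks just enough of the IRC protocol (RFC 2812) for a bot to register and JOIN, and turns those two events into alerts carrying the source host, nickname, channel and channel key.

```python
"""
Minimal internal-network IRC honeypot (added example, not code from the paper).

Speaks just enough IRC (RFC 2812) for a bot to register a nick and JOIN its
command channel, then raises an alert for each of those events. On an internal
network no legitimate host should speak IRC to this box, so one registration is
a high-fidelity signal that the connecting host is infected.
"""
import logging
import socketserver

SERVER_NAME = "irc.honeypot.local"  # assumed honeypot hostname, not from the paper
LISTEN_ADDR = ("0.0.0.0", 6667)     # default IRC port; many bots use other ports too


class IrcSession:
    """Protocol state for one client; all logic lives here so it can be unit-tested."""

    def __init__(self, peer):
        self.peer = peer          # source IP of the (presumably infected) host
        self.nick = None
        self.user = None
        self.registered = False

    def handle_line(self, line):
        """Consume one raw IRC line; return (replies_to_send, alerts_raised)."""
        replies, alerts = [], []
        line = line.rstrip("\r\n")
        if line.startswith(":"):             # drop an optional "<prefix> " before the command
            line = line.split(" ", 1)[1] if " " in line else ""
        if not line:
            return replies, alerts
        cmd, *args = line.split(" ")
        cmd = cmd.upper()

        if cmd == "NICK" and args:
            self.nick = args[0]
        elif cmd == "USER" and args:
            self.user = args[0]
        elif cmd == "PING":                  # keep-alive: answer it or the bot disconnects
            token = args[0].lstrip(":") if args else SERVER_NAME
            replies.append(f":{SERVER_NAME} PONG {SERVER_NAME} :{token}")
        elif cmd == "JOIN" and args and self.registered:
            channel = args[0]
            key = args[1] if len(args) > 1 else ""   # channel password, if the bot sends one
            alerts.append({"event": "join", "peer": self.peer, "nick": self.nick,
                           "channel": channel, "key": key})
            # Pretend the join succeeded so the bot stays connected and keeps talking.
            replies.append(f":{self.nick}!{self.user}@{self.peer} JOIN :{channel}")
            replies.append(f":{SERVER_NAME} 353 {self.nick} = {channel} :{self.nick}")
            replies.append(f":{SERVER_NAME} 366 {self.nick} {channel} :End of /NAMES list")
        elif cmd == "QUIT":
            replies.append("ERROR :Closing Link")

        # Registration completes once both NICK and USER have been seen (RFC 2812, 3.1).
        if not self.registered and self.nick and self.user:
            self.registered = True
            alerts.append({"event": "register", "peer": self.peer, "nick": self.nick,
                           "user": self.user})
            replies.append(f":{SERVER_NAME} 001 {self.nick} :Welcome to {SERVER_NAME}")
            replies.append(f":{SERVER_NAME} 376 {self.nick} :End of /MOTD command")
        return replies, alerts


def replay(peer, lines):
    """Feed a constructed or captured client transcript through a session; return all alerts."""
    session = IrcSession(peer)
    collected = []
    for line in lines:
        _, alerts = session.handle_line(line)
        collected.extend(alerts)
    return collected


# Constructed transcript of what a typical IRC bot sends right after connecting (made up).
SAMPLE_BOT_SESSION = [
    "NICK [XP]-3817",
    "USER xp 0 * :xp",
    "JOIN #cmd s3cr3t",
    "PING :irc.honeypot.local",
]


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One thread per connection; logs every alert (hook your SIEM or mail here)."""

    def handle(self):
        session = IrcSession(self.client_address[0])
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            replies, alerts = session.handle_line(raw.decode("latin-1", "replace"))
            for alert in alerts:
                logging.warning("BOT DETECTED %s", alert)
            for reply in replies:
                self.wfile.write((reply + "\r\n").encode("latin-1"))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    for alert in replay("10.0.0.5", SAMPLE_BOT_SESSION):
        logging.warning("sample transcript -> %s", alert)
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN_ADDR, HoneypotHandler) as srv:
        srv.serve_forever()
```

Run it on a spare internal host and point bot traffic at it (for example by resolving the C&C hostnames seen in your logs to the honeypot's address in internal DNS); the `register` alert identifies the infected host, and the `join` alert captures the channel and key the bot expects, which is the information a defender needs before attempting the control-and-cleanup step the paper describes.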