I’m baaaaack
Yes, it's been over a week since my last blog entry. I've been fairly preoccupied and haven't had much time to blog, as I've been supporting offices in other time zones (think GMT and GMT+, not EST or PST). But now I'm back and ready to get on with boring people to death.
First thing I want to comment on now that I’m back is the lack of wide-scale impact of the mocbot variant that targeted MS06-040.
The more I read about this one, the more I think the following factors kicked in:
- It targeted only a limited subset of the vulnerable OSes: Windows 2000.
- Microsoft has done a great job getting the word out to patch your systems. Two days after the patch was released, Microsoft reported “well over 100 million downloads of the update”. That’s pretty friggin’ impressive!
- Past worms have driven home the point that firewall best practices include blocking the world from RPC and LSASS ports (While it seems obvious to some, this wasn’t the case three years ago!).
- Recent prosecutions of knuckle-heads releasing worms for fun might have actually discouraged many. In the past, worms like Slammer, Blaster, etc. did nothing more than self-propagate. As time progressed we started seeing worms create botnets, and now with the latest Graweg/mocbot we're seeing spam-proxy trojans being dropped. This supports Alan's hypothesis that massive-scale attacks are moving towards a for-profit venture.
- The security community as a whole has become more efficient at collaborating. I give the ISC big props on this one. They've managed to maintain their presence as a hub of information for the security world like no other organization, and they've maintained that service for FREE. I hope they realize that the free factor has been a major contributor to their success and don't go the standard subscription route.
- Advances in IDS/IPS technology have helped as well. Anything that moves our protection beyond patches is a good thing, and IDS/IPS tech does that well. Yes, I realize signature-based IDS/IPS is reactive. However, it gets the protection mechanism upstream from the hosts we are protecting, which is always better for protection. Wouldn't you rather someone else fight the terrorists in Afghanistan rather than you fighting them in your front yard? Me too.
My point is that the security community has learned from the past and is evolving, and this is a good thing, as we are now seeing. We might be witnessing a point in time where the security community evolves and improves at a rate equal to or greater than the bad guys! Now wouldn't that be refreshing?
