[Full-disclosure] detecting targetted malware
lsi
stuart at cyberdelix.net
Mon Jan 22 12:42:43 GMT 2007
This is probably patented and implemented already but nonetheless its
a new idea for me, so I mention it...
While mass-produced malware remains an issue for a most users, an
significant threat is also posed by malware customised for a specific
victim (so called 'targetted malware'). This threat is potentially
worse as an organisation cannot rely on traditional AV or anti-
spyware scanners to detect the targetted malware; as the malicious
code is customised it does not have an entry in AV/AS signature
databases.
Despite this, detecting customised code should be easy. All that's
needed is a scanner. It simply finds every piece of executable code
on a system. It then compares each piece with its list of known-good
executables. Any executable that is found but is not on the list is
an intruder.
This approach takes advantage of the fact that, unlike spam, we can
make a list of all our known-good items.
Stu
---
Stuart Udall
stuart at at cyberdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
Full-Disclosure is hosted and sponsored by Secunia.