Posted on 09/06/2007 10:12:39 PM PDT by ShadowAce
The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate.
The New Zealand Honeynet Project inspected more than 300,000 URLs (nearly 149,000 hosts) for three weeks and found 306 malicious URLs served from 194 malicious servers. Here are the most interesting points, to me:
2. Many of the malicious Web sites turn non-malicious, and vice versa, all the time. I've talked about this in previous columns, but essentially many malware writers are taking great pains to make sure an infected Web site serves up malicious content to any given IP address only once. That strategy defeats additional inspection by anti-malware researchers and honeyclients.
3. Only 12 percent of malicious URLs appeared on a blacklist. Nevertheless, counterintuitive as it may seem, blacklists were highly effective at blocking a large percentage of attacks. This is because the blacklists often blocked the main back-end computers serving up most of the malware. In today's Web-intertwined world, most of the infected Web sites actually point to a smaller number of super server hosts. Block them, and the original infected site is defanged.
4. Fully patched computers blocked 100 percent of the malicious attempts (for the study, the project used Internet Explorer 6 SP2 instead of the better-defended Internet Explorer 7).
5. The study includes analysis of several real Web sites and exploits.
6. Many of the exploits attempted to steal log-on names and passwords.
7. Most attacks used JavaScript to initiate the exploitation.
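Point 3 rests on a measurable property of the redirect graph: a handful of back-end hosts sit at the end of most infected sites' redirect chains, so blocking those hosts defangs far more landing pages than are on the list themselves. The script below is an added example, not code from the column or from the Honeynet Project; the hostnames and chains are constructed to mimic what a honeyclient would record.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: landing URL -> the redirect hops a honeyclient observed,
# ending at the host that actually served the exploit. All names are made up.
REDIRECT_CHAINS = {
    "http://blog-a.example/post1": ["http://ad-hub.example/x.js", "http://kit-1.example/load"],
    "http://shop-b.example/":      ["http://ad-hub.example/x.js", "http://kit-1.example/load"],
    "http://forum-c.example/t/9":  ["http://kit-1.example/load"],
    "http://news-d.example/a":     ["http://cnt.example/c.php", "http://kit-2.example/in.php"],
    "http://wiki-e.example/p":     ["http://kit-2.example/in.php"],
    "http://host-f.example/":      ["http://lone-1.example/e"],
    "http://host-g.example/":      ["http://lone-2.example/e"],
    "http://host-h.example/":      ["http://lone-3.example/e"],
}


def host_of(url):
    return urlparse(url).hostname


def backend_hosts(chains):
    """Count how many landing URLs end at each exploit-serving host."""
    return Counter(host_of(chain[-1]) for chain in chains.values())


def top_backends(chains, n):
    """The n back-end hosts that serve the most landing URLs (the 'super servers')."""
    return [host for host, _ in backend_hosts(chains).most_common(n)]


def blocked_fraction(chains, blacklist):
    """Fraction of landing URLs defanged when any host on the landing page's
    path to the exploit (landing host or any hop) is on the blacklist."""
    blocked_set = set(blacklist)
    blocked = 0
    for landing, chain in chains.items():
        hosts = {host_of(landing)} | {host_of(u) for u in chain}
        if hosts & blocked_set:
            blocked += 1
    return blocked / len(chains)


if __name__ == "__main__":
    # Listing only one landing host covers 1 of 8 sites; listing the two
    # busiest back ends covers 5 of 8 without listing any landing page.
    print("landing-only list:", blocked_fraction(REDIRECT_CHAINS, ["blog-a.example"]))
    print("top-2 back ends:  ", blocked_fraction(REDIRECT_CHAINS, top_backends(REDIRECT_CHAINS, 2)))
```

Swap the constructed dictionary for real honeyclient output (landing URL plus observed redirect hops) and the same two numbers show how much of a blacklist's protection comes from back-end hosts rather than the sites users actually visit.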
The paper ends with several defense recommendations, including:
* Keep fully patched, both OS and applications.
* Blacklists are effective.
* Don't run as root or admin in browser sessions.
* Host-based firewalls offer additional protection.
I encourage any computer security defender to download and read this honeyclient paper.
Bump
Bump
I'm the only one that uses my computer, so I always do everything as admin. Is that a big deal?
Sure sounds that way. Time to change that.
The only time "administrator" is really useful is when installing or removing software, and that can usually be done off line anyway.
Unless the application previously downloaded but not yet installed is the agent.
Hmmmmmmmmm.
Yes, and you'll do yourself a favor by creating a user account at "Power User" level (or even "User" level if you can stand it), and using that for your normal web-surfing and whatnot.
Running normal user tasks as a member of "Administrators" is like taking your souped-up Corvette with the 454ci engine for every drive to the grocery store, despite the fact that it is a pointless risk and a waste of power compared to taking the VW.
99% of the time, Windows users do not require administrative-level privilege. Only when installing software, making changes to the system files, etc. do you need that.
And that should be your BIG CLUE as to why you normally want to run at lower power level -- if you get bitten, the damage done by the malware will be lower because it can't install software and can't change system settings as easily.
When you're at "Power User" or "User" level, you can still invoke selected programs as "Administrator" by doing a right-click and selecting "RunAs..." It's not perfect, but it generally does the proper thing and gives you admin access for that command.
The downside to playing it safer is that it is occasionally inconvenient. Windows is still basically a toy operating system that thinks in terms of a single individual running it all, rather than the classic professional dual-mode of an administrator and a user. There are some things you need to do as a regular user which, under Windows, require administrative privilege because Windows is fundamentally stupid about priv levels. Real operating systems have done it right for decades. Vista is trying to improve its ugly situation, but it's only baby steps compared to what's required to correct decades of Windows' designed-in stupidity.
Please add me to the tech ping list! Thank you ;)
MJ
Even installing a printer requires administrative privileges, which means that every salesman traveling with a laptop has to be set to administrative privileges.
Yes
ping
You’ve been added. Welcome Aboard!
My company just switched all Windows computers to operate in this manner. It was such a pain for me that I replaced the hard drive with a new one, installed Linux (Mepis), and run any Windows-only applications in VirtualBox. So far, it's worked fine for me.