If we know what URLs the virus is going to try to connect to, we should encourage administrators NOT to block these URLs, register them ourselves and place our own code on them which will cause the virus to self-destruct.
The idea of an antivirus-virus is much debated. In the past some have tried to make a virus which goes around patching the exploit on which it came in. Oversights in the development of this antivirus-virus have caused problems in other places (namely on the network infrastructure side). The difference here is this: we are not USING the exploit, we are merely directing code that uses the exploit to no longer use it (and to perhaps create a popup message warning the user that they are infected with something). This will create no additional network traffic.
This is of course in the hopes that the virus author did not anticipate this sort of action and make the virus expect some sort of encrypted certificate in the "virus update".
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/75/286#286
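The caveat at the end of the comment, as an added example that is not part of the original post or of any real malware: if the author ships the virus with an embedded public key and only runs updates that verify under it, a defender who registers the update URL can serve whatever payload they like and the client will refuse it. The code below models that check with Ed25519 from the Go standard library. The key pairs, the "update" struct and the payload strings are all constructed for the illustration; the point is only that possession of the domain is not possession of the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// update is a stand-in for what the client would fetch from its update URL:
// a payload plus a detached signature over it (constructed format, not a
// real protocol).
type update struct {
	Payload   []byte
	Signature []byte
}

// verifyUpdate models the check a cautious author would build into the
// client: accept the payload only if it verifies under the author's
// embedded public key. Anything served from a registered-by-someone-else
// domain fails here unless the signing key also leaked.
func verifyUpdate(authorPub ed25519.PublicKey, u update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(authorPub, u.Payload, u.Signature) {
		return nil, errors.New("update rejected: signature does not verify")
	}
	return u.Payload, nil
}

// signUpdate is what only the holder of the private key can do.
func signUpdate(priv ed25519.PrivateKey, payload []byte) update {
	return update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// simulateTakeover plays the scenario from the comment with hypothetical keys:
// the author signs a genuine update; a defender who has registered the update
// URL serves first an unsigned "self-destruct" payload, then one signed with
// the defender's own key. It returns which of the three the client accepts.
func simulateTakeover() (genuineOK, unsignedOK, defenderSignedOK bool, err error) {
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, defenderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample payloads; these strings are placeholders, not code.
	genuine := signUpdate(authorPriv, []byte("update: new spreading routine"))
	unsigned := update{Payload: []byte("update: uninstall and warn user")}
	defenderSigned := signUpdate(defenderPriv, []byte("update: uninstall and warn user"))

	_, e1 := verifyUpdate(authorPub, genuine)
	_, e2 := verifyUpdate(authorPub, unsigned)
	_, e3 := verifyUpdate(authorPub, defenderSigned)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	g, u, d, err := simulateTakeover()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine signed update accepted:   ", g)
	fmt.Println("unsigned sinkhole payload accepted:", u)
	fmt.Println("defender-signed payload accepted:  ", d)
}
```

Only the first line comes out true. The sinkhole still has value as a kill switch for traffic and as an indicator of which hosts are infected, but the self-destruct trick in the comment depends entirely on the client skipping this check, which is what the commenter's "in the hopes" acknowledges.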