Comments on anti-virus rants: numbers, context, and background
Comment feed by kurt wismer (http://www.blogger.com/profile/03810635947269551517), last updated 2023-08-26T05:04:33.009-04:00

Comment by kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2010-08-10T12:15:00.046-04:00:

"I've grown less convinced that it tells us anything useful about targeting."

i'm not convinced it tells us anything about it either. both the contradictory implications from the different datasets, and the fact that viruses and worms are often more prevalent in one area than in another. i think there's a strong motivation for us to find patterns and meaning, but i'm not convinced there are any to find in this case.

"Actually, Stuxnet isn't limited to USB devices."

i realize it also copies itself to network shares, but as it requires a hardcoded absolute path for the lnk exploit to work it seems unlikely that those copies would activate (unless someone was using mapped drives).

assuming there were mapped drives, that could account for a higher probability of infection between nodes within an organization (making the org behave like a clique) but i'm not sure yet what the larger implications of that would be.

"Blogging data like these is something I don't do very often, and I'm still thinking about the best way of presenting 'em. :)"

well, people will probably always find ways of reading more into numbers than is actually there, but i suppose trying to head at least some of them off at the pass might not hurt.

Comment by David Harley (http://blog.eset.com/), 2010-08-10T11:59:51.365-04:00:

Actually, while the prevalence data is interesting (else I wouldn't have blogged it), I've grown less convinced that it tells us anything useful about targeting. It would have been more useful earlier in its lifecycle, but by the time I first blogged it, it had already spread beyond SCADA sites, which I'd say is actually a more critical FAIL than its low prevalence, since it essentially scuppered its ability to effect a targeted attack. At any rate, in its present form.

I agree that Symantec and ESET (not to mention Microsoft, who were also tracking geographical data) weren't measuring the same things (or at the same time). I'd say that the only way to draw any useful conclusions would be to look at several sources and note similarities and divergences. But I see these data as more qualitative than quantitative. After all, the data from each vendor comes from (mostly) discrete user/system populations.

Actually, Stuxnet isn't limited to USB devices. Unfortunately, our telemetry, while it's accurate in geographical terms, doesn't give relative proportions for different vectors.

Thanks for your input. Blogging data like these is something I don't do very often, and I'm still thinking about the best way of presenting 'em. :)