length: 00:18:37

self executing worm: sasser (the biggest), blaster

last week: knee jerk reaction because RPC vulnerability – because of the way RPC has been exploited in the past nowadays desktop & perimeter FW

lots of spyware being dropped

the PoC was not mature, but it’s not simply PoC of b0f, it does something, but  it is not gov/org malware level

when hacker find something hot, they don’t wait too long as the window of vulnerability will close

exploit via wire – IPS is best method to detect

but self executing worm will have a code that need to be spread, from AV prespective it should be able to detect it

BUT the exploit can be done without any file – needs to be written in the disk

SQL slammer: fileless malware

HIPS & generic b0f protection is good way to mitigate

Payload can be obfuscated – but the exploit cannot – IPS DCE RPC is old signature

Not feasible for AV to scan memory all the time.