Combating file infectors on corporate networks

In this age of botnets, rootkits, spyware, and other bleeding-edge security threats, file infectors are frequently thought of as a dead threat. But during the past year or so, we have observed an unprecedented growth in classic file-infecting viruses that have enjoyed a relatively high degree of success in the wild - causing widespread damage to computer systems. Many of the new viruses seen today aren´t advancements in their own right; rather, they have just taken advantage of advancements in technology. And the sophistication of infection techniques and vectors used by viruses these days are on the rise. With a recent increase in network file-infecting viruses, it´s high time we revisit the traditional techniques used to detect virus-like activity on the network and improve them. This paper proposes using virtual area networks (VLANs) technology to mass deploy a SAMBA based honeypot to the entire site. We also look at setting up a server message block (SMB) based sniffer to capture file-infector activity on the local area network. The proposed solutions are scalable, cost effective and were internally implemented at McAfee Avert Labs.