Comment Re:This is what IDS/IPS appliances are for... (Score 4, Informative) 99
I believe there is more going on to this than you would understand. For example, the Zeus/Qakbot strain always downloads a file. Most times it will be randomized. For arguments sake, lets say it was named nbc.exe. What Zeus/Qakbot did was communicate out via IE. Even though the nbc.exe was the application responsible for running the show, the communications portion was done via good ole GET and POST via HTTPS. At issue with detecting nbc.exe where Zeus/Qakbot was/is concerned, is the fact that the operators of the malware were/are changing the executable N amount of hours. So most AV systems wouldn't even detect it. So no... IPS/IDS here means nothing. Blacklisting *may* have worked to stop the communication, but even then a fast flux would have trumped that.