[ISN] Thank you for the details about that movie regarding my application for the approved wicked screensaver

From: InfoSec News (isnat_private)
Date: Tue Aug 26 2003 - 05:52:48 PDT


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    Given that Sobig.F seems to have subsided from its weekend peak (from
    my numbers, it was doubling every day last week up until Sunday and
    then suddenly dropped off--to a rate that is still roughly as high as
    Klez at its worst) and that "Stage 2" seems to have been averted, a
    few thoughts.
    
    Blaster, a worm, infected relatively few machines but inconvenienced
    (and in some cases worse) companies, so it gets its name in the
    paper.  Sobig surpasses all records in terms of number of email
    messages generated, and almost nobody (outside of our little security
    circle) is paying attention.
    
    Spoofing of email headers in virus messages goes back to Hybris or
    before.  Most of the successful email viruses have used some form of
    spoofing.  Yet antivirus companies, in their mail server based
    products, are continuing to generate bounce messages to the nominal
    sender, probably in an attempt to market their products.
    
    I got a lot of bounced Sobig over the past week.  None, of course, had
    been sent from me.  What these bounces are actually doing is aiding
    the virus: the bounce messages send the virus (a full copy of the
    original message is often included) to yet another machine.  Spammers
    have also been using spoofed email addresses for some time.  Bounced
    spam is therefore also helping spammers to spread their messages.  
    Two spam for the price of one, thanks to bounces.  (Occasionally I
    hear of a server being inundated by a faked sender address on spam,
    but this seems to be rare.  Which would seem to indicate that spammers
    are deliberately using random addresses, possibly for reasons of
    multiplication through bounces.)
    
    One of the interesting points to come out of the height of the Sobig
    numbers on Saturday was that I saw relatively *few* bounces, in
    proportion to what one might have thought was the case.  My address is
    obviously on enough infected machines for me to get huge numbers of
    infected messages: due to the way the virus spoofs addresses, a large
    number of the Sobig messages would have been sent "from" me.  Given
    that the majority of server based antiviral packages do bounce
    messages, the penetration of server based virus scanning would
    therefore seem to be quite low.  (Interesting, the indirect things you
    can learn in the aftermath of an attack.  Consider the subject line of
    this message a test of content scanners still doing simplistic subject
    line rejections.)
    
    I have been warning about the type of convergence of malware
    technologies involved in the "stage 2" situation for a few years now.  
    Will it be taken seriously after Sobig?  (Listen to the sound of me
    *not* holding my breath.)  Sobig seems to have been planned and
    designed with much greater care than is usually the case with viruses
    and malware.  Up until now, we have been spared what viruses *could*
    do primarily by the fact that we have been facing a bunch of
    disorganized amateurs.  A number of comments about Sobig have raised
    the possibility of an involvement with spammers and/or organized
    crime.  (We already know that "red guest" groups in China are much
    more organized and disciplined than traditional blackhats.)  Sobig may
    simply be the result of an isolated creative mind, but relying on that
    supposition as fact is dangerous security planning.
    
    Buried in the investigations into Sobig.F, you will find reference to
    the fact that it stops reproducing after September 10th.  I'm afraid
    it took my wife pointing it out to make me realize that this is one
    day before September 11th.  Sobig.G, anyone?
    
    
    ======================  (quote inserted randomly by Pegasus Mailer)
    rsladeat_private      sladeat_private      rsladeat_private
    You know the type.  They like to blame it all on the Jews or the
    Blacks, 'cause if they couldn't, they'd have to wake up to the
    fact that life's one big, scary, glorious, complex and ultimately
    unfathomable crapshoot -- and the only reason THEY can't seem to
    keep up is they're a bunch of misfits and losers
                     - An analysis of Neo-Nazis, from `The Badger' comic
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    
    
    -
    ISN is currently hosted by Attrition.org
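The post above describes backscatter: bounces generated by mail-server antivirus products go to the forged sender, so they spread the worm (and spam) further. One defence on the receiving side, shown here as an added example that is not part of the original post or the ISN list, is a signed return path in the style of BATV (Bounce Address Tag Validation): every outgoing envelope sender is rewritten to prv=DDD-HHHHHH=user@domain, where DDD is a day number and HHHHHH a keyed hash, and a later delivery from the null sender (<>) is accepted only when the recipient address carries a valid, unexpired tag. Anything sent "from" you by an infected machine carries your plain address, so the bounce it provokes is refused. The key, domain, addresses, timestamps, HMAC-SHA256 choice and tag length are this example's assumptions, not prescribed by the page.

```python
"""BATV-style signed return paths: reject bounces for mail we never sent.

Added example, not from the original post. Key, addresses and timestamps
are constructed for the demonstration; apply the check only to domains the
server is authoritative for.
"""
import hashlib
import hmac
import time

SECRET_KEY = b"example-only-key-rotate-in-production"  # assumption: MTA-held secret
TAG_LIFETIME_DAYS = 7   # genuine bounces arrive within days; older tags are refused
TAG_HEX_LEN = 6         # short tag keeps addresses usable; 24 bits still limits guessing


def _day_number(now):
    """Days since the epoch, modulo 1000 (a three-digit field, as in BATV)."""
    t = time.time() if now is None else now
    return int(t // 86400) % 1000


def _tag(local_part, day, key):
    """Keyed hash binding the untagged local part to the day it was sent."""
    msg = f"{day}:{local_part}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def sign_return_path(address, key=SECRET_KEY, now=None):
    """Rewrite MAIL FROM user@domain to prv=DDD-HHHHHH=user@domain."""
    local, domain = address.rsplit("@", 1)
    day = _day_number(now)
    return f"prv={day:03d}-{_tag(local, day, key)}={local}@{domain}"


def validate_bounce_recipient(address, key=SECRET_KEY, now=None):
    """Decide whether a null-sender delivery to `address` is a bounce we caused.

    Returns (accept, reason, original_address_or_None).
    """
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prv="):
        # No tag at all: this return path was never used by our server, so
        # the "bounce" is backscatter from a forged sender (or a forged DSN).
        return False, "untagged address: we never sent mail with this return path", None
    try:
        stamp, original_local = local[len("prv="):].split("=", 1)
        day_str, tag = stamp.split("-", 1)
        day = int(day_str)
    except ValueError:
        return False, "malformed tag", None
    age = (_day_number(now) - day) % 1000  # modular, so the 1000-day wrap is safe
    if age > TAG_LIFETIME_DAYS:
        return False, "tag expired", None
    if not hmac.compare_digest(tag, _tag(original_local, day, key)):
        return False, "bad tag: forged or wrong key", None
    return True, "genuine bounce", f"{original_local}@{domain}"


def smtp_reply_for_null_sender(rcpt, key=SECRET_KEY, now=None):
    """Reply to give at RCPT TO when MAIL FROM was <>: refuse at SMTP time.

    Refusing here (5xx) means the backscatter is never accepted, so our own
    server does not in turn generate yet another bounce for it.
    """
    ok, reason, _ = validate_bounce_recipient(rcpt, key, now)
    return "250 2.1.5 OK" if ok else f"550 5.7.1 Backscatter refused ({reason})"


if __name__ == "__main__":
    now = 1_061_900_000.0            # constructed timestamp, late August 2003
    sender = "rslade@example.org"    # constructed address
    tagged = sign_return_path(sender, now=now)
    print("outgoing MAIL FROM:", tagged)
    scenarios = [
        ("real bounce to tagged address", tagged, now),
        ("worm-provoked bounce to plain address", sender, now),
        ("bounce arriving a month later", tagged, now + 30 * 86400),
    ]
    for label, rcpt, when in scenarios:
        print(f"{label}: <> -> {rcpt}: {smtp_reply_for_null_sender(rcpt, now=when)}")
```

The tagging only stops backscatter aimed at your own domain; the fix the post actually asks for is on the sending side, where a gateway that detects malware should refuse the message during the SMTP session instead of accepting it and mailing a notice (with the payload attached) to an address the worm chose.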



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:55:50 PDT