[Full-Disclosure] Re: [Dshield] new msblaster on the loose?

From: John Sage (jsageat_private)
Date: Wed Aug 13 2003 - 12:16:37 PDT

Next message: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"

Previous message: Person: "Re: [Full-Disclosure] new msblaster on the loose?"
In reply to: David Vincent: "[Full-Disclosure] new msblaster on the loose?"
Next in thread: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"
Reply: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

arrggg...

On Wed, Aug 13, 2003 at 10:23:23AM -0700, David Vincent wrote:
> anyone else seeing this?
> 
> ---------------
> 
> http://www.theinquirer.net/?article=11018
> 
> New version of Blaster worm on the loose
> Already
> 
> By INQUIRER staff: Wednesday 13 August 2003, 16:51
> KASPERSKY LABS claimed this afternoon that there's already a new
> version of the Blaster/Lovesan worm on the loose.

the Inquirer..

Kaspersky...

Two of the most sober, most credible, most consistent authorities I
can think of.

<troll on>
The only person that I'd put greater value in, if I was to hear a
comment about all this, would be something from Steve Gibson.
</troll off>

> And it says that's likely to mean a repeat of the outbreak we've
> seen during this week. The new variety of Lovesan exploits the same
> vulnerability.
> 
> Kaspersky says that the number of infected systems is around the
> 300,000  mark, and the new variety may double this number.

Bullsh1t..

C'mon folks, think about this a bit.

Changing the name of the executable does *not* make a variant of any
significance.

You can call it foo.exe or bar.exe and if it does absolutely the same
thing, the name change is irrelevant...

...except to set off those self-serving companies who are trying to
get some press out of all this:

"Trend-mantec releases a press report noting the fifteen variant of
the Win32-blah_blah worm, using a executable
"self-serving-publicity.exe". Video of the press conference at
eleven!!!"

...and to those who think they're safe if they have an up-to-date
snort signature:

"Oh my gawd.. I just put the snort rule that catches "p3n1s32.exe" and
now those bad script kiddies have switched to "teek_bar.exe"...

Let me give you a clue: they're just playing with your head.

> "In the worst case, the world community can face a global Internet
> slow down and regional disruption... to the World Wide Web," said
> Eugene Kaspersky, head of the labs.

Give me a break...

Yeah, I'll bet he said it, to anyone who'd listen.

Let's rename it "warhol_worm.exe" and watch the experts freak...

- John
-- 
"Obviously, we do not want to leave zombies around."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"
Previous message: Person: "Re: [Full-Disclosure] new msblaster on the loose?"
In reply to: David Vincent: "[Full-Disclosure] new msblaster on the loose?"
Next in thread: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"
Reply: Joey: "Re: [Full-Disclosure] Re: [Dshield] new msblaster on the loose?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 13:53:20 PDT