| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Bogus FBI Email "Casey Townsend" replied to Valdis Kletnieks: [restructured to correct for top posting-itis...] > > W32/Sober-C, I believe. Consult your favorite AV vendor's info > > pages for details. > > I received the following private reply which makes me think it is NOT > W32/Sober-C, as Norton would have caught it. > > "An associate of mine had this one hit his computer and he had to start > from scratch with a complete rebuild. He told me he felt pretty stupid > about it because he isn't one of the people that don't have a clue, but > the fact that it was intimidating enough led him to open the mail and it > ran. It got by Norton as well and he could not recover when it hit him. > That is about all I know about it at this time." Ahhh yes, a FOAF denial -- generally even harder to refute than "firsthand" FOAFs... >From the described content, the odds are phenomenally high that the message he saw was produced by Sober.C. As to why NAV "missed" detecting the attachment (or not), there are myriad possible explanations, none of which can be satisfactorily divined from your friend's chronically deficient description of the events. However, based on much experience of such things in general (and some experience with Sober.C) I'll list, in no particular order, a few of the most likely explanations of NAV's failure in this case... 1. He had unwittingly turned off NAV's Email scanning... 2. ... or his kids deliberately turned it off to speed up their favourite shoot'em up. 3. He had been infested with some other, unknown to NAV (at the time), malware which disabled NAV before the message arrived. 4. His NAV update subscription has expired so he has not received a NAV update since before Symantec added detection of Sober.C. 5. Some other systematic problem has recently been introduced into his setup which has prevented NAV updating (how clueful is his ISP? Did he block LiveUpdate from accessing the Internet in the firewall?). 6. The copy of Sober.C attached to the message was truncated, and thus corrupted and (probably) unrunnable. Regardless of its runnability, NAV failed to detect it because some part of the file critical to NAV's detection of Sober.C is "missing". Yes, I've seen this with Sober.C. 7. The copy of Sober.C attached to the message has been infected with some other, parasitic PE infector which is now tagging along with Sober.C. Because this is a new virus, NAV may not detect it (and almost certainly wouldn't report Sober.C) I've not seen any other virus piggybacking with Sober.C yet, but based on much experience with other self-mailing PE viruses, it's only a matter of time... ...and many others I now can't be bothered describing. Anyway, the bogus FBI messages you asked about (plus several other interesting SE approaches) are used by Sober.C, and as of this writing _only_ by Sober.C. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists