Message-ID: <B7B536A379EDC5419ACE631E7F3301395623@harold.fairfax.phra.com>
Date: Fri, 26 Sep 2003 15:22:45 -0400
From: "James C. Slora, Jr." <james.slora@...a.com>
To: "Larry Seltzer" <larry@...ryseltzer.com>, <kruse@...lroad.dk>,
	"Liviu Daia" <Liviu.Daia@...r.ro>, <bugtraq@...urityfocus.com>
Subject: RE: Ruh-Roh SOBIG.G?


I have received one classic Swen.A message with an SCR attachment.

What does this have to do with Sobig.x?

Most likely we are seeing the results of secondary file infectors -
Yaha, Klez, Bugbear, etc. Virus detection is generally "first and out".
I have previously seen file infectors piggybacking on the virus du jour.
Plus jerks spamming out custom trojans. Some of them might hide their
payload as a file infection inside a common malware whose social
engineering has been successful. This has the benefit to the jerk of
delaying AV company detection of his malware. Recipients who open the
attachment get the alert from their AV software and they think they were
protected, while the trojan continues its business unimpeded. Depending
on many factors of course.

> -----Original Message-----
> From: Larry Seltzer [mailto:larry@...ryseltzer.com]
> Sent: Friday, September 26, 2003 6:45 AM
> To: kruse@...lroad.dk; 'Liviu Daia'; bugtraq@...urityfocus.com
> Subject: RE: Ruh-Roh SOBIG.G?
> 
> 
> I thought it had expired on 9/10, and it did stop coming for a while.
> I'm seeing it again too; actually, I'm seeing two different attachment
> sizes in the new ones, one around 70K and the other around 100K.
> 
> Did someone reissue Sobig.F with a new expiration date?
> 
> Larry Seltzer
> Security Editor, eWEEK.com
> http://security.eweek.com/
> larryseltzer@...fdavis.com 
> 
> -----Original Message-----
> From: Peter Kruse [mailto:kruse@...sesecurity.dk] 
> Sent: Thursday, September 25, 2003 6:02 PM
> To: 'Liviu Daia'; bugtraq@...urityfocus.com
> Subject: SV: Ruh-Roh SOBIG.G?
> 
> 
> Hi,
> 
> There is no new Sobig worm here. I just ran through samples received by
> the original poster and I can confirm that these are all Sobig-F samples.
> The worm is known to be polymorphic which by nature will change the size
> and content of the code. Nothing new here.
> 
> Kind regards // Med venlig hilsen
> 
> Peter Kruse
> CSIS / Kruse Security ApS
> http://www.krusesecurity.dk
> 