Message-ID: <3F4602A9.12893.7E024190@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [inbox] Re: Fwd: Re: Administrivia: Binary Executables w/o Source
"Jason Coombs" <jasonc@...ence.org> wrote:
> Nick FitzGerald came to his senses and removed me from the pedestal he had
> placed me on, and then launched into a well-written barrage of fact, beginning
> thus:
Nice... 8-)
> >> I agree completely. The sobig spam is valuable -- it shows us who we
> >> should not trust to operate a computer.
> >_If_ you know what to take from the headers _AND_ have omniscient
> >access to the mythical IP-to-user mapping address list...
>
> Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user
> mapping list -- and so do you. ...
No, we don't.
> ... How many FD subscribers post to the list from
> the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure
> you that I am the only one.
> Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
<<snip>>
Posting is not the issue. The virus can harvest the posters' addresses
(yours and mine and Thor's and Len's and all the others) from the
drives of any _subscriber_. It then can post from that machine using
whichever of the addresses it chooses. How many subscribers (who have
posted or not) are on popular cable, DSL and even dial-up connects?
You may be the only poster from that domain, but are you sure you're
the only subscriber? And what about non-subscribers who, for whatever
reason (perhaps looking for help with just this virus) searched the
web, found some web archive of F-D and thus gave up your address to the
virus through the contents of their local web cache directories?
> Likewise, you are quite possibly the only person who posts from CLEAR Net
> Mail, New Zealand. At least while using your mobile device...
>
> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
> Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
<<snip>>
Yep -- but am I the only person using clear.net.nz who subscribes?
And recall, the worm does not use the default (or any particular) mail
client on the victim machine. As has become the fashion among
"successful" self-mailers with the introduction of object blocking on
the Outlook application object, Sobig rolls its own SMTP, even going so
far as trying to properly look up MX records for its targets, so all
you get in the virus' message headers is what the first SMTP relay it
hit records in its Received: headers.
Finally, consider the subscriber to poster (or "lurker") ratio. Len
may have a better idea, but I'd hazard that in large-ish lists such as
this, fewer than 10% of subscribers post and probably less than half of
them are "regular" posters.
> I appreciate your attention to detail, ...
Thank you.
I hope you still appreciate it given the further flaws in your thinking
about this incident described above.
> ... but the relevant detail you missed was
> my conclusion, a witty challenge to Len Rose to stop concealing the truth and
> give us full disclosure:
I did not miss that that was rather playful.
However, I also noted that your post, along with several others
yesterday, supported a chronically ignorant view of how to properly
deal with such messages and I felt the greater good was served by
challenging and correcting that ignorance, as Sobig.F is just one of
many of this type of malware event and there will certainly be many
similar ones yet. Thus it seems that having the folk who can greatly
influence the handling of such events be properly informed of the
issues they must consider when faced with such incidents, before
launching any of the apparently popular but hare-brained "solutions"
that have been suggested, is a good thing and contributes to the
overall solution, rather than to the problem.
<<snip>>
> Thor Larholm then came up with a very good idea to post a Web-based
> full-disclosure archive of everything received not just everything that ends
> up distributed to the list. The potential forensic value of Thor's suggestion
> is staggering.
>
> Thor Larholm wrote:
> > In that case, I would prefer if Len put up an archive of all the virus
> > mails sent to FD so everybody on the list could have fun analyzing it.
> > Couple it with the archives of normal posts and some regging+grep'ing
> > you will be bound to find correlations between posting IP addresses.
I'm sure you might find a small number of such interesting detects, but
the odds are very high that the infected parties that seem to have FD
posters' addresses in their sights are not themselves posters to FD
(recall the lurker ratio). You may find and shame a few of the lamer
posters (who are probably generally derided or ignored anyway) but most
of the virus-sending IPs will turn up no reasonably verifiable
relationships to known FD posters because, as I've said many times now,
there are many, many ways the FD posters' addresses get onto Sobig
victims' machines and thus into Sobig's target list. On balance, I
just don't think it would be worth the effort of even looking.
> Nick, I truly did not deserve to be on your pedestal, anyway, so this has all
> been very constructive.
It was a pedestal in the sense that I would choose to read your posts
ahead of Mr Woods' and most others. I was genuinely surprised that
your message showed so many fundamental misunderstandings of the
workings of the virus and their obvious implications for any "SMTP
forensics" based on the virus' messages.
> It's important that we remember to laugh a little, especially at ourselves.
Indeed, and I hope you are still...
> The funniest thing I've seen in a long time is the direct relationship between
> Symantec's stock price (SYMC) and the release of successful worms/virii...
> Antivirus software vendors may not be paying the authors of malware directly,
> but it sure looks like a good business to write and release malware in order
> to manipulate the market price of certain A/V vendors' stock. You gotta love
> the free market...
I think you meant "saddest" for that second word...
Regards,
Nick FitzGerald
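The header-walking Nick describes above (the worm's own SMTP engine delivers straight to the target's MX, so the only hop recorded by a server you can trust is the bottom-most Received: line, while the HELO name and the From: address are whatever the worm chose), as an added example that is not part of the original post or of any tool the thread mentions. The sample message, the hostnames and the IP addresses (documentation ranges) are constructed for illustration, not Sobig traffic; the HELO-versus-reverse-DNS consistency check is a simple heuristic of my own, not something the post prescribes.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real Sobig message). The sender's SMTP engine
# connected to mx.example.org claiming to be smtp2.clear.net.nz in HELO and
# using a harvested From: address; mx.example.org recorded what it actually
# saw (reverse DNS and IP of a DSL customer) and then relayed to the list host.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.5])
\tby lists.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <full-disclosure@lists.example.org>; Wed, 20 Aug 2003 12:00:00 +0000
Received: from smtp2.clear.net.nz (cust-dsl-17.example.net [192.0.2.17])
\tby mx.example.org (Postfix) with SMTP id 4D5E6F
\tfor <full-disclosure@lists.example.org>; Wed, 20 Aug 2003 11:59:58 +0000
From: Nick FitzGerald <nick@virus-l.example>
To: full-disclosure@lists.example.org
Subject: Re: Your details

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <relay>": the HELO name is
# claimed by the client; the bracketed part is what the receiving server observed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw: str) -> list[dict]:
    """Return the Received: chain in delivery order (first relay first).

    Each relay prepends its own Received: line, so the bottom-most header
    in the message is the earliest hop.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    return hops


def origin(raw: str) -> dict:
    """The only hop with forensic value: what the first relay recorded."""
    return received_hops(raw)[0]


def spoof_indicators(raw: str) -> dict:
    """Compare the attacker-controlled fields with what the first relay saw."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    first = origin(raw)
    helo, rdns = first["helo"], first["rdns"]
    # Heuristic (assumption): a genuine relay's reverse DNS normally sits in
    # the same domain it names in HELO; a home DSL name claiming to be an
    # ISP's mail server does not.
    parent = helo.split(".", 1)[1] if "." in helo else helo
    consistent = rdns is not None and (rdns == helo or rdns.endswith("." + parent))
    return {
        "from_domain": addr.rpartition("@")[2],  # harvested, proves nothing
        "helo": helo,                            # claimed by the sender, proves nothing
        "observed_rdns": rdns,                   # recorded by the first relay
        "observed_ip": first["ip"],              # recorded by the first relay
        "first_relay": first["by"],
        "helo_consistent": consistent,
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print(spoof_indicators(SAMPLE))
```

Note that even the bottom-most line is only as good as the relay that wrote it: if the first hop is an open relay or a compromised host, its Received: line is just another untrusted claim, and none of the fields above identify a person, only an address a machine used at one moment.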