Message-ID: <41B1FD84D49E05448A4233378E6BF475163BF8@entmsgnt03.fm.frd.fmlh.edu>
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: Authorities eye MSBlaster suspect

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.B&VSect=S

Trend's stat can be off by a factor of ten or more for very small
infections. For Blaster.A, they say there were about 60,000; more likely
there were between half a million and a million. For Blaster.B, they say
there were 16; the likely total is almost definitely under a thousand.

Recent articles indicate that he was "responsible" for Blaster.C, not B
(although this had been misidentified in every article I've seen). The
executable for this was named "teekids.exe". Since his handle was teekid
and he was active in chat rooms and IRC, he must have been very
difficult to find. Trend says they detected 929 infections with
Blaster.C, so 7,000 total is probably not unrealistic. Still, it's less
than 0.1% of what Blaster.A or Nachia did, although from the press you'd
think this kid was responsible for it all.

The "virus" that was listed on his website was actually a p2p "worm"
that spread over kazaa. He claimed authorship, and had a link to the
file, which was actually located at
http://www.chaos-networks.com/staff/teekid/p2p.teekid.C.rar (it's no
longer there). Chaos Networks apparently was the hosting provider
referenced in the article.

I'm sure that the FBI would never exaggerate the extent of the damage,
in order to look like they were busting a major hacker after a difficult
investigation instead of some kid like millions of others with more time
and anger than skills. 

It looks like it took the FBI 6 days to find what took 10 minutes on
Google. Let's see, executable name is teekids.exe, here's a
script-kiddie that goes by teekid, he's got a web site called
t33kid.com, the whois for the domain gives his real name and address.
Enough probable cause to get a warrant right there.

Jerry


-----Original Message-----
From: the lumpalaya [mailto:lumpy@...y.haze.net] 
Sent: Friday, August 29, 2003 3:03 PM
To: Jerry Heidtke
Subject: RE: [Full-Disclosure] Authorities eye MSBlaster suspect


Court documents obtained by CNN allege that Parson's version of the worm
infected at least 7,000 computers. Investigators say they were able to
track him down after interviewing the person who hosted Parson's site
t33kid.com. The site, which the FBI says used to list the code for at
least one virus, appeared not to contain any content Friday.



Where did you get the total of 16?


