Message-ID: <3F5A7365.22747.CDD99A86@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Anybody know what Sobig.F has downloaded?

A few days ago "Ferris, Robin" <R.Ferris@...ier.ac.uk> wrote:

> Old News, what most of us are waiting for is the next sobig variant that
> will come out after sept 10. Some have said that it will be out on the 11th
> but I think that was just the AV vendors hyping things up (read Symantec,
> NAI etc.); the smaller ones are more accurate.

I'd not be surprised if we see it sooner, and I mean sooner than 10 
September.  There is no "need" for Sobig's writer to wait until then to 
release the next variant, and at least one previous "next variant" was 
released "early".  Given that Sobig.F has been all but a complete 
failure (in terms of what it seems intended to achieve -- grow the 
relay and proxy network of the spammers posited to be behind it), it 
would not be surprising if the next variant were released "ahead of 
schedule".

> For info on the 2nd part go to sophos or something like that they have
> documented it quite well.

You are badly mistaken.

Very, very few public sources of information about the nature of 
Sobig.F's "second stage" are available for the simple reason that it 
did not really happen.  A couple of astute observations have been made, 
but not widely publicized (and are very unlikely to be because they are 
not the kind of thing that neatly boils down into a media-palatable 
sound bite).  Aside from those technical observations, we have had a 
bunch of companies engaged in self-congratulation and loudly patting 
themselves on their own backs for what a good job they did in helping 
to prevent the "second stage".  Unfortunately, most of these have 
essentially been media events where the actual nature of Sobig's 
"second stage" has been largely, if not entirely, misrepresented -- a 
significant amount of the "popular media" coverage (and quite some of 
the FBI, etc.-sourced material) would lead you to believe that the 
"second stage" that was so gallantly prevented was a DoS against 20 
hapless and apparently arbitrarily chosen cable and DSL users around 
the world.

The media coverage of the whole Sobig.F fiasco, and the publicity chase 
that it inspired -- both in the antivirus & security industry and in 
law enforcement -- and/or that drove it, would be hilarious had it not 
done massive damage to the competent forensics work that could have 
been achieved if the gibbering half-wits that had to tattle their 
imagined glory to the media had just STFU for a while, for once.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854