Open Source and information security mailing list archives
From: nick at (Nick FitzGerald)
Subject: Re: [Fwd: [TH-research] Modified Bagle]

Gadi Evron <> wrote:

> Hi, here's a heads-up from Daniel Otis Vigil on TH-Research (The Trojan
> Horses Research Mailing List) about a modified Bagle worm, a lot sooner 
> than expected by most experts, but not too surprising.

Well, I wouldn't say that it was expected or unexpected...

"Real experts" in this industry take with a grain of salt such vapid 
prognostications as the inexperienced, outright dim and excessively
PR-hungry are prone to make about such things -- "because the virus has 
a built-in drop-dead date of 28 January, we expect a new variant to be 
released around that date".  Yeah, right, like we have deep 
psychological insight into the mind/s of the person/s responsible for 
these things...

Evron's "problem" here is that he believes his own hype.  A recently 
self-appointed malware expert, he has been hyping himself up through 
his virus-exchange mailing list and posting the work of others from 
that list to other security lists such as Bugtraq and Full-Disclosure. 
Unfortunately for Evron, he took Otis-Vigil's recent, but seriously 
misguided post to his own mailing list at face value and rushed off to 
the world (well, Full-Disclosure, Bugtraq, incidents@sf and focus-virus 
that I know of) to further his dick-waving "look how I/we are saving 
the world" campaign.  It seems that Evron believes that to be seen to 
be on top of things, you have to be seen to be the first with 
significant alerts.  This syndrome is not uncommon -- another group of 
folk concerned about malware issues, but not comprised of those who "do 
anti-malware" for a living is often joked to have "discovered twenty of 
the last ten major outbreaks".  If Evron is even half as smart as he 
thinks he is, he will learn even more from his latest misjudged public 
outburst than his next potential employer already has...

Anyway, Otis-Vigil's message to Evron's list was a tad short of clue.  
The modified .EXE Otis-Vigil received simply had a few PE header fields 
altered (relative to a "normal" Bagle sample).  While such trivial file-
tweaking will still "beat" a few woefully clueless scanners (perhaps 
Otis-Vigil's own "The Cleaner"?), it should not get past any half 
decent ones as it is widely agreed within the AV research community 
that such alterations alone are insufficient to warrant a new variant 
ascription.  In short, the _code_ has not changed so it is not a new 
variant even though the carrier file is not identical to the "original" 
-- something you may expect of a simple monolithic replicator.  This is 
a very old and well-known issue in the AV research world, again perhaps 
suggesting something about the level of knowledge and expertise of 
those who would rush to yell "the sky is falling... Again!".

Seizing on what Evron took to be Otis-Vigil's "expert opinion" 
(remember, Evron believes his own hype and his mailing list is reputed 
to be comprised of "malware experts"), and before others on the list 
had a chance to post amplifications and corrections to Otis-Vigil's 
post, Evron was out touting his "watch us save the world" efforts.  (Of 
course, he did not have any time to lose -- who knew how soon it would 
be before the PR companies retained by NAI or Symantec or any of the 
other serious security companies would have a press release out...)

> More information will be posted if it will be determined that this is a 
> new outbreak situation.

And what are the chances you'll now post an apology for being a chronic 

> As always, this message is forwarded under the guidelines as they are 
> specified in the TH-Research FAQ.

Ahhh yes, the "Evron can do anything with your messages but you had 
better not mention anything you learned on the list anywhere else" 
clause.  Most professional, I must say...


Nick FitzGerald
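As an added illustration of the point made above about header-only tweaks (this is example code, not part of the original post or of any product mentioned): a small Python script that fingerprints a PE file's section contents rather than the whole file, so that edited PE header fields leave the fingerprint unchanged while an actual code change does not. The PE image and its "code" bytes are constructed inside the script and are not taken from any real sample.

```python
import hashlib
import struct

# Constructed, deliberately tiny PE32 image (not a real binary): a DOS header,
# a PE/COFF header, a zero-filled optional header and one ".text" section.
OPT_HDR_SIZE = 224          # SizeOfOptionalHeader for PE32
RAW_DATA_OFFSET = 512       # file offset where the single section's bytes live
CONSTRUCTED_CODE = bytes.fromhex("558bec83ec10c745fc00000000ebfe")  # placeholder bytes

def build_pe(timestamp, section_flags, code=CONSTRUCTED_CODE):
    """Return a minimal PE whose header fields can be varied independently of its code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_SIZE - 2)  # PE32 magic, rest zero
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                       RAW_DATA_OFFSET, 0, 0, 0, 0, section_flags)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(RAW_DATA_OFFSET, b"\0") + code

def iter_sections(pe):
    """Walk the section table and yield (name, raw bytes) for each section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # signature + COFF header + optional header
    for i in range(n_sections):
        name, _vs, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode(), pe[raw_ptr:raw_ptr + raw_size]

def file_hash(pe):
    """Whole-file hash: changes whenever any byte, header fields included, changes."""
    return hashlib.sha256(pe).hexdigest()

def code_fingerprint(pe):
    """Hash over section names and contents only: header-field edits do not affect it."""
    h = hashlib.sha256()
    for name, data in iter_sections(pe):
        h.update(name.encode() + b"\0" + data)
    return h.hexdigest()

if __name__ == "__main__":
    original = build_pe(0x40000000, 0x60000020)
    tweaked = build_pe(0x41000000, 0x60000060)   # same code, different TimeDateStamp/flags
    print("file hashes differ:", file_hash(original) != file_hash(tweaked))
    print("code fingerprints match:", code_fingerprint(original) == code_fingerprint(tweaked))
```

A whole-file hash flags the tweaked file as "new", while the section-level fingerprint correctly reports that the code is unchanged; only a file whose section bytes actually differ produces a different fingerprint.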
