Message-ID: <401E386C.24983.14F27DE2@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MyDoom.b samples taken down
"first last" <randnut@...mail.com> wrote:
> Nick, you being the virus expert and all, how come it took you and your
> fellow virus experts two days to "decrypt" (i.e., unpack) the
> tElock-protected Sobig.F virus a couple of months ago? ...
You being so smart and all, how come you still haven't worked out that just
because some AV developer's PR twats went rushing to media saying "we
just worked out what will happen tomorrow" may have no bearing on
reality?
Think about it -- I know that will be a strain for you, but try...
The code is available. It runs. Therefore it can be analysed.
So guess what?
It was.
Just because some AV developers did not rush for the publicity
spotlight does not mean others were not quietly working away at what
they do, contacting the admins of the sites or domains hosting the
likely to be affected machines, etc, etc, etc.
> ... It appears that your
> awesome skill of being able to unpack UPX scrambler protected programs such
> as MyDoom.B couldn't help you back then. So what any smart virus author
> needs to do to stop these self-proclaimed virus experts is to use tElock or
> any other non-UPX protector to protect their viruses from being analyzed by
> virus "experts". That will buy the virus author 2+ days of time.
That is such bad advice I hope all virus writers reading this take
it...
You seem to have a very misguided view of the significance of tElock in
the Sobig.F "decryption incident" -- probably not surprising given that
your main source of information on it is the media...
> >No -- that's what happens when you actually have half a clue about the huge
> >_further_ damage such things can do if actually successfully distributed.
> >Mydoom.B has largely _not_ taken off, but all it probably needs is a touch
> >of the usual "luck" which is all that distinguishes most successful
> >mass-mailers from the huge numbers of unsuccessful ones lamers, like those
> >on this list clamouring to get a Mydoom.B sample, never see.
>
> I never analyzed the MyDoom.A or the MyDoom.B worms because I know the
> anti-virus companies already did that the very same day they got the virus.
> But from what I've read, the email sent by MyDoom.B is exactly the same one
> sent by MyDoom.A. No wonder MyDoom.B never succeeded in infecting more
> machines. Even if someone on this list mistakenly got infected by the copy
> and sent out the virus to other people it's not going to make it any more
> successful than it is because it looks exactly like MyDoom.A in your inbox.
And what made Mydoom.A _so_ successful?
There is always an element of what, for a better term, the experts
refer to as "luck". Technically identical mass mailers succeed and fail
more or less randomly (of course, you don't see the hordes of entirely
unsuccessful ones we do, so you wouldn't know this). Mydoom.B has more
chance of striking it lucky the more people run it, simply because of
the human factor such as the wannabe "analyst" who runs it while
connected to the net. Fercrissakes, I've seen far too many "security
experts" referring to Mydoom as an "Outlook worm". This is a problem
caused by lack of intellect on the part of the "expert" who fails to
grasp the significant difference between:
... scans many kinds of files on the victim machine looking
for email addresses (including Windows Address Book, Outlook mail
folders, Word documents and .TXT files)
and:
The worm spreads itself via Outlook's automation interface.
I guess if we put "Word document files" at the top of that list and
left out mention of "Outlook" completely the same "expert" would refer
to it as a "Word macro virus"... 8-)
Anyway, based on such erroneous comments from "respected" security
experts, there's bound to be at least one wannabe virus analyst out
there with a test machine all ready to go, connected to the Internet
but "safe" because it does not have Outlook installed.
> >I know most of you will not believe this because you so stupid you
>
> You so smart Nick. Self-proclaimed virus experts like yourself should go
> back to your internal virus mailing lists. Or did they kick you out?
Is diddums jealous?
> >And save me the almost inevitable full-disclosure mantra BS replies! I
> >really do not want to hear your ignorance rephrased that way, again -- at
> >least walk the walk before you try to talk the talk...
>
> If you don't want to read what people have to say, don't post to this list.
The point is, when I know what they will say and it is wrong and they
know it and they know I know it and they know they won't change their
mind if I respond, I might as well save them the wasted effort of
replying by pointing out I have no intention of responding to such
dribblings.
If they have something new or interesting to say, by all means they
should say it. But if it's going to be the typical "this is full
disclosure" twaddle with the "and I am too stupid to understand that
you make self-replicating code problems worse by increasing the code's
chance of replicating" sub-text, I have heard it, you are just plain
wrong _AND_ dangerously stupidly so.
Regards,
Nick FitzGerald