Full Disclosure mailing list archives

Re: Bogus FBI Email


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jan 2004 23:48:03 +1300

"Casey Townsend" replied to Valdis Kletnieks:

[restructured to correct for top posting-itis...]

> > W32/Sober-C, I believe.  Consult your favorite AV vendor's info
> > pages for details.

> I received the following private reply which makes me think it is NOT
> W32/Sober-C, as Norton would have caught it.
>
> "An associate of mine had this one hit his computer and he had to start
> from scratch with a complete rebuild. He told me he felt pretty stupid
> about it because he isn't one of the people that don't have a clue, but
> the fact that it was intimidating enough led him to open the mail and it
> ran. It got by Norton as well and he could not recover when it hit him.
> That is about all I know about it at this time."

Ahhh yes, a FOAF denial -- generally even harder to refute than 
"firsthand" FOAFs...

From the described content, the odds are phenomenally high that the 
message he saw was produced by Sober.C.  As to why NAV "missed" 
detecting the attachment (or not), there are myriad possible 
explanations, none of which can be satisfactorily divined from your 
friend's chronically deficient description of the events.  However, 
based on much experience of such things in general (and some experience 
with Sober.C) I'll list, in no particular order, a few of the most 
likely explanations of NAV's failure in this case...

1.  He had unwittingly turned off NAV's Email scanning...

2.  ... or his kids deliberately turned it off to speed up their 
favourite shoot'em up.

3.  He had been infested with some other, unknown to NAV (at the time), 
malware which disabled NAV before the message arrived.

4.  His NAV update subscription has expired so he has not received a 
NAV update since before Symantec added detection of Sober.C.

5.  Some other systematic problem has recently been introduced into his 
setup which has prevented NAV updating (how clueful is his ISP?  Did he 
block LiveUpdate from accessing the Internet in the firewall?).

6.  The copy of Sober.C attached to the message was truncated, and thus 
corrupted and (probably) unrunnable.  Regardless of its runnability, 
NAV failed to detect it because some part of the file critical to NAV's 
detection of Sober.C is "missing".  Yes, I've seen this with Sober.C.

7.  The copy of Sober.C attached to the message has been infected with 
some other, parasitic PE infector which is now tagging along with 
Sober.C.  Because this is a new virus, NAV may not detect it (and 
almost certainly wouldn't report Sober.C).  I've not seen any other 
virus piggybacking with Sober.C yet, but based on much experience with 
other self-mailing PE viruses, it's only a matter of time...

...and many others I now can't be bothered describing.

Anyway, the bogus FBI messages you asked about (plus several other 
interesting SE approaches) are used by Sober.C, and as of this writing 
_only_ by Sober.C.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
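Added illustration of points 6 and 7 in the post above (this is constructed example code, not part of the original message and not any vendor's engine): a whole-file hash and a byte-pattern signature are each run over a complete, a truncated and a parasitised copy of a made-up attachment, alongside a coarse executable-attachment policy check that does not depend on any signature. The sample bytes, the hash and the pattern are all assumptions invented here.

```python
import hashlib

# Constructed bytes standing in for a mass-mailer attachment (not real Sober.C code).
DOS_STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
BODY = b"\x90" * 64 + b"MAILER-PAYLOAD-MARKER" + b"\x90" * 64
ORIGINAL = DOS_STUB + BODY

# Two kinds of "signature", both derived from the constructed original above.
KNOWN_HASH = hashlib.sha1(ORIGINAL).hexdigest()   # whole-file hash signature
PATTERN = b"MAILER-PAYLOAD-MARKER"                 # characteristic byte string


def detect_by_hash(data: bytes) -> bool:
    """Exact whole-file match: any byte changed or lost breaks detection."""
    return hashlib.sha1(data).hexdigest() == KNOWN_HASH


def detect_by_pattern(data: bytes) -> bool:
    """Byte-pattern match: fails only if the region carrying the pattern is gone."""
    return PATTERN in data


def is_executable_attachment(data: bytes) -> bool:
    """Coarse policy check independent of signatures: DOS/PE files start with 'MZ'."""
    return data[:2] == b"MZ"


def scan(data: bytes) -> dict:
    """Run all three checks and report which ones fire."""
    return {
        "hash": detect_by_hash(data),
        "pattern": detect_by_pattern(data),
        "executable": is_executable_attachment(data),
    }


# Point 6: the transfer cut the attachment off before the region the pattern lives in.
TRUNCATED = ORIGINAL[: len(DOS_STUB) + 32]
# Point 7: another file infector appended its own code, so the whole-file hash no longer matches.
PARASITISED = ORIGINAL + b"\xcc" * 128

if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("truncated", TRUNCATED), ("parasitised", PARASITISED)):
        print(name, scan(sample))
```

The truncated copy defeats both signatures, the parasitised copy defeats only the hash, and the executable-attachment check fires on all three, which is why attachment-type policy is worth having alongside signature scanning.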

