Full Disclosure mailing list archives
Re: [Fwd: [TH-research] Modified Bagle]
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 23 Jan 2004 11:40:25 +1300
Gadi Evron <ge () egotistical reprehensible net> wrote:
> Hi, here's a heads-up from Daniel Otis Vigil on TH-Research (The Trojan Horses Research Mailing List) about a modified Bagle worm, a lot sooner than expected by most experts, but not too surprising.
Well, I wouldn't say that it was expected or unexpected... "Real experts" in this industry take with a grain of salt such vapid prognostications as the inexperienced, outright dim and excessively PR-hungry are prone to make about such things -- "because the virus has a built-in drop-dead date of 28 January, we expect a new variant to be released around that date". Yeah, right, like we have deep psychological insight into the mind/s of the person/s responsible for these things...

Evron's "problem" here is that he believes his own hype. A recently self-appointed malware expert, he has been hyping himself up through his virus-exchange mailing list and posting the work of others from that list to other security lists such as Bugtraq and Full-Disclosure. Unfortunately for Evron, he took Otis-Vigil's recent, but seriously misguided, post to his own mailing list at face value and rushed off to the world (well, Full-Disclosure, Bugtraq, incidents@sf and focus-virus that I know of) to further his dick-waving "look how I/we are saving the world" campaign.

It seems that Evron believes that to be seen to be on top of things, you have to be seen to be the first with significant alerts. This syndrome is not uncommon -- another group of folk concerned about malware issues, but not comprised of those who "do anti-malware" for a living, is often joked to have "discovered twenty of the last ten major outbreaks". If Evron is even half as smart as he thinks he is, he will learn even more from his latest misjudged public outburst than his next potential employer already has...

Anyway, Otis-Vigil's message to Evron's list was a tad short of clue. The modified .EXE Otis-Vigil received simply had a few PE header fields altered (relative to a "normal" Bagle sample).
While such trivial file-tweaking will still "beat" a few woefully clueless scanners (perhaps Otis-Vigil's own "The Cleaner"?), it should not get past any half-decent ones, as it is widely agreed within the AV research community that such alterations alone are insufficient to warrant a new variant ascription. In short, the _code_ has not changed, so it is not a new variant even though the carrier file is not identical to the "original" -- something you may expect of a simple monolithic replicator. This is a very old and well-known issue in the AV research world, again perhaps suggesting something about the level of knowledge and expertise of those who would rush to yell "the sky is falling... Again!".

Seizing on what Evron took to be Otis-Vigil's "expert opinion" (remember, Evron believes his own hype and his mailing list is reputed to be comprised of "malware experts"), and before others on the list had a chance to post amplifications and corrections to Otis-Vigil's post, Evron was out touting his "watch us save the world" efforts. (Of course, he did not have any time to lose -- who knew how soon it would be before the PR companies retained by NAI or Symantec or any of the other serious security companies would have a press release out...)
> More information will be posted if it is determined that this is a new outbreak situation.
And what are the chances you'll now post an apology for being a chronic show-off?
> As always, this message is forwarded under the guidelines as they are specified in the TH-Research FAQ.
Ahhh yes, the "Evron can do anything with your messages but you had better not mention anything you learned on the list anywhere else" clause. Most professional, I must say...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
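The technical point in the reply above is that altering PE header fields changes the carrier file without changing the code it carries, so any check keyed on the whole file (a file hash, a checksum over the complete image) sees a "new" sample while a check keyed on the section contents does not. The following is an added illustration, not code from the post, from Nick FitzGerald, or from any AV product. It builds a constructed, inert single-section PE32 image around a few generic x86 prologue bytes (a stand-in, not Bagle or any other malware, and not a loadable executable), then compares a whole-file SHA-256 with a per-section SHA-256 after tweaking only the COFF TimeDateStamp and the optional-header CheckSum. All function names (`build_pe`, `parse_sections`, `section_hashes`, `same_code`) and the sample bytes are assumptions for this example.

```python
"""
Whole-file hash vs. per-section (code) hash on a minimal PE.

Added example, not code from the original post. The PE image is a
constructed, inert stand-in (a handful of x86 prologue bytes); it is not
Bagle or any other malware, and it is not a complete loadable executable.
"""
import hashlib
import struct

DOS_HEADER_SIZE = 0x40               # e_lfanew lives at offset 0x3C
COFF_HEADER_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                     # PointerToSymbolTable, NumberOfSymbols,
                                     # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
OPTIONAL_HEADER_SIZE = 0xE0          # PE32 optional header
CHECKSUM_OFFSET = 64                 # CheckSum field within the optional header
FILE_ALIGNMENT = 0x200

# Constructed stand-in for a ".text" section: a generic x86 push ebp /
# mov ebp,esp / xor eax,eax / pop ebp / ret, repeated. Nothing more.
SAMPLE_CODE = bytes.fromhex("55 8b ec 33 c0 5d c3") * 16


def build_pe(code: bytes, timestamp: int, checksum: int) -> bytes:
    """Assemble a minimal single-section PE32 image around `code`.

    Only the fields a section-table parser needs are meaningful; the rest
    are zero. `timestamp` and `checksum` are the two header fields that get
    "tweaked" later without the code changing.
    """
    e_lfanew = DOS_HEADER_SIZE
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    coff = struct.pack(COFF_HEADER_FMT,
                       0x014C,               # IMAGE_FILE_MACHINE_I386
                       1,                    # one section
                       timestamp,
                       0, 0,
                       OPTIONAL_HEADER_SIZE,
                       0x0102)               # EXECUTABLE_IMAGE | 32BIT_MACHINE

    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFFSET, checksum)

    headers_len = (e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT)
                   + OPTIONAL_HEADER_SIZE + struct.calcsize(SECTION_HEADER_FMT))
    raw_ptr = -(-headers_len // FILE_ALIGNMENT) * FILE_ALIGNMENT  # round up

    section = struct.pack(SECTION_HEADER_FMT,
                          b".text\0\0\0",
                          len(code),         # VirtualSize
                          0x1000,            # VirtualAddress
                          len(code),         # SizeOfRawData
                          raw_ptr,           # PointerToRawData
                          0, 0, 0, 0,        # relocations / line numbers
                          0x60000020)        # CODE | EXECUTE | READ

    image = bytearray(dos + b"PE\0\0" + coff + opt + section)
    image.extend(b"\0" * (raw_ptr - len(image)))   # pad headers to alignment
    image.extend(code)
    return bytes(image)


def parse_sections(data: bytes):
    """Walk the section table; return [(name, raw_offset, raw_size), ...].

    Raises ValueError for anything that is not a well-formed PE prefix or
    whose section table points outside the file.
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size
    entry_size = struct.calcsize(SECTION_HEADER_FMT)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * entry_size)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} points outside the file")
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size))
    return sections


def file_hash(data: bytes) -> str:
    """What a naive "have I seen this exact file?" check compares."""
    return hashlib.sha256(data).hexdigest()


def section_hashes(data: bytes) -> dict:
    """Hash each section's raw bytes; header fields never enter the digest."""
    return {name: hashlib.sha256(data[off:off + size]).hexdigest()
            for name, off, size in parse_sections(data)}


def same_code(a: bytes, b: bytes) -> bool:
    """True when every section's bytes match, whatever the headers say."""
    return section_hashes(a) == section_hashes(b)


if __name__ == "__main__":
    original = build_pe(SAMPLE_CODE, timestamp=0x3FFF0000, checksum=0)
    tweaked = build_pe(SAMPLE_CODE, timestamp=0x40000000, checksum=0x1234)
    patched = build_pe(SAMPLE_CODE + b"\x90", timestamp=0x3FFF0000, checksum=0)
    print("whole-file hashes differ after header tweak:",
          file_hash(original) != file_hash(tweaked))
    print("section hashes identical after header tweak:", same_code(original, tweaked))
    print("genuine code change still detected:", not same_code(original, patched))
```

The header-only tweak flips the whole-file hash but leaves the `.text` digest untouched, which is the distinction the reply draws between "the carrier file is not identical" and "the code has not changed". Section hashing is only the simplest form of that idea; it is enough to show why a header edit is not a new variant, but it says nothing about samples that have actually been repacked or recompiled, where the section bytes do change.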
Current thread:
- [Fwd: [TH-research] Modified Bagle] Gadi Evron (Jan 22)
- Re: [Fwd: [TH-research] Modified Bagle] Nick FitzGerald (Jan 22)
- Re: Re: [Fwd: [TH-research] Modified Bagle] Gadi Evron (Jan 22)
- Re: [Fwd: [TH-research] Modified Bagle] Nick FitzGerald (Jan 22)