Gadi Busted In Massive Conspiracy

["Randy Abrams" <abrams () eset com>]

I thought I was just writing a blog - many thanks to Joel E. for partial
inspiration :)

Gadi thought I was taking notes from this morning's call.

http://209.59.135.198/threat-center/eset_threat_blog.php

I hope you enjoy.

Cheers,

Randy

ESET
Thursday, February 02, 2006
  
The Great Anti-Virus Conspiracy 

Working in the anti-virus industry requires a good stock of tin foil hats to
hand out to some strange conspiracy theorists. The fact is that the
anti-virus industry didn't name a worm "Kama Sutra", the media did. The AV
industry didn't name the worm "Blackworm", that was a group (TISF BlackWorm
task force) from a pair of security lists called MWP (Malicious Websites and
Phishing) and DA (Drone Army). Blackworm is a bit easier to remember than
VB.NEI, or most of the other names this one goes by. Ultimately I believe
that Mitre showed their metal with the Common Malware Enumeration (CME)
system. We can all say CME-24 and know we are talking about the same item.
This became quite handy when talking to people whose products call CME-24 by
the names VB.NEI, Nyxem, Blackmal, and the lot.

And yet, the AV industry is accused of a conspiracy to hype things up.
Silly.

The Real Conspiracy. (thunder, lightening, and a smoldering cigar please)

The DA and MWP lists, coordinated and moderated by Gadi Evron, consist of
security professionals who work in most any industry that has a role in
internet security. Member of law enforcement, ISPs, ASPs, education, and
security vendors all are represented. I'm sure I forgot a few, like ESET,
Microsoft and various CERTs.

This group of people has conspired with many others to attempt to warn users
about CME-24 in an effort to mitigate the harmful effects of the worm. I
know - I was on a conference call today where we all shared information
about efforts to deal with the problem. Here's some of what we heard.

Dr. Johannes Ullrich (SAN ISC) and Prof. Randy Vaughn (Baylor University)
both spent a week tracking down which ISPs had infected users, and then
contacting these ISPs to help them help their users. Much of their work
involved tedious work parsing logs that the worm creates.

Joe Stewart, Senior Security Researcher with LURHQ (http://www.lurhq.com/)
assisted in the effort and provided analysis of the worm very early on and
updated the large group on a variety of facets of his work.

We heard from KRCert, the Korea Computer Emergency Response team that this
worm is not as wide spread as some have been in the past, but Alex Shipp
(MessageLabs), and others have warned that they are seeing particularly
large numbers of infection indications coming from India. It's not going to
be pretty there.

My former co-worker, Greg Galford from Microsoft let us know that call
volumes from Asia (it is already the 3rd there, are not above normal. Good
news there. Additionally, you better have some anti-virus software on your
PC, CME-24 detection isn't being added to the Malicious Software Removal
tool until the usual monthly update time. This makes sense - the security
vulnerability is users clicking on attachments they shouldn't. There is no
Microsoft vulnerability at work and the MSRT is not a replacement for
anti-virus.

I invited people from competing anti-virus companies to join the call (I
know conspiracy written all over it) and several people did contribute to
the conversation. I felt that we did a great job, but suggested we do a
better job with naming next time. None of the anti-virus compnaies were
calling CME-24 "Blackworm" so we probably should have gone with someting
that was already being used.

The FBI had a representative on the call who indicated that they have
received some good leads in recent days.

Yes, I admit it. The conspiracy is larger than previously disclosed in
public. Microsoft, The FBI, ISPs, Registrars, ASNs, Anti-Virus, US-CERT,
UNIRAS (UK), FIRST, SANS ISC and MANY, MANY other security people and groups
from a variety of industries and all over the world are working together to
try to help minimize the damage fro this worm. What's worse is that we've
been doing this type of thing for years and will continue to get better at
it.

This conference call, and a smaller one a week earlier (also organized by
Gadi Evron) not only have help protect users, but significantly contributes
to enhancing collaboration between security professionals from a diverse
array of security disciplines.

Yeah, there's a conspiracy for you.

By the way, I think the CIA might have been listening to the call, but my
phone was wrapped in foil. I don't think they heard me.

Randy Abrams
Director of Technical Education
ESET LLC
www.eset.com



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.