Information Security News mailing list archives

Thank you for the details about that movie regarding my application for the approved wicked screensaver


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Aug 2003 07:52:48 -0500 (CDT)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

Given that Sobig.F seems to have subsided from its weekend peak (from
my numbers, it was doubling every day last week up until Sunday and
then suddenly dropped off--to a rate that is still roughly as high as
Klez at its worst) and that "Stage 2" seems to have been averted, a
few thoughts.

Blaster, a worm, infected relatively few machines but inconvenienced
(and in some cases worse) companies, so it gets its name in the
paper.  Sobig surpasses all records in terms of number of email
messages generated, and almost nobody (outside of our little security
circle) is paying attention.

Spoofing of email headers in virus messages goes back to Hybris or
before.  Most of the successful email viruses have used some form of
spoofing.  Yet antivirus companies, in their mail server based
products, are continuing to generate bounce messages to the nominal
sender, probably in an attempt to market their products.

I got a lot of bounced Sobig over the past week.  None, of course, had
been sent from me.  What these bounces are actually doing is aiding
the virus: the bounce messages send the virus (a full copy of the
original message is often included) to yet another machine.  Spammers
have also been using spoofed email addresses for some time.  Bounced
spam is therefore also helping spammers to spread their messages.  
Two spam for the price of one, thanks to bounces.  (Occasionally I
hear of a server being inundated by a faked sender address on spam,
but this seems to be rare.  Which would seem to indicate that spammers
are deliberately using random addresses, possibly for reasons of
multiplication through bounces.)

One of the interesting points to come out of the height of the Sobig
numbers on Saturday was that I saw relatively *few* bounces, in
proportion to what one might have thought was the case.  My address is
obviously on enough infected machines for me to get huge numbers of
infected messages: due to the way the virus spoofs addresses, a large
number of the Sobig messages would have been sent "from" me.  Given
that the majority of server based antiviral packages do bounce
messages, the penetration of server based virus scanning would
therefore seem to be quite low.  (Interesting, the indirect things you
can learn in the aftermath of an attack.  Consider the subject line of
this message a test of content scanners still doing simplistic subject
line rejections.)

I have been warning about the type of convergence of malware
technologies involved in the "stage 2" situation for a few years now.  
Will it be taken seriously after Sobig?  (Listen to the sound of me
*not* holding my breath.)  Sobig seems to have been planned and
designed with much greater care than is usually the case with viruses
and malware.  Up until now, we have been spared what viruses *could*
do primarily by the fact that we have been facing a bunch of
disorganized amateurs.  A number of comments about Sobig have raised
the possibility of an involvement with spammers and/or organized
crime.  (We already know that "red guest" groups in China are much
more organized and disciplined than traditional blackhats.)  Sobig may
simply be the result of an isolated creative mind, but relying on that
supposition as fact is dangerous security planning.

Buried in the investigations into Sobig.F, you will find reference to
the fact that it stops reproducing after September 10th.  I'm afraid
it took my wife pointing it out to make me realize that this is one
day before September 11th.  Sobig.G, anyone?


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
You know the type.  They like to blame it all on the Jews or the
Blacks, 'cause if they couldn't, they'd have to wake up to the
fact that life's one big, scary, glorious, complex and ultimately
unfathomable crapshoot -- and the only reason THEY can't seem to
keep up is they're a bunch of misfits and losers
                 - An analysis of Neo-Nazis, from `The Badger' comic
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
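The backscatter mechanism described in the post (a gateway scanner "returning" a virus message, full copy included, to a forged From: address) is easy to reproduce with the standard library. The following is an added example, not code from the post or from any product it criticises; the addresses, subject, attachment name and attachment bytes are constructed, and the "scanner" is a stand-in that flags any .pif attachment rather than a real AV engine. It contrasts the naive bounce with the two handling choices a practitioner would want instead: rejecting during the SMTP transaction so that no bounce is ever generated, or, if a notice must be produced after acceptance, sending a headers-only notice to the local recipient rather than to the forged sender.

```python
"""Backscatter demonstration: a virus notification bounced to a forged
From: header forwards the payload to an innocent third party.

Added example, not part of Rob Slade's post.  All sample values below are
constructed for illustration; PAYLOAD_BYTES is not real malware.
"""
from email import policy
from email.message import EmailMessage

# Constructed sample values (assumptions, not from the original post).
SPOOFED_SENDER = "innocent.bystander@example.net"   # never sent anything
LOCAL_RECIPIENT = "victim@example.org"               # target of the worm message
GATEWAY = "postmaster@mail-gateway.example.com"
PAYLOAD_NAME = "your_document.pif"
PAYLOAD_BYTES = b"MZ-constructed-stand-in-payload"


def build_worm_message() -> EmailMessage:
    """Construct a Sobig-style message: From: is forged to an address harvested
    from the infected machine, and the body carries an executable attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = SPOOFED_SENDER
    msg["To"] = LOCAL_RECIPIENT
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(PAYLOAD_BYTES, maintype="application",
                       subtype="octet-stream", filename=PAYLOAD_NAME)
    return msg


def scanner_flags(msg: EmailMessage) -> bool:
    """Stand-in for a gateway AV verdict: flag any .pif attachment."""
    return any((part.get_filename() or "").lower().endswith(".pif")
               for part in msg.iter_attachments())


def carries_payload(msg: EmailMessage) -> bool:
    """True if the executable attachment is present anywhere in the message
    tree, including inside a nested message/rfc822 part."""
    return any((part.get_filename() or "").lower().endswith(".pif")
               for part in msg.walk())


def naive_bounce(original: EmailMessage) -> EmailMessage:
    """The behaviour the post complains about: accept the message, detect the
    virus, then mail the whole thing back to the header sender.  Because
    From: is forged, the payload is delivered to someone who never sent it."""
    bounce = EmailMessage(policy=policy.default)
    bounce["From"] = GATEWAY
    bounce["To"] = str(original["From"])          # trusts the forged header
    bounce["Subject"] = "Virus detected in your message"
    bounce.set_content("Your message contained a virus and was not delivered. "
                       "The original message is attached.")
    bounce.add_attachment(original)               # attached as message/rfc822
    return bounce


def smtp_time_verdict(msg: EmailMessage) -> str:
    """Preferred handling: scan while the sending host is still connected and
    refuse with a 5xx reply.  The connecting host gets the error directly, no
    bounce is generated, and nothing is ever sent to the forged From: address."""
    if scanner_flags(msg):
        return "550 5.7.1 Message rejected: malware detected"
    return "250 2.0.0 OK"


def notification_without_payload(original: EmailMessage) -> EmailMessage:
    """If a notice must be generated after acceptance, quote only the headers
    and address it to the local recipient: nothing goes to the forged sender
    and no attachment is forwarded anywhere."""
    note = EmailMessage(policy=policy.default)
    note["From"] = GATEWAY
    note["To"] = str(original["To"])
    note["Subject"] = "A message addressed to you was blocked"
    quoted = "\n".join(f"{name}: {original[name]}"
                       for name in ("From", "To", "Subject") if original[name])
    note.set_content("A message addressed to you was blocked by the gateway "
                     "scanner.  Headers of the blocked message:\n\n" + quoted)
    return note


if __name__ == "__main__":
    worm = build_worm_message()
    bad = naive_bounce(worm)
    good = notification_without_payload(worm)
    print("naive bounce goes to", bad["To"], "carrying payload:", carries_payload(bad))
    print("SMTP-time verdict:", smtp_time_verdict(worm))
    print("safe notice goes to", good["To"], "carrying payload:", carries_payload(good))
```

Note that the headers-only notice is the fallback, not the goal: even without the payload, any notice sent to the From: address is still backscatter, which is why the SMTP-time rejection is the handling to prefer.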



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

