Vulnerability Development mailing list archives
Re: Another new worm???
From: MHarmer () MVG COM (Harmer, Mike)
Date: Wed, 21 Jun 2000 07:37:14 -0400
I have to say that I strongly disagree with dear old Dan. However, as others have covered that slant well enough, I will say something about Virus Exchange though. This is a little bit from Sophos's Web site. I noticed it when I was getting the latest identity. They make reference to a REVS program. It seems that WildList Org. and Sophos have some partnership that promotes sharing of virus samples. Perhaps you could get fragments from them, but I have a feeling that it is only open to people that are "trusted". For some more information see http://www.us.sophos.com/pressoffice/pressrel/uk/20000427revs.html.

And Dan, I am a sys admin, programmer, DBA. I have no interest in spreading viruses or creating them, but I do have an interest in the viruses themselves. I do have copies of LoveLetter that I neutered and took apart. Some viruses have cute tricks, others I get on how to remove them.

As for security through obscurity, come on, hasn't that been covered enough yet? You can't stop the virus channels, so what do you gain by stopping others? A bunch of under-informed system administrators is what you get.

Michael E. Harmer
Miller-Valentine Group
4000 Miller-Valentine Ct.
Dayton, OH 45439-1487 x804
mharmer () mvg com
----------------------------------------------
In the middle of difficulty lies opportunity.
--Albert Einstein
----------------------------------------------

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () THIEVCO COM]
Sent: Tuesday, June 20, 2000 10:57 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Another new worm???

Dan Schrader wrote:
> Thank you
You're welcome.
> You have now provided the virus to 40,000 people who have nothing in common
I've got less than 10,000 subscribers. Dunno how many people read the archives on the SecurityFocus.com site.
> except that they are interested in security. Go to usenet and you will find dozens of posts from virus writers and vx wannabes asking for viruses to play with - you answered their prayers.
I'm not really the best source of viruses, but I help out when I can.
> This virus has already been extensively analyzed - there was no need to spread it further.
Hm... now there's a sticky point. I've tried once or twice to get a copy of a virus from Trend Micro (and other AV vendors.) I've been turned down flat each time. Seems there's a policy to not give out the code. Now, if I wanted to be cynical, I'd assume that was because the AV vendors have a direct financial interest in the code not being publicly available, thereby forcing people to buy AV software for protection. I get the distinct impression that they don't share with each other as well. I'll leave that for you to comment on if you like.

However, there are loads of us who maintain our own mail filters and IDS signatures, and who want to understand the root issues behind the virus spread. We don't necessarily want to pay someone else to do that for us. The "information" that AV companies publish about viruses is nearly useless for these purposes.
> In the future if you wish to have a file analyzed, send to known, trusted experts or send to one or more of the antivirus vendors. Trend Micro will analyze unsolicited files if you send them to: virus_doctor () trendmicro com
So now you've got it, let's see the analysis. Keep in mind that the kind of analysis that has gone on here before often includes picking through the code and commenting on interesting bits.

BB