Vulnerability Development mailing list archives

Re: Another new worm???


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 21 Jun 2000 21:58:55 -0700


Obviously I have to drop this thread relatively quickly... I'm surprised
that it has stayed relatively civil even this long. :)  My thanks
to those who sent private messages, or messages I didn't post, of
support of my position.  I let through a few that came in first or were
particularly interesting.  Most of the ones I let through took some
level of disagreement with Dan.  But, most of them took that
side.

I don't feel it necessary to let through any more that have to do
with your position on the subject, I think Dan gets the point.
Naturally, this particular list is skewed in that direction.  You'd
get a much different vote on NTBugtraq.

I'd like to toss a couple particular questions Dan's way, since
he seems willing to answer questions as an AV guy.

Dan Schrader wrote:

> It doesn't matter which antivirus vendor you give it to.  There are
> contractual agreements between most AV vendors to share viruses on request.
> In addition, 20+ AV vendors recently formed an organization called Rapid
> Exchange of Virus Samples (REVS) designed to facilitate the distribution of
> viruses among those who need them.  If you are one of those people, contact
> Joe Wells at wildlist.org and join the group.

Any idea what the qualifications are?  I assume one would have to agree not
to distribute outside of the group.  Would the group let in someone who
was producing a free AV product?


> The last thing any AV vendor needs is more viruses - we get (no
> exaggeration) over 500 new viruses a month.  Thousands of files are sent to
> us each month for analysis.

I understand your point, but again to turn it around... you actually
need "all" viruses to remain competitive, no?


> What I was trying to do was reduce the likelihood of copycat viruses.  AV
> vendors have a firm policy of never giving virus samples to anyone who we
> are not sure will be responsible in their handling of the virus.

That is the same as saying "we don't hire hackers."  How do you know?
MS tried escrowing exploits once... just once (so far).  Aleph1 had
a copy of the exploit in less than 24 hours.  Not all the guys working
for the "proper" people follow the policy like you'd like them to.


> For those few people who need to do their own analysis, there are faster,
> safer ways of getting the code than relying on someone sending it to you
> over an uncontrolled email group days or weeks after the AV vendors had
> analyzed the virus and provided detailed descriptions of it on our web
> sites.  By last Friday every major AV vendor had posted write-ups

And what are the faster safer ways, for Joe Nobody, to get those?  If
those exist, why do you care if I mail it out?  Here is where the mailing
lists and media are serving a purpose.  The AV guys had the info they
needed early, and presumably some had updated signature databases.  The
outbreak didn't happen until Monday though... by definition for this type of
virus, if people were prepared, there wouldn't have been an outbreak.  The
failing is still people who don't update their virus databases often
enough.  They still need the media to cry wolf to alert them that something
is up.

I think the AV companies use the same mechanism that I do to weigh how
high the risk level is... how many people get nailed.  I've only put
through like 7 pieces of malware to the list.  In most cases, it was
based on how widespread it was, and therefore interest level.

> Let me ask the list, did one person on this list use this posting to better
> protect their environment?


Several people claim to have done just that.  I didn't necessarily let
those messages through, and I don't really want to post a message from
everyone who did.

                                        BB
