Full Disclosure mailing list archives
RE: [inbox] Re: Fwd: Re: Administrivia: Binary Executables w/o Source
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 22 Aug 2003 11:46:49 +1200
"Jason Coombs" <jasonc () science org> wrote:
> Nick FitzGerald came to his senses and removed me from the pedestal he had placed me on, and then launched into a well-written barrage of fact, beginning thus:
Nice... 8-)
> > > I agree completely. The sobig spam is valuable -- it shows us who we should not trust to operate a computer.
> >
> > _If_ you know what to take from the headers _AND_ have omniscient access to the mythical IP-to-user mapping address list...
>
> Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user mapping list -- and so do you. ...
No, we don't.
> ... How many FD subscribers post to the list from the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure you that I am the only one.
>
> Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
<<snip>>

Posting is not the issue. The virus can harvest the posters' addresses (yours and mine and Thor's and Len's and all the others) from the drives of any _subscriber_. It then can post from that machine using whichever of the addresses it chooses. How many subscribers (who have posted or not) are on popular cable, DSL and even dial-up connects? You may be the only poster from that domain, but are you sure you're the only subscriber? And what about non-subscribers who, for whatever reason (perhaps looking for help with just this virus) searched the web, found some web archive of F-D and thus gave up your address to the virus through the contents of their local web cache directories?
> Likewise, you are quite possibly the only person who posts from CLEAR Net Mail, New Zealand. At least while using your mobile device...
>
> From: Nick FitzGerald <nick () virus-l demon co uk>
> Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
<<snip>>

Yep -- but am I the only person using clear.net.nz who subscribes? And recall, the worm does not use the default (or any particular) mail client on the victim machine. As has become the fashion among "successful" self-mailers with the introduction of object blocking on the Outlook application object, Sobig rolls its own SMTP, even going so far as trying to properly look up MX records for its targets, so all you get in the virus' message headers is what the first SMTP relay it hit records in its Received: headers.

Finally, consider the subscriber to poster (or "lurker") ratio. Len may have a better idea, but I'd hazard that in large-ish lists such as this, fewer than 10% of subscribers post and probably less than half of them are "regular" posters.
> I appreciate your attention to detail, ...
Thank-you. I hope you still appreciate it given the further flaws in your thinking about this incident described above.
> ... but the relevant detail you missed was my conclusion, a witty challenge to Len Rose to stop concealing the truth and give us full disclosure:
I did not miss that that was rather playful. However, I also noted that your post, along with several others yesterday, supported a chronically ignorant view of how to properly deal with such messages and I felt the greater good was served by challenging and correcting that ignorance, as Sobig.F is just one of many of this type of malware event and there will certainly be many similar ones yet. Thus it seems that having the folk who can greatly influence the handling of such events be properly informed of the issues they must consider when faced with such incidents, before launching any of the apparently popular but hare-brained "solutions" that have been suggested, is a good thing and contributes to the overall solution, rather than to the problem.

<<snip>>
> Thor Larholm then came up with a very good idea to post a Web-based full-disclosure archive of everything received not just everything that ends up distributed to the list. The potential forensic value of Thor's suggestion is staggering.
>
> Thor Larholm wrote:
> > In that case, I would prefer if Len put up an archive of all the virus mails sent to FD so everybody on the list could have fun analyzing it. Couple it with the archives of normal posts and some regging+grep'ing you will be bound to find correlations between posting IP addresses.
I'm sure you might find a small number of such interesting detects, but the odds are very high that the infected parties that seem to have FD posters' addresses in their sights are not themselves posters to FD (recall the lurker ratio). You may find and shame a few of the lamer posters (who are probably generally derided or ignored anyway) but most of the virus-sending IPs will turn up no reasonably verifiable relationships to known FD posters because, as I've said many times now, there are many, many ways the FD posters' addresses get onto Sobig victims' machines and thus into Sobig's target list. On balance, I just don't think it would be worth the effort of even looking.
> Nick, I truly did not deserve to be on your pedestal, anyway, so this has all been very constructive.
It was a pedestal in the sense that I would choose to read your posts ahead of Mr Woods' and most others. I was genuinely surprised that your message showed so many fundamental misunderstandings of the workings of the virus and their obvious implications for any "SMTP forensics" based on the virus' messages.
> It's important that we remember to laugh a little, especially at ourselves.
Indeed, and I hope you are still...
> The funniest thing I've seen in a long time is the direct relationship between Symantec's stock price (SYMC) and the release of successful worms/virii... Antivirus software vendors may not be paying the authors of malware directly, but it sure looks like a good business to write and release malware in order to manipulate the market price of certain A/V vendors' stock. You gotta love the free market...
I think you meant "saddest" for that second word...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
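Added example (not part of this message, the thread, or the list archive): a small Python script that reads a Received: chain the way the discussion above says it has to be read when the sender is a self-mailing worm with its own SMTP engine. Only lines written *by* a relay you run are evidence; the client address recorded at that trust boundary is the machine that actually connected; anything below the boundary could have been written by the sending program; and the From: address, which such a worm picks from files on the infected machine, tells you nothing about that host. The message, relay names and addresses are constructed for the example (RFC 5737 documentation ranges and example.* domains), and TRUSTED_RELAYS is an assumed list of the recipient's own mail servers.

```python
import email
import email.utils
import re

# Relays whose Received: lines we trust because we operate them (assumed names).
TRUSTED_RELAYS = ("lists.example.org", "mx1.example.net")

# Constructed sample message (not from the list archive). Received: lines are
# read bottom-up: the bottom one was written by the sending program itself and
# names an innocent host; the middle one was written by mx1.example.net, the
# first real SMTP server the mail reached, which recorded an ISP pool address;
# the top one was written by the list server. The From: address belongs to a
# list poster and was harvested from the infected machine, not typed there.
SAMPLE_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby lists.example.org (Postfix) with ESMTP id 1A2B3C;\n"
    "\tFri, 22 Aug 2003 10:01:02 +0000\n"
    "Received: from mail.example.org (cable-pool-77.isp.example [198.51.100.77])\n"
    "\tby mx1.example.net (8.12.9/8.12.9) with SMTP id h7M9xyzw;\n"
    "\tFri, 22 Aug 2003 10:00:58 +0000\n"
    "Received: from innocent.example.org (innocent.example.org [203.0.113.5])\n"
    "\tby mail.example.org with SMTP id 0000;\n"
    "\tFri, 22 Aug 2003 09:59:00 +0000\n"
    'From: "A Regular Poster" <poster@example.org>\n'
    "To: full-disclosure@lists.example.org\n"
    "Subject: Re: Details\n"
    "\n"
    "(attachment omitted)\n"
)

# "from <HELO name> (<reverse DNS> [<IP>])" as sendmail/Postfix-style relays write it.
RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>[^\s(]+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)
RECEIVED_BY = re.compile(r"\bby\s+(?P<by>[^\s(;]+)", re.IGNORECASE)


def parse_received_chain(raw_message):
    """Return the hops in transit order: index 0 is the bottom-most Received: line."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)      # unfold the header
        frm, by = RECEIVED_FROM.search(flat), RECEIVED_BY.search(flat)
        if not frm:
            continue                            # no client address recorded: nothing usable
        hops.append({"helo": frm["helo"], "rdns": frm["rdns"], "ip": frm["ip"],
                     "by": by["by"] if by else None})
    return hops


def originating_hop(raw_message, trusted_relays):
    """Walk the chain from the newest line backwards and stop at the trust boundary.

    A Received: line counts only if it was written by a relay we run, and the line
    below it is only reachable if the host that handed the mail over is ours too.
    Everything below that boundary may have been composed by the sender.
    """
    trusted = {h.lower() for h in trusted_relays}
    origin = None
    for hop in reversed(parse_received_chain(raw_message)):   # newest first
        if (hop["by"] or "").lower() not in trusted:
            break
        origin = hop
        if (hop["rdns"] or "").lower() not in trusted:
            break
    return origin


def domain_matches(host, domain):
    host, domain = (host or "").lower().rstrip("."), (domain or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def from_domain(raw_message):
    msg = email.message_from_string(raw_message)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def assess_origin(raw_message, trusted_relays=TRUSTED_RELAYS):
    """What the headers establish about the sending host, and what they do not."""
    hop = originating_hop(raw_message, trusted_relays)
    sender_domain = from_domain(raw_message)
    if hop is None:
        return {"origin_ip": None, "from_domain": sender_domain,
                "from_address_attributable": False}
    return {
        "origin_ip": hop["ip"],            # the infected host to notify or contain
        "origin_rdns": hop["rdns"],
        "helo_claim": hop["helo"],         # chosen by the connecting program
        "from_domain": sender_domain,      # harvested address: says nothing about the host
        "helo_agrees_with_from": domain_matches(hop["helo"], sender_domain),
        "rdns_agrees_with_from": domain_matches(hop["rdns"], sender_domain),
        "from_address_attributable": domain_matches(hop["rdns"], sender_domain),
    }


if __name__ == "__main__":
    for key, value in assess_origin(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

On the sample the origin is the ISP pool address recorded by mx1.example.net, not the innocent host named in the forged bottom line, and the HELO name agreeing with the From: domain is worthless because the connecting program chose it. Narrow TRUSTED_RELAYS to just the list server and the script correctly reports only that mx1.example.net handed the mail over, which is all that server's own line can prove.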