Full Disclosure mailing list archives
RE: Authorities eye MSBlaster suspect
From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Fri, 29 Aug 2003 15:47:22 -0500
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.B&VSect=S

Trend's stat can be off by a factor of ten or more for very small infections. For Blaster.A, they say there were about 60,000; more likely there were between half a million and a million. For Blaster.B, they say there were 16; the likely total is almost definitely under a thousand.

Recent articles indicate that he was "responsible" for Blaster.C, not B (although this had been misidentified in every article I've seen). The executable for this was named "teekids.exe". Since his handle was teekid and he was active in chat rooms and IRC, he must have been very difficult to find.

Trend says they detected 929 infections with Blaster.C, so 7,000 total is probably not unrealistic. Still, it's less than 0.1% of what Blaster.A or Nachia did, although from the press you'd think this kid was responsible for it all.

The "virus" that was listed on his website was actually a p2p "worm" that spread over kazaa. He claimed authorship, and had a link to the file, which was actually located at http://www.chaos-networks.com/staff/teekid/p2p.teekid.C.rar (it's no longer there). Chaos Networks apparently was the hosting provider referenced in the article.

I'm sure that the FBI would never exaggerate the extent of the damage, in order to look like they were busting a major hacker after a difficult investigation instead of some kid like millions of others with more time and anger than skills.

It looks like it took the FBI 6 days to find what took 10 minutes on Google. Let's see, executable name is teekids.exe, here's a script-kiddie that goes by teekid, he's got a web site called t33kid.com, the whois for the domain gives his real name and address. Enough probable cause to get a warrant right there.

Jerry

-----Original Message-----
From: the lumpalaya [mailto:lumpy () city haze net]
Sent: Friday, August 29, 2003 3:03 PM
To: Jerry Heidtke
Subject: RE: [Full-disclosure] Authorities eye MSBlaster suspect

Court documents obtained by CNN allege that Parson's version of the worm infected at least 7,000 computers.

Investigators say they were able to track him down after interviewing the person who hosted Parson's site t33kid.com. The site, which the FBI says used to list the code for at least one virus, appeared not to contain any content Friday.

Where did you get the total of 16?