Full Disclosure mailing list archives

RE: HEADS UP VIRUS BEING SPREAD one of our rea


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 26 May 2003 11:39:14 +1300

Ed Carp to me to someone else:

It is an existing, well-known (and "old") virus, reliably ID'ed by
just about any virus scanner updated since late Feb this year.  There
are abundant informed and informative descriptions of how it works
all over the web.  It seems Mr Wood and your good self must be about
the only "security experts" who have not already encountered it.

I wonder, how does one make oneself such an excellent target for virii so
one can claim bragging rights such as those?  "Gee, we were the *first* to
discover XXX virus!"  ...

Generally, one does not.

It is quite a long time since I'd have bragging rights to being "one
of the first to discover <some virus>" based on stuff arriving
through my Email.  Being on and posting to many mailing lists and
reading and posting Usenet news increases the amount of all manner of
unsolicited Email -- from spam to self-mailing viruses to occasional
requests for help with things you wrote about so many years ago you
barely recall knowing anything about them -- that comes through your
mailbox.

"We were the first to discover <some virus>" claims tend to go to the 
larger AV companies as they have the largest "catchment areas" (i.e. 
most customers) and thus get more new malware submitted (often 
entirely automatically by their Email and content scanners) to their 
processing queues.  Knowing about them is simply a matter of 
following antivirus news -- be it through subscribing to a few AV 
vendors' mailing lists, various non-vendor AV mailing lists or simply
through scanning the relevant "newly discovered threats" type pages 
on a few AV vendors' web sites.

...  Or does that mean someone at the company was stupid
enough to double-click on an unknown attachment from someone they didn't
know?  ...

That happens some places, but not here...  (Well, actually it does, 
but it is never through stupidity but through the deliberate actions 
of someone performing a real analytical study of the suspect program 
in a safely isolated test environment.)

...  Or is the trick to subscribe to every known mailing list in
existence, so as to be spammed to death in hopes of discovering something
new?

I don't recommend that as an approach for discovering new malware, as 
my experience is that it has a poor return if discovering new malware 
is your (main) objective.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

