Full Disclosure mailing list archives

Random SoBig.F Thoughts


From: "Jason Coombs" <jasonc () science org>
Date: Mon, 1 Sep 2003 13:06:05 -1000

Consider the following creative interpretation of the spread of SoBig.F --

1. View each e-mail address found by the virus that it used to send forged
e-mail (From:) as a universe of potential re-infection.

2. Consider that some electronic social circles are more or less clueless, and
that certain From: addresses will have highly successful reinfection rates
versus other From: addresses, particularly when a more clueless social circle
is penetrated by a highly-successful From: address.

3. Reinfection *should* cause the original highly-successful e-mail address to
end up present as plaintext on the newly-infected computer, where it most
likely was not present before the virus delivered itself to the target using
the From: address.

4. Given enough time to execute and spread itself on the newly-infected host,
the same highly-successful From: address *should* be used again on the
downstream host in new forged messages; should, by chance, this address end up
used to send a copy of the virus to another member of the original more
clueless social circle whose first member's computer originally contained said
e-mail address, perhaps the chances of reinfection increase?

5. Regardless of probabilities and cluelessness of those people targeted by
the virus with forged e-mails, there *should* be a marked difference between
the recurrence of infection based on From: address, and there *must* be some
address in particular that ends up being the *winner* -- the most successful
address used to spread reinfections.

6. Is there any way to determine who the winner is?

7. Does anyone care?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

