RE: MyDoom.b samples taken down

[Nick FitzGerald <nick () virus-l demon co uk>]

"first last" <randnut () hotmail com> wrote:

> Nick, you being the virus expert and all, how come it took you and your 
> fellow virus experts two days to "decrypt" (i.e., unpack) the 
> tElock-protected Sobig.F virus a couple of months ago?  ...

You being so smart and all, how you still haven't worked out that just 
because some AV developer's PR twats went rushing to media saying "we 
just worked out what will happen tomnorrow" may have no bearing on 
reality?

Think about it -- I know that will be a strain for you, but try...

The code is available.  It runs.  Therefore it can be analysed.

So guess what?

It was.

Just because some AV developers did not rush for the publicity 
spotlight does not mean others were not quietly working away at what 
they do, contacting the admins of the sites or domains hosting the 
likely to be affected machines, etc, etc, etc.

> ...  It appears that your 
> awesome skill of being able to unpack UPX scrambler protected programs such 
> as MyDoom.B couldn't help you back then. So what any smart virus author 
> needs to do to stop these self-proclaimed virus experts is to use tElock or 
> any other non-UPX protector to protect their viruses from being analyzed by 
> virus "experts". That will buy the virus author 2+ days of time.

That is such bad advice I hope all virus writers reading this take 
it...

You seem to have a very misguided view of the significance of tElock in 
the Sobig.F "decryption incident" -- probably not surprising given that 
your main source of information on it is the media...

> > No -- that's what happens when you actually have half a clue about the huge 
> > _further_ damage such things can do if actually successfully distributed.  
> > Mydoom.B has largely _not_ taken off, but all it probably needs is a touch 
> > of the usual "luck" which is all that distinguishes most successful 
> > mass-mailers from the huge numbers of unsuccessful ones lamers, like those 
> > on this list clamouring to get a Mydoom.B sample, never see.
>
> I never analyzed the MyDoom.A or the MyDoom.B worms because I know the 
> anti-virus companies already did that the very same day they got the virus. 
> But from what I've read, the email sent by MyDoom.B is exactly the same one 
> sent by MyDoom.A. No wonder MyDoom.B never succeeded in infecting more 
> machines. Even if someone on this list mistakenly got infected by the copy 
> and sent out the virus to other people it's not going to make it any more 
> successful than it is because it looks exactly like MyDoom.A in your inbox.

And what made Mydoom.A _so_ successful?

There is always an element of what, for a better term, the experts 
refer to as "luck".  Technically identical mass mailers suceed and fail 
more or less randomly (of course, you don't see the hoards of entirely 
uncessful ones we do, so you wouldn't know this.  Mydoom.B has more 
chance of striking it lucky the more people run it, simply because of 
the human factor such as the wannabe "analyst" who runs it while 
connected to the net.  Fercrissakes, I've seen far too many "security 
experts" referring to Mydoom as an "Outlook worm".  This is a problem 
caused by lack of intellect on the part of the "expert" who fails to 
grasp the signiifcant difference between:

   ... scans many kinds of files on the victim machine looking
   for email address (including Widows Address Book, Outlook mail
   folders, Word documents and .TXT files)

and:

   The worm spreads itself via Outllok's automation interface.

I guess if we put "Word document files" at the top of that list and 
left out mention of "Outlook" completely the same "expert" would refer 
to it as a "Word macro virus"...    8-)

Anyway, based on such erroneous comments from "respected" security 
experts, there's bound to be at least one wannabe virus analyst out 
there with a test machine all ready to go, connected to the Internet 
but "safe" because it does not have Outlook installed.

> > I know most of you will not believe this because you so stupid you
>
> You so smart Nick. Self-proclaimed virus experts like yourself should go 
> back to your internal virus mailing lists. Or did they kick you out?

Is diddums jealous?

> > And save me the almost inevitable full-disclosure mantra BS replies!  I 
> > really do not want to hear your ignorance rephrased that way, again -- at 
> > least walk the walk before you try to talk the talk...
>
> If you don't want to read what people have to say, don't post to this list.

The point is, when I know what they will say and it is wrong and they 
know it and they know I know it and they know they won't change their 
mind if I respond, I might as well save them the wasted effort of 
replying by pointing out I have no intention of responding to such 
dribblings.

If they have something new or interesting to say, by all means they 
should say it.  But if it's going to the be the typical "this is full 
disclosure" twaddle with the "and I am too stupid to understand that 
you make self-replicating code problems worse by increasing the code's 
chance of replicating" sub-text, I have heard it, you are just plain 
wrong _AND_ dangerously stupidly so.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html