Full Disclosure mailing list archives
RE: MyDoom.b samples taken down
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 02 Feb 2004 11:45:48 +1300
"first last" <randnut () hotmail com> wrote:
> Nick, you being the virus expert and all, how come it took you and your fellow virus experts two days to "decrypt" (i.e., unpack) the tElock-protected Sobig.F virus a couple of months ago? ...

You being so smart and all, how you still haven't worked out that just because some AV developer's PR twats went rushing to media saying "we just worked out what will happen tomorrow" may have no bearing on reality? Think about it -- I know that will be a strain for you, but try... The code is available. It runs. Therefore it can be analysed. So guess what? It was. Just because some AV developers did not rush for the publicity spotlight does not mean others were not quietly working away at what they do, contacting the admins of the sites or domains hosting the likely to be affected machines, etc, etc, etc.

> ... It appears that your awesome skill of being able to unpack UPX scrambler protected programs such as MyDoom.B couldn't help you back then. So what any smart virus author needs to do to stop these self-proclaimed virus experts is to use tElock or any other non-UPX protector to protect their viruses from being analyzed by virus "experts". That will buy the virus author 2+ days of time.

That is such bad advice I hope all virus writers reading this take it... You seem to have a very misguided view of the significance of tElock in the Sobig.F "decryption incident" -- probably not surprising given that your main source of information on it is the media...

No -- that's what happens when you actually have half a clue about the huge _further_ damage such things can do if actually successfully distributed. Mydoom.B has largely _not_ taken off, but all it probably needs is a touch of the usual "luck" which is all that distinguishes most successful mass-mailers from the huge numbers of unsuccessful ones lamers, like those on this list clamouring to get a Mydoom.B sample, never see.

> I never analyzed the MyDoom.A or the MyDoom.B worms because I know the anti-virus companies already did that the very same day they got the virus. But from what I've read, the email sent by MyDoom.B is exactly the same one sent by MyDoom.A. No wonder MyDoom.B never succeeded in infecting more machines. Even if someone on this list mistakenly got infected by the copy and sent out the virus to other people it's not going to make it any more successful than it is because it looks exactly like MyDoom.A in your inbox.

And what made Mydoom.A _so_ successful? There is always an element of what, for a better term, the experts refer to as "luck". Technically identical mass mailers succeed and fail more or less randomly (of course, you don't see the hordes of entirely unsuccessful ones we do, so you wouldn't know this). Mydoom.B has more chance of striking it lucky the more people run it, simply because of the human factor such as the wannabe "analyst" who runs it while connected to the net. Fercrissakes, I've seen far too many "security experts" referring to Mydoom as an "Outlook worm". This is a problem caused by lack of intellect on the part of the "expert" who fails to grasp the significant difference between:

   ... scans many kinds of files on the victim machine looking for email address (including Windows Address Book, Outlook mail folders, Word documents and .TXT files)

and:

   The worm spreads itself via Outlook's automation interface.

I guess if we put "Word document files" at the top of that list and left out mention of "Outlook" completely the same "expert" would refer to it as a "Word macro virus"... 8-) Anyway, based on such erroneous comments from "respected" security experts, there's bound to be at least one wannabe virus analyst out there with a test machine all ready to go, connected to the Internet but "safe" because it does not have Outlook installed.

> I know most of you will not believe this because you so stupid you
> You so smart Nick. Self-proclaimed virus experts like yourself should go back to your internal virus mailing lists. Or did they kick you out?

Is diddums jealous?

> > And save me the almost inevitable full-disclosure mantra BS replies! I really do not want to hear your ignorance rephrased that way, again -- at least walk the walk before you try to talk the talk...
> If you don't want to read what people have to say, don't post to this list.

The point is, when I know what they will say and it is wrong and they know it and they know I know it and they know they won't change their mind if I respond, I might as well save them the wasted effort of replying by pointing out I have no intention of responding to such dribblings. If they have something new or interesting to say, by all means they should say it. But if it's going to be the typical "this is full disclosure" twaddle with the "and I am too stupid to understand that you make self-replicating code problems worse by increasing the code's chance of replicating" sub-text, I have heard it, you are just plain wrong _AND_ dangerously stupidly so.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html