funsec mailing list archives

Re: RE: Nice RBN/Storm worm writeup in ×× ×××-X/X-Mas Blog


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 11 Jan 2008 14:28:31 -0600 (CST)

On Fri, 11 Jan 2008, Paul Ferguson wrote:

-- Gadi Evron <ge () linuxbox org> wrote:

On Fri, 11 Jan 2008, Nick FitzGerald wrote:


Much as I am possibly perceived as a raving MS (among others) critic,
it's only fair to give credit where it's due, and I try to do that as
and where appropriate...

Determining factors, underlying causes and why things happened in general
is never easy, but it is clear MSFT had a hand in the critical mass of
bringing Storm down to size *currently*.

I think we should give them public credit.


Yes and no. :-)

Yes: They deserve credit for bringing down the number of infected
Storm nodes back in (or around) September 2007 (if I recall correctly)
when they released detection & removal for several Storm variants
in the MSRT (Malicious Software Removal Tool).

I think this was outlined in the last Microsoft Security Intelligence
Report -- I know I talked with Ziv Mador from MS about this in detail
during the WORM 2007 (The 5th ACM Workshop on Recurring Malcode)
workshop back in early Nov. 2007.

http://www.auto.tuwien.ac.at/~chris/worm07.html

However, the puppet-masters behind Storm worked diligently during
the holidays last month to repopulate the botnet, in fact, to over
200% of its size at the beginning of the month:

http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html

Anyone's guess is as good as mine as to why this effort was
undertaken, but the recent developments, which include phishing,
might be related. :-)

- ferg

Nitpicker! :)





--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

