Information Security News mailing list archives

NetSec Response over Trojan scare: From HackerNews


From: William Knowles <wk () C4I ORG>
Date: Mon, 12 Jun 2000 11:05:20 -0500

http://www.hackernews.com/press/netsec.html

Date: 6/12/00 10:14 AM
Received: 6/12/00 11:58 AM
From: Scott Shreve, mss () netsec net
To: contact () hackernews com
CC: Jerry, jph () netsec net

Howdy all,

Just wanted to take a moment to respond to your top news article
today. Nobody at NetSec ever said the Trojan was new. We stated that
several thousand infected clients were being utilized for DDOS's by
two administered servers. As for this variant of SubSeven being
incapable of performing a DDOS- that's incorrect.

Unless my definition of DDOS is skewed, I'm relatively sure that an
installed agent capable of producing a focused burst of packets from 1
of many infected clients (at a single target) and at the whim of a
single point of administration is the very definition of a DDOS.
NetSec was not surmising that the trojan was "possibly" a tool that
could be used to perform a DDOS, the event was logged and recorded
this past week. I think that the majority of the infected clients (who
are in the process of being informed as I write) will disagree with
Frank's opinion.

While the media has performed to their regular standard of sowing the
seeds of FUD, we have been guilty of nothing more than attempting to
alert people to the fact that many hosts have been put in a position
to unknowingly wreak mayhem. If we wanted press, NetSec would release
the list of infected clients - THAT would make good press.

Nobody said there was a cutting edge new tool out there. We just found
definitive evidence that several thousand machines fell victim to a
slightly modified version of an old tool.

The binary has been torn apart and distributed to several sources in
the vain attempt to perform a service to the community and avoid much
of the mudslinging that is currently going on. If anybody bothered to
watch the CBS morning show they would have seen us state on National
TV that the trojan was a modified version of SubSeven and the focus of
the threat was not the "scariness" of the tool- it was the size of the
infected populace and the serious nature of SOME of the infected
clients.

NetSec does its best to detect impending problems before they occur,
not after a bunch of kids have inconvenienced the hell (as well as
cost a lot of money) out of some .com they have a grudge against.
That's our job, that's what we do.

I'd appreciate it if this response was posted. It's certainly not an
attempt to start a debate, merely to set the record straight.

Have a nice day.
___________________________
M. Scott Shreve
Director of NSOC Technologies
NETSEC
703.561.0420


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
