Information Security News mailing list archives

Re: War with Iraq will mean virus outbreak, hacker says


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Nov 2002 01:06:55 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>

Few comments about this FUD fest..

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76071,00.html

By DAN VERTON
NOVEMBER 20, 2002

A Malaysian virus writer who is sympathetic to the cause of the
al-Qaeda terrorist group and Iraq and who has been connected to at
least five other malicious code outbreaks is threatening to release
a megavirus if the U.S. launches a military attack against Iraq.

The virus writer, who goes by the handle Melhacker and is believed
to have the real name of Vladimor Chamlkovic, is thought to have
written or been involved in the development of the
VBS.OsamaLaden@mm, Melhack, Kamil, BleBla.J and Nedal worms.

Searching Symantec's site, there is no record of VBS.OsamaLaden (or
the search engine there is bad). Broaden the search to just
"OsamaLaden" and you get .. VBS.Melhack.B:

http://securityresponse.symantec.com/avcenter/venc/data/vbs.melhack.b.html

VBS.Melhack.B is an intended mass mailing worm that is written in
Visual Basic. It copies itself as OsamaLaden.vbs into two locations.

Threat Assessment?

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Searching for "Kamil" we find:

http://securityresponse.symantec.com/avcenter/venc/data/vbs.melhack@mm.html

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Searching for "blebla" we find:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.j.worm.html

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Also find:

http://securityresponse.symantec.com/avcenter/venc/data/w32.kamil.html

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Also find:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllp.nedal.html

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy


So in summary.. we have five or six of the most pathetic worms you can
possibly find on Symantec's site I believe. These are the same crappy
worms we have seen for the last year or more. Look at the number of
infections, distribution, threat containment and removal. Easy and Low
(was re: pathetic). This guy sounds like a script kiddy of the virus
world. Why don't I perceive this as a threat?

However, in an exclusive interview today with Computerworld,
Melhacker confirmed earlier reports by Chantilly, Va.-based iDefense
Inc. that he has developed and tested a "three-in-one" megaworm
code-named Scezda that combines features from the well-known SirCam,
Klez and Nimda worms.

All of which are easy to identify and block if a company actually
updates their virus signatures...

Brian Kelly, president and CEO of iDefense, said that while
Melhacker hasn't proved adept at seeding new worms in the wild, this
worm could be difficult to stop. IDefense quietly warned its clients
last week

Why? Doesn't iDefense analyze the data before making decisions? Don't
they see a clear pattern on the previous? Doesn't the mere fact that
they know when the worm would be released, what components and
signatures are present.. that it wouldn't be difficult to stop?

But we know.. iDefense sells FUD. Their customers won't buy
advisories/alerts that say "some dork in malaysia is going to release
a worm that might hit 49 machines".

"If he were to be successful with this one, it could be very serious,"

SO BUY OUR SERVICES OMG! Because it COULD be serious! It COULD be all
out cyber war! Just like we predicted for years! BUY OUR SERVICES THNX.

Vincent Gullotto, vice president at McAfee Security's Avert, a
division of Network Associates Inc., said the threat posed by Scezda
is completely dependent on whether or not Melhacker is successful in
getting it to propagate.

"If he is, it could be very large," said Gullotto.

SO BUY OUR PRODUCT OMG! Doesn't matter that his other five or more
worms were dismal failures as far as worms go... BUY OUR PRODUCT AND
WE WILL PROTECT YOU.

Melhacker, who has also gone by the name Kamil, may have had some
involvement in the September release of the BugBear mass-mailing
network attack worm. According to iDefense, Melhacker has close ties
to Nur Mohammad Kamil, who identifies himself as part of a group
known as "A.Q.T.E. Al-Qaeda Network." Melhacker has also associated
himself with the al-Qaeda network for a long period and has been an
active Malaysian malicious coder threat for at least six years.

Six years and those five worms are the best he could do?

"While it might be true that al-Qaeda operatives are not well
organized, skilled or equipped to mount a serious cyberoffensive, it
is likely that al-Qaeda sympathizers will serve as surrogates in
their cyberoffensive," said Kelly.

To summarize: They aren't organized. They have no skills. They have no
capability to mount a CYB3R0FFENSIVE, but it COULD BE BAD OMG OMG OMG
BUY OUR SERVICE JUST IN CASE.

Jeez, talk about irresponsible. Verton, Kelly and that Symantec dork
need to start being honest with the public and their clients, and
maybe themselves some day.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

