[Full-Disclosure] MyDoom.b samples taken down
nick at virus-l.demon.co.uk
Sun Feb 1 01:47:07 GMT 2004
Kurt Weiske <kweiske at kataan.org> wrote:
> Daniel and Mike, thanks for making those files available for those of us
> who wish to research this virus firsthand, instead of relying on
> (sometimes) wildly inaccurate media and "expert" reporting.
> Shame on McAfee for succeeding in intimidating a fellow researcher - I
It seems that "intimidation" may have been too strong a word -- see
Daniel's latest post -- but whatever...
> guess that's what happens when viruses become Big Business; use whatever
> FUD is available to limit your competition, increase market share and
> maximize shareholder value. Foo.
No -- that's what happens when you actually have half a clue about the
huge _further_ damage such things can do if actually successfully
distributed. Mydoom.B has largely _not_ taken off, but all it probably
needs is a touch of the usual "luck" which is all that distinguishes
most successful mass-mailers from the huge numbers of unsuccessful ones
lamers, like those on this list clamouring to get a Mydoom.B sample,
I know most of you will not believe this because you are so stupid you
already believe that live virus samples are _just_ information and
therefore _should_ be subject to "full disclosure" (this is a special
form of ignorance that very little empirical evidence seems able to
budge -- at least until a holder of the ignorance is the person bitten
by it), _but_ each extra copy of Mydoom.B downloaded from the various
URLs published on this list increases the likelihood that the virus
writer will have his "glory" with the Mydoom.B variant as well. The
cost of that far outweighs the value of the jollies a few of you will
get from working out how to unpack the "hacked" UPX compression used,
poking a few clever comments into your disasm, or mastering ROT13 to
"decrypt" the virus' internal strings. In the process, some of you
will run it in a VM connected via virtual network to the real Internet
(because you are so stupid you believe that "because you run Linux you
are safe" or you forgot you enabled bridged networking for some
"special reason" and never got round to disabling it) and more copies
of it will "escape" (we see this often). And you want to subject the
world to that threat because you want to spend hours and hours doing
what has been done "well enough" in multiple professional security
company labs for them to ship detection and repair utilities within
minutes to an hour or two of first receiving a sample of it several
days ago. Get real...
Try handling dozens of these a day and then see what you feel about the
quality of the work of those labs and that 'wildly inaccurate [...]
And save me the almost inevitable full-disclosure mantra BS replies! I
really do not want to hear your ignorance rephrased that way, again --
at least walk the walk before you try to talk the talk...
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure is hosted and sponsored by Secunia.