
RE: [inbox] Re: Fwd: Re: [Full-Disclosure] Administrivia: BinaryExecutables w/o Source



"Jason Coombs" <jasonc@science.org> wrote:

> Nick FitzGerald came to his senses and removed me from the pedestal he had
> placed me on, and then launched into a well-written barrage of fact, beginning
> thus:

Nice...   8-)

> >> I agree completely. The sobig spam is valuable -- it shows us who we
> >> should not trust to operate a computer.
> >_If_ you know what to take from the headers _AND_ have omniscient
> >access to the mythical IP-to-user mapping address list...
> 
> Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user
> mapping list -- and so do you. ...

No, we don't.

> ...  How many FD subscribers post to the list from
> the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure
> you that I am the only one.
> Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
<<snip>>

Posting is not the issue.  The virus can harvest the posters' addresses 
(yours and mine and Thor's and Len's and all the others) from the 
drives of any _subscriber_.  It then can post from that machine using 
whichever of the addresses it chooses.  How many subscribers (who have 
posted or not) are on popular cable, DSL and even dial-up connects?

You may be the only poster from that domain, but are you sure you're 
the only subscriber?  And what about non-subscribers who, for whatever 
reason (perhaps looking for help with just this virus) searched the 
web, found some web archive of F-D and thus gave up your address to the 
virus through the contents of their local web cache directories?

> Likewise, you are quite possibly the only person who posts from CLEAR Net
> Mail, New Zealand. At least while using your mobile device...
> 
> From: Nick FitzGerald <nick@virus-l.demon.co.uk>
> Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
<<snip>>

Yep -- but am I the only person using clear.net.nz who subscribes?

And recall, the worm does not use the default (or any particular) mail 
client on the victim machine.  As has become the fashion among 
"successful" self-mailers with the introduction of object blocking on 
the Outlook application object, Sobig rolls its own SMTP, even going so 
far as trying to properly look up MX records for its targets, so all 
you get in the virus' message headers is what the first SMTP relay it 
hit records in its Received: headers.

Finally, consider the subscriber to poster (or "lurker") ratio.  Len 
may have a better idea, but I'd hazard that in large-ish lists such as 
this, fewer than 10% of subscribers post and probably less than half of 
them are "regular" posters.

> I appreciate your attention to detail, ...

Thank-you.

I hope you still appreciate it given the further flaws in your thinking 
about this incident described above.

> ... but the relevant detail you missed was
> my conclusion, a witty challenge to Len Rose to stop concealing the truth and
> give us full disclosure:

I did not miss that that was rather playful.

However, I also noted that your post, along with several others 
yesterday, supported a chronically ignorant view of how to properly 
deal with such messages and I felt the greater good was served by 
challenging and correcting that ignorance, as Sobig.F is just one of 
many of this type of malware event and there will certainly be many 
similar ones yet.  Thus it seems that having the folk who can greatly 
influence the handling of such events be properly informed of the 
issues they must consider when faced with such incidents, before 
launching any of the apparently popular but hare-brained "solutions" 
that have been suggested, is a good thing and contributes to the 
overall solution, rather than to the problem.

<<snip>>
> Thor Larholm then came up with a very good idea to post a Web-based
> full-disclosure archive of everything received not just everything that ends
> up distributed to the list. The potential forensic value of Thor's suggestion
> is staggering.
> 
> Thor Larholm wrote:
> > In that case, I would prefer if Len put up an archive of all the virus
> > mails sent to FD so everybody on the list could have fun analyzing it.
> > Couple it with the archives of normal posts and some regging+grep'ing
> > you will be bound to find correlations between posting IP addresses.

I'm sure you might find a small number of such interesting detects, but 
the odds are very high that the infected parties that seem to have FD 
posters' addresses in their sights are not themselves posters to FD 
(recall the lurker ratio).  You may find and shame a few of the lamer 
posters (who are probably generally derided or ignored anyway) but most 
of the virus-sending IPs will turn up no reasonably verifiable 
relationships to known FD posters because, as I've said many times now, 
there are many, many ways the FD posters' addresses get onto Sobig 
victims' machines and thus into Sobig's target list.  On balance, I 
just don't think it would be worth the effort of even looking.

> Nick, I truly did not deserve to be on your pedestal, anyway, so this has all
> been very constructive.

It was a pedestal in the sense that I would choose to read your posts 
ahead of Mr Woods' and most others.  I was genuinely surprised that 
your message showed so many fundamental misunderstandings of the 
workings of the virus and their obvious implications for any "SMTP 
forensics" based on the virus' messages.

> It's important that we remember to laugh a little, especially at ourselves.

Indeed, and I hope you are still...

> The funniest thing I've seen in a long time is the direct relationship between
> Symantec's stock price (SYMC) and the release of successful worms/virii...
> Antivirus software vendors may not be paying the authors of malware directly,
> but it sure looks like a good business to write and release malware in order
> to manipulate the market price of certain A/V vendors' stock. You gotta love
> the free market...

I think you meant "saddest" for that second word...


Regards,

Nick FitzGerald
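As an added illustration of the header point made in this reply (not code from the thread or from any poster), the following Python parses the Received: chain of a constructed worm-style message and separates what the first relay recorded from what the sender itself chose. All hostnames, IPs, addresses and message IDs are made up.

```python
import re
from email import message_from_string

# Constructed sample: a self-mailer's message as it arrives at the list's MX.
# Hosts, IPs (documentation ranges) and addresses are invented for this example.
SAMPLE = """\
Received: from lists.example.net (lists.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id A1; Wed, 20 Aug 2003 10:00:00 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby lists.example.net with ESMTP id B2; Wed, 20 Aug 2003 09:59:50 +0000
Received: from poster.example.net (dialup-45.isp.example [203.0.113.45])
\tby relay.isp.example with SMTP id C3; Wed, 20 Aug 2003 09:59:40 +0000
From: poster@example.net
To: full-disclosure@lists.netsys.com
Subject: Re: Details

See the attached file.
"""

# "from <HELO name> (<reverse DNS> [<IP>])" as most MTAs write the clause.
_FROM_CLAUSE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def received_hops(raw):
    """Return Received: hops oldest-first, each as (helo, rdns, ip).
    MTAs prepend their header, so the last one in the message is the earliest hop."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = _FROM_CLAUSE.match(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groups())
    hops.reverse()
    return hops

def origin_evidence(raw):
    """Only the earliest hop was written by a machine the sender did not control:
    the first relay's own record of the connecting IP.  The HELO name in that
    hop and the From: header were both chosen by the sender (the worm's SMTP code)."""
    msg = message_from_string(raw)
    helo, rdns, ip = received_hops(raw)[0]
    return {
        "from_header": msg["From"],          # forged from a harvested address
        "claimed_helo": helo,                # arbitrary string sent by the worm
        "connecting_ip": ip,                 # the one attributable datum
        "reverse_dns": rdns,
        "helo_matches_rdns": helo == rdns,   # a mismatch is typical of self-mailers
    }

if __name__ == "__main__":
    for key, val in origin_evidence(SAMPLE).items():
        print(f"{key}: {val}")
```

The connecting IP of the earliest hop is the only field worth correlating; the From: address merely tells you whose address was on the infected machine's drive.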

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html