[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] AV "feature" does more DDoS than Sobig
- To: full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] AV "feature" does more DDoS than Sobig
- From: "Barrett, Rob" <Rob.Barrett@zurnwilkins.com>
- Date: Thu, 28 Aug 2003 07:57:39 -0700
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] AV "feature" does more DDoS than Sobig</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>If you don't like the feature, turn it off. That is why we have the options tab. Obviously we can not control what others do with the AV but you could minimize what extra traffic you may be creating with these messages. I personally have never had it send a message to the sender, this being one of the reasons. </FONT></P>
<P><FONT SIZE=2>As far as the "marketing" goes for Big AV businesses I believe most of the items you listed can be disabled and you can bet the AV companies are surely not going to send it out that way...It's all about the $$$$ my $.02</FONT></P>
<P><FONT SIZE=2>Take Care</FONT>
<BR><FONT SIZE=2>Rob </FONT>
</P>
<BR>
<P><FONT SIZE=2> -----Original Message-----</FONT>
<BR><FONT SIZE=2>From: 3APA3A [<A HREF="mailto:3APA3A@SECURITY.NNOV.RU";>mailto:3APA3A@SECURITY.NNOV.RU</A>] </FONT>
<BR><FONT SIZE=2>Sent: Thursday, August 28, 2003 6:12 AM</FONT>
<BR><FONT SIZE=2>To: Fabio Gomes de Souza; Russ; da@securityfocus.com</FONT>
<BR><FONT SIZE=2>Cc: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>Subject: Re: [Full-Disclosure] AV "feature" does more DDoS than Sobig</FONT>
</P>
<P><FONT SIZE=2>Dear Fabio Gomes de Souza,</FONT>
</P>
<P><FONT SIZE=2>Few Russian security and Internet professionals who's mailboxes were</FONT>
<BR><FONT SIZE=2>flooded by AV reports signed an open letter to antiviral developers,</FONT>
<BR><FONT SIZE=2>administrators and users called "AntiViruses to ruin Internet?". It ends</FONT>
<BR><FONT SIZE=2>up with words "If we want to live here we must shut up all these</FONT>
<BR><FONT SIZE=2>robots".</FONT>
</P>
<P><FONT SIZE=2><A HREF="http://www.bugtraq.ru/library/security/antiantivirus.html"; TARGET="_blank">http://www.bugtraq.ru/library/security/antiantivirus.html</A> (sorry, it's</FONT>
<BR><FONT SIZE=2>in Russian).</FONT>
</P>
<P><FONT SIZE=2>It was published on few well-known sites. At least few huge mail</FONT>
<BR><FONT SIZE=2>services now do not generate AV reports to sender. May be it's a time to</FONT>
<BR><FONT SIZE=2>make same PR action worldwide.</FONT>
</P>
<P><FONT SIZE=2>--Thursday, August 28, 2003, 5:05:20 PM, you wrote to bugtraq@securityfocus.com:</FONT>
</P>
<P><FONT SIZE=2>FGdS> Hello,</FONT>
</P>
<P><FONT SIZE=2>FGdS> Anti-virus products are causing more harm than the Sobig Worm.</FONT>
</P>
<P><FONT SIZE=2>FGdS> Some of my customers are having the following problem:</FONT>
</P>
<P><FONT SIZE=2>FGdS> B = Customer of my customer (infected)</FONT>
<BR><FONT SIZE=2>FGdS> C,D,E = Some random company (victims of Sobig)</FONT>
<BR><FONT SIZE=2>FGdS> A = My customer (victim of AV marketing)</FONT>
</P>
<P><FONT SIZE=2>FGdS> The Sobig worm infected B.</FONT>
</P>
<P><FONT SIZE=2>FGdS> In its propagation loop, the worm composes a message, chooses two random </FONT>
<BR><FONT SIZE=2>FGdS> items in the Address Book, and puts the first in the "From:" and the </FONT>
<BR><FONT SIZE=2>FGdS> second in the "To:" header. Then all virus messages are spoofed.</FONT>
</P>
<P><FONT SIZE=2>FGdS> The problem is that many e-mail virus scanners send a "You are infected" </FONT>
<BR><FONT SIZE=2>FGdS> reply to the address contained in the "From" header. Since the messages </FONT>
<BR><FONT SIZE=2>FGdS> are spoofed, the inoccent, uninfected user "A" is flooded by automatic </FONT>
<BR><FONT SIZE=2>FGdS> complaints from "C","D","E" regarding the virus that "B" sends.</FONT>
</P>
<P><FONT SIZE=2>FGdS> Anti-virus companies seem to spend more money on marketing/visibility </FONT>
<BR><FONT SIZE=2>FGdS> than on actually protecting their customers. This marketing stupidity is </FONT>
<BR><FONT SIZE=2>FGdS> done by adding USELESS features, which spreads false information and </FONT>
<BR><FONT SIZE=2>FGdS> delivers false sense of security:</FONT>
</P>
<P><FONT SIZE=2>FGdS> - "You're infected" reply (false positive)</FONT>
<BR><FONT SIZE=2>FGdS> - "This message is 100% virus-free certified" signature line (false </FONT>
<BR><FONT SIZE=2>FGdS> sense of security)</FONT>
<BR><FONT SIZE=2>FGdS> - Anti-virus buttons on Internet Explorer toolbar (just to launch the AV)</FONT>
<BR><FONT SIZE=2>FGdS> - Splash screens every time you:</FONT>
<BR><FONT SIZE=2>FGdS> - boot your computer</FONT>
<BR><FONT SIZE=2>FGdS> - send e-mail</FONT>
<BR><FONT SIZE=2>FGdS> - check pop3 e-mail</FONT>
<BR><FONT SIZE=2>FGdS> - turn your computer off</FONT>
<BR><FONT SIZE=2>FGdS> - System tray useless icons (in some AVs, the system tray icon does </FONT>
<BR><FONT SIZE=2>FGdS> nothing except for launching the AV program)</FONT>
<BR><FONT SIZE=2>FGdS> - Redundant shortcut icons in Desktop, Start Menu root, Quick Launch </FONT>
<BR><FONT SIZE=2>FGdS> and Start Menu program folder</FONT>
</P>
<P><FONT SIZE=2>FGdS> This kind of stupidity from AV companies makes me hate them more every day.</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>-- </FONT>
<BR><FONT SIZE=2>~/ZARAZA</FONT>
<BR><FONT SIZE=2>Впрочем, важнее всего - алгоритм! (Лем)</FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>Full-Disclosure - We believe in it.</FONT>
<BR><FONT SIZE=2>Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html"; TARGET="_blank">http://lists.netsys.com/full-disclosure-charter.html</A></FONT>
</P>
</BODY>
</HTML>