
RE: [Full-Disclosure] Authorities eye MSBlaster suspect




http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.B&VSect=S

Trend's stat can be off by a factor of ten or more for very small
infections. For Blaster.A, they say there were about 60,000; more likely
there were between half a million and a million. For Blaster.B, they say
there were 16; the likely total is almost definitely under a thousand.

Recent articles indicate that he was "responsible" for Blaster.C, not B
(although this had been misidentified in every article I've seen). The
executable for this was named "teekids.exe". Since his handle was teekid
and he was active in chat rooms and IRC, he must have been very
difficult to find. Trend says they detected 929 infections with
Blaster.C, so 7,000 total is probably not unrealistic. Still, it's less
than 0.1% of what Blaster.A or Nachia did, although from the press you'd
think this kid was responsible for it all.

The "virus" that was listed on his website was actually a p2p "worm"
that spread over Kazaa. He claimed authorship, and had a link to the
file, which was actually located at
http://www.chaos-networks.com/staff/teekid/p2p.teekid.C.rar (it's no
longer there). Chaos Networks apparently was the hosting provider
referenced in the article.

I'm sure that the FBI would never exaggerate the extent of the damage,
in order to look like they were busting a major hacker after a difficult
investigation instead of some kid like millions of others with more time
and anger than skills. 

It looks like it took the FBI 6 days to find what took 10 minutes on
Google. Let's see, executable name is teekids.exe, here's a
script-kiddie that goes by teekid, he's got a web site called
t33kid.com, the whois for the domain gives his real name and address.
Enough probable cause to get a warrant right there.

Jerry


-----Original Message-----
From: the lumpalaya [mailto:lumpy@city.haze.net] 
Sent: Friday, August 29, 2003 3:03 PM
To: Jerry Heidtke
Subject: RE: [Full-Disclosure] Authorities eye MSBlaster suspect


Court documents obtained by CNN allege that Parson's version of the worm
infected at least 7,000 computers. Investigators say they were able to
track him down after interviewing the person who hosted Parson's site
t33kid.com. The site, which the FBI says used to list the code for at
least one virus, appeared not to contain any content Friday.



Where did you get the total of 16?




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html