Description:
A bunch of VB script files is created in the root, Windows, Startup
(!), etc. directories named "network.vbs". The file is dated 1-9-2000.
Evidently caught by Exploder from the Startup, this file causes
logging of network activities which leads to the slowing down.
F-Prot with virus signatures dated 2-18-00 does not detect this virus.
NAV with signatures before 2-11-00 does not detect the virus.
The 2-11-00 version of NAV does not detect the infected file in the
_scanning_mode_ but in the _shield_mode_ it alerts the
"Bloodhound.unknown" infection when this file is accessed (copied).
What is going on? Does NAV use different virus
definitions/heuristic algorithms when scanning and monitoring?
The next day after "network.vbs" files were erased from one computer,
(my network engineer forgot to do it on other machines) the infection
reoccurred.
Has it been passed from my LAN?
Where could it come from, originally?
Active web pages? MSOffice shit? HappyXXX.exe gifts?
Can somebody respond???
Vlad Olchanski
I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
which he asked me to remove the code from my site.
I understand Nick's objection to my posting of the code. I share his
concerns about its use in further exploits by the odd malefactor who
lurks among us.
Yet I believe in passing on knowledge too, which I believe benefits the
majority who would only gain from it.
This is not a simple question and I think I would benefit by some sage
advice. So I ask this newsgroup: what shall I do?
Shall I remove the code? Or shall I keep it available for all to see?
I welcome responses from anyone, but most especially those of people
with long-term knowledge and experience and who are capable of reasoned
communication.
My analysis, as yet unchanged, is available at:
http://pc-help.org/news/scriptworm.htm
pchelp
> My network computers considerably slowed down recently.
> I checked them with the AVP, which reported infection with VBS.Netlog
> virus.
> Description:
> A bunch of VB script files is created in the root, Windows, Startup
> (!), etc. directories named "network.vbs". The file is dated 1-9-2000.
> Evidently caught by Exploder from the Startup, this file causes
> logging of network activities which leads to the slowing down.
> F-Prot with virus signatures dated 2-18-00 does not detect this virus.
> NAV with signatures before 2-11-00 does not detect the virus.
> The 2-11-00 version of NAV does not detect the infected file in the
> _scanning_mode_ but in the _shield_mode_ it alerts the
> "Bloodhound.unknown" infection when this file is accessed (copied).
> What is going on? Does NAV use different virus
> definitions/heuristic algorithms when scanning and monitoring?
I can't speak for the AV makers but it's pretty clear this worm is very
new.
(I found it yesterday on a client's computer, and unaware it was known
to others, I posted the entire script, along with an analysis, on my
website.)
> The next day after "network.vbs" files were erased from one computer,
> (my network engineer forgot to do it on other machines) the infection
> reoccurred.
> Has it been passed from my LAN?
If it remained on any machine on the LAN, that machine would eventually
have passed it to others on the LAN. The script grinds through vast
numbers of random IP addresses.
I can see how this thing might lead you on a merry chase. It might well
be installed onto a machine from which you had just removed it, by
another elsewhere on the LAN, even as you're going through them all
removing it. But its random nature would also mean it would not spread
efficiently.
> Where could it come from, originally?
I can't really answer that of course, but if you want my two cents, I
suggest you rule out the possibility you may have a machine with a
shared C: drive open to sans-password access over the Internet.
> Active web pages? MSOffice shit? HappyXXX.exe gifts?
Naturally this script could be planted by a trojan, or inserted via a
backdoor. Or placed by an employee.
> Can somebody respond???
> Vlad Olchanski
Hope I've helped, Vlad.
pchelp
Would it not have been more sensible to mail it to Symantec since you
discovered it using their heuristic detection ?
>
>I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
>which he asked me to remove the code from my site.
A sensible request
>
>I understand Nick's objection to my posting of the code. I share his
>concerns about its use in further exploits by the odd malefactor who
>lurks among us.
I hope that this is true, but what you say next leads me to doubt
>
>Yet I believe in passing on knowledge too, which I believe benefits the
>majority who would only gain from it.
If you wished to pass knowledge on so that the majority could benefit,
then you would have sent the code to Symantec after NAV detected the
malware but told you it was unable to offer an exact identification.
In doing so, you would have benefited, not only customers of NAV such as
your client, but also those of other AV suites.
In posting the code on the web, you have made it available to all those
who wish to spread malicious software, be they wannabe virus writers or
just plain vicious.
>
>This is not a simple question and I think I would benefit by some sage
>advice. So I ask this newsgroup: what shall I do?
The *first* thing to do would be to remove the code, the *second* to
forward the file concerned to Symantec Antivirus Research Centre
>
>Shall I remove the code?
This would be sensible. Those who are most able to benefit from the
script fall into two categories:
1 People who would deliberately spread the malicious software
2 Those who would combat it
In the latter case, it is *far* more sensible to combat malware via an
integrated approach (e.g. AV suites) rather than on a case by case
basis.
There are approximately 50 000 known pieces of malware in circulation, I
doubt whether you would propose defending yourself against these by
studying each sample personally then writing specific software to detect
and remove each one. How would you remember to run all 50 000 programs
on a regular basis ?
> Or shall I keep it available for all to see?
You are, of course, free to continue to disseminate this malware via
your site. Others, in this case, would be equally free to complain.
--
Robert
Those who can, do
Those who can't, teach
The rest are consultants
> My network computers considerably slowed down recently.
> I checked them with the AVP, which reported infection with VBS.Netlog
> virus.
>
> Description:
> A bunch of VB script files is created in the root, Windows, Startup
> (!), etc. directories named "network.vbs". The file is dated 1-9-2000.
>
> Evidently caught by Exploder from the Startup, this file causes
> logging of network activities which leads to the slowing down.
Well, there are only two things wrong with that
statement -- it is not caught "by" Explorer or the
Startup mechanism, and the slow-down is not due to
"logging network activities".
It *is* caught through writable, non-password
protected shares on the root of C. It slows your
machine because of a continual hammering away at
randomly derived IP addresses looking for such open
shares then copying itself to those it finds.
> What is going on? Does NAV use different virus
> definitions/heuristic algorithms when scanning and monitoring?
IIRC, by default NAV's on-demand scanner does not have
heuristics enabled, whereas the on-access one does.
"Bloodhound" is a heuristic detection.
> The next day after "network.vbs" files were erased from one computer,
> (my network engineer forgot to do it on other machines) the infection
> reoccurred.
Well, if you cleaned all of them but did not disable
the open shares, or only cleaned one (as you say) and
didn't close the open share on that one, there is a
fair chance it would come back due to the way it spreads.
> Has it been passed from my LAN?
Most likely...
> Where could it come from, originally?
...and it most likely came in from the Internet.
> Active web pages? MSOffice shit? HappyXXX.exe gifts?
It could have been dropped by a script or ActiveX control
in a web page or similar in an HTML Email. There is no
evidence as yet that it has been distributed this way.
> Can somebody respond???
Hope that helps. If you have further questions, please
Email me.
--
Nick FitzGerald
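Both pchelp's and Nick's replies above describe the same spreading behaviour: one infected host grinding through random IP addresses looking for open shares. As an added example (not code from any poster on this thread), here is how a defender could pick that pattern out of a perimeter or firewall connection log by counting distinct destinations per source inside a short window. The log format and the use of TCP port 139 for the shares are assumptions of this example; the sample log lines are constructed, not a real capture.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption for this example: the open shares are reached over TCP port 139
# (NetBIOS session service), as with Windows 9x file sharing of the period.
SHARE_PORT = 139

# Assumed firewall log format:
#   "<date> <time> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ TCP "
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample log (not a real capture): one host sweeping 30
    distinct addresses on port 139 in 30 seconds, one host talking only to a
    single file server, plus a web hit and a malformed line to be ignored."""
    base = datetime(2000, 2, 23, 9, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        dst = f"{10 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{i + 1}"  # distinct per i
        lines.append(f"{ts} ALLOW TCP 192.168.1.20:{1025 + i} -> {dst}:{SHARE_PORT}")
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} ALLOW TCP 192.168.1.33:{2000 + i} -> 192.168.1.5:{SHARE_PORT}")
    lines.append("2000-02-23 09:00:05 ALLOW TCP 192.168.1.20:1100 -> 207.46.130.14:80")
    lines.append("garbage line that does not match the log format")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def parse_share_attempts(log_text):
    """Return [(timestamp, src, dst)] for every TCP attempt to the share port."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("dport")) != SHARE_PORT:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst")))
    return events


def peak_distinct_targets(events, window_seconds=60):
    """For each source, the largest number of distinct destinations it touched
    within any span of window_seconds (sliding window over its own events)."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    peaks = {}
    for src, evs in by_src.items():
        in_window = Counter()
        start, best = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that have fallen out of the window.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        peaks[src] = best
    return peaks


def find_share_scanners(log_text, window_seconds=60, min_targets=20):
    """A host sweeping addresses for shares looks nothing like a client using
    one file server: flag any source whose peak reaches min_targets."""
    peaks = peak_distinct_targets(parse_share_attempts(log_text), window_seconds)
    return {src: n for src, n in sorted(peaks.items()) if n >= min_targets}


if __name__ == "__main__":
    for src, n in find_share_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts probed on port {SHARE_PORT} within 60 s")
```

A host that trips this check is the one to take off the network, clean, and fix the password-less share on, since (as Nick notes) cleaning without closing the share just invites reinfection.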
>I found this worm yesterday on a client's computer, and unaware that it
>was known to others, I posted the entire script, along with an analysis,
>on my website.
>
>I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
>which he asked me to remove the code from my site.
>
>I understand Nick's objection to my posting of the code. I share his
>concerns about its use in further exploits by the odd malefactor who
>lurks among us.
The "odd malefactor"? There are more than just a few out there.
>
>Yet I believe in passing on knowledge too, which I believe benefits the
>majority who would only gain from it.
All of those "odd malefactors" out there will really appreciate it,
also. It makes their electronic vandalism easier to accomplish.
If you do this for every new virus or trojan that you come across,
we'll be able to add you to the list of vx sites.
Getting the code to Symantec, so they could add proper detection would
be really helpful.
>This is not a simple question and I think I would benefit by some sage
>advice. So I ask this newsgroup: what shall I do?
>
>Shall I remove the code? Or shall I keep it available for all to see?
Doesn't seem like such a difficult question to me. The answer is in
your question - "keep it available for all to see?" NOT a *good*
thing. :-((((
>
LDH
Whatever in the world led you to believe I had found it that way?
> >I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
> >which he asked me to remove the code from my site.
> A sensible request
Possibly. Possibly not.
> >I understand Nick's objection to my posting of the code. I share his
> >concerns about its use in further exploits by the odd malefactor who
> >lurks among us.
> I hope that this is true, but what you say next leads me to doubt
I'm interested in input. The rationale behind your viewpoint is
interesting to me. Your doubt of my integrity is not.
> >Yet I believe in passing on knowledge too, which I believe benefits the
> >majority who would only gain from it.
> If you wished to pass knowledge on so that the majority could benefit,
> then you would have sent the code to Symantec after NAV detected the
> malware but told you it was unable to offer an exact identification.
No such thing happened.
I am completely nonplussed. Whatever did I say to lead you to conclude
that NAV found the worm?
For the record, at my client's request I set about trying to determine
why that system had misbehaved. Netscape wasn't prompting dialup as it
had done just days before, the printer setups had vanished, and it had
crashed several times.
I looked over running processes, and started surveying the system with
an eye to cleaning out unnecessary TSRs. This led me to the Startup
group, where I found the script. I had no idea what it was doing there,
but knowing what the .VBS extension meant, I opened it in Notepad for
inspection. That's all there was to it.
> In doing so, you would have benefited, not only customers of NAV such as
> your client, but also those of other AV suites.
I might well have passed it on to an AV vendor. You make a good point.
Past experience had soured me on the thing, however. I once tried to
get a response from two well-known vendors with respect to "malware" I
thought would interest them. I was resoundingly ignored.
But I'll try it freshly next time circumstances require.
> In posting the code on the web, you have made it available to all those
> who wish to spread malicious software, be they wannabe virus writers or
> just plain vicious.
I also made it available to YOU.
And lest we forget, it's traveling 'round the global Net as we speak,
handing out clear-text copies of itself to what must be many thousands
of people.
> >This is not a simple question and I think I would benefit by some sage
> >advice. So I ask this newsgroup: what shall I do?
> The *first* thing to do would be to remove the code, the *second* to
> forward the file concerned to Symantec Antivirus Research Centre
Sorry. I'm not conditioned to jump in response to barked orders. I do
however respond to reasoned arguments. I invite you to offer any you
may like to articulate in a respectful manner. Hell, if you can make
your case, do it in any tone you like.
> >Shall I remove the code?
> This would be sensible. Those who are most able to benefit from the
> script fall into two categories:
> 1 People who would deliberately spread the malicious software
> 2 Those who would combat it
You can't pigeonhole all of humanity, and limit their motives to two
categories. I think there are plenty more you should consider.
I got this in an email a short while ago in response to my page on this
worm:
"... It motivated me to FINALLY download the scripting host and get to
experimenting."
This individual's interest in WSH was piqued. He was taking in new
territory! He wasn't talking about engaging in hostile scripting, but
about the fact that he was inspired to learn.
I couldn't hope for a more creditable impact. Where this fellow was
concerned at least, I did the emphatically-right thing.
> In the latter case, it is *far* more sensible to combat malware via an
> integrated approach (e.g. AV suites) rather than on a case by case
> basis.
People are going to discover this thing on their systems. Many of them
will want to understand it in depth.
> There are approximately 50 000 known pieces of malware in circulation, I
> doubt whether you would propose defending yourself against these by
> studying each sample personally then writing specific software to detect
> and remove each one. How would you remember to run all 50 000 programs
> on a regular basis ?
This is an irrational argument. I haven't opposed the concept of an
"integrated approach," and my publication of the script is not an
expression against that idea in any way whatsoever.
I get the distinct impression you're talking to some ghost you see
before you, not me. You seem to be arguing with some spectre of past
conflict.
> > Or shall I keep it available for all to see?
> You are, of course, free to continue to disseminate this malware via
> your site. Others, in this case, would be equally free to complain.
I am not "disseminating malware." I am kindly making facts known to
people who have every right to know what a rather unusual worm may have
done on their PC. I am in some cases at least, opening a new dimension
for people, many of whom never had a clue this script language existed
at all, much less on their own computer. I'm reasonably sure that 99%
of those who read it will very much appreciate being well informed.
Some, as my experience has already proven, will be fascinated and
inspired to know more.
You might even gain by it. Would you have me keep such information from
YOU?
I would wager that not one single reader of this message regards HIMSELF
as the person from whom I should keep the facts.
Only a very tiny minority of my fellow humans is a malicious jerk who'll
use whatever they learn to assault their betters. And I don't think
those very few jerks should be first in my thoughts.
When I regard this question, one thing I do is to place myself in the
position of the seeker of fact. (Which isn't difficult, that's a daily
activity for me.) If I want in-depth information about something for
whatever reason, how shall I regard someone who has those facts, doesn't
own them as any sort of exclusive property, yet he's not only refusing
to allow me access, but demanding others do the same? Easy. I object.
I want that guy to have a damned good reason, and I want to know why he
thinks it applies to ME. I also want to know who elected him as
Knowledge Cop.
Lest you believe I'm merely here to oppose your position, recognize that
I'm open to REAL communication. The fact is, Nick has made some
eloquent arguments for his position, and I'd like to see more of the
same - on both sides.
pchelp
In article <38B795...@nwi.net>, pchelp <pch...@nwi.net> wrote
>Robert wrote:
>>
>> In article <38B764...@nwi.net>, pchelp <pch...@nwi.net> wrote
>> >I found this worm yesterday on a client's computer, and unaware that it
>> >was known to others, I posted the entire script, along with an analysis,
>> >on my website.
>>
>> Would it not have been more sensible to mail it to Symantec since you
>> discovered it using their heuristic detection ?
>
>Whatever in the world led you to believe I had found it that way?
Your Subject line states "VBS Netlog aka Bloodhound.unknown aka
Netlog.vbs"
Since Bloodhound.xxx is a diagnostic from Norton Anti Virus, you either
discovered this malware via Norton or are leading us astray by your
mention thereof (whether intentionally or not)
>
>
>> >I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
>> >which he asked me to remove the code from my site.
>
>> A sensible request
>
>Possibly. Possibly not.
>
You asked for an opinion, you got it. If you think that one of the most
respected people in this newsgroup is not making sensible requests, that
is your prerogative, but you will have to do better than "I believe in
passing on knowledge" if you are to convince people that publishing
malware is in the common interest.
>
>> >I understand Nick's objection to my posting of the code. I share his
>> >concerns about its use in further exploits by the odd malefactor who
>> >lurks among us.
>
>> I hope that this is true, but what you say next leads me to doubt
>
>I'm interested in input. The rationale behind your viewpoint is
>interesting to me. Your doubt of my integrity is not.
>
My opinion, expressed here, is a matter of public record. If you don't
like it, either disprove it or ignore it.
>
>> >Yet I believe in passing on knowledge too, which I believe benefits the
>> >majority who would only gain from it.
>
>> If you wished to pass knowledge on so that the majority could benefit,
>> then you would have sent the code to Symantec after NAV detected the
>> malware but told you it was unable to offer an exact identification.
>
>No such thing happened.
So why do you refer to Bloodhound.unknown ?
>
>I am completely nonplussed. Whatever did I say to lead you to conclude
>that NAV found the worm?
"VBS Netlog aka Bloodhound.unknown aka Netlog.vbs"
>
>For the record, at my client's request I set about trying to determine
>why that system had misbehaved. Netscape wasn't prompting dialup as it
>had done just days before, the printer setups had vanished, and it had
>crashed several times.
>
>I looked over running processes, and started surveying the system with
>an eye to cleaning out unnecessary TSRs. This led me to the Startup
>group, where I found the script. I had no idea what it was doing there,
>but knowing what the .VBS extension meant, I opened it in Notepad for
>inspection. That's all there was to it.
>
>
>> In doing so, you would have benefited, not only customers of NAV such as
>> your client, but also those of other AV suites.
>
>I might well have passed it on to an AV vendor. You make a good point.
>
>Past experience had soured me on the thing, however. I once tried to
>get a response from two well-known vendors with respect to "malware" I
>thought would interest them. I was resoundingly ignored.
>
>But I'll try it freshly next time circumstances require.
>
>
>> In posting the code on the web, you have made it available to all those
>> who wish to spread malicious software, be they wannabe virus writers or
>> just plain vicious.
>
>I also made it available to YOU.
>
>And lest we forget, it's traveling 'round the global Net as we speak,
>handing out clear-text copies of itself to what must be many thousands
>of people.
And how many of those who download it will do so because (in words
similar to those that appear so regularly here) "XYZ has seriously
pissed me off, so I want to bugger his computer" ?
Those who *seriously* seek AV knowledge have resources available to them
many of which I ignore because I don't have the time or the expertise to
write AV code. The AV industry shares knowledge on a web of trust basis.
AFAICT neither of these involves the indiscriminate posting of malicious
code.
>
>
>> >This is not a simple question and I think I would benefit by some sage
>> >advice. So I ask this newsgroup: what shall I do?
>
>> The *first* thing to do would be to remove the code, the *second* to
>> forward the file concerned to Symantec Antivirus Research Centre
>
>Sorry. I'm not conditioned to jump in response to barked orders. I do
>however respond to reasoned arguments. I invite you to offer any you
>may like to articulate in a respectful manner.
^^^^^^^^^^^^^^^^^^^^^^
What have you done to demonstrate that you have earned my respect ?
What have I done that has suggested that I do not accord you the default
amount of respect that I reserve for all newcomers before they disgrace
themselves ?
> Hell, if you can make
>your case, do it in any tone you like.
>
>
>> >Shall I remove the code?
>
>> This would be sensible. Those who are most able to benefit from the
>> script fall into two categories:
>
>> 1 People who would deliberately spread the malicious software
>> 2 Those who would combat it
>
>You can't pigeonhole all of humanity, and limit their motives to two
>categories. I think there are plenty more you should consider.
>
>I got this in an email a short while ago in response to my page on this
>worm:
>
>"... It motivated me to FINALLY download the scripting host and get to
>experimenting."
>
>This individual's interest in WSH was piqued. He was taking in new
>territory! He wasn't talking about engaging in hostile scripting, but
>about the fact that he was inspired to learn.
Can you prove that his interest was beneficent ?
>
>I couldn't hope for a more creditable impact. Where this fellow was
>concerned at least, I did the emphatically-right thing.
>
Or set off another wannabe malware author on a path I would rather he
did not take. The fact that the person thanked you does not prove even
benign intent. He may have thought you to be a new source of information
to feed his desire to "distinguish" himself in the malware realm.
OTOH, you could be in possession of proof that the person's only
interest was to learn enough to be of benefit to others.
>
>> In the latter case, it is *far* more sensible to combat malware via an
>> integrated approach (e.g. AV suites) rather than on a case by case
>> basis.
>
>People are going to discover this thing on their systems. Many of them
>will want to understand it in depth.
>
They *can* learn from experts. The auto-didactic approach to many things
is sub-optimal. When I teach myself, who corrects the errors of the
pupil ?
>
>> There are approximately 50 000 known pieces of malware in circulation, I
>> doubt whether you would propose defending yourself against these by
>> studying each sample personally then writing specific software to detect
>> and remove each one. How would you remember to run all 50 000 programs
>> on a regular basis ?
>
>This is an irrational argument. I haven't opposed the concept of an
>"integrated approach," and my publication of the script is not an
>expression against that idea in any way whatsoever.
>
>I get the distinct impression you're talking to some ghost you see
>before you, not me. You seem to be arguing with some spectre of past
>conflict.
>
If you are publishing this code in order that people protect themselves
against it, then that is a logical extension of your intent.
>
>> > Or shall I keep it available for all to see?
>
>> You are, of course, free to continue to disseminate this malware via
>> your site. Others, in this case, would be equally free to complain.
>
>I am not "disseminating malware."
By publishing this malicious code in an uncontrolled manner, you are
disseminating malware whether you like it or not.
OTOH, you could post here the measures that you have taken to ensure
that no-one who downloads this code could possibly use it for nefarious
purposes. In *that* case, I would have to apologise for assuming that it
was generally available from your site.
>I am kindly making facts known to
>people who have every right to know what a rather unusual worm may have
>done on their PC. I am in some cases at least, opening a new dimension
>for people, many of whom never had a clue this script language existed
>at all, much less on their own computer. I'm reasonably sure that 99%
>of those who read it will very much appreciate being well informed.
>Some, as my experience has already proven, will be fascinated and
>inspired to know more.
>
>You might even gain by it. Would you have me keep such information from
>YOU?
I would not seek that knowledge in that form
>
>I would wager that not one single reader of this message regards HIMSELF
>as the person from whom I should keep the facts.
Wager lost.
>
>Only a very tiny minority of my fellow humans is a malicious jerk who'll
>use whatever they learn to assault their betters. And I don't think
>those very few jerks should be first in my thoughts.
You think that the authors of some 50 000 pieces of malicious code are
only a tiny minority ?
>
>When I regard this question, one thing I do is to place myself in the
>position of the seeker of fact. (Which isn't difficult, that's a daily
>activity for me.) If I want in-depth information about something for
>whatever reason, how shall I regard someone who has those facts, doesn't
>own them as any sort of exclusive property, yet he's not only refusing
>to allow me access, but demanding others do the same?
In this case, if you have proven yourself trustworthy I would agree with
you - but *only* on that basis.
I am in possession of a great deal of knowledge from my professional
activities that I will not impart to all comers. Much of that knowledge
has the potential either to be used for good or for evil. If I
*thoroughly* trust someone then I *might* share my knowledge. Sometimes
even this is not sufficient, but those circumstances do not apply to
your dilemma about Bloodhound.unknown
>Easy. I object.
>I want that guy to have a damned good reason, and I want to know why he
>thinks it applies to ME.
If a person decides that uncontrolled dissemination of facts to which
he/she is party could be contrary to the general good, then he/she has a
right to withhold that knowledge from people he/she does not *know* to
be trustworthy.
BTW, how many of those who have downloaded your script from your website
do you know *personally* ?
How many of those that you don't know can you prove have no malicious
intent ?
> I also want to know who elected him as
>Knowledge Cop.
Here come the emotive terms. Why is it that anyone who argues for
precaution in the dissemination of potentially abusable information is
always termed a something-or-other Cop (as if that were of necessity a
dishonourable thing ?)
>
>Lest you believe I'm merely here to oppose your position, recognize that
>I'm open to REAL communication.
Define real - since you chose to shout it
>The fact is, Nick has made some
>eloquent arguments for his position, and I'd like to see more of the
>same - on both sides.
I don't doubt Nick's ability to argue his viewpoint
--
Robert
The opinions I have expressed in this post are mine alone
and are not intended to represent the House of Windsor
in any way whatsoever.
Not surprising it's definitely in the wild. We've received about a
dozen inquiries from clients about it.
> I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
> which he asked me to remove the code from my site.
>
Seconded... Please remove the code.
> I understand Nick's objection to my posting of the code. I share his
> concerns about its use in further exploits by the odd malefactor who
> lurks among us.
>
> Yet I believe in passing on knowledge too, which I believe benefits the
> majority who would only gain from it.
>
Fine but pass on an analysis of the code not the code. Think back to
when W97M/Melissa was discovered... A host of well-meaning people
posted the code here and on the web under the assumption that it would
help combat the spread of the virus. Unfortunately all it really did
was enable other virus writers to create roughly a dozen new variants
in a matter of days. I suspect your posting the VBS/Netlog.A code
publicly will unfortunately have the same effect (FWIW there are now
about 30 known Melissa variants).
> This is not a simple question and I think I would benefit by some sage
> advice. So I ask this newsgroup: what shall I do?
>
> Shall I remove the code? Or shall I keep it available for all to see?
>
Yes you should remove the code. Why? Because the intentional
distribution of malicious computer codes is:
1) A bad thing and is likely to raise the ire of people whose business
it is to combat the spread of malicious code.
2) Illegal in several countries. FWIW given the public fallout over the
recent distributed denial of service attacks in this country it's only
a matter of time before the intentional distribution of malicious
computer codes is criminalized here.
3) In violation of the Acceptable Use Policies of most major ISPs. If
you're going to distribute malicious code someone is going to complain
to your ISP.
> I welcome responses from anyone, but most especially those of people
> with long-term knowledge and experience and who are capable of reasoned
> communication.
>
> My analysis, as yet unchanged, is available at:
>
[URL Snipped]
HTH.
--
Cheers-
Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99
NOTE: POSTED AND MAILED.
Even though headers which I think are usually visible make it obvious.
How this wasted your time isn't clear. You didn't reply by email.
> In article <38B795...@nwi.net>, pchelp <pch...@nwi.net> wrote
> >Robert wrote:
> >>
> >> In article <38B764...@nwi.net>, pchelp <pch...@nwi.net> wrote
> >> >I found this worm yesterday on a client's computer, and unaware that it
> >> >was known to others, I posted the entire script, along with an analysis,
> >> >on my website.
> >>
> >> Would it not have been more sensible to mail it to Symantec since you
> >> discovered it using their heuristic detection ?
> >
> >Whatever in the world led you to believe I had found it that way?
>
> Your Subject line states "VBS Netlog aka Bloodhound.unknown aka
> Netlog.vbs"
Doesn't your newsreader support threading?
> Since Bloodhound.xxx is a diagnostic from Norton Anti Virus, you either
> discovered this malware via Norton or are leading us astray by your
> mention thereof (whether intentionally or not)
> >> >I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
> >> >which he asked me to remove the code from my site.
> >
> >> A sensible request
> >
> >Possibly. Possibly not.
> >
> You asked for an opinion, you got it. If you think that one of the most
> respected people in this newsgroup is not making sensible requests, that
> is your prerogative, but you will have to do better than "I believe in
> passing on knowledge" if you are to convince people that publishing
> malware is in the common interest.
I don't operate on the basis that "respected" persons or anyone at all
who chooses to style himself an authority is by default RIGHT and to be
OBEYED.
I use my judgment.
I have said I will state my rationale for my decision, and I will.
> >> >I understand Nick's objection to my posting of the code. I share his
> >> >concerns about its use in further exploits by the odd malefactor who
> >> >lurks among us.
> >
> >> I hope that this is true, but what you say next leads me to doubt
> >
> >I'm interested in input. The rationale behind your viewpoint is
> >interesting to me. Your doubt of my integrity is not.
> >
> My opinion, expressed here, is a matter of public record. If you don't
> like it, either disprove it or ignore it.
What am I to disprove -- that you have doubts what I say is true? I'm
saying, address the issue. Don't make it personal.
> >> >Yet I believe in passing on knowledge too, which I believe benefits the
> >> >majority who would only gain from it.
> >
> >> If you wished to pass knowledge on so that the majority could benefit,
> >> then you would have sent the code to Symantec after NAV detected the
> >> malware but told you it was unable to offer an exact identification.
> >
> >No such thing happened.
>
> So why do you refer to Bloodhound.unknown ?
Your newsreader doesn't support threading?
> >I am completely nonplussed. Whatever did I say to lead you to conclude
> >that NAV found the worm?
>
> "VBS Netlog aka Bloodhound.unknown aka Netlog.vbs"
Look back on the thread. I can see where it might be confusing,
though. It started as a reply to Vlad Olchansky's message. I decided
then to raise the question we're debating here, and replied separately
to Vlad's questions.
> >For the record, at my client's request I set about trying to determine
> >why that system had misbehaved. Netscape wasn't prompting dialup as it
> >had done just days before, the printer setups had vanished, and it had
> >crashed several times.
> >I looked over running processes, and started surveying the system with
> >an eye to cleaning out unnecessary TSRs. This led me to the Startup
> >group, where I found the script. I had no idea what it was doing there,
> >but knowing what the .VBS extension meant, I opened it in Notepad for
> >inspection. That's all there was to it.
> >> In posting the code on the web, you have made it available to all those
> >> who wish to spread malicious software, be they wannabee virus writers or
> >> just plain vicious.
> >I also made it available to YOU.
> >And lest we forget, it's traveling 'round the global Net as we speak,
> >handing out clear-text copies of itself to what must be many thousands
> >of people.
> And how many of those who download it will do so because (in words
> similar to those that appear so regularly here) "XYZ has seriously
> pissed me off, so I want to bugger his computer" ?
Get serious. XYZ has open shares? Who needs a script?
> Those who *seriously* seek AV knowledge have resources available to them
> many of which I ignore because I don't have the time or the expertise to
> write AV code. The AV industry shares knowledge on a web of trust basis.
Yeah. Insiders. No one but themselves is serious or trustworthy?
Thanks, but I do not and never will think that way. Those people have a
livelihood which, for some of them especially, depends upon maintaining
exclusivity. Because of this, they will tell us, whether it's necessary
and true or not, that the information they have shouldn't be known to
YOU and ME.
I prefer to treat my fellow man BY DEFAULT as if he were trustworthy.
To do less is insulting and it destroys the cooperation that is the
basis of our entire history of success as a species.
> AFAICT neither of these involves the indiscriminate posting of malicious
> code.
Indiscriminate?
I wouldn't have engaged this discussion if I were "indiscriminate." And
if you wish to apply that term to me, please find where ELSE I have
posted "malicious code."
Even your terms "malicious" and "malware" can be brought into valid
question in this case. This worm can justly be termed intrusive. But
malicious it isn't. It does absolutely nothing but to spread. For
malice the approach has potential. But it's worthy of note that the
writer didn't take advantage of that potential.
> >> >This is not a simple question and I think I would benefit by some sage
> >> >advice. So I ask this newsgroup: what shall I do?
> >
> >> The *first* thing to do would be to remove the code, the *second* to
> >> forward the file concerned to Symantec Antivirus Research Centre
> >
> >Sorry. I'm not conditioned to jump in response to barked orders. I do
> >however respond to reasoned arguments. I invite you to offer any you
> >may like to articulate in a respectful manner.
> ^^^^^^^^^^^^^^^^^^^^^^
> What have you done to demonstrate that you have earned my respect ?
Forget it. I won't bother trying.
Where I come from, one starts off with respect, but I realize some of us
don't bother with such niceties of etiquette.
...
> >I got this in an email a short while ago in response to my page on this
> >worm:
> >
> >"... It motivated me to FINALLY download the scripting host and get to
> >experimenting."
> >
> >This individual's interest in WSH was piqued. He was taking in new
> >territory! He wasn't talking about engaging in hostile scripting, but
> >about the fact that he was inspired to learn.
>
> Can you prove that his interest was beneficent ?
What a cynical life you must lead.
I'm not going to quote his whole email without permission. Suffice it
to say he publishes free code, identifies himself totally, and is quite
evidently a truly nice guy.
> >I couldn't hope for a more creditable impact. Where this fellow was
> >concerned at least, I did the emphatically-right thing.
> Or set off another wannabee malware author on a path I would rather he
> did not take. The fact that the person thanked you does not prove even
> benign intent. He may have thought you to be a new source of information
> to feed his desire to "distinguish" himself in the malware realm.
> OTOH, you could be in possession of proof that the person's only
> interest was to learn enough to be of benefit to others.
You, quite obviously, presume the opposite of people you haven't met.
So be it. That explains the reception you've given me and it ends any
further response I'll make to you unless you make it unavoidable.
> >> In the latter case, it is *far* more sensible to combat malware via an
> >> integrated approach (e.g. AV suites) rather than on a case by case
> >> basis.
> >People are going to discover this thing on their systems. Many of them
> >will want to understand it in depth.
> They *can* learn from experts. The auto-didactic approach to many things
> is sub-optimal. When I teach myself, who corrects the errors of the
> pupil ?
Sorry, this doesn't compute. You're not proposing to teach anyone
anything, you're instead saying I should NOT.
> >> There are approximately 50 000 known pieces of malware in circulation, I
> >> doubt whether you would propose defending yourself against these by
> >> studying each sample personally then writing specific software to detect
> >> and remove each one. How would you remember to run all 50 000 programs
> >> on a regular basis ?
> >This is an irrational argument. I haven't opposed the concept of an
> >"integrated approach," and my publication of the script is not an
> >expression against that idea in any way whatsoever.
> >I get the distinct impression you're talking to some ghost you see
> >before you, not me. You seem to be arguing with some spectre of past
> >conflict.
> If you are publishing this code in order that people protect themselves
> against it, then that is a logical extension of your intent.
There's more to it than that, which you're ignoring because I made it
CLEAR.
No more time to waste. Remainder redacted.
pchelp
> ... If it were my page I would leave it up if for no other reason
> just to see if all this stuff about it being "Illegal" to post even crippled
> code that won't replicate let alone an elegant elaborate and concisely written
> package as the one you have on your page. ...
Who told you such things were "illegal"?
You seem to have confused doing what you may have a legal
right to do and being brought to task within the legal
system for a *consequence* of your choice to exercise
that right. You have the right to say or publish anything
you like in the US, but try publishing military secrets on
a web page and see how long you are allowed to continue
exercising that right. Try inciting extreme racial
prejudice and see how long you stay out of prison. The
fact is, that with rights come responsibilities to
exercise them, well, "responsibly". People who
irresponsibly exercise the right of free speech can end up
facing societal opprobrium in many ways.
*That* was pointed out to you.
> ... But
> some in here would have you believe that your page would have so many hits from
> the so called malicious fringe, wanting the code to release upon denizens of the
> web, that your page would come down from the sheer number of hits it would get.
Don't put words in our mouths, especially when you have
repeatedly shown a complete inability to paraphrase or
understand the position of those here who disagree with you.
The fact of the matter is that a *single* download of that
page could result in much further trouble, the cost of which
could be huge. As "pchelp" has *absolutely no idea* which,
if any, of the hits on his page is that one hit, it *is*
irresponsible to post the code.
If, instead, he had a public link to, say, a file PGP crypted
with the keys of the people he believes he can trust with
such material, then there is no greater risk than any other
distribution method he chooses that depends on his personal
judgement of competence and lack of malice on the part of the
recipients (at least, I am giving him the benefit of the doubt
that these are significant criteria he uses when deciding to
give malware samples to anyone).
I believe in the dictum "first do no harm" and publicly
posting ready-to-run malware code cannot match that most
crucial requirement. If this exploited some obscure bug in
some server or application software and the vendors were pre-
warned and had patches ready to release, then the equation is
somewhat different (though I still do believe that full
disclosure is *necessarily* justified).
That is *nothing* like the case here. This is simply an issue
of ignorant system administration on a machine by machine
basis, on the OS that vastly outweighs all the other OSes
combined on the Internet. Thus, the potential for harm is
enormous and the likelihood of "improving things" is
immeasurably distant from zero.
Posting the code is reckless at best.
--
Nick FitzGerald
> I found this worm yesterday on a client's computer, and unaware that it
> was known to others, I posted the entire script, along with an analysis,
> on my website.
>
> I received an email from Nick FitzGerald <ni...@virus-l.demon.co.uk> in
> which he asked me to remove the code from my site.
Indeed, and I'd guess the regulars here have a fair idea
of the kinds of arguments I made...
> I understand Nick's objection to my posting of the code. I share his
> concerns about its use in further exploits by the odd malefactor who
> lurks among us.
>
> Yet I believe in passing on knowledge too, which I believe benefits the
> majority who would only gain from it.
>
> This is not a simple question and I think I would benefit by some sage
> advice. So I ask this newsgroup: what shall I do?
>
> Shall I remove the code? Or shall I keep it available for all to see?
By your own, apparent, past standards, the code should never
have been posted. I refer you to your own "How I Handle
Email" page (http://www.nwi.net/~pchelp/email.htm), and
specifically to the last section "Messages I Do Not Answer".
The first point is:
Requests for trojans, exploits and hacker tools. Yes, I
have a huge collection, probably 300 trojans and hundreds
of "hAx0r t0o1z." NO, I don't distribute them. Occasionally
I will pass on specific items to people who identify
themselves and whom I feel completely certain will use them
for positive purposes.
Whilst I, and probably most of the acv "regulars" applaud that
position, I find it entirely contradicted by your decision to
post the full source code and thereby the full beast, as VBS
is an interpreted script language. Surely your decision to
post the code goes directly against your own (laudable!)
guidelines for redistributing malware.
Please explain this apparent total contradiction of your
previously stated position of cautious distribution.
--
Nick FitzGerald
(further discussion of pchelp's posting of code for vbs malware)
pchelp, your past reputation as one of the good guys gave me no hint
that you would post the complete code to something like this, and I
didn't scroll down your page far enough to realize you had done so, or I
would never have posted myself including a link to your site.
Why not post on your site your general analysis of the code, and offer
to email the full code with your line analysis to those you find
trustworthy? Would this not satisfy objections from both sides?
.02.
Bill
--
William Thomas Quick : Iceberg Productions
ice...@iw3p.com : http://www.iw3p.com
Science Fiction Writers of America : The Authors Guild
Writers Guild of America, West
http://www.iw3p.com/pgp.htm for PGP Public Key
Nick FitzGerald wrote:
> Don't put words in our mouths, especially when you have repeatedly shown a complete inability to paraphrase or
> understand the position of those here who disagree with you
___________________________________________
I don't have to put words in your mouth; the AV people in here do quite all right on their own. I completely understand your position, I just don't happen to agree with it. It always seems, at least, that anyone who disagrees with you and others of like-mindedness is ipso facto wrong. Even if your opinion is the majority opinion, that still doesn't qualify it as the only just opinion. We have bandied this point back and forth time and time again, and we should both realize by now that neither of us will probably ever change the other's opinion. I am of the opinion that we should just agree to disagree, and then try and be civil when expounding on our divergence of ideas.
>> My network computers considerably slowed down recently.
>> I checked them with the AVP, which reported infection with VBS.Netlog
>> virus.
>> Description:
>> A bunch of VB script files is created in the root, Windows, Startup
>> (!), etc. directories named "network.vbs". The file is dated 1-9-2000.
>> The next day after "network.vbs" files were erased from one computer,
>> (my network engineer forgot to do it on other machines) the infection
>> reoccurred.
>> Has it been passed from my LAN?
Prolly.
>> Where could it come from, originally?
Routes of entry:
1) Humans
2) Diskettes (boot, and copy)
3) CDs (AutoRun.inf, and copy)
4) e-mail attachments
5) e-mail message body (HTML active content)
6) Web sites, download
7) Web sites, active content
8) Hacked auto-update
9) Uploaded via existing RAT
Code vectors:
1) Native machine code
2) Active content scripts
3) Application scripts, i.e. Office macros etc.
4) Windows installation mechanism
Points of attack:
1) Startup axis, pre-OS (MBR, partition boot)
2) Startup axis, real-mode (Config.sys, AutoExec.bat etc.)
3) Startup axis, GUI mode (.ini, registry, StartUp)
4) File associations
5) Application startup folders and templates
6) Active content as interpreted locally by Windows
7) Explorer, via Shell=, via drive letters, etc.
Recurrence sources:
1) Mailboxes
2) Backups, diskettes, etc.
3) Remote users (laptops connecting in via DUN etc.)
4) Sibling file survivability
5) Recurrence of original infection vector
As a general rule, do **NOT** share the startup axis, i.e. C:\ or
%WinDir%, and ideally don't share application base dirs.
Unless you need shared Internet access or IP addressability, suggest
don't use TCP/IP on LAN.
>--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
Bob code: KHok Lwdo EMD! CPEIV B-NAN O9x SCs
T---- A6! H6(-8)omc
>--------------- ----- ---- --- -- - - -
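The "don't share the startup axis" rule above can be checked mechanically rather than by eye. The script below is an added example, not code from anyone in this thread: it parses a constructed `net share` listing and flags every disk share whose root contains the drive root, %WinDir%, or the Win9x StartUp group, which is where the thread says the network.vbs copies land. The share names, the paths, and the %WinDir% location are assumptions.

```python
"""Audit Windows share definitions for shares that expose the "startup axis"
(drive root, %WinDir%, the StartUp group).  Added example; the `net share`
text below is constructed, not captured from any machine in the thread."""
import ntpath
import re

# Constructed sample of `net share` output (share names and paths are hypothetical).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
C            C:\                             Whole drive, full access
WINDOWS      C:\WINDOWS
DOCS         C:\DOCS                         Shared documents
The command completed successfully.
"""


def startup_axis(windir=r"C:\WINDOWS"):
    """Locations where a file dropped through a share runs on the next boot
    or login.  Assumed Win9x layout with %WinDir% = C:\\WINDOWS."""
    drive = ntpath.splitdrive(windir)[0] + "\\"
    return {
        "drive root": drive,                    # Config.sys, AutoExec.bat
        "%WinDir%": windir,                     # win.ini, system.ini, registry hives
        "StartUp group": ntpath.join(windir, "Start Menu", "Programs", "StartUp"),
    }


def _norm(path):
    # Normalise case and separators and keep one trailing backslash so that
    # C:\WIN is not mistaken for a parent of C:\WINDOWS.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\") + "\\"


def covers(share_path, target):
    """True if `target` is the share's root or lies beneath it."""
    return _norm(target).startswith(_norm(share_path))


# A drive letter followed by a backslash and non-space characters.  Paths that
# contain spaces are cut at the first space; good enough for a fixed-width listing.
_PATH_RE = re.compile(r"\b([A-Za-z]:\\[^\s]*)")


def parse_net_share(text):
    """Yield (share name, local path or None) for each row of `net share` output."""
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Share name") or line.startswith("---")
                or line.startswith("The command")):
            continue
        name = line.split()[0]
        match = _PATH_RE.search(line)
        yield name, (match.group(1) if match else None)


def audit_shares(text, windir=r"C:\WINDOWS"):
    """Return one record per disk share listing the startup-axis locations it exposes."""
    axis = startup_axis(windir)
    findings = []
    for name, path in parse_net_share(text):
        if path is None:                      # IPC$ and other non-disk shares
            continue
        exposed = [label for label, target in axis.items() if covers(path, target)]
        findings.append({"name": name, "path": path, "exposes": exposed})
    return findings


if __name__ == "__main__":
    for f in audit_shares(SAMPLE_NET_SHARE):
        verdict = "EXPOSES " + ", ".join(f["exposes"]) if f["exposes"] else "ok"
        print(f"{f['name']:<10} {f['path']:<35} {verdict}")
```

Run against real output by piping `net share` into the script's stdin or a file and passing the text to `audit_shares`; any share that reports the drive root or %WinDir% is one the post says should not exist, and the StartUp group entry is the one that matters for a script worm that copies itself into the Startup folder.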
Robert wrote:
>
> In article <38B820...@nwi.net>, pchelp <pch...@nwi.net> wrote
> >Robert wrote:
[lots of stuff redacted]
> >I don't operate on the basis that "respected" persons or anyone at all
> >who chooses to style himself an authority is by default RIGHT and to be
> >OBEYED.
> You suggest that Nick's request (try looking up the meaning of that
> word) is not sensible. It is your prerogative to pretend to that
> position, as I said before.
Apparently it doesn't occur to you that my viewpoint as stated might be
sincerely held.
You must be very hard on the people around you.
[snippo]
> >I have said I will state my rationale for my decision, and I will.
> Yet you do not
O ye of little faith and less patience, I have done so as promised.
Don't bother telling me you don't like it. I know.
> >> >For the record, at my client's request I set about trying to determine
> >> >why that system had misbehaved. Netscape wasn't prompting dialup as it
> >> >had done just days before, the printer setups had vanished, and it had
> >> >crashed several times.
> Yet you claim that this code has nothing to do with that, make your mind
> up
You're jumping to conclusions. I was explaining why I was looking the
system over.
The Netscape and printer problems were totally unrelated to the worm.
I'm not sure about the crashes, but hey -- look at the code. It's not,
on the face of it, anything that _should_ cause a crash. But of course
we are talking about Windows here.
How do I know the worm didn't cause the dialup problem? Because
although that particular symptom seems fixed, Netscape is still
misbehaving on that machine, in related ways I didn't bother to mention
-- apparently because it doesn't get along well with the proxy.
How do I know it didn't cause the printer problem? Because another
machine on the LAN had _precisely_ the same thing happen -- with no
worm. Something with one of the drivers, apparently. When a shared
printer wasn't found by Windows because its connected system was
offline, the thing would hang horribly on any effort to print; and
unless the systems were rebooted, any effort to open the printers folder
would somehow disappear the printer setups. No connection whatsoever to
the worm.
Clear enough now?
> >> And how many of those who download it will do so because (in words
> >> similar to those that appear so regularly here) "XYZ has seriously
> >> pissed me off, so I want to bugger his computer" ?
> >Get serious. XYZ has open shares? Who needs a script?
> No answer to that one ? Have you any proof that *no* XYZ _anywhere on
> this planet_ is vulnerable to attack by the code you publish ?
Know what? I'm leaving this in to embarrass you.
You may never get it, but others will.
> You are contradicting yourself here - you said that it impacted upon the
> performance of your client's machine (not I).
I actually did not say that.
Interesting, though. I'm learning about you.
There's a pattern here. I write one thing, you read another.
pchelp