Outbreak warning - Bagle worm
Gadi Evron
Trojan Horses Research Mailing List) from Moosoft Development
(www.moosoft.com) a few hours ago.
AV and AT firms have had a few hours to update their databases.
Info can be found only on viruslist's web page, so far:
http://www.viruslist.com/eng/alert.html?id=783050
To date, only The Cleaner and Kaspersky detect it.
Let's hope it is stopped before it can do too much damage!
This post comes as an heads-up and FYI so you can take measures to
stop it.
To help block it, here is a URL list the worm accesses, trying to
download (recieved from MooSoft (www.moosoft.com), all URL's are
currently showing 404:
http://www.elrasshop.de/1.php
http://www.it-msc.de/1.php
http://www.getyourfree.net/1.php
http://www.dmdesign.de/1.php
http://64.176.228.13/1.php
http://www.leonzernitsky.com/1.php
http://216.98.136.248/1.php
http://216.98.134.247/1.php
http://www.cdromca.com/1.php
http://www.kunst-in-templin.de/1.php
http://vipweb.ru/1.php
http://antol-co.ru/1.php
http://www.bags-dostavka.mags.ru/1.php
http://www.5x12.ru/1.php
http://bose-audio.net/1.php
http://www.sttngdata.de/1.php
http://wh9.tu-dresden.de/1.php
http://www.micronuke.net/1.php
http://www.stadthagen.org/1.php
http://www.beasty-cars.de/1.php
http://www.polohexe.de/1.php
http://www.bino88.de/1.php
http://www.grefrathpaenz.de/1.php
http://www.bhamidy.de/1.php
http://www.mystic-vws.de/1.php
http://www.auto-hobby-essen.de/1.php
http://www.polozicke.de/1.php
http://www.twr-music.de/1.php
http://www.sc-erbendorf.de/1.php
http://www.montania.de/1.php
http://www.medi-martin.de/1.php
http://vvcgn.de/1.php
http://www.ballonfoto.com/1.php
http://www.marder-gmbh.de/1.php
http://www.dvd-filme.com/1.php
http://www.smeangol.com/1.php
Gadi Evron
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
Igi
"Gadi Evron" <g...@linuxbox.org.INVALID> píse v diskusním príspevku
news:newscache$lfbprh$ax1$1...@lnews.actcom.co.il...
> This possible worm outbreak warning was received on TH-Research (The
> Trojan Horses Research Mailing List) from Moosoft Development
> (www.moosoft.com) a few hours ago.
>
> AV and AT firms have had a few hours to update their databases.
>
> Info can be found only on viruslist's web page, so far:
> http://www.viruslist.com/eng/alert.html?id=783050
>
> To date, only The Cleaner and Kaspersky detect it.
>
Bitdefender, NOD32, RAV detect it too :-]
Igi
Bruce
@lnews.actcom.co.il:
Can this be true!?:
I am currently running McAfee Virus Scan, which automatically updated
itself on 1/16/04 with .dat 4315.
After reading this note, I went to the McAfee site to see if it was aware
of the bagle worm. McAfee says it has added it to their .dat file 4316 on
1/18/04:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965
But, on the same page, farther down, under Removal Instructions:
http://vil.nai.com/vil/virus-4d.asp
they say you need .dat 4316 to be protected, but they won't issue it until
their next weekly update (generally Thursday or Friday). So, I decided to
manually update, but when I do, I'm told my security services are up to
date. Apparently, their 4316 is still in 'beta'. All they offer is to
reinstall my subscription.
Is this rediculous, or what? I know...
Bruce
Buford T. Justice
http://www.nod32.com/support/info.htm#CurVersion
BTJustice
"Bruce" <parc...@netscape.net> wrote in message
news:Xns9474BE1D12601p...@204.127.199.17...
David H. Lipman
It is NOT rediculous. Reading the description: http://vil.nai.com/vil/content/v_100965.htm
This description was added Today, January 18th.
McAfee considers this to have a low risk. Therefore they have NOT posted an EXTRA.DAT. If
you had a sample of the W32/Bagle@MM virus and you submitted it to Webimmune {
https://www.webimmune.net/default.asp }then they would email you an EXTRA.DAT. If the Risk
Assesment rises then they may post an EXTRA.DAT and/or release DAT v4316. Prior to January
21.
And so you know, McAfee usually will post first to their FTP servers and then to their web
sites by 1600hrs on Wednesdays. I know this becuase "I was the driving force" (by using my
professional personna) in getting NAI/McAfee to standardize their posting on Wednesdays and
to do well before the end of the business day on the US East Coast. In the approx. 3 years
since I made that request of NAI/McAfee they have done very well. The rare times they have
missed that mark is when there are problems with that week's DAT revision or a "hot" virus
is out and they want to make sure that weekly's DAT works properly and covers that "hot"
virus.
Also for your knowledge, the daily SuperDAT http://vil.nai.com/vil/virus-4d.asp probably has
this in it and was posted about 2200hrs Today, January 18th, on the US East Coast.
There is NOTHING ridiculous, you just don't know the product you are using.
In addition:
If you post to UseNet with your TRUE, not a munged, email address then you have invited the
swen Internet worm [aka; W32/Gibe-F] to visit you.
The Swen is news spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups and well as it has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.
Dave
"Bruce" <parc...@netscape.net> wrote in message
news:Xns9474BE1D12601p...@204.127.199.17...
Nomen Nescio
"Gadi Evron" <g...@linuxbox.org.INVALID> schreib:
> This possible worm outbreak warning was received on TH-Research (The
> Trojan Horses Research Mailing List) from Moosoft Development
> (www.moosoft.com) a few hours ago.
>
> AV and AT firms have had a few hours to update their databases.
>
> http://www.viruslist.com/eng/alert.html?id=783050
>
> To date, only The Cleaner and Kaspersky detect it.
NOD32 detect him with unknown name on heuristic, and with
known name since 18/01 update.
Kevin
protection, at least in this case. I have received 5 Bagle.W32 emails
so far this morning. While Trend updated in time to catch 4 of them,
McAfee is still stuck on 4315. Perhaps it's just that a weekly update
frequency is no longer sufficient. It would be an interesting
situation in which I had to proactively identify a virus, send it to
my anti-virus software supplier in order to receive an update to allow
me to identify the virus!
I'm anticipating many more infected machines in this area (SE Asia).
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:<a9IOb.13653$9U6....@nwrddc02.gnilink.net>...
Big Will
nasty SWEN virus, still. It's dropped remarkably, though. I'll be knocking
on wood, though, as I'm sure that some of my friends are stupid enough to
open attatchment.
William
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04011...@posting.google.com...
David H. Lipman
McAfee did raise the Risk Assessment and has subsequently released an EXTRA.DAT and DAT
v4316.
In addition:
If you post to UseNet with your TRUE, not a munged, email address then you have invited the
swen Internet worm [aka; W32/Gibe-F] to visit you.
The Swen is news spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups as well as it has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.
Dave
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04011...@posting.google.com...
Bruce
> Bruce:
>
> It is NOT rediculous. Reading the description:
> http://vil.nai.com/vil/content/v_100965.htm This description was added
> Today, January 18th.
>
> McAfee considers this to have a low risk.
I'm aware it's classified a low risk, but that's not zero risk. If they've
identified it, then add it to a .dat and push it out to us. Other vendors
have.
Therefore they have NOT
> posted an EXTRA.DAT. If you had a sample of the W32/Bagle@MM virus
> and you submitted it to Webimmune {
> https://www.webimmune.net/default.asp }then they would email you an
> EXTRA.DAT. If the Risk Assesment rises then they may post an
> EXTRA.DAT and/or release DAT v4316. Prior to January 21.
McAfee's customer base is the average pc user, not virus hunters. The only
reason I knew about bagle is because I read newsgroups, which the average
user doesn't even know exists. Mr. Average is not going to be able to
identify what he has caught, let alone be able to safely send it out for
id. This idea is like closing the barn door after the horses have gotten
out.
>
> And so you know, McAfee usually will post first to their FTP servers
> and then to their web sites by 1600hrs on Wednesdays. I know this
> becuase "I was the driving force" (by using my professional personna)
> in getting NAI/McAfee to standardize their posting on Wednesdays and
> to do well before the end of the business day on the US East Coast.
> In the approx. 3 years since I made that request of NAI/McAfee they
> have done very well. The rare times they have missed that mark is
> when there are problems with that week's DAT revision or a "hot" virus
> is out and they want to make sure that weekly's DAT works properly and
> covers that "hot" virus.
>
> Also for your knowledge, the daily SuperDAT
> http://vil.nai.com/vil/virus-4d.asp probably has this in it and was
> posted about 2200hrs Today, January 18th, on the US East Coast.
>
> There is NOTHING ridiculous, you just don't know the product you are
> using.
Yes, I do.
David H. Lipman
previously stated elsewhere in this thread, McAfee has raised the Risk Assessment and has
released both an EXTRA.DAT and DAT v4316.
And I see you are still are not using a munged email address...apparently you like to
receive viruses.
Case closed :-)
Dave
"Bruce" <parc...@netscape.net> wrote in message
news:Xns94755EED056E4p...@63.240.76.16...
Bruce
> No you don't know McAfee software or practices. Your post proves
> that.
Yes, I do, I just don't think their practices are adequate. By the way,
you've evaded the fact that other vendors were protecting their users
against bagle, while McAfee was not.
As I have previously stated elsewhere in this thread, McAfee
> has raised the Risk Assessment and has released both an EXTRA.DAT and
> DAT v4316.
Yes, they have, but again, that's not the point of my OP. You've
conveniently changed the timing of my response.
But, now that McAfee has issued both extra.dat and 4316, let me state
this again... consider the average user. He would never have known this,
let alone how to get/install these updates. And, if the average user
depends upon the weekly automatic update function, he's not protected
until this coming Wednesday, which is too long to be exposed, especially
if McAfee has raised the risk to moderate. I'm set for automatic
updates, but I had to do a manual update to get 4316. That's no good.
>
> And I see you are still are not using a munged email
> address...
What makes you think that's a live email addy, Dave?
> apparently you like to receive viruses.
In eighteen years, I've been hit by 2 viruses. Actually, it was my kids
who just had to open an exe they got over a p2p network. Both were pesky
viruses, but f-prot for dos did the trick.
I didn't intend my OP to create such a firestorm with you, but you've got
one hell of a defensive and confrontational attitude.
David H. Lipman
"Bruce" <parc...@netscape.net> wrote in message
news:Xns947591CE0B76Fp...@63.240.76.16...
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:CTUOb.4646$_u4....@nwrdny02.gnilink.net:
|
| > No you don't know McAfee software or practices. Your post proves
| > that.
|
| Yes, I do, I just don't think their practices are adequate. By the way,
| you've evaded the fact that other vendors were protecting their users
| against bagle, while McAfee was not.
That's debateable but, its not worth kicking about...
| As I have previously stated elsewhere in this thread, McAfee
| > has raised the Risk Assessment and has released both an EXTRA.DAT and
| > DAT v4316.
|
| Yes, they have, but again, that's not the point of my OP. You've
| conveniently changed the timing of my response.
Not every company can come up with signature files as fast as we would like. Often an AV
vendor has to wait to receive a sample. They don't always share information. It just so
happens that McAfee is excellent in releasing signature files before their competitors. I
think 24 ~ 36 hours after an outbreak has started is reasonable.
| But, now that McAfee has issued both extra.dat and 4316, let me state
| this again... consider the average user. He would never have known this,
| let alone how to get/install these updates. And, if the average user
| depends upon the weekly automatic update function, he's not protected
| until this coming Wednesday, which is too long to be exposed, especially
| if McAfee has raised the risk to moderate. I'm set for automatic
| updates, but I had to do a manual update to get 4316. That's no good.
Sure, he could. One just has to add their email address to their listserver, to receive
information on when DAT files are released and/or when the Risk Assessment of an infector
changes.
| > And I see you are still are not using a munged email
| > address...
|
| What makes you think that's a live email addy, Dave?
Because netscape.com is a legitimate Domain and it shows no sigh of obfuscation. What
happens if there is a REAL person behind that address ? Then what ?
| > apparently you like to receive viruses.
|
| In eighteen years, I've been hit by 2 viruses. Actually, it was my kids
| who just had to open an exe they got over a p2p network. Both were pesky
| viruses, but f-prot for dos did the trick.
In that period I have seen, been hit or erradicated thousands. From the old Jerusalem.B on
a Netware v2.x network to the almost benign Geshenk
| I didn't intend my OP to create such a firestorm with you, but you've got
| one hell of a defensive and confrontational attitude.
|
Nobody's perfect ! But it has given me an "edge" in the corporate (and other) IT arena.
Trust me when I say I mean no offense. My intention is just to level your expectation - to
be closer to ground level.
In that 18 year period you mentioned, how long have you been using the reatil version of
McAfee software ?
Have you used the enterprise or corporate versions ?
Dave
Anonymous
In message news:Xns947591CE0B76Fp...@63.240.76.16,
"Bruce" <parc...@netscape.net> wrote...
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:CTUOb.4646$_u4....@nwrdny02.gnilink.net:
>
> > that.
>
> Yes, I do, I just dont think their practices are adequate. By the way,
> youve evaded the fact that other vendors were protecting their users
Of course he will evade this fact, as he will evade any contradicting
McAfees perfection. You waste your time discoursing with Lipman,
he is a professional McAfee shill.
-=-
This message was posted via two or more anonymous remailing services.
Kevin
> The point is moot.
Maybe you missed the point then, which is that McAfee left me, and my
customers, exposed to a new and active virus, despite acknowledging it
on the website, while at the same time declaring my anti virus
definitions to be up-to-date.
Clearly this is not a good situation. I am a computer professional and
it took me too long to get McAfee to protect me against Bagle, which I
did by taking actions that the average user would not know how, or
have the inclination, to take.
McAfee finally updated automatically this morning, giving a full 24
hours of exposure to anyone here using their system for anti virus
protection. In that 24 hours, one of my networks received 12 Bagle
infected mails.
As I said before, if not ridiculous, it's not giving a good level of
virus protection. Based on that performance I would find it difficult
to recommend McAfee over some of the competition.
taff
Why don't these companies bring out their definitions before the virus
is released. Then we could all have a holiday. :-=))
Taff.............
David H. Lipman
vendor to produce signature for given infector. I think the time frame was well within a
reasonable time period for posting the various forms of signature files. Yesterday they
provided it in the Daily SuperDAT when the Risk Assessment was low. When that risk
Assessment was raised they released both an EXTRA.DAT and DAT v4316. McAfee can only
provide a signature file for a virus they have a sample for. This takes time. I can't
recount how many time McAfee beat the other vendors at recognizing a given infector. This
time they weren't first. I see no problem with this.
Bill Sanderson and I went through an exercise a month or so back. He sent me an PXE packed
file, SecurityUpdate_v.3.1.1.exe, that NAV/SAV and CA eTrust did not recognize. McAfee did
recognize the infector. Research showed that it was known to McAfee since DAT v4277 ,
7/'03, as Multipdropper-GP.a. The others did not put out signatures until Mid Dec '03.
So I can't accept you assessment.
Dave
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04011...@posting.google.com...
James Egan
<DLipman~nospam~@Verizon.Net> wrote:
>And I see you are still are not using a munged email address...apparently you like to
>receive viruses.
Don't knock someone for being less spineless than you.
You make it sound like a poster without a munged address is some sort
of moron who doesn't know what he's doing. On the contrary, there are
those who won't submit quite so easily to the will of the virus writer
or spammer.
Jim.
Dalt
All anti virus is reactive,it's the nature of the beast.ALL av products
promise protection but the sad fact is they all rely on some poor sap losing
their data before they can do anything about truely *new* viruses.
Having said that a degree of common sense and safe practice will rule out
99% of viruses,if people insist on openning and executing files of unknown
origin then the worlds best anti virus is not going to help them and it
won't matter what company the software is from or how fast they get their
updates out.
The anti virus industry is always going to come second in the battle against
the virus menace,it's the way it is,anybody who believes otherwise is only a
short click away from losing their files.
You also have to take into account that the average PC user wouldn't (in PC
terms) be able to find their own butt with both hands.Hell the people who
are most likely to need help wouldn't be able to work out how to use a
newsgroup so wouldn't see anything that's posted here anyways.
Bottom line? the individual that runs a 15K files called BritneysTits.scr is
beyond help even from the best AV programs.It's about education...AV
software is a very small tool in what should be a much bigger box.
cheers Dalt
Buford T. Justice
http://www.nod32.com/msgs/baglea.htm
"Win32/Bagle.A is one of a long series of worms that NOD32 detects using a
unique “Advanced Heuristics”, which means that all NOD32 users are protected
against this worm from the time it was released in the wild."
BTJustice
"Dalt" <D...@unknown.com> wrote in message
news:buiu44$2b5$1...@titan.btinternet.com...
Buford T. Justice
Heuristics” meaning they use (the term escapes me) 'a list of known viruses'
in order to find viruses. Some antivirus software that comes to mind that
do this are McAfee, Norton, PC-cillin, etc. In fact, when I was running
Norton AntiVirus 2003, I use to read the update text files and was horrified
to see they actually removed viruses from the list. And damn Norton slows a
computer down anyway, lol.
BTJustice
"Buford T. Justice" <???@msn.com> wrote in message
news:buiuco$hrf5t$1...@ID-208839.news.uni-berlin.de...
> I am proud to be a NOD32 user...
>
> http://www.nod32.com/msgs/baglea.htm
>
> "Win32/Bagle.A is one of a long series of worms that NOD32 detects using a
> unique “Advanced Heuristics”, which means that all NOD32 users are
protected
> against this worm from the time it was released in the wild."
>
> BTJustice
__________ NOD32 1.602 (20040119) Information __________
This message was checked by NOD32 Antivirus System.
http://www.nod32.com
Dalt
"James Egan" <je...@mailinator.com> wrote in message
news:6rip001qhc779rvrj...@4ax.com...
Hiya Jim :)
I don't use a valid email mainly due to being too lazy to respond to mail :)
I don't much give a toss what turns up in my mailbox :) if it's not from
somebody I know and checking the message source reveals anything even
slightly suspect then it gets deleted :)
It's a chicken and egg syndrome...the more people who get sent viruses and
submit them to the AV companies,the more *fame* the virus writer gets,the
more widespread their message is,the more people hear about the comments in
the virus body (thanks to the av companies) leading on to the more sales the
AV companies get for software that by it's very nature CAN'T help them
anyways.
Virus writer gets their fame = they win.
Anti virus companies sell software = they win
Poor sap loses half their files...who gives a shit?,the VXers don't..the AV
companies don't..if the AV companies detected everything as "Mindless
shitware #3268" etc and DIDN't post any details about what it does or how it
works the number of viruses in the wild would reduce..remove the fame and
many of the script kiddies would simply vanish..but no..what do the AV
companies do? you got it,they come up with fear inspiring names and lots of
info (usually including the text from the virus that the author wants
published) and start screaming about "we detected it first"..or "we detect
100% of known viruses" or even "new dats detects 73,000 viruses" when it's
number 73,001 that's just wiped your hard disk...
Do the AV companies really want viruses erradicated? like hell they do...and
it's no good them wheeling out the old soldier of "but there are enough
viruses in the wild to keep us in business" as that's simply bullshit.(the
the math,diminishing returns is a simple system to expedite)
I'm really not sure which is worse...the person who wants to fuck over your
data...or the peson who wants to fuck over your bank balance?
The relationship between AV and VX is much closer than most people
realise...in fact the only people that don't know are the ones paying the
bills.
Consider this (with no offence to the people concerned as I do happen to
like most of them)
Graham Cluley,Sara Gordon,Vess,etc etc...what are they without viruses? you
got it,a few overweight people with no real means of getting on TV or
becomming the household names they are today(relativly speaking).Take good
old Gra (Hi Graham) no viruses? are you ever likely to see him on TV??
course not...
Nothing will change though until the people paying the bills start to say
"OI hold on a fucking minute,isn't it about time we started getting what we
are paying for?" and that's not going to happen anytime soon :)
Cheers Dalt
James Egan
wrote:
>
>I don't use a valid email mainly due to being too lazy to respond to mail :)
>I don't much give a toss what turns up in my mailbox :) if it's not from
>somebody I know and checking the message source reveals anything even
>slightly suspect then it gets deleted :)
Also, you don't knock those who use valid addresses.
>It's a chicken and egg syndrome...the more people who get sent viruses and
>submit them to the AV companies,the more *fame* the virus writer gets,the
>more widespread their message is,the more people hear about the comments in
>the virus body (thanks to the av companies) leading on to the more sales the
>AV companies get for software that by it's very nature CAN'T help them
>anyways.
>Virus writer gets their fame = they win.
>Anti virus companies sell software = they win
>
<snip>
Yep. That's pretty much hit the nail on the head.
The swen worm in particular has forced a lot of usenet participants to
review their procedures and spend loadsacash ironically not because of
it's quality but because of its bloatware value. The dead vx purist
must be turning in his grave. Meanwhile the av fraternity continue to
rake it in. ISP's aren't doing too badly out of it either.
Jim.
JET
Dalt
the top of a pile of shit isn't really much of a recomendation.It's akin to
comparing being shot with being thrown from a 4th floor window.You end up
dead both ways.
Cheers Dalt
"JET" <jetcon...@attbi.com> wrote in message
news:K1bPb.106066$I06.589161@attbi_s01...
kurt wismer
> It seems to me that every other antivirus company does not use “Advanced
> Heuristics” meaning they use (the term escapes me) 'a list of known viruses'
> in order to find viruses.
just yesterday, for the first time since the swen outbreak, f-prot
alerted me to 3 instances of a possible new unknown virus in my
mailbox... i can only assume that it was bagle...
the fact of the matter is just able all the big name scanners these
days have heuristics, but each products heuristics are different and
each one picks up different things... you cannot rely on heuristics to
save your bacon...
--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"
Dalt
files or time :(
Even when I was part of the whole VX thing I never really saw the need to
hide,being honest if the authorities wanted to find any virus writer they
could without too much trouble.Other than some of the more *innovative*
viruses they are all becoming much of a variation on a theme.
1:VXer Modifys code
2:Calls code BritneysTits.exe(scr etc)
3:Mails it out to one or two people(distributes)
4:AV company fortell the end of the world unless you keep subscribing to
their ineffective shitware
5:AV company gives the Vxer a good return on their work by adding the entire
text file from the virus to their web site.
6:Vxer gets his required Fame (imfamy)
7:Aver gets the $$$$
8:Goto 1:
Hell the only other market I can think of that self propogates is toilet
paper.The AV companies don't write viruses,they have no need to when there
is an ever increasing pool of people to do it for them AND take the fall if
it all goes wrong.All done under the banner of "We are here to help you"
when in actual fact that's bullshit....they are here to make money..plain
and simple..
The losers? the people having to pay to get fucked over everytime...
Vic got jail time and did considerable *damage* with Melissa....I wonder how
much the AV companies actually profited from that little adventure???
I'm not anti AV or anti VX...I'm just astounded that people don't see the
transparency of it all for what it really is...afterall when was the last
time you saw a representative of an AV company post good avice that doesn't
make any money for them here?
Would it not be better for them to post "Ok you got screwed this time,use
our software to clean up BUT here is how you can protect yourself in future
without spending money on updates that can't help you"
never going to happen :)
cheers Dalt
"James Egan" <je...@mailinator.com> wrote in message
news:u44q00djg2c019oer...@4ax.com...
kurt wismer
[snip]
> I'm not anti AV or anti VX...I'm just astounded that people don't see the
> transparency of it all for what it really is...afterall when was the last
> time you saw a representative of an AV company post good avice that doesn't
> make any money for them here?
there aren't too many av company reps here anymore... but when there
were it did happen...
in fact, i seem to recall a paper written by jimmy kuo on free macro
anti-virus techniques...
there is, however, some resistence to the idea of security through
education...
kurt wismer
[snip]
> You make it sound like a poster without a munged address is some sort
> of moron who doesn't know what he's doing. On the contrary, there are
> those who won't submit quite so easily to the will of the virus writer
> or spammer.
indeed... some of us will not be bullied...
Gabriele Neukam
> if the AV companies detected everything as "Mindless
> shitware #3268" etc and DIDN't post any details about what it does or how it
> works the number of viruses in the wild would reduce..remove the fame and
> many of the script kiddies would simply vanish.
Maybe the skript kiddies would get less attention and leave, but I am
afraid that the *professional* VXers (I don't mean you but the mob that
created things like the Sobig series in conjunction with the lala
trojan, jeem, migmaf, and now Bagle which looks like it is serving
similar purposes), - I am afraid that said professional malware writers
would love it, if John Average isn't warned and does happily click on
the attachment, as his "recently updated" AV didn't find anything
unusual within it. Bingo, another proxy ready for spamming or hosting a
homepage has been created, just what they wanted.
The clamor of the AV companies is marketing: I do fully agree. But it is
essential for making people aware that there is something out there,
waiting to get them, so they better should be wary and get the newest
definitions, even if their last ones were from yesterday or this
morning. And of course: don't click on anything that came in
unsolicited.
Just my 2 Eurocent
Gabriele Neukam
--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
cquirke (MVP Win9x)
>No I haven't missed the point. I understand that there is going to be time lag for any AV
>vendor to produce signature for given infector.
There are several time lags:
- creation and release of malware
- release and obtaining a sample
- obtaining a sample and analysing it
- analysing it and designing a fix
- designing a fix and passing testing
- passing testing and integration into data
- integration into data and getting to the site
- getting to the site and integrating into routine updates
- the user pulling down the updates
- the updates going into effect
- encountering the malware
Some av have regular scheduled updates, for the convenience of dumb
newbies who can barely be persuaded to update once a week. But av
that auto-updates via bband, or users who explicitly seek updates
expecting the most up-to-date data, should not have to wait beyond
"integration into data and getting to the site".
McAfee used to be good at this; they used to have an hourly-updated
beta data site for those who needed this.
Because so many ISPs now filter malware, there's selection pressure to
squeeze "old" malware out of the infosphere. Because malware may
break the locality-of-reference barrier by harvesting "distant" email
addresses via global sources (news groups, eb searches), the spread
pattern changes from "rock and ripples" to "rainfall" where even at
the edge of the pond, you have Day 0 exposure.
Putting those two trends together, you can see that it's no longer
appropriate (if it ever was) to batch updates for weekly release.
>--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
>--------------- ----- ---- --- -- - - -
kurt wismer
> Tue, 20 Jan 2004 13:39:27 -0500, kurt wismer wrote:
>
>>there is, however, some resistence to the idea of security through
>>education...
>
> There's resistance to anything that requires effort.
> That's why companies pay retailers a premium to put their product on a
> shelf at eye level and within arms reach, so there's no stretching or
> stooping required to grab it.
no, no... i don't mean there is resistence to implementing it, i mean
there is resistence to believing in it...
of course it's possible that for some people it requires effort to
believe that users can learn something... maybe they aren't used to
stretching their imagination that far...
Kevin
I agree - there was nothing wrong with McAfee's timeliness of posting
the definitions. It was within hours of the competition. Late, but
still reasonable. As you say, you can't win them all.
The problem is with the method of updating. The average user is not
going to bother to go to the vendor site to download an extra.dat file
to protect him against a virus that he isn't aware of. Surely that's
the whole point of having automatic downloads? There were new
definitions available on the McAfee site, but no amount of clicking
the 'Update' button would download them. Either the McAfee update
process is flawed, or someone made a bad call, and, in this case, left
many users unnecessarily exposed.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:<hT1Pb.593$ro4...@nwrdny02.gnilink.net>...
Anonymous Sender
"David H. Lipman, PMA" (Professional McAfee Apologist) shilled:
I cant recount how many time McAfee beat the other vendors
at recognizing a given infector.
Let me jog your memory!
Does "VERY SELDOM" ring a bell?
Take your McAfee shill and fuck off to the NAI forums!
Dalt
cancer or feed the starving.
I don't hear too many people scream when photoshop crashes(and that can
trash almost as much work) or Autocad throws a bender and inserts an
incorrect dimension (and that costs 50 x what macrapafee does).
Somebody is going to release a virus on friday this week (that's a given)
and the AV companies will all run round like headless chickens once again,a
few hours or maybe a couple of days later the new deffinitions will become
available and if the users exercise some common sense they won't need
protection during the short time differential.
Even the best software can't help somebody who insists on doing something
daft,overall AV programs do a reasonable job.....you can't really expect
something that cheap to be a cureall.
cheers Dalt
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04012...@posting.google.com...
David H. Lipman
Dave
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04012...@posting.google.com...
Big Will
they also have intelligent updater that a user could manually download and
install. The intelligent updater gets updated daily.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
Kevin
comments further up this thread, where he was commenting on there
being an update available on the McAfee site, which couldn't be
downloaded by clicking on the 'Update Now' button. He clearly thought
that this was not a desirable situation. I posted to say I had a
similar experience, and that the result was an unprotected computer
for far longer than if it had been running another antivirus product.
For some reason, Dave seems unable to comprehend.
Again, you're right, it's no big deal, I just won't be
using/recommending McAfee in the future.
"Dalt" <D...@unknown.com> wrote in message news:<bull3c$3vm$1...@hercules.btinternet.com>...
Kevin
it wasn't available. Even when it was on the web site as an extra.dat,
it hadn't been released as an update. Any update, automatic or manual,
wouldn't receive it.
By the way, I'm not as familiar with McAfee as you are. Where would
you change that particular option in McAfee Security Centre?
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:<8etPb.2938$kH2...@nwrdny01.gnilink.net>...
Kevin
it also says "In the event of a rapidly spreading threat, they will be
released through LiveUpdate as soon as they are available." My
experience has been that you don't have to do anything manually to get
these Live Updates.
"Big Will" <SpamWSpamiSpamlSpamlSpamBSpam4S...@nIdontlikeSpametzero.net> wrote in message news:<400ed658$1@darkstar>...
cquirke (MVP Win9x)
>Dalt, you're right. This is all relative, stemming from Bruce's
>comments further up this thread, where he was commenting on there
>being an update available on the McAfee site, which couldn't be
>downloaded by clicking on the 'Update Now' button. He clearly thought
>that this was not a desirable situation.
"Well, throw away the gun, then."
' What gun? '
"You shot Mr Harrison with it!"
' Oh, *that* gun. <klunk> '
What part of "update me to protect me against all new viruses you are
currently aware of" does dumb-ass McAfee not understand?
Big Will
dumbass downloaded britney spears nude (lol), then it's nice to be able to
manually download through symantec's intelligent updater before the next
weekly set of definitions gets out.
William
"Kevin" <bak...@hotmail.com> wrote in message
news:881fed67.04012...@posting.google.com...
> Although the Norton site still mentions weekly updates on a Thursday,
> it also says "In the event of a rapidly spreading threat, they will be
> released through LiveUpdate as soon as they are available." My
> experience has been that you don't have to do anything manually to get
> these Live Updates.
>
>
>
> "Big Will"
<SpamWSpamiSpamlSpamlSpamBSpam4SpameSpamvSpaaaaameSpammityrSpam@nIdontlikeSp
Big Will
offer some protection, and I've even put them in number points for U.
What does AV software do?
1)eradicates known viruses that may not have been known at the time of
the infection, but were recently discovered
2)acts as a last layer of defense, incase someone gets through firewalls
(like blaster and nachi did)
3)PROTECTS FINANCIAL DATA or at least minimizes the loss of financial
records (e.g. online banking passwords, credit cards, etc) by detecting and
deleting known trojan horses.
4)uses heuristics (although not full proof) to find unknown viruses and
trojans, and yes, there is AV software that also searches for trojans.
and
5)deletes known java-script viruses should they creep on computer
because some idiot is browsing the web with security settings too low.
That's enough for me. Of course, I wouldn't rely completely on AV software,
like some people have in the past, because it isn't full proof. However,
with excercising enough common sense, and having some sort of layered
protection (routers and firewalls, with AV as last resort), then the
Anti-Virus is indeed a valuable tool that helps safeguard not only personal
data, but personal financial data if the user does banking online.
Therefore, it has the potential to save its user thousands of dollars.
William
"Dalt" <D...@unknown.com> wrote in message
news:buivg0$5qe$1...@titan.btinternet.com...
Big Will
Big Will
> Yup,everybody makes out of it other than the poor sap who just loses his
> files or time :(
>
> Even when I was part of the whole VX thing I never really saw the need to
> hide,being honest if the authorities wanted to find any virus writer they
> could without too much trouble.Other than some of the more *innovative*
> viruses they are all becoming much of a variation on a theme.
>
> 1:VXer Modifys code
> 2:Calls code BritneysTits.exe(scr etc)
> 3:Mails it out to one or two people(distributes)
> 4:AV company fortell the end of the world unless you keep subscribing to
> their ineffective shitware
> 5:AV company gives the Vxer a good return on their work by adding the
entire
> text file from the virus to their web site.
> 6:Vxer gets his required Fame (imfamy)
> 7:Aver gets the $$$$
> 8:Goto 1:
>
> Hell the only other market I can think of that self propogates is toilet
> paper.The AV companies don't write viruses,they have no need to when there
> is an ever increasing pool of people to do it for them AND take the fall
if
> it all goes wrong.All done under the banner of "We are here to help you"
> when in actual fact that's bullshit....they are here to make money..plain
> and simple..
U don't like it, then don't pay for it. It's not rocket science, it's free
market capitalism.
>
> The losers? the people having to pay to get fucked over everytime...
>
> Vic got jail time and did considerable *damage* with Melissa....I wonder
how
> much the AV companies actually profited from that little adventure???
>
> I'm not anti AV or anti VX...I'm just astounded that people don't see the
> transparency of it all for what it really is...afterall when was the last
> time you saw a representative of an AV company post good avice that
doesn't
> make any money for them here?
symantec posts advice on how to keep your network from getting infected, and
know, it's not profitting them. They're guidelines that do not involve (at
least not directly) their software, nor do they explicitly mention that
their software is the only software to get the job done. If I were U, I'd
check out some of the symantec virus write-ups and see where they post good
advice on virus prevention. If the virus prevention is done, then for that
particular virus, you don't need the freakin' AV software.
Big Will
AOL trojan. Like I said, though, it was a long time ago, and in a galaxy
far far away. We were still using 14.4k modems then. LOL
"Anonymous Sender" <anon...@remailer.metacolo.com> wrote in message
news:6a418e5a10903dc7...@remailer.metacolo.com...