On Wednesday 28 Jan 2004 11:51 pm, David Johnson wrote:

> On Wednesday 28 Jan 2004 10:51 pm, Neil Williams wrote:
> > (OK, after reading reports from Symantec and El Reg, I'd discount the conspiracy - this doesn't look like an empty threat.)
>
> While there are the usual people crying "conspiracy" (as per usual when anything SCO-related happens), I have to wonder whether this time they might be right. This all looks a little too convenient for SCO. Firstly, the virus attacks SCO's website and the -B variant attacks Microsoft.com as well. Just the kind of thing these Linux-using-terrorists would do. Then, according to an analysis I read, the virus does not spread to any e-mail address containing certain strings, including "linux", "unix" and "root". Oh come on. Anyone writing a virus clearly wants to cause maximum disruption; why would they care who gets affected? If it had indeed been

It also avoids .gov, .mil, sopho, syma, borlan, avp, secur, fsf, gnu and pgp. The Register article proposes that this, in part, is a method of evading AV scanners by extending the timeframe between release and detection/scanner update release. The longer it is undetected by the AV monitors, the higher the number of Windows users infected? To me, that sounds like evading a situation that really isn't there yet - what percentage of Windows users actually update their AV software that regularly??

> written by a Linux-using-terrorist, they would realise that there's no point excluding *nix related addresses because they are naturally not likely to be running Windows at the other end... Or maybe the conspiracy theorists have got to me, and I'm just talking rubbish ;-)

It depends on whether the 'payload' is hype or real - everyone is assuming the dDOS payload is real but until Feb 1st, no-one really knows.

> It is already the fastest spreading virus ever according to El Reg. I suspect spammers are to blame for this; one infected machine = a hard disk containing several million e-mail addresses to spread to.

Don't forget it also contains its own SMTP server too - it will use the Windows registry to locate the configured SMTP server for the ISP but will use its own if that fails. Therefore the infected machine becomes an undetectable spam-proxy, something every spammer wants. Even if the SCO payload is all hype, the SMTP spam backdoor is more than enough trouble. Maybe the email regexp avoidance patterns are there to catch corporate machines that might update more regularly after SoBig and nimda. These would certainly make better spam-proxies than a home user. Even a home user on broadband usually turns the machine off at some point each day. A proxy isn't a lot of use if it's switched off.

-- 
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
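The built-in SMTP engine Neil describes is the part a network admin can actually spot: a machine doing its own delivery opens TCP/25 connections to many mail exchangers instead of only the ISP or corporate relay. The following Python script is an added example, not code from the thread or from anyone on the list; it flags such hosts from constructed firewall log lines, and the log format, relay address and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the thread).
# Format assumed: date time ACCEPT TCP src:port -> dst:port
SAMPLE_LOG = """\
2004-01-29 09:02:11 ACCEPT TCP 192.168.1.20:1043 -> 10.0.0.5:25
2004-01-29 09:02:12 ACCEPT TCP 192.168.1.20:1044 -> 10.0.0.5:25
2004-01-29 09:02:13 ACCEPT TCP 192.168.1.33:2201 -> 203.0.113.10:25
2004-01-29 09:02:13 ACCEPT TCP 192.168.1.33:2202 -> 198.51.100.7:25
2004-01-29 09:02:14 ACCEPT TCP 192.168.1.33:2203 -> 192.0.2.25:25
2004-01-29 09:02:15 ACCEPT TCP 192.168.1.33:2204 -> 10.0.0.5:25
2004-01-29 09:02:16 ACCEPT TCP 192.168.1.40:3310 -> 203.0.113.10:80
"""

# Hypothetical: the one relay every internal host is supposed to use.
ALLOWED_RELAYS = {"10.0.0.5"}
# Report a host once it reaches this many distinct non-relay hosts on TCP/25.
THRESHOLD = 2

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ACCEPT TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (src, dst, dport) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))

def direct_smtp_senders(log_text, allowed_relays=ALLOWED_RELAYS, threshold=THRESHOLD):
    """Map each internal host to the sorted non-relay hosts it contacted on TCP/25,
    keeping only hosts at or above the threshold (a sign of a private MTA)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable or differently formatted line: skip it
        src, dst, dport = parsed
        if dport == 25 and dst not in allowed_relays:
            seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for host, dsts in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(dsts)} non-relay hosts: {', '.join(dsts)}")
```

In the sample, 192.168.1.20 only ever talks to the relay and is ignored, while 192.168.1.33 is reported; the same logic is the reason many ISPs simply block outbound TCP/25 except to their own relay.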