[Dshield] cracking SoBig/SINIT/MyDoom, et alius

John Draper lists at webcrunchers.com
Wed Feb 11 20:42:39 GMT 2004

On Feb 10, 2004, at 6:10 AM, Pete Cap wrote:

> Greetings all,
> Was just going through my folders.  I've been collecting info on 
> various (possibly OC-related) malware that has come across my radar 
> screen in the past year or so.  Here's what I'm thinking:
> FACT: the SoBig network is apparently still in existence since people 
> are seeing SoBig traffic again/still...
> FACT: the SINIT network is still in operation (that's the P2P one)...
> FACT: MyDoom has opened the door for ANOTHER network of compromised 
> hosts
> At this point we have at least three highly successful implementations 
> of the same idea: compromise a vast number of hosts and use them 
> for...whatever.  Yes, I know this isn't an original idea--and I know 
> we see scads of Botnets every day--but these three have been wildly 
> successful whereas other attempts have not.
> So what I'm wondering at this point is...are there any commonalities 
> among these things?  I'm not about to suggest that they were written 
> by the same person...but you have to wonder.

My take on this is that these viruses are written by different people. I've already infiltrated some virus hangouts, and am keeping a pulse on these operations.

It is more likely there are just script kiddies using the many virus kits floating around the internet, according to most of the conversations I've intercepted from listening to the chat sessions on public Russian chat groups.

It seems that virus writers are now releasing their wares in the hopes of getting more people to write malware to obscure the original virus writers.

Some other interesting things also came to my attention from some virus houses in E. Europe that appear to be fighting among themselves.

Most of these chat rooms are in Russian and other E. European languages, but my contacts are filtering out the more relevant information and passing it on to me. I can't talk about specifics because of an ongoing FBI investigation, as well as one by the German version of the FBI. But I can definitely say there is a strong link between the virus writers and the huge spam gangs operating in E. Europe.

A few years ago, there never used to be much of a financial incentive to write and spread viruses, but not anymore. From the chatter I'm getting, it seems the going rate for payment for a virus is about $25,000 to $35,000, and with MOST of the jobs floating away off-shore these days, you can expect to see a lot more of them, as more and more unemployed programmers give in to the temptation of writing them for cash, especially when rent is 3 months overdue.

We need to work towards shutting these trojans down, and a good way to do that is to report spam, but then again, the ISPs are falling way behind in dealing with this. Kinda like swatting flies... WHAP! One down, 99,999,999,999,999,998 to go.
