[Dshield] cracking SoBig/SINIT/MyDoom, et alius

John Draper lists at webcrunchers.com
Wed Feb 11 20:52:50 GMT 2004


On Feb 10, 2004, at 7:14 AM, Joe Stewart wrote:

> I don't feel that there are that many hosts still infected with MyDoom.
> So far I have only gotten hits on my honeypot from about 25 hosts
> infected with Doomjuice.

Since you have a honeypot (lucky you),  have you considered deliberately
infecting it,  in the hopes of catching someone trying to grab control
of it?

> With 64 threads scanning on each infected
> host, you'd expect there would be more by now. I think the actual
> amount of infected users is in line with all the other viruses we know
> about - just the sheer amount of mail each one produces causes a
> perception that there are a lot of infected hosts.

There are...   I estimate more then 250,000 out there.  Shit man,
time to go on Discovery channel and go on TV to tell John Q public
about their responsibilities for getting on the internet,  and how not
to be part of the problem and be part of the solution.

>> At this point we have at least three highly successful
>> implementations of the same idea: compromise a vast number of hosts
>> and use them for...whatever.  Yes, I know this isn't an original
>> idea--and I know we see scads of Botnets every day--but these three
>> have been wildly successful whereas other attempts have not.
>
> I think these have been widely publicized, but that's not necessarily 
> an
> indication of their success. Autoproxy/Coreflood has probably infected
> more people than all of these, yet you never hear about it. And it's
> been operating for at least two years. It seems like every other piece
> of malware I've looked at in the past six months has a proxy component.
> Jeem, Guzu, Lixy, Roxy, Ranck, Bagle, Bedrill, Migmaf, Kridge, and 
> more.
> Combined, they easily exceed a million hosts.

I tend to agree....  and the ONLY way to deal with it,  is to get the 
word
out to mainstream media and tell people they need to run AV software on 
their
machines.

>> So what I'm wondering at this point is...are there any commonalities
>> among these things?  I'm not about to suggest that they were written
>> by the same person...but you have to wonder.
>
> The three you mentioned were definitely not written by the same person.
> However, they were written with the same motive: profit. There is now a
> black market for trojaned Windows systems, and it's not even that well
> hidden.

Yup - and it's high time people know this and deal with it right away.
And the best way to start is by reporting your spam to ISP's to get as
many shut down as possible.

This is a case where spam is a good thing...   Because most of the 
reasons
for the existence of these proxies is for spam,  it stands to reason 
that
if you have a really good spam "magnet",  lets use them to locate the 
proxies
and shut them down.   My spam magnet is the best....  so far,  it 
gathers
about 1200 spams per day.

> There are public message boards where malware authors offer
> networks of trojaned systems for sale. Because most of them are in
> countries who do not have effective cybercrime laws or enforcement,
> they feel pretty confident they can get away with this.

Yup - that is what they are all saying.... now if Interpol can get 
involved
and work with other LE agencies,  perhaps we can stop this,  but 
Interpol has
other interests in mind at the moment.

John




More information about the list mailing list