[Dshield] cracking SoBig/SINIT/MyDoom, et alius

Joseph Stahley 3rd jestahley3 at cox.net
Wed Feb 11 22:08:06 GMT 2004

I think the other problems consist of newer machines sitting on shelves for
months before being sold,and being sold with WinXP (Xtra Protection
required) without any of security patches installed and people just going
home, plugging it in and connecting to the networks without knowing how to
setup security policies, firewalls and Av software cause alot of the

Then ISP's are part of the mix. Due to privacy and interstae commerce laws,
it is difficult for American ISP's to cut off service to spammers or people
whose machines are propagating worms and such.You would think ISP's have the
right to shutdown a machine or machines that either intentionally or by
virtue of being infected, but that is not the case from what I have seen.

----- Original Message ----- 
From: "John Draper" <lists at webcrunchers.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, February 11, 2004 12:52 PM
Subject: Re: [Dshield] cracking SoBig/SINIT/MyDoom, et alius

> On Feb 10, 2004, at 7:14 AM, Joe Stewart wrote:
> > I don't feel that there are that many hosts still infected with MyDoom.
> > So far I have only gotten hits on my honeypot from about 25 hosts
> > infected with Doomjuice.
> Since you have a honeypot (lucky you),  have you considered deliberately
> infecting it,  in the hopes of catching someone trying to grab control
> of it?
> > With 64 threads scanning on each infected
> > host, you'd expect there would be more by now. I think the actual
> > amount of infected users is in line with all the other viruses we know
> > about - just the sheer amount of mail each one produces causes a
> > perception that there are a lot of infected hosts.
> There are...   I estimate more then 250,000 out there.  Shit man,
> time to go on Discovery channel and go on TV to tell John Q public
> about their responsibilities for getting on the internet,  and how not
> to be part of the problem and be part of the solution.
> >> At this point we have at least three highly successful
> >> implementations of the same idea: compromise a vast number of hosts
> >> and use them for...whatever.  Yes, I know this isn't an original
> >> idea--and I know we see scads of Botnets every day--but these three
> >> have been wildly successful whereas other attempts have not.
> >
> > I think these have been widely publicized, but that's not necessarily
> > an
> > indication of their success. Autoproxy/Coreflood has probably infected
> > more people than all of these, yet you never hear about it. And it's
> > been operating for at least two years. It seems like every other piece
> > of malware I've looked at in the past six months has a proxy component.
> > Jeem, Guzu, Lixy, Roxy, Ranck, Bagle, Bedrill, Migmaf, Kridge, and
> > more.
> > Combined, they easily exceed a million hosts.
> I tend to agree....  and the ONLY way to deal with it,  is to get the
> word
> out to mainstream media and tell people they need to run AV software on
> their
> machines.
> >> So what I'm wondering at this point is...are there any commonalities
> >> among these things?  I'm not about to suggest that they were written
> >> by the same person...but you have to wonder.
> >
> > The three you mentioned were definitely not written by the same person.
> > However, they were written with the same motive: profit. There is now a
> > black market for trojaned Windows systems, and it's not even that well
> > hidden.
> Yup - and it's high time people know this and deal with it right away.
> And the best way to start is by reporting your spam to ISP's to get as
> many shut down as possible.
> This is a case where spam is a good thing...   Because most of the
> reasons
> for the existence of these proxies is for spam,  it stands to reason
> that
> if you have a really good spam "magnet",  lets use them to locate the
> proxies
> and shut them down.   My spam magnet is the best....  so far,  it
> gathers
> about 1200 spams per day.
> > There are public message boards where malware authors offer
> > networks of trojaned systems for sale. Because most of them are in
> > countries who do not have effective cybercrime laws or enforcement,
> > they feel pretty confident they can get away with this.
> Yup - that is what they are all saying.... now if Interpol can get
> involved
> and work with other LE agencies,  perhaps we can stop this,  but
> Interpol has
> other interests in mind at the moment.
> John
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list