[Dshield] Taking the courtesy of warning about links to infected or malicious web pages
ed.truitt at etee2k.net
Sat Mar 20 17:50:28 GMT 2004
Peter Stendahl-Juvonen wrote:
>Taking the courtesy of warning about links to infected or malicious web pages
>You may have noticed references in a few posts to this list (on March 9 and 10)
>containing a hyperlink to one of the web pages of Columbia University (in the
>City of New York).
>After clicking the hyperlink for this specific page, auto-protect features of
>anti-virus programs alarmed that a specific virus resides in the browser's
>cache. For instance, NAV2004 detected and identified the threat as
>W32.Sobig.F at mm.enc.
>Would someone with in-depth understanding on the incident kindly shed light on
>1) Does this university's web page actually contain viral code?
>2) Or does the web page merely contain enough of the viral code to match the
>virus' signature, and hence cause the alert?
>3) Is the existence of the viral code in the browser's temporary cache file
>harmful or harmless?
>4) If the code is actually viral, is it also hostile?
>5) Could the viral code activate, if left unnoticed in the browser's cache
>6) Should the university be notified about the web page causing alerts by
>I assume that sender(s) of post(s) containing link(s) targeting to infected or
>malicious web pages take the courtesy of warning about the possible danger.
>For your convenience, I repeat the link of this sample case below.
>*** Please note that the following link targets to a web page that possibly
>contains viral code: ***
>(If memory serves well, the certificate for this web server has expired.)
> "The cause is hidden. The effect is visible to all."
> Ovid (43BC-17AD); Roman poet.
1) and 2) I sucked down the page using "wget" on a Linux box. It
appears to be an email message, with a subject of "failure notice", and
a rather large base64-encoded attachment named "application.pif". Looks
like the page actually does contain a virus.
3) If it is Sobig.F, it is most likely harmful, if you execute it.
4) The SoBig series of malware were pretty darn hostile, if I recall.
5) Only if someone executed it. Pretty hard to do remotely, but I guess
it is possible.
6) Yes. In fact, I am cc'ing their "abuse" address on this email.
6a) Unfortunately, the scanning engines of many A/V products will "hit"
on things that look (to them) like viruses, but in reality aren't. This
is one of the problems with pattern-based scanning. Therefore, while
putting such a warning on the email/post is a nice 'Netiquette-y thing
to do, the lack of such a warning should not be taken as an indication
the web page is safe. When in doubt, act paranoid (like I did above.)
Better safe than sorry.
Note to abuse at columbia.edu: It appears that a message posted on one of
your Web-based bulletin boards contains a copy of the SoBig virus. The
Please investigate this, and take corrective action as needed. Thanks.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
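The kind of check described in the reply above (fetch the page, discover it is really a raw e-mail carrying a base64 attachment), written out as a defender-side triage script. This is an added example, not code from the list post; the sample "failure notice" message and its inert payload are constructed, and the extension list is an assumption.

```python
# Added example, not from the list thread: triage a fetched page that is really a
# raw e-mail message, decoding attachments in memory only, never to disk or execution.
import email
import hashlib
from email import policy

# Windows-executable extensions; .pif is the one named in the thread (assumed list).
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample: a fake "failure notice" with a small base64 attachment.
# The payload is inert text; only the name and encoding mimic the real case.
SAMPLE_MESSAGE = b"""\
From: MAILER-DAEMON@example.invalid
Subject: failure notice
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi. This is the qmail-send program at example.invalid.
--XYZ
Content-Type: application/octet-stream; name="application.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

SGVsbG8sIHRoaXMgaXMgaW5lcnQgdGVzdCBkYXRhLg==
--XYZ--
"""

def triage_attachments(raw: bytes) -> list[dict]:
    """One record per attachment: name, decoded size, sha256, encoding, risky flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # container parts and the plain-text body carry no filename
        data = part.get_payload(decode=True) or b""  # base64 decoded in memory only
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        findings.append({
            "filename": filename,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # hash for lookup/reporting
            "encoding": str(part.get("Content-Transfer-Encoding", "")),
            "risky": ext in RISKY_EXTENSIONS,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_attachments(SAMPLE_MESSAGE):
        print(finding)
```

The sha256 is what you would pass on to the site's abuse contact or an AV vendor instead of the file itself.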