[Dshield] Skeptical: WAS Srv.SSA-KeyLogger

Axel Pettinger api at worldonline.de
Thu Aug 11 18:34:48 GMT 2005

Mrcorp wrote:
> I am going to play the role of skeptic here, but how do we know what 
> they are saying is accurate? Wouldnt it be possible that one be wrong, 
> exagerate or even make up a claim to develop a tool, cause mass 
> marketing for free, and look like the good guy for there products?  
> The first virus created by an AV company theory.

I doubt it. There's much hype because of the amount of logged data but
apart from that it is an ordinary infection with a backdoor trojan.
Nothing special. They mention that the trojan is known as Dumaru aka
Nibu and that Kaspersky identifies their sample as "Win32.Dumador.df".
Note the ".df"! It means that it is variant number 110 on Kaspersky's
list. McAfee added detection for the first Dumaru variant two years ago.

> And what is this tool going to do?  patch the OS, patch an 
> application?  If it just removes the code, whats to prevent 
> reinfection?

Standard procedure for compromised systems. Build from scratch ...

> I am a bit hesitant when I read on the blog "It is very sophisticated, 
> however, we aren't sharing a lot of data for obvious reasons."

Well, the FBI is involved ... Apart from that it sounds better this way.
Don't forget, it's a great PR opportunity for Sunbelt.

Axel Pettinger

More information about the list mailing list