[Dshield] my dilemma

Nicholas Albright wiretapp at shadowserver.org
Thu Nov 24 15:10:30 GMT 2005

On Wednesday 23 November 2005 20:44, P Thompson wrote:
> OK, I had posted a link a while back about a virus tracking page that the
> author of a virus had created.
> http://xxx.xxxxxxxx.xxx/~rolema/source/bin/installs.php /* obscured for safety */
> I did a little more investigation, and it is apparent this virus is
> committing some serious identity theft, and most of the proof is evident
> using login information ironically which the virus authors themselves

I'd be careful where you post the information. Posting to the public just 
increased the chance of identity theft by everyone who reads the forums 
(blackhats do that too).

Perhaps we need to set up a "secret" mailing list for verified members of 
dshield. A mailing list that isn't crawled by index bots. 

> (This is an ethical grey area that I don't pretend to have thought
> through: if someone exposes a plaintext username and password in a web
> page as part of an illegal identity theft virus, and I have the virus
> executable, they've pretty much invited me in, right, and not just to
> meekly update their virus client to the current rev level...?)

I'm no lawyer, but I believe deleting or modifying the files in any way is 
illegal. Report it to your law enforcement and ask for direction (maybe they 
will tell you to delete them), or contact the US FBI. 

> The identity theft is hosted by a backend database at a company which from
> scanning google and google groups seems at best to have a very laissez-faire
> attitude toward those it hosts, and at worst could be the American
> front end for some sect of the Russian mafia.
> So, what's the next step?  Just getting the database site shut down does
> not solve the real problem, right?  There are some bad folks who made a big
> mistake and need their ass kicked by proper authorities.  Preferably
> without mine being kicked by anyone.

I've been watching networks like this for some time. If the hosting company is 
unwilling to remove the site, there isn't much you can legally do other than 
pester law enforcement, or contact the DNS host to get the domain hosting the 
virus shut down. Chances are they are mirroring their dumpsite somewhere 
else, so what you're seeing they are also seeing. They might even be logging 
the traffic, so you might be exposing yourself if you're checking the dumpsite. 

Nicholas Albright
Shadowserver Systems Security Division
Website: HTTP://www.shadowserver.org
Email: wiretapp at shadowserver.org
BOFH Tagline: Mail server hit by UniSpammer. 
