[Dshield] my dilemma
wiretapp at shadowserver.org
Thu Nov 24 15:10:30 GMT 2005
On Wednesday 23 November 2005 20:44, P Thompson wrote:
> OK, I had posted a link a while back about a virus tracking page that the
> author of a virus had created.
> http://xxx.xxxxxxxx.xxx/~rolema/source/bin/installs.php /* obscured for
> I did a little more investigation, and it is apparent this virus is
> committing some serious identity theft, and most of the proof is evident
> using login information ironically which the virus authors themselves
I'd be careful where you post the information. Posting to the public just
increased the chance of identity theft by everyone who reads the forums
(blackhats do that too).
Perhaps we need to set up a "secret" mailing list for verified members of
dshield, a mailing list that isn't crawled by index bots.
> (This is an ethical grey area that I don't pretend to have thought
> through: if someone exposes a plaintext username and password in a web
> page as part of an illegal identity theft virus, and I have the virus
> executable, they've pretty much invited me in, right, and not just to
> meekly update their virus client to the current rev level...?)
I'm no lawyer, but I believe deleting or modifying the files in any way is
illegal. Report it to your law enforcement and ask for direction (maybe they
will tell you to delete them), or contact the US FBI.
> The identity theft is hosted by a backend database at a company which from
> scanning google and google groups seems at best to have a very laissez-faire
> attitude toward those it hosts, and at worst could be the American
> front end for some sect of the Russian mafia.
> So, what's the next step? Just getting the database site shut down does
> not solve the real problem, right? There are some bad folks who made a big
> mistake and need their ass kicked by proper authorities. Preferably
> without mine being kicked by anyone.
I've been watching networks like this for some time. If the hosting company is
unwilling to remove the site, there isn't much you can do legally other than
pester law enforcement, or contact the DNS host to get the domain hosting the
virus shut down. Chances are they are mirroring their dumpsite somewhere
else, so what you're seeing they are also seeing. They might even be logging
the traffic, so you might be exposing yourself if you're checking the dumpsite.
Shadowserver Systems Security Division
Email: wiretapp at shadowserver.org
BOFH Tagline: Mail server hit by UniSpammer.