[Dshield] my dilemma

Jim McCullough jim.mccullough at gmail.com
Thu Nov 24 15:31:09 GMT 2005


US FBI won't touch this, initially anyway.  Your best bet is to try US
Customs.  Anything originating outside the US and any US territories
falls under the jurisdiction of US Customs.  Customs processes the
information and passes it along to the appropriate agencies, including
groups such as Interpol, US FBI, and some foreign police agencies.  I am
not up to date on the current process, though.  Hopefully that bit of
information will be of assistance.

Jim McCullough

On Thu, 2005-11-24 at 08:10 -0700, Nicholas Albright wrote:
> On Wednesday 23 November 2005 20:44, P Thompson wrote:
> > OK, I had posted a link a while back about a virus tracking page that the
> > author of a virus had created.
> > http://xxx.xxxxxxxx.xxx/~rolema/source/bin/installs.php /* obscured for safety */
> >
> > I did a little more investigation, and it is apparent this virus is
> > committing some serious identity theft, and most of the proof is evident
> > using login information ironically which the virus authors themselves
> 
> I'd be careful where you post the information. Posting to the public just 
> increased the chance of identity theft by everyone who reads the forums 
> (blackhats do that too).
> 
> Perhaps we need to setup a "secret" mailing list for verified members of 
> dshield. A mailing list that isn't crawled by index bots. 
> 
> >
> > (This is an ethical grey area that I don't pretend to have thought
> > through: if someone exposes a plaintext username and password in a web
> > page as part of an illegal identity theft virus, and I have the virus
> > executable, they've pretty much invited me in, right, and not just to
> > meekly update their virus client to the current rev level...?)
> 
> I'm no lawyer, but I believe deleting or modifying the files in any way is 
> illegal. Report it to your law enforcement and ask for direction (maybe they 
> will tell you to delete them), or contact the US FBI. 
> 
> > The identity theft is hosted by a backend database at a company which from
> > scanning google and google groups seems at best to have a very laissez-
> > faire attitude toward those it hosts, and at worst could be the American
> > front end for some sect of the Russian mafia.
> >
> > So, what's the next step?  Just getting the database site shut down does
> > not solve the real problem, right?  There are some bad folks who made a big
> > mistake and need their ass kicked by proper authorities.  Preferably
> > without mine being kicked by anyone.
> 
> I've been watching networks like this for some time. If the hosting company is 
> unwilling to remove the site, there isn't much legally you can do other than 
> pester law enforcement, or contact the DNS host to get the domain hosting the 
> virus shut down. Chances are they are mirroring their dumpsite somewhere 
> else, so what you're seeing they are also seeing. They might even be logging 
> the traffic, so you might be exposing yourself if you're checking the dumpsite. 
> 


