[Dshield] my dilemma

Tom dshield at oitc.com
Fri Nov 25 02:49:52 GMT 2005


You know if it was chid porn the authorities 
would be all over it but, in general, they seem 
to be lack luster about dealing with issues like 

I would say if you can't get the authorities to 
notice then use the data you have to you and your 
employers and your clients advantage.  Since the 
data is available via normal http, just 
periodically access it and use it to block the 
botnet from you and your users.  Trying to get 
the feds to do something about this especially in 
Russia is a beau geste but reality is that other 
than kiddie porn and Al Qaeda the priorities from 
the Whitehouse are near zero for this. (I think 
they don't believe or understand cyber threats)

However, please contact me offlist the next time 
you or anyone else finds such a treasure trove of 
data about coopted IPs as I would like to add 
that information to my firewall and monitoring 
rules for preemptive protection.


At 11:55 AM -0500 11/24/05, Ed Truitt wrote:
>Uh, do the Russians still have the KGB around to 
>contact?  I agree, get thee to the authorities 
>(US, Russian, Interpol) ASAP.
>-----Original Message-----
>From: P Thompson <atrivo at nm.ru>
>Date: Thu, 24 Nov 2005 06:44:19
>To:list at lists.dshield.org
>Subject: [Dshield] my dilemma
>OK, I had posted a link a while back about a virus tracking page that the
>author of a virus had created.
>I did a little more investigation, and it is apparent this virus is
>committing some serious identity theft, and most of the proof is evident
>using login information ironically which the 
>virus authors themselves expose through reverse 
>engineering their exploit code at http://
>dimpy.narod.ru/ v9.html which seems to be the 
>exploit upgrade ftp back end for their virus 
>downloader and repository of stolen information.
>(This is an ethical grey area that I don't pretend to have thought
>through: if someone exposes a plaintext username and password in a web
>page as part of an illegal identity theft virus, and I have the virus
>executable, they've pretty much invited me in, right, and not just to
>meekly update their virus client to the current rev level...?)
>The identity theft is hosted by a backend database at a company which from
>scanning google and google groups seems at best to have a very laissez
>faire attitude toward those it hosts, and at worst could be the American
>front end for some sect of the Russian mafia.
>So, what's the next step?  Just getting the database site shut down does
>not solve the real problem right?  There some bad folks who made a big
>mistake and need their ass kicked by proper authorities.  Preferably
>without mine being kicked by anyone.
>So I guess I need to do something, but what?  I really wish I understood
>the implications of the grey area a little better.
>www.newmail.ru -- óçåë ñâîáîäíûõ êîììóíèêàöèé.
>Using .Net? Need to know more about .Net Security?
>send all posts to list at lists.dshield.org
>To change your subscription options (or 
>unsubscribe), see: 
>-E D Truitt
>Sent via my BlackBerry from Cingular Wireless
>Using .Net? Need to know more about .Net Security?
>send all posts to list at lists.dshield.org
>To change your subscription options (or 
>unsubscribe), see: 


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 
321-729-6258(fax), 321-258-2475(cell/voice 
Text Paging: http://www.oitc.com/Pager/sendmessage.html

PGP Public Keys available at:
<A HREF="ldap://keyserver.pgp.com/">PGP's Key Server</A>
<A HREF="http://www.oitc.com/OITC/PGPKeys.html">OITC's Public Key List</A>
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD

More information about the list mailing list