[unisog] antivirus that works despite ssl

power less absolutelynopower at gmail.com
Wed Jul 11 14:37:08 GMT 2007

Ok I think I'm starting to get the hint. This is apparently not the list for
this kind of discussion.
But I can't help but point out that actually the fact that the worm switched
from using the flux thing to not using it would appear to imply that there was
a problem there for the fluxers. But we weren't in the loop to find out what
it was. And we don't like people to ask those questions. Like we really
didn't like someone asking why do we make policies telling people to use
antivirus programs that we don't test and they don't work in real usage
scenarios?

On 7/10/07, Brian Eckman <eckman at umn.edu> wrote:
> power less wrote:
> > BTW in my exhausting coverage of the storm worm :-)  I should mention
> > this article:
> > http://www.securityfocus.com/news/11473
> > This explains a few things, I guess. I'm not well-versed in DNS I'm
> > afraid.
> >
> > I take it they are not talking about the urls in the storm messages
> > themselves?
> > Because those are IP numbers not domain names in most of the ones I
> > got. I
> Storm a/k/a Peacomm switched from using fast flux DNS to IP addresses a
> while back. That would explain the difference in what you read and what
> you saw.
> >
> > Two I just got:
> >
> > Address:  24.93. 201.2
> > Name:     cpe-24-93-201-2.neo.res.rr.com
> >
> > Address:  65.190. 29.151
> > Name:    cpe-065-190-029-151.triad.res.rr.com
> >
> > I'd love to hear more about this dnsflux business. A comment to that
> > article asked:
> > "Why don't ISPs just block the inbound DNS traffic to home machines on
> > dynamic addresses? Do that and the distributed DNS part evaporates."
> >
> > Is that true?
> <snip>
> ISPs will probably tell you that this isn't their job. Regardless,
> hardly anyone has the capability to determine what is a "home machine on
> dynamic addresses" 95% of the time, let alone 100% of the time. Also, I
> bet you there are no less than 1,000 legitimate Internet domain names
> (and likely lots more than that) that have their authoritative DNS
> servers running on "home machines on dynamic addresses", or what would
> appear to most people to be "home machines on dynamic addresses".
> ISPs don't like blocking legitimate traffic. It makes their customers,
> help desk, and shareholders quite unhappy. The solution proposed above
> would certainly do this.
> Put bluntly, there is no patch for stupidity nor ignorance. If you
> approach the entire world's population, hand them a loaded gun, and tell
> them you'll give them dinner if they point it at their head and pull the
> trigger, I guarantee you'd find people that would do it. Not just the
> suicidal folks, but there are surely millions of people in the world
> that have no idea what a gun looks or acts like.
> The same principle applies to computer users. Some percentage of them
> just have no clue that clicking the link in the email, then "clicking
> here" to get their greeting card because the site is "testing new
> functionality", then clicking "Open" or "Run" when prompted what to do
> with ecard.exe is risky behavior. They just want to see their stupid
> greeting card.
> Cheers,
> Brian
> --
> Brian Eckman, Security Analyst
> University of Minnesota
> Office of Information Technology
> Security & Assurance
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog