[ale] email virus? rehash.... with onions
Michael D. Hirsch
mdhirsch at mail.com
Wed May 8 10:04:59 EDT 2002
Even worse is that KLEZ would infect some AV programs, so not only
would they not detect it, they would reinfect whenever run. I don't
know if KLEZ did, but I could imagine a virus breaking the automatic
update system, too, leading to a very long time before detection.
--Michael
James P. Kinney III writes:
> A true scenario, but Mallory's AV scan was still showing clear for
> several weeks until the updates caught up with reality.
>
> Many people I have dealt with have AV software. Some even have it set up
> to automatically check for updates on a periodic basis. The default
> upgrade time seems to be about a week.
>
> So, worst case is 7 days from infect to upgrade. On a corporate machine
> in use by the VP of finance, this could be a serious disaster.
>
> On Tue, 2002-05-07 at 20:04, Kevin Krumwiede wrote:
> > No. What was happening was that Mallory would send a virus-laden email
> > to Bob, using Alice's name in the "from" field. Bob would warn Alice
> > that her computer was infected, but of course her AV scanner wouldn't
> > find anything. Meanwhile, Mallory would remain oblivious.
> >
> > Krum
> >
> > On Tue, 2002-05-07 at 19:48, Jeff Hubbs wrote:
> > > Just so I understand the implications fully...
> > >
> > > When Klez first spread in the wild, was it going undetected by the usual
> > > Windows anti-virus software, even if said software was using current
> > > updates of their signature files?
> > >
> > > If so, then I find this VERY damning.
> > >
> > > - Jeff
> > >
> > > James P. Kinney III wrote:
> > >
> > > > That brings up an interesting argument for the eradication of M$ on the
> > > > corporate desktop. The viral spreading of confidential information could
> > > > be viewed as a bigger security threat than just the headache and hassle
> > > > of a network getting trashed by a bug going haywire.
> > > >
> > > > On Tue, 2002-05-07 at 17:55, Irv Mullins wrote:
> > > >
> > > >>On Tuesday 07 May 2002 05:29 pm, you wrote:
> > > >>
> > > >>>On Tue, 2002-05-07 at 17:07, Cade Thacker wrote:
> > > >>>
> > > >>>>I cleaned out my mail box the other day, so I don't have the discussion
> > > >>>>that you all had the other day, but I just got a bounce back of an email I
> > > >>>>did not send. Attached is a small file that "file" returns the following:
> > > >>>>
> > > >>>>border.bat: MS-DOS executable (EXE), OS/2 or MS Windows
> > > >>>>
> > > >>>>What was the summary of this puppy? something to do with W32/Klez?
> > > >>>>
> > > >>>http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.htm
> > > >>>
> > > >>Thanks for the confirmation.
> > > >>It's interesting to take a look at the third (random, I guess)
> > > >>file that is attached to those worms. Using khexedit or similar,
> > > >>I have found html, jpg's, and a "confidential" business report
> > > >>so far.
> > > >>
> > > >>We need smarter worms, which can look for pictures of "girlfriends"
> > > >>to send out :p
> > > >>
> > > >>Regards,
> > > >>Irv
> > > >>
> > > >>---
> > > >>This message has been sent through the ALE general discussion list.
> > > >>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > >>sent to listmaster at ale dot org.
> > > >>
> > >
> >
> --
> James P. Kinney III \Changing the mobile computing world/
> President and CEO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>