Topic: The consequences of viral infestations... memetic and computer.
Hermit
Archon
Posts: 4287
Reputation: 8.94
Prime example of a practically perfect person
The consequences of viral infestations... memetic and computer.
« on: 2003-01-27 12:52:47 »

Advice to all Virians:

If you receive a message purporting to come from "JoeDees", and you are dumb enough to run a Windows computer without a solid firewall (best recommendation remains ZoneAlarm) then I recommend that you not open it, as it may contain an unpleasant payload.

Advice to Joe Dees:

If this is originating from your computer, then it seems as if the computer is as virally infested as yourself, and so it should be taken off-line until such time as it has been disinfected (I recommend the same strategy for yourself). If this did not originate from your computer, I suggest that you forward this mail to your ISP as well as to abuse@verizon.net, with a request that they attempt to prevent further occurrences.

X-Message-Info: dHZMQeBBv44lPE7o4B5bAg==
Received: from out011.verizon.net ([206.46.170.135]) by mc8-f37.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Mon, 27 Jan 2003 08:14:27 -0800
Received: from Nkkubumj ([216.196.153.43]) by out011.verizon.net
          (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
          id <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
          for <<hermit:suppressed>@hotmail.com>; Mon, 27 Jan 2003 10:14:24 -0600
From: joedees <joedees@bellsouth.net>
To: <hermit:suppressed>@hotmail.com
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary=E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Message-Id: <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
Date: Mon, 27 Jan 2003 10:14:27 -0600
Return-Path: joedees@verizon.net
X-OriginalArrivalTime: 27 Jan 2003 16:14:27.0960 (UTC) FILETIME=[2A876F80:01C2C61F]

--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:U11163W6vu62 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Content-Type: audio/x-wav;
   name=HOME.scr
Content-Transfer-Encoding: base64
Content-ID: <U11163W6vu62>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA...
<hermit: viral payload snipped>
...A5q//2T==
--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7--


With or without religion, you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion. - Steven Weinberg, 1999
Joe Dees
Heretic
Posts: 5428
Reputation: 1.94
Re: virus: The consequences of viral infestations... memetic and computer.
« Reply #1 on: 2003-01-27 13:09:37 »

[[ author reputation (1.94) beneath threshold (3)... display message ]]

JD
Adept
Gender: Male
Posts: 542
Reputation: 7.37
Re: virus: The consequences of viral infestations... memetic and computer.
« Reply #2 on: 2003-01-27 13:31:57 »

Welcome back Hermit!

What do you think of this free firewall? I have read rave reviews (it is
based on the Tiny firewall).

http://www.kerio.com/uk/kpf_home.html

Regards

Jonathan

P.S. Why are you not replying to off-list content?


----- Original Message -----
From: "Hermit" <hidden@lucifer.com>
To: <virus@lucifer.com>
Sent: Monday, January 27, 2003 5:52 PM
Subject: virus: The consequences of viral infestations... memetic and
computer.


>
> Advice to all Virians:
>
> If you receive a message purporting to come from "JoeDees", and you are
dumb enough to run a Windows computer without a solid firewall (best
recommendation remains ZoneAlarm (http://www.zonealarm.com)) then I
recommend that you not open it, as it may contain an unpleasant payload.
>
> Advice to Joe Dees:
>
> If this is originating from your computer, then it seems as if the
computer is as virally infested as yourself, and so it should be taken
off-line until such time as it has been disinfected (I recommend the same
strategy for yourself). If this did not originate from your computer, I
suggest that you forward this mail to your ISP as well as to
abuse@verizon.net, with a request that they attempt to prevent further
occurrences.
>
> X-Message-Info: dHZMQeBBv44lPE7o4B5bAg==
> Received: from out011.verizon.net ([206.46.170.135]) by
mc8-f37.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
> Mon, 27 Jan 2003 08:14:27 -0800
> Received: from Nkkubumj ([216.196.153.43]) by out011.verizon.net
>          (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
>          id <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
>          for <<hermit:suppressed>@hotmail.com>; Mon, 27 Jan 2003
10:14:24 -0600
> From: joedees <joedees@bellsouth.net>
> To: <hermit:suppressed>@hotmail.com
> Subject: Darling
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
> Message-Id: <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
> Date: Mon, 27 Jan 2003 10:14:27 -0600
> Return-Path: joedees@verizon.net
> X-OriginalArrivalTime: 27 Jan 2003 16:14:27.0960 (UTC)
FILETIME=[2A876F80:01C2C61F]
>
> --E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> <HTML><HEAD></HEAD><BODY>
> <iframe src=3Dcid:U11163W6vu62 height=3D0 width=3D0>
> </iframe>
> <FONT></FONT></BODY></HTML>
>
> --E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
> Content-Type: audio/x-wav;
> name=HOME.scr
> Content-Transfer-Encoding: base64
> Content-ID: <U11163W6vu62>
>
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA...
> <hermit: viral payload snipped>
> ...A5q//2T==
> --E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7--
>
>
>
> ----
> This message was posted by Hermit to the Virus 2003 board on Church of
Virus BBS.
>
<http://virus.lucifer.com/bbs/index.php?board=54;action=display;threadid=27684>
> ---
> To unsubscribe from the Virus list go to
<http://www.lucifer.com/cgi-bin/virus-l>

---
To unsubscribe from the Virus list go to <http://www.lucifer.com/cgi-bin/virus-l>

Kalkor
Magister
Gender: Male
Posts: 109
Reputation: 6.94
Kneading the swollen donkey...
RE: virus: The consequences of viral infestations... memetic and computer.
« Reply #3 on: 2003-01-27 14:10:03 »

[Joe]
Whatever it was, it wasn't from me; I've run a current Virusscan and I'm
clean.  The only infestation around here is your infestation of messianic
mother-slandering megalomania, putz.

[Kalkor]
JUST a virus scan eh? You check regularly for adware/scumware? How about
Trojans that only programs like the moosoft cleaner will detect?

I would suggest you do a much more complete system check:
http://housecall.antivirus.com
http://www.lavasoft.de/software/adaware
http://www.moosoft.com

You may not even be infected. While working as a tech support rep for an
ISP, I came across some interesting infections. In one case, a gentleman was
getting infected email from several friends, yet they swore up and down they
were clean. Turns out they weren't, but the emails in question actually
originated from his wife's machine on their private LAN. Her infection was
using headers from previous emails to populate the headers from the
infection-spreading emails it sent out... I can't remember they had.

Better safe than sorry ;-}

And Hermit, firewalls introduce increased overhead and a false sense of
security. IMHO, the best personal firewall is NAT, which btw is the routing
protocol used in most 3rd party broadband routers on the market today. Also,
software firewalls will NOT prevent a viral infection unless the vector of
infection is through something like an open share, much the way
codered/nimda propagates.

Cheers!
Kalkor


Kalkor
Magister
Gender: Male
Posts: 109
Reputation: 6.94
Kneading the swollen donkey...
RE: virus: The consequences of viral infestations... memetic and computer.
« Reply #4 on: 2003-01-27 14:30:08 »

You should have dug a little deeper into those headers you pasted, Hermit.

Observation 1: JoeDees is a Bellsouth.net customer

Observation 2: Received: from out011.verizon.net ([206.46.170.135]) by
mc8-f37.law1.hotmail.com <--- Hotmail's SMTP got the message from Verizon's
SMTP

Observation 3: Received: from Nkkubumj ([216.196.153.43]) by
out011.verizon.net <--- Verizon's SMTP got the message from a host with IP
address 216.196.153.43

Observation 4: Name:    nr4-216-196-153-43.fuse.net
Address:  216.196.153.43  <--- this is just a copy/paste from a command
prompt nslookup command.

So Hermit, maybe you should be pointing the finger at someone from fuse.net
who happens to have you in their address book?

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

<snip>
"Random" strings comprise the email message that this worm sends. The
subject can be one of the following: darling
</snip>

<snip>
Email spoofing
This worm often uses a technique called "spoofing." When the worm performs
its email routine, it can use a randomly chosen address it finds on an
infected computer as the "From:" address. Numerous cases have been reported
in which users of uninfected computers received complaints that they sent an
infected message to someone else.
</snip>

Sound like anyone we know?

Kalkor


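The header walk Kalkor describes in Observations 2 and 3, together with the MIME tells in the message Hermit pasted (a zero-size iframe pulling a `cid:` part, an `audio/x-wav` part named `HOME.scr` whose base64 body starts with the `MZ` DOS-header bytes, an executable hiding inside `multipart/alternative`), can be checked mechanically. The following is an added example for this thread, not code from either poster or from Symantec. It reconstructs the message from the headers quoted above; the recipient address is a constructed placeholder and the attachment body is only the 24-byte DOS-header prefix shown on the page, not a program. The reverse lookup from Observation 4 is left out so the block runs offline; `socket.gethostbyaddr` on the returned origin IP would reproduce it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers quoted in the thread; recipient and body are placeholders.
RAW_MESSAGE = """\
Received: from out011.verizon.net ([206.46.170.135]) by mc8-f37.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
    Mon, 27 Jan 2003 08:14:27 -0800
Received: from Nkkubumj ([216.196.153.43]) by out011.verizon.net
          (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
          id <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
          for <recipient@hotmail.example>; Mon, 27 Jan 2003 10:14:24 -0600
From: joedees <joedees@bellsouth.net>
To: recipient@hotmail.example
Subject: Darling
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary=E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Message-Id: <20030127161424.IUQC12562.out011.verizon.net@Nkkubumj>
Date: Mon, 27 Jan 2003 10:14:27 -0600
Return-Path: joedees@verizon.net

--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:U11163W6vu62 height=3D0 width=3D0>
</iframe>
<FONT></FONT></BODY></HTML>

--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7
Content-Type: audio/x-wav;
   name=HOME.scr
Content-Transfer-Encoding: base64
Content-ID: <U11163W6vu62>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA
--E6P43C4VgQ6p9pwq7qAmb2CsiUffRNr7--
"""

# "from <helo> ([ip]) by <host>" as written by most MTAs of the period.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
EXEC_EXT = (".scr", ".exe", ".pif", ".bat", ".com")


def parse_received(raw):
    """Hops newest-first (each MTA prepends its own line); folding is collapsed."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops


def chain_is_consistent(hops):
    """Each hop's 'from' host should be the 'by' host of the next-older hop.
    Only hops added by MTAs you trust are reliable; older ones may be forged."""
    return all(hops[i]["helo"] == hops[i + 1]["by"] for i in range(len(hops) - 1))


def mime_findings(raw):
    """Flag the structural tells of an executable smuggled as media + hidden iframe."""
    msg = message_from_string(raw)
    flags = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""      # undoes QP / base64
        if ctype == "text/html":
            for tag in IFRAME_RE.findall(body.decode("ascii", "replace")):
                if re.search(r"\bsrc=[\"']?cid:", tag, re.I) and \
                        re.search(r"\b(height|width)=[\"']?0\b", tag, re.I):
                    flags.append("hidden-iframe-loads-attachment")
            continue
        if name.lower().endswith(EXEC_EXT):
            flags.append("executable-extension:" + name)
        if body[:2] == b"MZ" and not ctype.startswith("application/"):
            flags.append("mz-magic-under-" + ctype)       # declared type lies about content
        if msg.get_content_type() == "multipart/alternative":
            flags.append("non-text-alternative-part")    # binary offered as a "rendering"
    return flags


def triage(raw):
    msg = message_from_string(raw)
    hops = parse_received(raw)
    origin = hops[-1] if hops else None                   # oldest hop = claimed origin
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "helo_is_fqdn": bool(origin and "." in origin["helo"]),
        "chain_consistent": chain_is_consistent(hops),
        "sender_domains": (dom("From"), dom("Return-Path")),  # header From vs envelope
        "flags": mime_findings(raw),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
</test>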
Joe Dees
Heretic
Posts: 5428
Reputation: 1.94
RE: virus: The consequences of viral infestations... memetic and computer.
« Reply #5 on: 2003-01-27 14:34:02 »

[[ author reputation (1.94) beneath threshold (3)... display message ]]

Hermit
Archon
Posts: 4287
Reputation: 8.94
Prime example of a practically perfect person
Re:The consequences of viral infestations... memetic and computer.
« Reply #6 on: 2003-01-27 16:36:04 »

Kalkor:
1) I !did! check the headers - and !did! do a great deal more than a simple nslookup :-> Which is why I noted "purporting to come from "JoeDees"" (as opposed to "from Joe Dees"). It should be borne in mind that even though Joe Dees appears to be functionally computer illiterate, and even though he usually posts from Bell South and that this might mitigate against his involvement, it does not necessarily preclude his having access to other networks. Further, although the mail purportedly *originated* at a "fuse.net" address, this does not absolutely mean that it really did (anything prior to the verizon server may have been spoofed), and even if it really did come from a "fuse.net" address, whoever responds to their abuse/postmaster/RP address will not necessarily act upon it. The fact that it was forwarded by a verizon (a very respectable broadband Tier 1 ISP who tend to act on complaints, including complaints regarding downstream sources) MTA means that verizon will likely respond appropriately to a suitable complaint. Such a complaint should be instantiated by Joe Dees, whose identity is being spoofed (far more likely to result in action than yet another "I got a worm/virus/trojan" type complaint), and to do that, he requires a copy of such a mail, including its headers (which is why my post is in its particular format).

2) While a firewall cannot protect against the consequences of stupidity (nothing can), and undoubtedly uses some CPU cycles, most users have a computer which could easily route at least an OC-3 worth of traffic without being severely impacted by the load. Most users also have less than a T1 worth of bandwidth. Thus the impact of running a stateful routing firewall is small in comparison to those imposed by communication latencies (and often other overheads - compare the speed of Galeon to M$ Exploder on the same hardware sometime). Given that most users also run Whinedoze (a much larger cause of bandwidth wastage), and that "invitation to computer rape", M$ Outlook, and additionally, tend to be completely unaware of even the most basic security issues (and the events of this week-end prove that much the same can be said of most so called "professionals"), a firewall such as "ZoneAlarm" (which does perform email inoculation among other things) is an excellent precaution. After all, reinstalling a system to correct an infection which could have been prevented by a few simple scripts wastes far more CPU and user bandwidth than any firewall ever will.... It should also be noted that NAT will not protect a user from a malicious email - which remains the primary source of infections. ZoneAlarm, with its default settings, most likely will. Or why I advocate its use. Particularly by the technically disadvantaged. Learn more at http://www.grc.com

Jonathan:
Continued thanks for the ongoing stream of "welcome backs". As noted in my other response CA5EY, "Re:virus: Hermitish Firewall Update", Reply #3, 2003-01-27, I am avoiding email. You can reach me via the BBS at http://virus.lucifer.com/bbs/index.php?board=;action=imsend;to=Hermit.

As you know, I look at any program running on Whinedoze (the world's first, and AFAIK only, virus with a GUI) as a security breach waiting to happen. That said, I don't know of any Whinedoze user running ZoneAlarm with default settings and avoiding trojan IRC scripts* who has unwittingly** had a computer contaminated. Which indicates that as these things go, ZoneAlarm is good. I have (and still do) use ZoneAlarm on internal Whinedoze boxes (few and far between that they are these days - and well protected by multiple firewall layers) and at many clients, and have not detected any major disadvantages necessitating the evaluation of alternatives. So I have not tried, don't know, and have no experience with your suggested alternative. The one thing a brief glimpse at it did not reflect is a mail filter for executables - and if it does not have one, I would regard this as a major disadvantage in comparison with ZoneAlarm.

Kind Regards (to the both of you)

Hermit

* The willingness of users to load trojan scripts over IRC is proven by the vast number of "captured" systems in the wild.

** The use of "unwittingly" allows me to avoid consideration of whether loading an M$ OS or application should be classed as contamination.
« Last Edit: 2003-01-27 16:38:17 by Hermit »
