Security Incidents mailing list archives

Re: FW: SANS FLASH: New Trojan Sending Data To Russia


From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 2 Aug 2000 01:44:53 +0200

On Tue, 1 Aug 2000 11:41:28 +0700, Yury Bokhoncovich wrote:

> amounts of data being sent, illegitimately, from Windows 98
> machines to a Russian IP address (194.87.6.X).  The cause is most
> probably a Trojan, but whatever it is, it is moving fast.
>
> What you should do?
>
> 1. All sites should block network traffic from or to 194.87.6.X
>
> Listen, you're wrong here. You gave a wrong recipe, because one should first
> contact the hostmaster of the network in question (demos.su in this case) to
> disable the intruder.

I wasn't the original poster, but you have to realize that

1) sometimes contacting the admin doesn't work. Russia, in that respect,
isn't worse than most other countries, but it does help to have someone
in the company who speaks/writes Russian to get things moving. Maybe he
tried and it did not work.

2) if a trojan or a virus is actually spreading, the downloads or
uploads it attempts are very likely to bring the target site down or
consume all its bandwidth. Hackers tend to think small... Think about
it for a second - imagine that 1000000 copies of a trojan are sending 1
kb / day to the target site, or downloading a 30 kb payload. If I were
that site, I would rather be blocked and temporarily lose visitors
from, say, 1% of the net than be down or incredibly slow for 100% of
them. Besides, consider that other sites on the same subnet would
suffer from the traffic...

3) the author of the post was Mr Northcutt, author of the following
book

http://www.amazon.com/exec/obidos/ASIN/0735708681/

an entertaining read, btw - in that book, he confesses that he has, by
default, a rather heavy-handed attitude. He has a reputation to
uphold<G>

4) in an advisory, I don't think it is useful to say "e-mail the admin
for the site" - if several thousand users follow the suggestion, his
mailbox will probably explode...


Now, the fact is that there doesn't seem to be a new fast-moving trojan
on the loose. It could be that there was one and that it was caught
early, and that is precisely why it isn't fast-moving... but we will
probably never know, and false alerts or overblown alerts are a risk we
have to be aware of. At least, unlike some anti-virus vendors, Mr
Northcutt doesn't have a direct commercial interest in this particular
alert... (my own reading of the initial announcement was that some
clever Russian hacker had found a way to abuse Commission Junction
referral counters without users being aware of it, but that is hard
to tell without any files to analyze)

> BTW, what does "illegitimately" mean here? Since you've connected to the
> Internet, everyone can and may access your machine if you have made special
> efforts to disable or to limit such access before.

Come on, come on. This sentence, as written, is outrageous. And even if
we read it as "if you have not made", it still remains unacceptable. My
garden isn't protected by barbed wire, but that is not an invitation to
piss on the roses.


---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
