Current Blackworm numbers
Given all the noise that this issue has caused on the list, I thought I'd take a moment this afternoon and forward a URL that the good folks over at LURHQ have made available with more realistic, and current, statistics on the BlackWorm cruft:

http://www.lurhq.com/blackworm-stats.html

Thanks to Joe Stewart at LURHQ.

Cheers,

- ferg

-- Martin Hannigan <hannigan@world.std.com> wrote:

[snip]

The point I was trying to make before the thread went, East?, was that there is a perceived problem in the security community with appropriate response. I'd tell you how I think that could have been avoided, but then my name would go up in the subject again. *cough full disclosure*

[snip]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
Fergie wrote:
Given all the noise that this issue has caused on the list, I thought I'd take a moment this afternoon and forward a URL that good folks over at LURHQ have made available with more realistic, and current, statistics on the BlackWorm cruft:
http://www.lurhq.com/blackworm-stats.html
Thanks to Joe Stewart at LURHQ.
Indeed! Joe Stewart (at LURHQ) and his work are both amazing. He took the information we at the TISF BlackWorm task force got from RCN (.com/.net - I have never seen a more whitehat ISP in my life) with the FBI's help, and spent days working on the worm and the data, de-duping, removing the hosts trying to poison the log data or DDoS, etc. He deserves the credit!

There are so many other people working day and night on this: the incredible Johannes Ullrich at SANS ISC and the tireless Prof. Randy Vaughn at Baylor EDU, as well as many others... Many from the net-ops community. The SANS handlers (ALL OF THEM), who are always there when called. The FBI, US-CERT, DoD-CERT, REN-ISAC, KrCERT, FortiNet, MessageLabs... ... .. and many, many others around the globe who still work on this and invest a ton of effort. They deserve the credit.

Like Joe wrote:

"Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning."

Gadi.
On Fri, 27 Jan 2006, Gadi Evron wrote:
"Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning."
Vmyths used to be a great source for debunking a lot of the virus hype. Everything old seems to be new again. In 1999, the Chernobyl virus was the end of the world. It erased disks and BIOS of computers. http://news.bbc.co.uk/2/hi/science/nature/329688.stm
On Fri, 27 Jan 2006, Gadi Evron wrote:
"Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning."
Vmyths used to be a great source for debunking a lot of the virus hype. Everything old seems to be new again. In 1999, the Chernobyl virus was the end of the world. It erased disks and BIOS of computers.
Fast forward to 2005. What is the proper response for a global impact of ~200K machines that may suffer data loss? I don't think that inter-continental mobilization is the answer. Wall Street may agree as well. AV and security companies gained nothing from this outbreak other than incurred operational expense - a data point to add to the "is the customer paying their fair share" argument.

-M<
Sean Donelan wrote:
On Fri, 27 Jan 2006, Gadi Evron wrote:
"Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning."
Vmyths used to be a great source for debunking a lot of the virus hype. Everything old seems to be new again. In 1999, the Chernobyl virus was the end of the world. It erased disks and BIOS of computers.
I would quote Dr. Alan Solomon here, but I have to ask for his permission. You have the right of it. Back then, though, they had no way of knowing how many got infected; further, this was down-played by AV vendors until they had no other choice, for it shows once again how AV is not an all-powerful solution for everything anymore.

Gadi.