[61097] in North American Network Operators' Group
Re: Sobig.f surprise attack today
daemon@ATHENA.MIT.EDU (steve uurtamo)
Fri Aug 22 15:16:17 2003
Date: Fri, 22 Aug 2003 11:58:44 -0700
From: steve uurtamo <uurtamo@arttoday.com>
To: "Vachon, Scott" <Scott.Vachon@paymentech.com>
Cc: nanog@merit.edu
In-Reply-To: <F4EEA1915394B5479DD1668644B06342D6674F@sslmexchange1.paymentech.us>
Errors-To: owner-nanog-outgoing@merit.edu
>> OK... Maybe I'm smoking crack here, but, if they have the list of 20
>> machines, wouldn't it make more sense to replace them with honey-pots that download
>> code to remove SOBIG instead of just disabling them?
>
> Only if we make assumptions that what they state is 100% fact and the whole truth of the matter. They know of 20, but who is to say a variant in the wild doesn't know of 20 more? Or 100 more? Too late anyway. My other list subscriptions show it active now ...

symantec sez that it listens for properly-signed announcements
about new and improved servers from which to receive said payload.
so it can change the source list at any time.
s.