[33433] in bugtraq


Re: Hysterical first technical alert from US-CERT

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Feb 5 02:38:22 2004

Message-Id: <200402041431.i14EVFsc030677@turing-police.cc.vt.edu>
To: Larry Seltzer <larry@larryseltzer.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: Your message of "Tue, 03 Feb 2004 07:11:49 EST."
             <028f01c3ea4e$f75928b0$5b00005a@moregarlic.com> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 04 Feb 2004 09:31:15 -0500


On Tue, 03 Feb 2004 07:11:49 EST, Larry Seltzer <larry@larryseltzer.com>  said:

> First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent
> field says that too; other dates in the headers disagree.

Oh, like the fact that a lot of mail servers were getting pounded by MyDoom.*A*
doesn't mean that there could be delays along the line? (Remember to add in the
timezones - at least some of the boxes are running in GMT not EST5EDT).

> Second, and more to the point, it takes an extreme view of MyDoom.B that nobody else is
> supporting, including the sources they cite. MyDoom.B is a flop.

OK. So let's see.  We've got one highly successful virus (MyDoom.A) on the
loose at the time of writing, another variant that's essentially identical
except for the target, and no clear indication why this one *shouldn't*
take off as well.

Yes, it took an extreme view that nobody is supporting *NOW*.  Now isn't
last Wednesday night, when there wasn't a week's worth of hindsight.

Yes, it fizzled.  Please point us at the information available to the CERT
guys *at the time* that proves there was *no* way that MyDoom.B could
possibly ever be a real threat.  What would you have the CERT guys do,
*not* send the advisory just because they aren't 100% sure at the time?

I suppose you also understand why MyDoom-A was huge and Dumaru-whatever that
showed up 2 days before was a yawner.  Also, note that I got more copies of
Dumaru in the first 2 hours of THAT one than I got *total* of MyDoom-A - so
based on the first 2 hours from where *I* am, Dumaru was looking like a much
bigger event.

> Am I misreading something? Did anyone else get this on 1/28?

Received: from lists2.securityfocus.com  (lists2.securityfocus.com [205.206.231.20])	by outgoing2.securityfocus.com  (Postfix) with QMQP	id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500

Looks like some delay there.  But it was already at SecurityFocus's qmail
within seconds (the Date: is actually 31 seconds ahead of the Received: once
you allow for timezones - somebody isn't using NTP ;)


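An added example (not part of the post above) that does the header arithmetic the reply describes: it parses the three header lines quoted in the message with Python's email.utils, normalises every timestamp to UTC, and reports how many seconds elapsed between the sender's Date: and each Received: hop. The header values are copied from the post with whitespace normalised; nothing else is assumed.

```python
from email.utils import parsedate_to_datetime
from datetime import timezone

# Header lines as quoted in the post (whitespace-normalised, values unchanged).
HEADERS = [
    "Received: from lists2.securityfocus.com (lists2.securityfocus.com "
    "[205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP "
    "id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)",
    "Received: (qmail 11614 invoked from network); "
    "Thu, 29 Jan 2004 00:11:38 +0000",
    "Date: Wed, 28 Jan 2004 19:12:09 -0500",
]


def header_time(line):
    """Return the UTC datetime carried by a Date: or Received: header.

    A Received: header keeps its timestamp after the last ';' (the part
    before it is the relay's own trace text); Date: carries it directly.
    """
    name, _, value = line.partition(":")
    if name.strip().lower() == "received":
        value = value.rsplit(";", 1)[-1]
    dt = parsedate_to_datetime(value.strip())
    if dt.tzinfo is None:
        # "-0000" means "no usable local zone"; treat it as UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    # Normalise so hops stamped in -0700, -0500 and +0000 compare directly.
    return dt.astimezone(timezone.utc)


def transit_report(headers):
    """Seconds from the sender's Date: to each Received: hop, oldest hop first.

    Relays prepend Received: headers, so the list is newest-first and is
    walked from the bottom (the hop nearest the sender) upward. A negative
    first value means the sender's Date: is ahead of the first relay's clock.
    """
    stamps = [header_time(h) for h in headers]
    sender_clock = stamps[-1]             # Date: is the sender's own clock
    hops = list(reversed(stamps[:-1]))    # oldest hop first
    deltas, prev = [], sender_clock
    for hop in hops:
        deltas.append(int((hop - prev).total_seconds()))
        prev = hop
    return deltas
```

For the quoted headers the first delta is -31 (the Date: is 31 seconds ahead of the qmail Received:, the clock skew the post points at) and the second is the multi-day wait between SecurityFocus's qmail and its outgoing relay.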