[ISN] Sex industry hit by cyber turf war

2002-05-20 Thread InfoSec News

http://www.vnunet.com/News/1131796

By Nick Farrell [16-05-2002]

Hackers put the screws on Vegas phone lines

Mobsters and super hackers have joined forces to shut out sex industry
rivals, a Nevada public hearing heard this week.

Larry Duke Reubel, 63, told the Public Utilities Commission hearing
how his business had been closed by telephone hackers using lax
security at telecoms company Sprint to redirect calls to rivals.

Reubel publishes a sexual services magazine which is distributed by
hand to thousands of passing tourists up and down Las Vegas Boulevard
every day. If anyone rings one of the services, Reubel gets a
commission.

He told the hearing that the phones suddenly stopped ringing for no
apparent reason. He blamed Sprint for the problem, which told the
hearing that it had run tests on the phone and found nothing wrong.

The telco ran a script at its switching control centre that
periodically checked Reubel's lines for covert call-forwarding, but
did not find any evidence. It also examined his lines and found no
physical taps.

Eddie Munoz, 43, who brought the case, claimed that the Las Vegas
telecoms infrastructure is secretly controlled by super hackers
working for mobsters.

Others at the hearing are expected to tell of similar cases. Munoz
said that he will present evidence of calls diverted or tapped by
competitors.

Reubel's is the most common situation, where calls are blocked and the
caller hears silence or an engaged signal.

Six members of the Gambino crime family were caught by an undercover
investigation as they tried to muscle in on the phone racket in 1998,
according to FBI testimony at the hearing.

Although that criminal case was successful, Sprint denied all
responsibility for the hacks.

But Sprint's security has been compromised before, most famously by
Kevin Mitnick from 1992 until his February 1995 arrest. Mitnick's
access gave him the power to monitor or reprogram any phone line in
town.

Munoz also suffered from a similar scam which he claims is still
operating. He said that the 15 to 20 calls a night he received for
each advertisement is now down to just one.

Callers from outside Las Vegas, or from payphones and mobile phones,
are able to get through, he said, but hotel callers frequently get
false busy signals, or silence, driving them to competing services.

His first complaint against Sprint was filed with the Public Utilities
Commission in 1994. It took two more complaints and an abortive
Federal writ before Commission staff launched an investigation.



-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.



Re: [ISN] Fanatics with Laptops: The Coming Cyber War / RFF Reply

2002-05-20 Thread InfoSec News

Forwarded from: Richard Forno <[EMAIL PROTECTED]>

What is it about Fridays and FUD?

Last week it was that piece out of Australia, and now this article.

A few choice comments enclosed below.

> Fanatics with Laptops: The Coming Cyber War
> By Tim McDonald
> NewsFactor Network
> May 16, 2002

Title alone is sensational enough to tell me this article is a crock.
But I'll read anyway because it's Friday and I need to fight some FUD
today before meeting the g/f for Episode 2 this afternoon.  :)

> That increasing interdependence, however, becomes frightening when
> one considers that a next-generation cyber terrorist will likely not
> represent an aggressive world power.

I'm not sure what the cyberterrorists of 'this generation' are, let
alone those of the next generation.

> In terms of present-day vulnerability, such a terrorist could simply
> be a lone fanatic wielding a laptop. And the damage could be
> staggering.

One guy with a laptop - fanatic or not - does not make a cyberterrorist
that is bent on destroying the world. When will these reporter types
realize this? All such statements do is fan the flames of speculation
and fear, and in most cases make the reporter look like an idiot.

On a side note - does this mean if someone's an atheist or agnostic,
they won't be a good 'cyber-threat'??? Oh, wait - in the eyes of the
media, fanatic=terrorist=0911=great imagery for getting readers'
attention.

I agree with those that say one guy with a backhoe is far more
effective at causing wide-spread infrastructure damage than someone
with a laptop. But "backhoe-terrorists" aren't as sensational a story
as those allegedly waging "cyber-jihads", so we'll just leave it at
that for now.

> 'Asymmetric Warfare'

> The military call it "asymmetric warfare," which means that the
> disadvantaged side must use unconventional weapons against the
> wealthier side if it is to have any chance of winning.

Using airplanes as guided missiles is asymmetric warfare, too, and a
far more effective way of wreaking infrastructure havoc than by a
laptop.

> Any country that can scrape together the price of a computer manual
> and that has a basic understanding of information systems
> infrastructure can train and motivate a misguided "patriot."

Reading a 'manual' does not make one an expert. Nor does getting a
diploma or certification, despite the claims to the contrary.
 
> Anonymous Warfare
> 
> Due to recent advances in "attack technology," cyber warfare can be
> waged remotely and anonymously. This approach would make it much
> harder to find an attacker than it is, for example, to root out Al
> Qaeda forces along the border of Pakistan and Afghanistan.

Gee, and it wouldn't be hard for someone to do a truck bombing
anonymously, either... the problem is that folks like McVeigh (OK
City), Rahman (WTC attack #1), and others, were clumsy terrorists
that left a trail... a dedicated adversary would not be so easy to
track. Drawing a parallel between cyber-terrorists and al-Qaeda is
threat inflation.

The implication this reporter makes is that folks should be licensed
or easily-tracked online... if someone's hell-bent on committing
murder or terrorist actions, they WILL circumvent any requirements for
online monitoring/tracking -- that's the least of their concerns!
Making it illegal to be anonymous won't do anything to impede them.

> "As the automation of deployment and the sophistication of attack
> tool management both increase, the asymmetric nature of the threat
> will continue to grow," the report said.

This has nothing to do with increasing the asymmetric nature of the
threat. It simply means that future such attacks might be harder to
recover from quickly.

> New Tactics: Poison and Hijacking

> Attackers are finding more ways to bypass firewalls and other
> security roadblocks. Some of the newer -- and nastier -- tactics
> involve attacks on the Internet domain name system (DNS), including
> cache poisoning and domain hijacking.

DNS poisoning is an old tactic - security folks have known about it
for years. And Domain Hijacking - well, during my time @ NSI, I had to
deal with that technical problem far too many times. The problem was a
system vulnerability that the company refused to address, and instead
chose to deal with recurring negative publicity, giving me and my team
major stress headaches on a regular basis. Besides, it's been proven
that one can hijack a domain name w/o being a 'hacker' -- using the
legal system and WIPO is pretty effective, too, I've heard.  DNS cache
poisoning was done in 1998 by Eugene Kashpureff -- it's not a new
attack methodology, either -- and that really screwed the net over for
a few hours.

> Businesses, especially large corporations, are becoming targets with
> increasing frequency. In the right hands, cyber attacks could wreak
> untold damage.

Again, that wonderful word "could" -- most of the folks on this list
COULD wreak untold damage, but it's yet to

[ISN] Couple little things

2002-05-20 Thread InfoSec News

I'd like to thank everyone that has replied so far! The response has
been great, and honestly I haven't had the time to look them all over,
so there won't be any rash instant decisions on where things are 
going.

The feedback I have read is incredible. As I said earlier, I normally
only get this kind of insight from subscribers leaving the list and
from the various security conferences I attend.

Over this past weekend I strolled over to the local Barnes & Noble
looking for one book, and ended up buying another. Actually I bought
the paperback version of Body of Secrets; it's my third copy, not that
I have lost or lent the other two copies.

The first one I got was a first edition signed at Blackhat 2001 by
James Bamford, and the second one I bought at Lindbergh Field in the
weeks after September 11th after tiring of sitting around the airport
for many hours waiting for my flight. I slowly read about a quarter of
the book at various other airports around the U.S., but it was at
times too much of a pain to lug it and my laptop in the same backpack, 
especially at the security checkpoints.

In case you are interested, Amazon has Bamford's Body of Secrets 
in paperback.

http://www.amazon.com/exec/obidos/ASIN/0385499086/c4iorg

It includes a new afterword on the events of September 11th, which
when I was reading it brought on a swell of the emotions I was feeling
on that day.

At $10.47 it beats the $14.95 plus tax I spent on the impulse buy at
Barnes and Noble.

Cheers!

William Knowles
[EMAIL PROTECTED]





[ISN] "Nessus phones home": the final report.

2002-05-20 Thread InfoSec News

Forwarded from: Jay D. Dyson <[EMAIL PROTECTED]>

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Forwarded with permission of Renaud Deraison.

- -- Forwarded message --
Date: Fri, 17 May 2002 19:57:22 +0200
From: Renaud Deraison <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: "Nessus calls home"

On Wed, May 08, 2002 at 04:50:09PM +0200, Renaud Deraison wrote:
> I attended CanSecWest last week and I was told there were rumors of
> people complaining about Nessus "calling home" when doing a scan.

Thanks to everyone who replied to me on this issue. I was surprisingly
overwhelmed with answers, so please forgive me if I did not reply to you
personally.

To sum up the replies: a vast majority of people don't care, but everyone
agreed that a user-definable third party domain was the way to go.

In Nessus 1.2.1 (or the current CVS snapshot), a new option now appears in
the 'plugin prefs' tab, and is set to "nessus.org" by default. Users can
change it to something else, so privacy issues should be somewhat
resolved. 

I modified more plugins than what I thought would be necessary - I'd like
to thank Thomas Reinke for sending me a list of plugins that used
"nessus.org" in one way or another (there were more than what I thought,
mostly because of laziness on my part). People interested in the full list
can go to cvs.nessus.org and look for the plugins whose commit log is
"privacy".

While I apologize to those who have felt threatened by this issue, I
sincerely regret the fact that they did not voice their concerns directly
to me (even though I was attending CanSecWest, and the person who spread
the rumor too), and preferred to go the sneaky way about this.

Hopefully, the incident is over in CVS, and will be in Nessus 1.2.1. 

-- Renaud

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE85p/5GI2IHblM+8ERAjRDAJ9vMkip1mnHTHLtuzHkNAi0swb+bACfZjpK
Tqb+X88SSFdYy0iV/wJt5pY=
=cMBR
-END PGP SIGNATURE-





[ISN] Linux Advisory Watch - May 17th 2002

2002-05-20 Thread InfoSec News

+------------------------------------------------------------------+
|  LinuxSecurity.com                          Linux Advisory Watch |
|  May 17th, 2002                             Volume 3, Number 20a |
+------------------------------------------------------------------+

  Editors:  Dave Wreski              Benjamin Thomas
            [EMAIL PROTECTED]        [EMAIL PROTECTED]
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for icecast, shareutils, fileutils,
imapd, shadow/pam modules, lukemftp, openssh, tcpdump, and mpg123.  The
Vendors include Caldera, Mandrake, Red Hat, and SuSE.

* SECURE YOUR APACHE SERVERS WITH 128-BIT SSL ENCRYPTION *
Guarantee transmitted data integrity, secure all communication
sessions and more with SSL encryption from Thawte- a leading global
certificate provider for the Open Source community. Learn more in our
FREE GUIDE--click here to get it now: 

http://www.gothawte.com/rd250.html 

FTP Attack Case Study Part I: The Analysis 
This article presents a case study of a company network server compromise.
The attack and other intruder's actions are analyzed. Computer forensics
investigation is undertaken and results are presented. The article
provides an opportunity to follow the trail of incident response for the
real case.
 
http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html 
 
 
+---------------------+
|  icecast            |
+---------------------+

Buffer overflows in the icecast server allow remote attackers to execute
arbitrary code via a long HTTP GET request, as well as allowing denial of
service attacks.

 Caldera:  
 ftp://ftp.caldera.com/pub/updates/OpenLinux/
 3.1.1/Server/current/RPMS 
 icecast-1.3.12-1.i386.rpm 
 83407efa0c40a9ceac02606ae37237f2 

 Caldera Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/caldera_advisory-2067.html


+---------------------+
|  shareutils         |
+---------------------+

The sharutils package contains a set of tools for encoding and decoding
packages of files in binary or text format. The uudecode utility would
create an output file without checking to see if it was about to write to a
symlink or a pipe.  If a user uses uudecode to extract data into open
shared directories, such as /tmp, this vulnerability could be used by a
local attacker to overwrite files or lead to privilege escalation.

 Red Hat i386: 
 ftp://updates.redhat.com/7.2/en/os/i386/
 sharutils-4.2.1-8.7.x.i386.rpm 
 38d89d89bb513d216b1a2a954be6d07b 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2069.html



+---------------------+
|  fileutils          |
+---------------------+

A race condition in various utilities from the GNU fileutils package may
cause a root user to delete the whole filesystem. This update resolves a
problem in the original fix that would cause an attempt to recursively
remove a directory with trailing slashes to crash with a memory fault.

 Caldera: 
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/
 Server/current/RPMS/fileutils-4.1-5.i386.rpm 
 d01d42d41800d0b9c1d02c4fec07a79d 

 Caldera Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/caldera_advisory-2070.html 
  

 Mandrake Linux 8.1: 
 http://www.mandrakesecure.net/en/ftp.php 
 8.1/RPMS/fileutils-4.1-4.1mdk.i586.rpm 
 593e200c8b2f2c83e7a6bb90a54cd853 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2075.html

  
  
+---------------------+
|  imapd              |
+---------------------+

A malicious user may construct a malformed request that will cause a
buffer overflow, allowing the user to run code on the server with the uid
and gid of the e-mail owner.

 Caldera: 
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/
 Server/current/RPMS/imap-2000-14.i386.rpm 
 3d4c39ed407a122f963f9f508f908c92 
 imap-devel-2000-14.i386.rpm 
 5c49edd5001471188ed6da5a20413f42 

 Caldera Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/caldera_advisory-2071.html



+---------------------+
|  shadow/pam modules |
+---------------------+

The shadow package contains several useful programs to maintain the
entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team
discovered a vulnerability that allows local attackers to destroy the
contents of these files or to extend the group privileges of certain
users. This is possible by setting evil filesize limits before invoking
one of the programs modifying the system files. Depending on
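As an added illustration of the uudecode defect described in the sharutils advisory above (this is editor-added Python, not sharutils or LinuxSecurity.com code), the block below contrasts a writer that follows a pre-planted symlink in a shared directory with one that creates its output exclusively, refuses symlinks and pipes, and checks the descriptor it actually opened rather than the name it looked at. The helper names (unsafe_write, safe_write, demo), the temporary directory and the file contents are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile

# Hypothetical helper names for this illustration; not sharutils code.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # 0 on platforms that lack it


def unsafe_write(path: str, data: bytes) -> None:
    """The pattern the advisory describes: a plain open() follows whatever
    symlink sits at `path`, so the bytes land in the link's target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Create the output without following links or writing into a FIFO or
    device. New files are created exclusively; an existing entry is accepted
    only if it is a plain regular file."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    except OSError as e:
        if e.errno not in (errno.EEXIST, errno.ELOOP):
            raise
        # Something already sits at the name; lstat does not follow symlinks.
        if not stat.S_ISREG(os.lstat(path).st_mode):
            raise PermissionError(f"refusing to write through non-regular file: {path}")
        # Re-open without following links and without blocking, in case a
        # FIFO was swapped in between the lstat and this open.
        fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NONBLOCK | O_NOFOLLOW)
    try:
        # Verify the object we opened, not the name we looked at.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"opened object is not a regular file: {path}")
        view = memoryview(data)
        while view:  # os.write may be partial
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)


def demo() -> dict:
    """Reproduce the symlink-in-a-shared-directory scenario inside a private
    temp dir and report what each writer did."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")   # file the attacker wants clobbered
        link = os.path.join(d, "output.txt")     # name the decoder will write to
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.symlink(victim, link)                 # attacker pre-plants the link

        unsafe_write(link, b"overwritten\n")
        with open(victim, "rb") as f:
            results["unsafe_overwrote_victim"] = f.read() == b"overwritten\n"

        with open(victim, "wb") as f:            # reset for the second run
            f.write(b"original\n")
        try:
            safe_write(link, b"overwritten\n")
            results["safe_refused_symlink"] = False
        except PermissionError:
            results["safe_refused_symlink"] = True
        with open(victim, "rb") as f:
            results["victim_intact_after_safe"] = f.read() == b"original\n"

        fresh = os.path.join(d, "fresh.txt")     # the ordinary case still works
        safe_write(fresh, b"hello\n")
        with open(fresh, "rb") as f:
            results["safe_wrote_fresh_file"] = f.read() == b"hello\n"

        fifo = os.path.join(d, "out.fifo")       # a pre-planted pipe is refused too
        os.mkfifo(fifo)
        try:
            safe_write(fifo, b"x")
            results["safe_refused_fifo"] = False
        except PermissionError:
            results["safe_refused_fifo"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The O_EXCL creation attempt is what closes the race the advisory hints at: a check-then-open sequence on the path name can be beaten by an attacker swapping a link in between, whereas exclusive creation plus a check on the opened descriptor leaves no window.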

[ISN] Computer whiz still faces second lawsuit

2002-05-20 Thread InfoSec News

http://www.mlive.com/news/bctimes/index.ssf?/xml/story.ssf/html_standard.xsl?/base/news/1021648510270760.xml

Friday, May 17, 2002
By Crystal Harmon
TIMES WRITER

A teen-age computer wizard has won his legal battle to get the label 
"hacker" removed from his school record, but now the label 
"eavesdropper" may be added to his criminal record.

Nicholas J. Suchyta, 19, allegedly recorded his roommate and her 
boyfriend having sex and also beamed live broadcasts of the activities 
on the Internet early this year. The couple told police they had no 
idea that the five computers in the living room were rigged with a Web 
cam. 

Bay County District Judge Scott J. Newcombe arraigned Suchyta on two 
counts of installing eavesdropping devices and two counts of divulging 
information obtained by eavesdropping. Each felony count carries a 
maximum penalty of two years in prison and $2,000 in fines. Suchyta 
was released from the Bay County Jail on May 8 after posting a $5,000 
bond. 

Suchyta had shared an apartment on North Hampton Road with an 
18-year-old woman who said the two had been best friends since grade 
school. But she said she became concerned when acquaintances said 
they'd seen her having sex on the Internet with her 18-year-old 
boyfriend. 

She told police she found the recordings on one of the computers, but 
as she attempted to download the images for evidence, the computer was 
shut down, apparently from one of the two laptop computers she said 
Suchyta carries with him. 

On Feb. 2, police searched the apartment and found a camera hidden on 
top of one of the computers. With the help of a computer crimes 
expert, they also found four files containing images of the two teens 
having sex that apparently had been broadcast on the Internet. 

Bay City Police also found 14 modems that they determined had been 
taken from Charter Communications, where Suchyta had worked as a 
high-speed data technician. 

Suchyta, who now resides on South Euclid Avenue, declined to comment 
to The Times about the cases. 

Meanwhile, Suchyta and Bay City Public Schools have settled a civil 
suit Suchyta brought against school officials who disciplined him for 
downloading a "hacking" program. The program included instructions for 
capturing log-ins and passwords of system users. 

Suchyta was a co-op student who worked in the student records office 
and the computer lab, and helped make the transition from one type of 
system to the other. Staff turned to Suchyta for help with many 
computer glitches, and, Suchyta said, a secretary gave him the 
password to the student-record program so he could help her update 
vaccination records. 

Later a teacher reported seeing Suchyta browsing student records in 
class, according to testimony given during depositions for the 
lawsuit. Co-op supervisor Michael Kehrier said school officials warned 
Suchyta to stay away from sensitive material, but they allowed him to 
continue his work in the school computer lab. 

The district's technology director said he's reviewed security and 
made some changes. 

"No data is ever going to be 100-percent secure," John Strycker said 
this morning. "But a system is only going to be as secure as the user. 
People that are new to using technology - and in this district it's 
relatively new - might not understand that passwords are like keys and 
you don't just hand them out." 

In November 2000, according to depositions, a Central teacher was 
having trouble with his computer and school technicians ran a virus 
program, which found several files saved on Suchyta's hard drive. 
Suchyta claimed he was simply collecting such information to evaluate 
possible threats to the network, he said. 

Assistant Principal Jonathan Whan suspended Suchyta for five days in 
November 2000, fired him from his co-op job and kicked him out of 
advanced computer classes. In written memos, Whan classified Suchyta's 
actions as "hacking" the computer system. 

Suchyta and his parents, Richard and Shannan, sued the school and Whan 
for defamation of character, invasion of privacy, intentional 
infliction of emotional distress and gross negligence. They also 
accuse school officials of failing to provide copies of computer data 
they requested under Michigan's Freedom of Information Act. 

The Suchytas asked for more than $25,000 each. Their attorney, David 
Skinner, said Thursday that the settlement - forged with help of a 
mediator and yet to be approved by a judge - was amicable. He wouldn't 
comment on a monetary settlement, but acknowledged that the schools 
removed all records of the alleged "hacking" incident from Suchyta's 
permanent record. 

In the suit, Skinner described school officials' handling of the 
incident as "open and hostile." 

"The school district's agents accused a teen-age high school student 
of being a hacker, removed him from the classes found most 
interesting," the complaint reads. "The allegation that Nicholas is a 
hacker creates the presu

[ISN] 13,000 Credit Reports Stolen by Hackers

2002-05-20 Thread InfoSec News

http://www.nytimes.com/2002/05/17/technology/17IDEN.htm

By JOHN SCHWARTZ
May 17, 2002

Hackers posing as employees of the Ford Motor Credit Company have in 
recent months harvested a trove of 13,000 credit reports - a virtual 
one-stop shop for fraud and identity theft - with data on consumers in 
affluent neighborhoods across the country.

The company said in a letter to the victims that computer intruders 
used an authorization code from Ford Credit to get the credit reports 
from Experian, one of three major reporting agencies.

"I've never seen anything of this size," a spokesman for Experian, 
Donald Girard, said. "Privacy is the hallmark of our business. We're 
extraordinarily concerned about the privacy issue here, and the trust 
factor."

The inquiries gave the intruders access to each victim's personal and 
financial information, including address, Social Security number, bank 
and credit card accounts and ratings of creditworthiness, which can be 
used to identify the best targets.

"This is not just a credit card number; this is the whole kazoo," said 
Richard Power, the editorial director for the Computer Security 
Institute, an industry trade group. A criminal could use the data to 
make credit card charges or even open bank and credit card accounts in 
the victim's name. 

Thefts of credit records, Mr. Power said, are far more common than is 
reported. "The unique thing about this one," he said, "is that it has 
surfaced." The theft was first reported yesterday by The Boston Globe 
and The Detroit News.

Statistics on identity theft are hard to come by, with estimates 
ranging as high as 700,000 cases a year. Betsy Broder, the assistant 
director for planning and information of the Federal Trade Commission, 
said the commission received 86,000 complaints of identity theft last 
year.

Representatives of Ford Credit said they did not know how the hackers 
acquired the code, which was used by the company's office in Grand 
Rapids, Mich. The intruders focused on addresses in affluent 
neighborhoods, often in numeric sequence, said Rich Van Leeuwen, 
executive vice president at Ford Credit.

The company said it had sent letters via certified mail to all 13,000 
people, urging them to contact Experian and the two other credit 
reporting giants, Equifax and TransUnion, and to report any evidence 
of abuse to the F.B.I. 

The company has also worked with Experian to set up a phone line to 
let victims get their credit reports and help them resolve 
discrepancies.

Neither Ford Credit nor Experian has determined how many people have 
reported fraudulent charges or other problems. Mr. Girard said that 
Experian had received 2,700 calls since the letters started going out 
this month. Although the unauthorized inquiries began in April 2001, 
Ford first heard about the problem in February, Mr. Van Leeuwen said. 
Only 400 of the 13,000 victims were customers of Ford Credit, he said.

Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said 
that she could not comment, except to say, "We're on the case."

Mr. Girard, the Experian spokesman, said the company would work with 
the F.B.I. to catch and prosecute the intruders. "It just shows that 
today, even big companies can be victimized," he said. "It's a 
never-ending struggle against the bad guys."





[ISN] Are you the Klez monster?

2002-05-20 Thread InfoSec News

http://news.com.com/2100-1001-916945.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
May 17, 2002, 1:05 PM PT

It may only be a matter of time before you're accused of spreading the 
Klez virus. 

A month after it started spreading, the Klez.h worm isn't slowing 
down, said antivirus experts on Friday. Moreover, the worm's technique 
of forging the address of the sender on each infected e-mail message 
is creating a flood of warnings from gateway antivirus software 
informing the wrong people that they are infected. 

"A lot of traffic is being multiplied by the response mechanisms and 
refusal mechanisms," said Fred Cohen, security practitioner in 
residence at the University of New Haven. 

In many cases, antivirus software protecting a company's e-mail 
gateways is sending out a response to each infected e-mail 
inadvertently sent out by a victim--but that warning is going to the 
wrong person. "So, in effect, you're getting twice the fun you would 
normally get," Cohen said. 

Apart from magnifying the amount of spam produced by the virus, the 
incorrect identification of those who are infected is also responsible 
for hindering efforts to fight the spread of the worm, said Cohen. 

Faked addresses

The Klez.h variant, which appeared in mid-April, infects PCs whose 
users open the attachment to an infected e-mail. Confusing matters, 
the e-mail will have a random "from" address, selected from various 
sources on the original victim's hard drive. And it pairs this bogus 
sender's address with one of more than 120 different subject lines. 

When a user opens the attachment, the virus starts up its own e-mail 
engine and mass mails itself to e-mail addresses found in various 
files on the PC, using a source address culled from those addresses. 
Klez.h can also send out a random file from the PC as an attachment, 
along with the e-mail that carries the worm, potentially passing 
confidential information. 

In some instances, the worm also drops one of several other viruses, 
including the destructive CIH, and tries to remove any active 
antivirus software from the system. 

Overall, the Klez.h variant has been extremely successful. 

"The spread has been really steady," said John Harrington, director of 
U.S. marketing for e-mail service provider MessageLabs. "We've seen 
20,000 again today (Friday), and there's no indication that this is 
dying down." 

While the worm has not spread as quickly as, say, the LoveLetter 
virus - of which MessageLabs received one copy for every 23 legitimate 
e-mails during the virus' peak in May 2000--it does make up one out of 
nearly every 170 e-mails, Harrington said. 

In fact, the steady spread--rather than a firestorm of e-mails—may 
actually be part of the reason for the worm's success, said 
Harrington. The Klez.h variant did manage to top the charts of 
computer viruses in April. 

"It kind of cruises below the radar screen," Harrington said. 
"Everyone had heard of LoveLetter. But if you go into a computer shop 
and ask people if they've heard of Klez, they'll shake their heads." 

Hard to track

The Klez variant's ability to spoof the source of infected e-mail 
makes it nearly impossible to track down the infected users who sent 
the virus. 

"The whole spoofing thing adds a dimension to it that is a little 
different," said Vincent Gullotto, vice president of Network 
Associates' antivirus emergency response team. "It's definitely 
possible that the false addresses are slowing response." 

Network Associates still receives more than 50 reports a day of the 
worm from customers, and some corporate clients are seeing more than 
20,000 messages carrying the virus at their e-mail gateways. 

The response to Klez--that uninfected users are being told they sent a 
virus--shows the holes in the system, added Gullotto. 

In addition, some out-of-the-office auto-reply mechanisms may be going 
haywire as a result of an infected user sending an e-mail with a 
random source and receiver who are both away. 

"I am sure there are some auto-reply wars that have been going on," 
Gullotto said. "There has been a lot of mail that is going around that 
is caused by this." 

Until system administrators disable antivirus notification on the 
e-mail gateway servers, the confusion will only continue. 
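The gateway behaviour Cohen and Gullotto describe above, worked through as an added Python example that is not part of Lemos's article or of any vendor's product: a naive gateway notifies whatever address the From: header names, so every forged-sender worm message produces a second message to an uninvolved person; a hardened policy sends no notice when the detected family is known to forge senders or when the From: domain appears nowhere in the Received: chain. The sample messages, hostnames, addresses, the "Test.Sample" verdict and the scanner verdicts themselves are constructed, and the domain-versus-relay heuristic is the editor's, not something the article states.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr


# Constructed sample traffic, not captured Klez mail. Each entry is the raw
# message as the gateway receives it plus the verdict a hypothetical scanner
# returned for it (None means clean). Hosts and addresses are made up.
def _sample(relay: str, sender: str, subject: str) -> str:
    return (
        f"Received: from {relay} ({relay} [192.0.2.10]) by mx.victim.example "
        "with SMTP; Fri, 17 May 2002 09:12:01 -0700\n"
        f"From: {sender}\n"
        "To: bob@victim.example\n"
        f"Subject: {subject}\n"
        "\n(attachment omitted)\n"
    )


SAMPLES = [
    (_sample("dialup-42.isp-a.example", '"alice" <alice@corp-b.example>', "a funny website"), "Klez.h"),
    (_sample("dialup-42.isp-a.example", "dave@mail-order.example", "meeting notice"), "Klez.h"),
    (_sample("cable-7.isp-b.example", "erin@victim.example", "Re: hello"), "Klez.h"),
    (_sample("mail.isp-c.example", "carol@isp-c.example", "invoice"), "Test.Sample"),
    (_sample("mail.isp-c.example", "carol@isp-c.example", "lunch?"), None),
]

# Families whose From: is harvested from the victim's disk rather than naming
# the infected machine's owner. The article describes Klez.h doing this; the
# set is a constructed policy value, not a vendor list.
SENDER_FORGING_FAMILIES = {"klez.h"}


def parse(raw: str) -> Message:
    return message_from_string(raw)


def sender_address(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def sender_domain(msg: Message) -> str:
    return sender_address(msg).rpartition("@")[2]


def relay_hosts(msg: Message) -> list:
    """Hostnames from the 'from' clause of every Received: header."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", " ".join(value.split()))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def sender_looks_forged(msg: Message) -> bool:
    """Heuristic: the From: domain appears nowhere in the relay chain."""
    dom = sender_domain(msg)
    if not dom:
        return True
    return not any(h == dom or h.endswith("." + dom) for h in relay_hosts(msg))


def naive_gateway(samples) -> list:
    """Notify whoever From: names, for every infected message: the behaviour
    the article says is flooding people who were never infected."""
    return [sender_address(parse(raw)) for raw, verdict in samples if verdict]


def hardened_gateway(samples) -> list:
    """Quarantine silently when the family forges senders or the From: domain
    does not match the relay chain; send a notice only otherwise."""
    notices = []
    for raw, verdict in samples:
        if not verdict:
            continue
        msg = parse(raw)
        if verdict.lower() in SENDER_FORGING_FAMILIES or sender_looks_forged(msg):
            continue  # log for the administrator, send nothing outbound
        notices.append(sender_address(msg))
    return notices


def summarize(samples) -> dict:
    """Count inbound infections against outbound notices for both policies."""
    infected = sum(1 for _, verdict in samples if verdict)
    naive, hardened = naive_gateway(samples), hardened_gateway(samples)
    return {
        "infected_inbound": infected,
        "naive_notifications": len(naive),
        "hardened_notifications": len(hardened),
        "misdirected_notices_avoided": len(naive) - len(hardened),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(f"{key}: {value}")
```

On the constructed batch the naive policy turns four infected messages into four outbound notices, three of them to people whose addresses were merely harvested, which is the doubling of traffic Cohen describes; the hardened policy keeps the one notice whose sender domain is consistent with the relay that delivered it.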


