
Re: Hysterical first technical alert from US-CERT



On Tue, 03 Feb 2004 07:11:49 EST, Larry Seltzer <larry@xxxxxxxxxxxxxxxx>  said:

> First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent
> field says that too; other dates in the headers disagree.

Oh, like the fact that a lot of mail servers were getting pounded by MyDoom.*A*
doesn't mean that there could be delays along the line? (Remember to add in the
timezones - at least some of the boxes are running in GMT not EST5EDT).

> Second, and more to the point, it takes an extreme view of MyDoom.B that
> nobody else is supporting, including the sources they cite. MyDoom.B is a flop.

OK. So let's see.  We've got one highly successful virus (MyDoom.A) on the
loose at the time of writing, another variant that's essentially identical
except for the target, and no clear indication why this one *shouldn't*
take off as well.

Yes, it took an extreme view that nobody is supporting *NOW*.  Now isn't
last Wednesday night, when there wasn't a week's worth of hindsight.

Yes, it fizzled.  Please point us at the information available to the CERT
guys *at the time* that proves there was *no* way that MyDoom.B could
possibly ever be a real threat.  What would you have the CERT guys do,
*not* send the advisory just because they aren't 100% sure at the time?

I suppose you also understand why MyDoom-A was huge and Dumaru-whatever that
showed up 2 days before was a yawner.  Also, note that I got more copies of
Dumaru in the first 2 hours of THAT one than I got *total* of MyDoom-A - so
based on the first 2 hours from where *I* am, Dumaru was looking like a much
bigger event.

> Am I misreading something? Did anyone else get this on 1/28?

Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
    by outgoing2.securityfocus.com (Postfix) with QMQP
    id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500

Looks like some delay there.  But it was already at SecurityFocus's qmail
within seconds (the Date: is actually 31 seconds ahead of the Received: once
you allow for timezones - somebody isn't using NTP ;)

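The header comparison made in the message above, as an added example that is not part of the original post: it normalises the quoted Date: and Received: stamps to UTC, then reports the sender's clock skew against the first hop and the delay between hops. The function names are chosen here for illustration.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# The three header lines quoted in the message, refolded as continuation lines.
RAW = """\
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
    by outgoing2.securityfocus.com (Postfix) with QMQP
    id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500

"""

def to_utc(stamp):
    """Parse an RFC 2822 date in any zone and normalise it to UTC."""
    stamp = re.sub(r"\([^)]*\)", "", stamp)   # drop comments such as "(MST)"
    stamp = " ".join(stamp.split())           # undo header folding
    return parsedate_to_datetime(stamp).astimezone(timezone.utc)

def received_stamp(value):
    """A Received: header carries its timestamp after the last semicolon."""
    return to_utc(value.rsplit(";", 1)[1])

def analyse(raw):
    """Return (sent, hops, skew_seconds, hop_delays_seconds)."""
    msg = email.message_from_string(raw)
    sent = to_utc(msg["Date"])
    # Each relay prepends its Received: line, so reverse into time order.
    hops = [received_stamp(v) for v in reversed(msg.get_all("Received", []))]
    # Positive skew: the sender's clock runs ahead of the first relay's clock.
    skew = (sent - hops[0]).total_seconds()
    hop_delays = [(b - a).total_seconds() for a, b in zip(hops, hops[1:])]
    return sent, hops, skew, hop_delays

if __name__ == "__main__":
    sent, hops, skew, delays = analyse(RAW)
    print("Date: header (UTC):", sent.isoformat())
    for n, hop in enumerate(hops, 1):
        print(f"hop {n} received (UTC):", hop.isoformat())
    print("Date: ahead of first hop by", skew, "seconds")
    print("delay between hops (seconds):", delays)
```

A Date: stamp later than the first Received: stamp, as here, points to an unsynchronised clock on the sending side rather than to transit delay.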