September 02, 2003
Blaster: Question, Joke, Comment

The FBI report on Jeffrey Lee Parson (t33kid, who tweaked the Blaster virus) is a really good read, as noted on MeFi. For me, there were three very interesting things in there.

1. IANAL, but it's the FBI, so doesn't that mean it's a crime against the United States? I ask only because the crime is not to users -- that is, US citizens -- but rather, as stated in the document, the Microsoft corporation. Well, ok, "aggregate loss to Microsoft and other persons," but since when was Microsoft a person? With the FBI fighting for it? This is not a rhetorical question. I'm really curious how it works.

2. The back door that the Blaster Virus installs is called "Lithium." Lithium, notes Special Agent Farquhar, allows remote control of the system.

3. The original Blaster was ingeniously conceived and produced. White-hat (?) hackers at LSD contacted Microsoft about the vulnerability. Microsoft responded by issuing a patch. It was the China-based XFocus (whose hats seem to be darker) that then reverse-engineered the patch to find out what it was patching, and then exploited that vulnerability.

Essentially, their distribution system was racing Microsoft's. So the lessons may not simply be about security, but also about distribution systems. What's more, as Blaster raced Microsoft, it was specifically trying to shut Microsoft's distribution system down through a DDoS attack on windowsupdate.com. It was an interesting race and I'd say -- if we're using binary -- it's China 1, Microsoft 0.

Posted by kevin slavin at September 02, 2003 07:33 PM
Comments

Nice Site!

Posted by: Lolita on October 10, 2003 05:13 AM

This spam was posted by:

Leonid Sagalovsky

it's his home; I didn't leave a message. Maybe someone else wants to.

Posted by: dbrown on October 10, 2003 10:28 AM

slight amendment: the email associated with the lolita spam leads to this guy. "posted by" is more than I actually know.

Posted by: dbrown on October 10, 2003 01:00 PM

db, you might check to see if someone spoofed him before I call and ruin his life -- the data I come up with for that name in chicago suggests someone with better things to do.

Posted by: Danky Hung on October 10, 2003 01:36 PM

yes, but the data also point toward him using the same slavic-based ISP as the lolita site, and his email (leonid@yahoo.com) shows up in the "from" part on saturation... which is not diagnostic, but maybe he'd like to know, anyway. I'd like to know if, say, you were spamming your lolita site with my email.

Posted by: dbrown on October 10, 2003 01:44 PM

also: I'm not sure if he still works at the Argonne National Lab.

Posted by: dbrown on October 10, 2003 01:45 PM

I'm just not sure I want to anger anyone at the Argonne National Lab.

Posted by: Danky Hung on October 10, 2003 02:40 PM

better than the Orgone National Lab, is all I'll say.

Posted by: dbrown on October 10, 2003 06:11 PM