[Esa-l] Hahaha

Bjarni R. Einarsson bre at klaki.net
Mon Feb 12 10:13:51 PST 2001


On 2001-02-12, 06:42:11 (-0700), Ken Dunham wrote:
> Hybris is the malware responsible for the emails and attachments.  Read all
> about it in our Hybris center:
> 
> http://www.securityportal.com/articles/hybriscenter20010129.html

Overall, I'm not terribly impressed with that page. The facts
it describes may be partially true, but today they are very
outdated and incomplete.  You can't "read all about it" at the
above URL, and I think Ken is mistaken to suggest otherwise.

An example:

  "Hybris spreads through email systems by sending users an
  email about Snow White with an infected attachment with a
  name like dwarf4you.exe."

This is ONE of the ways Hybris spreads.  Hybris also spreads in
messages lacking a subject line and containing only a single
base64-encoded attachment with a random file name.

Since the worm updates via the net, it is to be expected that
the author will cause it to mutate (more than once) in
the coming months.  New mutations WILL use new propagation
methods, because people will put up filters to block the old
ones.  The Hybris Center should mention this fact.

(I'm already seeing this happen - the procmail filter rule I
posted a few weeks ago is beginning to fail and I'm seeing new
strains of the worm in my inbox again.)

To the person wondering why the "webmaster" account keeps
getting Hybris messages: the explanation is that Hybris sniffs
network traffic for stuff looking like an email address.  It
doesn't just check the infected machine's address list.  This
is one of many things that makes Hybris "special", and reveals
another error on the securityportal page (the details page this
time):

  "Hybris obtains email addresses from outgoing mail and mails
  a copy of itself, with a .EXE or .SCR extension and random
  filename, to each email address."

It may do this, but that doesn't explain why I'm getting Hybris
from people who have never, ever sent me mail.  This sentence
would have been fine if it had started with the words "One of
the ways...".

Finally, I think the sensationalist remark, "Worse yet - only a
few antivirus products actually detect and remove all strains
of Hybris in the wild." should be changed.  The truth is that
NONE can detect and remove all strains, since new strains can
appear at any time.  But ALL antivirus products worth their
salt can detect and remove the things that have been out there
for more than a few weeks.  The sentence as it is written only
serves to frighten people, without really explaining the scope
of the problem.


Well.  'Nuff said I guess.  I suppose I should make it clear
that I have nothing against securityportal or Ken Dunham - I
just felt compelled to point out some (IMHO) important
omissions from the information on that page.  Hopefully this
qualifies as constructive criticism. :)

Creating a "Hybris Center" is a good idea - assuming it is kept
up to date.  The stuff I'm complaining about here was all
relatively well known sometime last November or December at the
*latest*.  So updating the page is long overdue.

(In fact, judging from the publication date on the page (Jan
29, 2001) the page was completely outdated before it went
online!  Whatever the explanation, that really is very sloppy
work.)


Ken - feel free to use this information on your page, and feel
free to contact me if you have any questions.  I've got lots
and lots of samples of Hybris in my quarantine and a procmail
ruleset which at the moment stops the most common strains out
there.

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
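The subjectless strain described in the post (no Subject header, a single base64-encoded attachment with a random name and an .EXE/.SCR extension) can be expressed as a mail-filter heuristic. The following is an added illustration, not Bjarni's procmail ruleset and not from the Hybris Center page; the message builder and the sample file names are constructed, and the attachment bytes are placeholder text.

```python
from typing import Optional
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits of the subjectless strain as described in the post. A filter keyed
# to one strain is expected to stop matching once the worm mutates.
EXECUTABLE_EXTENSIONS = (".exe", ".scr")


def hybris_traits(raw_message: bytes) -> dict:
    """Check one raw message for the traits of the subjectless strain."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = (part.get_filename() or "").lower()
        cte = str(part.get("Content-Transfer-Encoding") or "").lower()
        attachments.append((name, cte))
    one = len(attachments) == 1
    traits = {
        "no_subject": subject == "",
        "single_attachment": one,
        "base64_attachment": one and attachments[0][1] == "base64",
        "executable_name": one and attachments[0][0].endswith(EXECUTABLE_EXTENSIONS),
    }
    traits["suspicious"] = all(traits.values())
    return traits


def build_sample(subject: Optional[str], filename: str, payload: bytes) -> bytes:
    """Construct a test message; the stdlib builder base64-encodes binary parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "webmaster@example.invalid"  # constructed address
    if subject is not None:
        msg["Subject"] = subject
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: the subjectless strain and the "Snow White" strain.
PLACEHOLDER = b"constructed placeholder bytes, not a real binary"
SUBJECTLESS = build_sample(None, "qgyukzpa.exe", PLACEHOLDER)
SNOW_WHITE = build_sample("Snow White", "dwarf4you.exe", PLACEHOLDER)

if __name__ == "__main__":
    print(hybris_traits(SUBJECTLESS))
    print(hybris_traits(SNOW_WHITE))
```

The second sample shows the caveat the post makes: a rule tuned to the subjectless strain does not flag the "Snow White" strain, so each new propagation method needs its own check.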