[virus] your host (69.50.191.68)


P. Thompson

i'm sorry but that is not how you've been presenting things...

you've been posting articles that ask for the removal of content in a
group where no one has the authority or ability to remove that content...

It is more copies of email sent.
even now i still don't know what topic you wish to be addressed - you
may want to provoke thought, but so far you've done a poor job of doing
so...

Considering that several of the posts were from two separate folks who
appear to be professional Usenet trolls (not you, really, but do a search
"Conor" and "Unhelpful ****wit") I think it was reasonably thought
provoking. Yes, no easy answers, yes could have been initiated better by
me.
when then come in here and say things like "you all suck! you virus
writers should be put in jail"... and the reason it's the same is
because, like them, you're addressing the wrong people...

Hmm, but mine contained both facts and content.

But I agree, no helpful step by step process yet for end users tracking
where they get their viruses from. I won't advocate any end luser get
Ethereal and try to track it that way. But at least it was a
demonstration that viruses do not come out of the blue and their source
can be determined and hopefully convinced to correct the situation.
However poorly executed by me, I think that was accomplished.

Fewer viruses ultimately means less spam because the source of zombied
machines begins to dry up or at least become manageably smaller.
 

P. Thompson

On that special day, P. Thompson, ([email protected]) said...
How did you get the idea that someone who is unaware that his machine
is compromised will be a regular reader of a SECURITY newsgroup? If he
knew about security and how to keep it, he wouldn't be running a trojanized
computer in the first place.

As I've stated earlier, that was not the point. The point was as a
multi-year reader of alt.comp.anti-virus I've noted it to be largely
devoid of SECURITY issues and found it instead to be dedicated to a subset
of Windows troubleshooting and delousing.
This is like shouting into a hospital: "stop spraying flu on me".

A hospital like alt.comp.anti-virus might actually need that.
Then report them to rfc-ignorant.org, or look them up; they might
already have an entry in there. And if you use the command tracert on
the IP number, you'll get this result:

69.50.191.68 69-50-191-68.esthost.com

So esthost.com is the host who has to be contacted.

Do a whois -h whois.arin.net 69.50.191.68
and you'll get

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: (e-mail address removed)

So I was hardly off base, as you've tried to imply.
Use http://www.esthost.com/contact.php for your complaint, please.

Thank you for a helpful suggestion.
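A worked version of the whois step discussed above, added here as an example and not code from any poster in the thread: it parses ARIN-style key/value whois output and pulls out the OrgAbuse* contact, first checking that the queried address actually falls inside the NetRange/CIDR the record describes (a mismatch usually means the registry handed back a parent block or a referral rather than the allocation you care about). The sample record is constructed; its OrgAbuse fields mirror the ones quoted in the thread, while NetRange, CIDR, NetName, OrgName and the e-mail address are assumptions for the sake of the example.

```python
import ipaddress
import re

# Constructed sample in ARIN's key/value whois format. The OrgAbuse*
# lines mirror the thread's quoted output; NetRange, CIDR, NetName,
# OrgName and the e-mail address are assumptions for this example.
SAMPLE_WHOIS = """\
NetRange:       69.50.160.0 - 69.50.191.255
CIDR:           69.50.160.0/19
NetName:        EXAMPLE-NET
OrgName:        Example Hosting
OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-925-550-3947
OrgAbuseEmail:  abuse@example.invalid
# ARIN WHOIS data and services are subject to the Terms of Use
"""

KV_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*?)\s*$")


def parse_whois(text):
    """Return whois key/value pairs; a key seen twice collects into a list."""
    record = {}
    for line in text.splitlines():
        if not line or line.startswith(("#", "%")):
            continue  # comment / terms-of-use chatter, not record data
        m = KV_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def covers(record, ip):
    """True if ip lies inside the record's CIDR (preferred) or NetRange."""
    addr = ipaddress.ip_address(ip)
    cidrs = record.get("CIDR")
    if cidrs:
        # ARIN may list several prefixes on one line, comma separated.
        cidrs = cidrs if isinstance(cidrs, list) else cidrs.split(",")
        return any(addr in ipaddress.ip_network(c.strip()) for c in cidrs)
    rng = record.get("NetRange")
    if rng:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        return lo <= addr <= hi
    return False


def abuse_contact(text, ip):
    """Abuse handle/email/phone for ip, or None if the record doesn't cover it."""
    record = parse_whois(text)
    if not covers(record, ip):
        return None
    return {
        "handle": record.get("OrgAbuseHandle"),
        "email": record.get("OrgAbuseEmail"),
        "phone": record.get("OrgAbusePhone"),
    }


if __name__ == "__main__":
    # In practice the text would come from `whois -h whois.arin.net <ip>`.
    print(abuse_contact(SAMPLE_WHOIS, "69.50.191.68"))
```

The coverage check is the part worth keeping: a report sent to the abuse contact of a block that does not actually contain the offending address is wasted effort, and it is a common outcome when a registry answers with a larger parent allocation.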
 

Bart Bailey

even now i still don't know what topic you wish to be addressed - you
may want to provoke thought, but so far you've done a poor job of doing
so...

Maybe that provoked thought consists of no more than "what can I say
to express my frustration over not getting to stroke my ego with a
helpful reply", in any case he's got you going. <g>
 

Nick FitzGerald

P. Thompson said:
Okay but why? Why does it bother you so? I am not asking for help, I am
trying to stir thought: is the status quo in anti-virus really acceptable?

Perhaps it is not, but your post is a very poor way to stir thought and/or
discussion of that issue...
I realize this is a little outside of the status quo of this group which
consists of treating virus infections like acts of god and cutting and
pasting the same dozen lines of Windows delousing techniques over and over
ad nauseam...

Why do you feel so oddly proprietary about this newsgroup that my
anti-virus topical postings are too off topic for this unmoderated
anti-virus newsgroup?

Your post _is_ irrelevant.

And worse, really, really stupid.

If even just ten percent of folk with the kind of "problem" you seem to be
wrestling with posted such "just for your information" messages to this
newsgroup, the increased traffic level would render the group entirely
useless overnight.

That is certainly not an improvement...
 

P. Thompson

Your post _is_ irrelevant.

How? It's discussing an anti-virus strategy...
If even just ten percent of folk with the kind of "problem" you seem to be
wrestling with posted such "just for your information" messages to this
newsgroup, the increased traffic level would render the group entirely
useless overnight.

They would have the functionally indistinguishable group alt.comp.virus to
post in....

But fine, I suck, point taken. Now to the real issue: what are your
thoughts on the idea of adding functionality to anti-virus software to
track what site the infection came from or optionally send this
information elsewhere for the less stupid to act on? Easy, difficult?
Any thoughts at all?
 

kurt wismer

P. Thompson said:
It is more copies of email sent.

yes, i realize they're copies of email that you sent... that was clear
from the email header information in the article body... without any
additional explanation about why you're copying that stuff in here, the
reasonable interpretation is that you're 'forward'ing it to other
people (this group) you think can do something about the problem...

we've established that that isn't what you're doing, but as i said
before - i still don't know what you are actually trying to do...
Considering that several of the posts were from two separate folks who
appear to be professional Usenet trolls (not you, really, but do a search
"Conor" and "Unhelpful ****wit") I think it was reasonably thought
provoking. Yes, no easy answers, yes could have been initiated better by
me.

thought provoking? all the responses i've seen were to the effect that
you're talking to the wrong people...

as for people being trolls, i would refer you to the adage about glass
houses...
Hmm, but mine contained both facts and content.

yours contained urls and a "please remove this" plea... notifications
don't make for a discussion... seemingly inappropriately addressed
notifications do seem to make for a mild flame war, however...
But I agree, no helpful step by step process yet for end users tracking
where they get their viruses from. I won't advocate any end luser get
Ethereal and try to track it that way. But at least it was a
demonstration that viruses do not come out of the blue and their source
can be determined and hopefully convinced to correct the situation.
However poorly executed by me, I think that was accomplished.

well, that could be part of the problem too - since for most of the
regulars here you just restated the obvious... of course they don't pop
out of thin air... of course they can be tracked back to their source
(given the proper information)...

are you really trying to provoke thought about such obvious things?
Fewer viruses ultimately means less spam because the source of zombied
machines begins to dry up or at least become manageably smaller.

does not follow... viruses and zombied machines aren't causally
related... further, zombied machines are not the sole source of spam...
 

kurt wismer

P. Thompson said:
How? It's discussing an anti-virus strategy...

a copy of a notification is no such thing...

[snip]
But fine, I suck, point taken. Now to the real issue: what are your
thoughts on the idea of adding functionality to anti-virus software to
track what site the infection came from or optionally send this
information elsewhere for the less stupid to act on? Easy, difficult?
Any thoughts at all?

finally, an idea we can discuss! hallelujah!

ok, there are pros and cons to this idea... the most notable con is
scalability - if a lot of people used this function the people doing
things with the output would fast become inundated... the pros are
obvious - having intelligent people hunt down and do their best to kill
the source of exposure for various pieces of malware is a good thing,
it would definitely improve the situation if it was workable...

the main difficulty would be actually matching up malware with the
source... easy enough with most existing web based malware i suppose,
but email based malware is really more the threat du jour, and there
have already been proven techniques (captcha) used to thwart anti-virus
automatons... that means such a system would depend on users making the
connection between the malware instance and the envelope that carries
its source information and that is probably not going to be very
reliable in practice...

that, combined with the lack of scalability suggests to me that this
wouldn't work... at least not without some clever redefinition of *some
part* of it...
 

P. Thompson

are you really trying to provoke thought about such obvious things?

I thought of it from this perspective.

Much of what goes on here already duplicates what goes on every day in
various Microsoft os/ie/mail groups which discuss techniques to remove
malware. Really a value considering the degree of duplication? Maybe.
does not follow... viruses and zombied machines aren't causally
related... further, zombied machines are not the sole source of spam...

Are you making a distinction here between a self replicating virus
and malware (of the sort detected by "anti virus" software) when you say
that?

Is that the core of your complaint about the noise level of this group?
That it is inundated with "malware" related topics when all
that should be covered is self replicating code?

Maybe the light is coming on in my head...
 

P. Thompson

finally, an idea we can discuss! hallelujah!

First introduced here
"(e-mail address removed)" but everyone was
too mad at me to think about it.
ok, there are pros and cons to this idea... the most notable con is
scalability - if a lot of people used this function

OK, so you are willing to talk about malware. Scratch the thing in my
other message about the light coming on in my head. It's still dark in
there.
the main difficulty would be actually matching up malware with the
source... easy enough with most existing web based malware i suppose,
but email based malware is really more the threat du jour, and there
have already been proven techniques (captcha) used to thwart anti-virus
automatons... that means such a system would depend on users making the
connection between the malware instance and the envelope that carries
its source information and that is probably not going to be very
reliable in practice...

OK, I was focused on web based malware distribution because I assume
following the money will make it easier to find the culprits.

Today does anyone really follow the money when a run of the mill piece of
email distributed malware phones home to a web site? Perhaps no one here
would know for sure. It seems they do for the big malware, for one hears
about various malcontents getting arrested periodically.
that, combined with the lack of scalability suggests to me that this
wouldn't work... at least not without some clever redefinition of *some
part* of it...

Agreed.

Another weak point might be a breed of malware which could fake
information which software might try to use to locate the malware source.
Phoney packets, fake entries in index.dat files.
 

P. Thompson

On that special day, P. Thompson, ([email protected]) said...


If it were that easy, the originators of the BOFRA attack would already
have been arrested.

http://www.theregister.co.uk/2004/11/21/register_adserver_attack/

Easier != easy. In this example surely not easy, but some cases it might
still be easier.

In general, I'd guess email based problems can be tracked easily only to
the previously infected individual; beyond that, I would guess it scales
very poorly.

In general, I'd also guess web servers might have a combination of more
robust logging and more proactive administration than a generic PC running
MS lookout.
 

kurt wismer

P. Thompson said:
First introduced here
"(e-mail address removed)" but everyone was
too mad at me to think about it.

?? that article does not actually introduce the idea of a
software-based infection source reporting mechanism...

[snip]
OK, I was focused on web based malware distribution because I assume
following the money will be easier to find culprits.

"following the money"? i'm just talking about identifying the immediate
source of the exposure - the host computer or ip block... following the
money from there to actual parties responsible is a whole other matter
entirely...

[snip]
Agreed.

Another weak point might be a breed of malware which could fake
information which software might try to use to locate the malware source.
Phoney packets, fake entries in index.dat files.

that's already the case with most modern email worms - the sender
information is obscured to the point that the best you can expect to be
able to do is notify the isp that owns the ip the email came from...

then there's the bot nets that take their orders over some ephemeral
medium like usenet or irc instead of a website that someone somewhere
has to own...

and then there's the seeding of malware from internet cafes or
compromised machines...

malware spreaders already go to some lengths to protect their
identities... some do a better job than others...
 

Kim_il_Zoom

P. Thompson said:
As I've stated earlier, that was not the point. The point was as a
multi-year reader of alt.comp.anti-virus I've noted it to be largely
devoid of SECURITY issues and found it instead to be dedicated to a subset
of Windows troubleshooting and delousing.
A hospital like alt.comp.anti-virus might actually need that.
Do a whois -h whois.arin.net 69.50.191.68
and you'll get

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: (e-mail address removed)

So I was hardly off base, as you've tried to imply.
Thank you for a helpful suggestion.

Hello,

I had problems last week with some malware originating from the
IP 69.50.161.11 which I also traced back to the Atrivo source.
To me, it was valuable to find that someone else, i.e. the OP,
has had similar problems. In my case, my AV & Antispyware have
obviously taken care of the infection at last.

Regardless of the OP's possibly "offensive" initial posting,
I am surprised at the vitriolic and barely constructive comments
that it triggered. IMHO, those remarks were of no use to
anyone.

Thank you, OP, for a helpful posting.

Rgds,
Kim
 

P. Thompson

I had problems last week with some malware originating from the
IP 69.50.161.11 which I also traced back to the Atrivo source.
To me, it was valuable to find that someone else, i.e. the OP,
has had similar problems. In my case, my AV & Antispyware have
obviously taken care of the infection at last.

Thank you.

Incidentally, to gain some perspective on the Atrivo problem, in the last
week or so:

hxxp://69.50.166.212/counter/new/x.chm
was responsible for distributing the Win32/Sillydl.EM!Trojan

hxxp://69.50.166.212/nv/test.exe
was responsible for distributing the Win32.SillyDl.CJ

hxxp://69.50.166.212//counter//winxp//exploit.exe
was responsible for distributing the Win32.SillyDl.CJ virus.

hxxp://69.50.161.11/nd/tcpsvcss.exe was responsible for
distributing the Win32.Netmesser.B virus.

hxxp://69.50.161.11/nd/tlntadmnx.exe
was responsible for distributing the Win32.Secdrop.DC trojan.

hxxp://69.50.161.11/nd/winmsdc.exe
was responsible for distributing the Win32.Bloon.B virus.

hxxp://69.50.161.11/nv/sp2chk.exe
was responsible for distributing the Win32.Aluroot.B

hxxp://69.50.166.212/counter/winxp/GetAccess.class was
responsible for distributing the Java/ClassLoader.c!Trojan.

hxxp://69.50.166.212/nv/hta.txt was responsible for distributing
the VBS.Petch Trojan.
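Turning a list like the one above into something a tool can act on, as an added example that is not code from any poster in the thread: it re-fangs the hxxp:// URLs, splits host from path (collapsing the doubled slashes seen in the post), and groups the detection names per host, so that one abuse report per IP can be assembled rather than one per file. The sample text is a constructed excerpt that copies the format of the post above; the regular expression is an assumption about that format and would need adjusting for differently worded lists.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in the format of the post above (a subset of its lines).
SAMPLE_POST = """\
hxxp://69.50.166.212/counter/new/x.chm
was responsible for distributing the Win32/Sillydl.EM!Trojan

hxxp://69.50.166.212//counter//winxp//exploit.exe
was responsible for distributing the Win32.SillyDl.CJ virus.

hxxp://69.50.161.11/nd/tcpsvcss.exe was responsible for
distributing the Win32.Netmesser.B virus.

hxxp://69.50.161.11/nv/sp2chk.exe
was responsible for distributing the Win32.Aluroot.B
"""

# One defanged (hxxp) or plain URL, the filler phrase (tolerating the
# "reponsible" typo the original post had), then the detection name with
# an optional trailing "virus"/"trojan" and full stop.
INDICATOR = re.compile(
    r"(?P<url>h(?:xx|tt)ps?://\S+)\s+was\s+res?ponsible\s+for\s+distributing\s+the\s+"
    r"(?P<name>\S+?)(?:\s+(?:virus|trojan))?\.?(?=\s|$)",
    re.IGNORECASE,
)


def refang(url):
    """hxxp:// -> http://, hxxps:// -> https://; other schemes untouched."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_indicators(text):
    """Yield (host, path, detection) from free-text 'URL was responsible ...' lines."""
    flat = " ".join(text.split())  # the post wraps mid-sentence; join into one line
    for m in INDICATOR.finditer(flat):
        parts = urlsplit(refang(m.group("url")))
        path = re.sub(r"/{2,}", "/", parts.path)  # '//counter//winxp' -> '/counter/winxp'
        yield parts.hostname, path, m.group("name")


def by_host(text):
    """Group (path, detection) pairs per host, deduplicated, for one report per IP."""
    hosts = defaultdict(list)
    for host, path, name in parse_indicators(text):
        if (path, name) not in hosts[host]:
            hosts[host].append((path, name))
    return dict(hosts)


if __name__ == "__main__":
    for host, items in by_host(SAMPLE_POST).items():
        print(host)
        for path, name in items:
            print(f"  {path}  ->  {name}")
```

Grouping by host is what makes the whois step upstream worthwhile: both IPs in the sample sit in the same provider's space, so the output feeds directly into a single complaint listing every path served from each address.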
 

Shay

Hi there P. Thompson,

I've submitted samples of some of the files listed below to Kaspersky,
H+BEDV, McAfee and Symantec. I also sent your posting with links.

Some of them seem to be really new if undetected!!

Where did you find the links?

If you want... you can email me back at: shayglenn at gmail dot com

Thanks loads
 

P. Thompson

Hi there P. Thompson,

I've submitted samples of some of the files listed below to Kaspersky,
H+BEDV, McAfee and Symantec. I also sent your posting with links.

Some of them seem to be really new if undetected!!

Well, this seems to be another way where posting this information can come
in handy:

1) Shows the scale of a problem.

2) Provides a way to get samples to all major vendors.

In the Real World (tm), a virus detection vendor seems to effectively
treat samples submitted through their sample submission process as a trade
secret, while the actual user community might be well served by getting
this out to as many as possible.

Unless I am unaware of some process by which they share these samples, in
my experience submitting them does not seem to result in that.
 
