Why is Netsky still around?

[John Coutts]

Why is it that the many variants of Netsky are hanging around so long? I have
my own theory, but I don't have any direct experience with the virus.

My first observation is that the some people are infected with the Virus for
extended periods of time. Our virus block list entries are set to timeout after
10 days, and I find the same IP addresses being relisted again and again. This
leads me to believe that the Virus is fairly well behaved, and people just
don't notice that they are infected.

That leads to the question as to why their upstream providers are not forcing
them to cleanse their computers? The anti-virus people list the damage from all
the Netsky variants medium to low, and they are fairly easy to detect. It seems
like there is no real incentive for the manpower limited ISP's to do anything
about their customers who are still spewing out this garbage.

Comments anyone?

J.A. Coutts

 

[Frederic Bonroy]

Why is it that the many variants of Netsky are hanging around so long?

Many viruses do. If you look at the wild list at
http://www.wildlist.org/WildList/RTWL.htm you will see that it lists
many viruses that are several years old. The oldest one seems to be
Form.A from 1994.

 

[Ionizer]

Why is it that the many variants of Netsky are hanging around so long? I have
my own theory, but I don't have any direct experience with the virus.

My first observation is that the some people are infected with the Virus for
extended periods of time. Our virus block list entries are set to timeout after
10 days, and I find the same IP addresses being relisted again and again. This
leads me to believe that the Virus is fairly well behaved, and people just
don't notice that they are infected.

That leads to the question as to why their upstream providers are not forcing
them to cleanse their computers? The anti-virus people list the damage from all
the Netsky variants medium to low, and they are fairly easy to detect. It seems
like there is no real incentive for the manpower limited ISP's to do anything
about their customers who are still spewing out this garbage.

Comments anyone?

Our ISP, Rogers, assured me not too long ago that their "security team" is
"monitoring" virus activity on their network. Apparently, that's all they
are doing- just monitoring. I still receive several copies of the
"W32Dumaru @ mm" virus every week, despite the fact that this one has been
around for almost a year now:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
In my opinion, ISPs such as mine just don't give a shit.

Regards,
Ian.

 

[John Coutts]

Many viruses do. If you look at the wild list at
http://www.wildlist.org/WildList/RTWL.htm you will see that it lists
many viruses that are several years old. The oldest one seems to be
Form.A from 1994.

******************** REPLY SEPARATER *********************
But we are still receiving about 300 a day. 95 out of 100 are Netsky and most
of the rest are the Bagle virus. The volume does not seem to have decreased to
any degree since it started, and this is abnormal.

 

[Fik]

That leads to the question as to why their upstream providers are not forcing
them to cleanse their computers? The anti-virus people list the damage from all
the Netsky variants medium to low, and they are fairly easy to detect. It seems
like there is no real incentive for the manpower limited ISP's to do anything
about their customers who are still spewing out this garbage.

While this would be perfectly feasible to do, the "incentive" for the ISPs
is negligible.

Rightly or wrongly, any ISP that intercepts and/or scans a customers traffic
"automatically" without the consent of either sender or receiver would set
themselves up for a rather large fall.

Many private individuals would scream about their "civil liberties" and
their "right" to be able to send what they like to whoever they like without
"big brother" scanning and checking it first. These users would likely leave
whichever ISP was brave enough to try it and the ISP would end up with a
clean service but no customers.

There are also the legal implications - If a company loses a $50million
contract because an ISP has blocked their mail due to a virus (or worse
still a false alarm) they could probably sue the ISP for the value of the
loss of business.

If you are worried about virus infected E-mails then its really not
difficult to set up your own level of protection depending on your
needs/budget. We have several layers of protection here and tend to be free
from incoming nasties, despite and average of 1500+ being "aimed" at our
domain. We simply pick them off before they get here.

Expecting "someone else" to deal with the problem is, in my opinion, the
wrong way to address it.

 

[null]

While this would be perfectly feasible to do, the "incentive" for the ISPs
is negligible.

Rightly or wrongly, any ISP that intercepts and/or scans a customers traffic
"automatically" without the consent of either sender or receiver would set
themselves up for a rather large fall.

Many private individuals would scream about their "civil liberties" and
their "right" to be able to send what they like to whoever they like without
"big brother" scanning and checking it first. These users would likely leave
whichever ISP was brave enough to try it and the ISP would end up with a
clean service but no customers.

There are also the legal implications - If a company loses a $50million
contract because an ISP has blocked their mail due to a virus (or worse
still a false alarm) they could probably sue the ISP for the value of the
loss of business.

If you are worried about virus infected E-mails then its really not
difficult to set up your own level of protection depending on your
needs/budget. We have several layers of protection here and tend to be free
from incoming nasties, despite and average of 1500+ being "aimed" at our
domain. We simply pick them off before they get here.

Expecting "someone else" to deal with the problem is, in my opinion, the
wrong way to address it.

However, people sometimes suffer from server mailbox overloads during
"day zero and after" periods when some new I-worm proliferates, The
only place this can be stopped is at the ISP. I recall one attackment
that was about 300K. A little over thirty of these and your 10 meg
server mailbox limit is exceeded. If ISPs are to be held legally
responsible for not delevering email because it's been squeezed out by
over thirty redundant and identical malware attackments, I think
they'd start zapping the redundant attackments regardless of whether
or not you've signed on for their virus blocking service. And, in
fact, I have a suspicion that my ISP is blocking some such widespread
and redundant malware even though I cancelled their combo spam and
virus blocking option. If so, I'm not complaining. I can find better
ways to collect sample malwares for my collection


Art
http://www.epix.net/~artnpeg