From: Ralph G Weill (Ralph.G.Weill@aexp.com)
To: root@attrition.org
Date: Mon, 1 Oct 2001 16:32:19 -0700
Subject: Infected

Just thought you ought to know that one of the defacements on your mirror is
playing host to the SunOS/BoxPoison.defaced virus.  See the attached screen
capture.  The infected link is the one for Burke E. Porter Machinery.

Ralph Weill
Anti-Virus Specialist

(See attached file: attrition.infected.bmp)


From: security curmudgeon (jericho@attrition.org)
To: Ralph G Weill (Ralph.G.Weill@aexp.com)
Cc: Heathens (staff@attrition.org)
Date: Mon, 1 Oct 2001 23:56:21 -0600 (MDT)
Subject: Re: Infected

: Just thought you ought to know that one of the defacements on your
: mirror is playing host to the SunOS/BoxPoison.defaced virus.  See the
: attached screen capture.  The infected link is the one for Burke E.
: Porter Machinery. 

Actually no, it isn't. Like many others, you are blindly trusting the
anti-virus program warning when it is giving you a false positive. The
page you reference is nothing more than standard HTML tags and ascii text.
There is no 'virus' on that page.

Further, whatever software you are using is calling it "BoxPoison.defaced"
for whatever bullshit reason the company thought having a non standard
name would benefit them. The defacement you point out is a result of the
sadmind/IIS worm and has nothing to do with "Poison Box" which the
"BoxPoison.defaced" name bears a striking resemblance to.

I can only hazard a guess that the minimum wage monkeys hired by the AV
company got confused after reading one too many PoisonBox and sadmind/IIS
defacements. As a result of their low IQ and poor coding practice, they
erroneously labeled it incorrectly. Further, their uber virus scanning
engine is doing nothing more than grep(1) matching based on ascii strings
to determine if a 'virus' is present. Geez, that is a joke.

For more information on the *worm* (not virus) you can read one of our
commentary pieces that deals with it. In that, we link to the CERT
advisory regarding this worm etc etc.

http://www.attrition.org/security/commentary/worm01.html

If you have any question as to the validity of this, look at the source
code to the mirror in question.


http://attrition.org/mirror/attrition/2001/05/13/www.bepco.com/

now explain to me how that is a 'virus'?

: Ralph Weill
: Anti-Virus Specialist

heheheh, Anti-Virus Specialist? Because you read the pop up warning of
some gimpy virus software? good one. please, keep sending in this humor =) 


From: /dev/null (null@attrition.org)
To: Ralph G Weill (Ralph.G.Weill@aexp.com)
Cc: root@attrition.org, staff@attrition.org
Date: Tue, 2 Oct 2001 00:12:40 -0600 (MDT)
Subject: Re: Infected

: Just thought you ought to know that one of the defacements on your mirror is
: playing host to the
: SunOS/BoxPoison.defaced virus.  See the attached screen capture.  The infected
: link is
: the one for Burke E. Porter Machinery.
: 
: Ralph Weill
: Anti-Virus Specialist

Hi, Ralph.

I'm afraid you're mistaken -- we are not host to any such virus.  The page
you sent us was defaced as a result of the SunOS/BoxPoison.defaced.  The
alert you received is a product of a ridiculously bad antivirus software;
it picked up on the strings in the web page itself, which appeared on your
hard drive in your browser cache as soon as you viewed the web page.  The
bitmap you sent us (and in the future, please don't send us bitmaps -- few
of us use Windows at all, thus viewing them becomes difficult; I had to go
into another room and use another computer to see this) does not display
the full path to the file that set off the antivirus software, but I will
bet that if you go look at it, the path pointed to your browser's cache.

I'm sure that, as an anti-virus specialist, you know that you can view the
source of the web page in question; you would see it is pure HTML.  No
code, no executable, no scripting.  Therefore, as I'm sure you know, it
could have no malicious payload.  It is only HTML.  

Your antivirus software triggered on this page, which is the calling card
of infection by that particular virus; infected web pages were defaced
with that page, and apparently the antivirus program is poorly-written
enough that it assumes that if that defaced web page is on your hard
drive, it means you have also been infected.  Of course, as any anti-virus
specialist knows, this is not the case -- the page appeared on your hard
drive through your browser's cache, when you viewed a mirror of a web page
defaced through the work of the virus.

I suggest you strongly consider purchasing an antivirus program that does
not give such false positives based on web pages in your cache.  I also
suggest you try clearing your cache and then running the antivirus program
again...I bet it'll fix the problem right up.

/dev/null
Attrition staff

			"-Never- mock the cookie."  
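The mechanism both replies describe, a string-matching engine firing on a plain HTML defacement page that landed in the browser cache, can be reproduced and triaged in a few lines. The following is an added example, not code from the thread or from attrition.org; the signature string, file contents and paths are constructed placeholders (the real defacement text is not used), and the cache-directory fragments are an assumption that would need adjusting per browser.

```python
"""Constructed demonstration of a string-only AV detection and the context
checks that separate a cached web page from an actual infection."""
import re

# Constructed "signature database": one detection name mapped to the ASCII
# strings the engine greps for. The marker text is a placeholder, not the
# real defacement page's text.
SIGNATURES = {
    "SunOS/BoxPoison.defaced": [b"DEFACEMENT MARKER (placeholder)"],
}

# Path fragments typical of browser caches (assumption; adjust per browser).
CACHE_HINTS = ("/temporary internet files/", "/cache/", "/cache2/")

# Markup that would make an HTML file more than static text.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|object|embed|applet)\b|javascript:", re.I)
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def naive_string_scan(data, signatures=SIGNATURES):
    """Mimic a string-matching engine: a signature fires when any of its
    ASCII strings occurs anywhere in the file, regardless of file type."""
    return [name for name, needles in signatures.items()
            if any(n in data for n in needles)]


def in_browser_cache(path):
    """True when the path looks like it lives under a browser cache directory."""
    norm = "/" + path.replace("\\", "/").lower().strip("/") + "/"
    return any(hint in norm for hint in CACHE_HINTS)


def content_class(data):
    """Coarse classification of what the flagged bytes actually are."""
    if data.startswith(EXECUTABLE_MAGIC):
        return "executable"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "active-html" if ACTIVE_CONTENT.search(data) else "inert-html"
    return "other"


def triage(path, data):
    """Combine the naive hit with file-type and location context.

    Returns (verdict, hits). A hit on inert HTML sitting in a browser cache
    is the pattern the thread describes: the cached copy of a mirrored
    defacement page, not an infection."""
    hits = naive_string_scan(data)
    if not hits:
        return ("clean", hits)
    cls = content_class(data)
    if cls == "executable":
        return ("investigate: signature in executable", hits)
    if cls == "inert-html":
        if in_browser_cache(path):
            return ("likely false positive: cached web page", hits)
        return ("inert HTML outside cache: review how it got there", hits)
    return ("investigate: active content or unknown type", hits)


# Constructed samples: a cached copy of a mirrored defacement page, and a
# binary carrying the same marker string.
CACHED_PAGE = (b"<html><body><h1>DEFACEMENT MARKER (placeholder)</h1>"
               b"<p>Mirrored defacement, plain HTML only.</p></body></html>")
CACHED_PATH = (r"C:\Documents and Settings\user\Local Settings"
               r"\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm")

BINARY = b"MZ" + b"\x00" * 60 + b"DEFACEMENT MARKER (placeholder)" + b"\x00" * 16
BINARY_PATH = r"C:\WINNT\system32\unknown.exe"

if __name__ == "__main__":
    for p, d in ((CACHED_PATH, CACHED_PAGE), (BINARY_PATH, BINARY)):
        print(p, "->", triage(p, d))
```

The point of the `triage` step is the one /dev/null makes about the full path and the page source: the same string hit means something different in an executable than in a static HTML file under the browser cache, and a scanner that reports only the signature name hides exactly the context needed to tell them apart.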


