From: Ralph G Weill (Ralph.G.Weill@aexp.com) To: firstname.lastname@example.org Date: Mon, 1 Oct 2001 16:32:19 -0700 Subject: Infected Just thought you ought to know that one of the defacements on your mirror is playing host to the SunOS/BoxPoison.defaced virus. See the attached screen capture. The infected link is the one for Burke E. Porter Machinery. Ralph Weill Anti-Virus Specialist (See attached file: attrition.infected.bmp)
From: security curmudgeon (email@example.com) To: Ralph G Weill (Ralph.G.Weill@aexp.com) Cc: Heathens (firstname.lastname@example.org) Date: Mon, 1 Oct 2001 23:56:21 -0600 (MDT) Subject: Re: Infected : Just thought you ought to know that one of the defacements on your : mirror is playing host to the SunOS/BoxPoison.defaced virus. See the : attached screen capture. The infected link is the one for Burke E. : Porter Machinery. Actually no, it isn't. Like many others, you are blindly trusting the anti-virus program warning when it is giving you a false positive. The page you reference is nothing more than standard HTML tags and ascii text. There is no 'virus' on that page. Further, whatever software you are using is calling it "BoxPoison.defaced" for whatever bullshit reason the company thought having a non standard name would benefit them. The defacement you point out is a result of the sadmind/IIS worm and has nothing to do with "Poison Box" which the "BoxPoison.defaced" name bears a striking resemblance to. I can only hazard a guess that the minimum wage monkeys hired by the AV company got confused after reading one too many PoisonBox and sadmind/IIS defacement. As a result of their low IQ and poor coding practice, they erroneously labeled it incorectly. Further, their uber virus scanning engine is doing nothing more than grep(1) matching based on ascii strings to determine if a 'virus' is present. Geez, that is a joke. For more information on the *worm* (not virus) you can read one of our commentary pieces that deals with it. In that, we link to the CERT advisory regarding this worm etc etc. http://www.attrition.org/security/commentary/worm01.html If you have any question as to the validity of this, look at the source code to the mirror in question. http://attrition.org/mirror/attrition/2001/05/13/www.bepco.com/ now explain to me how that is a 'virus'? : Ralph Weill : Anti-Virus Specialist heheheh, Anti-Virus Specialist? Because you read the pop up warning of some gimpy virus software? good one. please, keep sending in this humor =)
From: /dev/null (email@example.com) To: Ralph G Weill (Ralph.G.Weill@aexp.com) Cc: firstname.lastname@example.org, email@example.com Date: Tue, 2 Oct 2001 00:12:40 -0600 (MDT) Subject: Re: Infected : Just thought you ought to know that one of the defacements on your mirror is : playing host to the : SunOS/BoxPoison.defaced virus. See the attached screen capture. The infected : link is : the one for Burke E. Porter Machinery. : : Ralph Weill : Anti-Virus Specialist Hi, Ralph. I'm afraid you're mistaken -- we are not host to any such virus. The page you sent us was defaced as a result of the SunOS/BoxPoison.defaced. The alert you received is a product of a ridiculously bad antivirus software; it picked up on the strings in the web page itself, which appeared on your hard drive in your browser cache as soon as you viewed the web page. The bitmap you sent us (and in the future, please don't send us bitmaps -- few of us use Windows at all, thus viewing them becomes difficult; I had to go into another room and use another computer to see this) does not display the full path to the file that set off the antivirus software, but I will bet that if you go look at it, the path pointed to your browser's cache. I'm sure that, as an anti-virus specialist, you know that you can view the source of the web page in question; you would see it is pure HTML. No code, no executable, no scripting. Therefore, as I'm sure you know, it could have no malicious payload. It is only HTML. Your antivirus software triggered on this page, which is the calling card of infection by that particular virus; infected web pages were defaced with that page, and apparently the antivirus program is poorly-written enough that it assumes that if that defaced web page is on your hard drive, it means you have also been infected. Of course, as any anti-virus specialist knows, this is not the case -- the page appeared on your hard drive through your browser's cache, when you viewed a mirror of a web page defaced through the work of the virus. I suggest you strongly consider purchasing an antivirus program that does not give such false positives based on web pages in your cache. I also suggest you try clearing your cache and then running the antivirus program again...I bet it'll fix the problem right up. /dev/null Attrition staff "-Never- mock the cookie."