North American Network Operators Group


Re: Sobig.f surprise attack today

  • From: steve uurtamo
  • Date: Fri Aug 22 15:17:46 2003


OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Only if we make assumptions that what they state is 100% fact and the whole truth of the matter. They know of 20 but, who is to say a variant in the wild doesn't know of 20 more? Or 100 more? Too late anyway. My other list subscriptions show it active now ...

symantec sez that it listens for properly-signed announcements
about new and improved servers from which to receive said payload.
so it can change the source list at any time.

s.