"Cristian Rodríguez"
On 01/09/12 02:00, David Haller wrote:
> WTF? ONE specific IP in a virus? That resolves to a Polish-operated host in the Netherlands attached to a router in the Netherlands? (cf. 'whois 212.7.208.65' and 'traceroute 212.7.208.65' and a whois on the second-to-last hop).
> And _NOTHING_ about method of attack / propagation??? Via Flash / JS^WECMA Script / Java / browser-specific bugs, or whatever???
> Fishy!
> I'd stay wary and follow this a bit, watch CERT announcements etc., but it has more than just a hint of a hoax / scareware ...
Looks like a pretty amateurish thing to use one IP address.

Most malware has a series of backup IPs. But modern malware uses internal encryption to hide its internal info such as backup command and control IPs. Static analysis/disassembly can be almost useless in trying to find the backup IPs. Better is to let it run, then get a memory dump. But the bad guys know this, so they only unencrypt functionality and data as they need it.

Malware analysts in turn use VMs to fake out the malware (using fake clocks etc.) and try to trigger the malware to use additional functionality/data. The malware writers work hard to detect that the malware is being analysed and shut down. A friend of mine has estimated 80% of malware in 2011 looked to see if it was running in a VM and terminated itself if it was.

That only one IP is provided likely just means the virus writer was better than the analysis tools used to analyse it.

As to where the IP is, that means little. Bad guys typically hack systems around the world and then use them as command and control systems.

Greg

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
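Added illustration, not part of the thread, of Greg's point that backup C2 addresses are more likely to be recovered from a running sample's memory than from the disassembly: this Python sketch scans a constructed mock memory dump for dotted-quad strings, first in the clear and then under every single-byte XOR key, as a stand-in for data the sample keeps encrypted until it needs it. The dump bytes, the key 0x5A and the RFC 5737 documentation addresses are all constructed here.

```python
import re
import ipaddress

# Constructed mock "memory dump" (not a real capture): one IPv4 string in the
# clear and a second one obfuscated with a single-byte XOR key, standing in
# for backup C2 data that is only decrypted while in use. Both addresses are
# RFC 5737 documentation addresses; the key 0x5A is arbitrary.
XOR_KEY = 0x5A
_HIDDEN = bytes(b ^ XOR_KEY for b in b"198.51.100.23")
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00junk\x00" + b"203.0.113.10" + b"\x00more junk\x00"
    + _HIDDEN + b"\x00\x00trailing999.1.1.1\x00"  # 999.x is a bogus quad
)

# Dotted quad not glued to other digits or dots on either side.
_DOTTED_QUAD = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4(blob: bytes) -> set[str]:
    """Return the syntactically valid IPv4 strings found in blob.

    ipaddress rejects octets above 255 (so '999.1.1.1' is dropped), and
    loopback/unspecified/multicast addresses are skipped as unlikely C2.
    """
    found = set()
    for m in _DOTTED_QUAD.finditer(blob):
        text = m.group(1).decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            continue
        found.add(text)
    return found


def extract_ipv4_xor(blob: bytes) -> dict[str, int]:
    """Brute-force every single-byte XOR key over the dump and collect the
    IPv4 strings that only appear after decoding. Returns {ip: key}."""
    in_clear = extract_ipv4(blob)
    revealed: dict[str, int] = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for ip in extract_ipv4(decoded) - in_clear:
            revealed.setdefault(ip, key)
    return revealed
```

On a real dump the XOR pass will also surface false positives from random bytes, so treat its output as candidates to confirm against network traffic, not as a list of C2 servers.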