nanog mailing list archives

Re: Sobig.f surprise attack today
From: steve uurtamo <uurtamo () arttoday com>
Date: Fri, 22 Aug 2003 11:58:44 -0700

OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Only if we make assumptions that what they state is 100% fact and the whole
truth of the matter. They know of 20 but, who is to say a variant in the wild
doesn't know of 20 more? Or 100 more? Too late anyway. My other list
subscriptions show it active now ...

symantec sez that it listens for properly-signed announcements
about new and improved servers from which to receive said payload.
so it can change the source list at any time.

