[liberationtech] Recent Malware in Syria

Rafal Rohozinski r.rohozinski at psiphon.ca
Thu Mar 15 13:44:06 PDT 2012


Collin,

It was only done in isolation because at the time no one else seemed to be working on it, and we received the binaries from a source that asked us to remain in confidence. Since then we have joined the working group that I know you're also a part of, and everything that we know has been shared.

Disappointingly, this working group seems not to be very effective or active. Perhaps your involvement and that of TCX can shed more light on this issue, as I do think it needs wider scrutiny.

There is also another issue here. Rather than investigating the malware and trying to get at the question of provenance, it was made public very quickly on CNN. This took the C&C domain down, and basically left the investigation chasing an empty rabbit hole. Not terribly good practice, I fear.

I think we need good collaboration and cooperation around investigating these kinds of malware attacks, as they are likely to become more common going forward. Finding the right balance between the confidence necessary to make investigations effective and transparency is, I think, essential. Your work in this regard is very helpful, and I encourage you to keep playing this positive role.

Rafal



Sent from my PsiPhone

On 2012-03-15, at 4:33 PM, Collin Anderson <collin at averysmallbird.com> wrote:

> Rafal,
> 
> I appreciate the information on SecDev's involvement; immediately after the CNN article, Telecomix was able to coordinate a number of resources, binaries, documents and contacts. While I understand this was a matter SecDev had begun an investigation into prior to the report, disappointingly, it seemed to have been done in isolation.
> 
> Telecomix only became aware of its effort after a registrar they were coordinating with began to work with SecDev. For the past month, TCX has continued its research in a professional capacity and has resources that SecDev may not. I hope you pass along a message to all that you know who are working on Syria, that they are welcome to everything that has been collected by TCX in this process.
> 
> Cordially,
> Collin
> 
> On Thu, Mar 15, 2012 at 10:34 AM, Rafal Rohozinski <r.rohozinski at psiphon.ca> wrote:
> There is a CS malware working group that's been established. SecDev is involved (via a Freedom House supported project), and membership in the working group overlaps with several other groups working in this area, including those you listed. The Citizen Lab also has a malware research project that is working on targeted malware attacks, which includes Syria.
> 
> Rafal
> 
> 
> Sent from my PsiPhone
> 
> On 2012-03-15, at 10:21 AM, Andrew Lewis <lta893 at gmail.com> wrote:
> 
> > It looks like at least Telecomix, Torproject and EFF are working on the recent threats to come out of Syria; is there anyone else looking into it besides them? It may also make sense to combine efforts in some way.
> >
> > -Andrew
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> >
> > Should you need to change your subscription options, please go to:
> >
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> >
> > You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > Should you need immediate assistance, please contact the list moderator.
> >
> > Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> 
> -- 
> Collin David Anderson
> averysmallbird.com | @cda | Washington, D.C.
> 