More MyDoom Gloom
fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."
decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."
carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."
It's another case against OS monoculture (Score:5, Informative)
Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.
Here's a presentation [defcon.org] (sorry, I could only find a PowerPoint version) that was made by Jonathan Wignall [defcon.org] at DefCon last year about this topic. Same conclusion: diversifying is necessary to combat worms.
In addition, not instead of (Score:5, Informative)
I don't find the fast reactions unbelievable... (Score:5, Informative)
If I've said it once . . . (Score:5, Informative)
I've said it a thousand times.
If it weren't for /., I'd have never noticed.
How to filter the worm: (Score:3, Informative)
Re:McBride interview (Score:5, Informative)
I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.
Thanks to open source, we were able to avoid contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.
Re:I wish all mail admins.. (Score:2, Informative)
Re:MyDoom victim (Score:3, Informative)
The SCO DDOS is nothing compared to the fact that the worm opens up a back door which allows other people complete control over his computer.
Re:McBride interview (Score:2, Informative)
Stawin-A Trojan (Score:5, Informative)
A million zombied machines for anyones use (Score:5, Informative)
Listens on port 3127; accepts a maximum of 3 connections at a time. If the first byte of the received data is 0x85, the DLL skips the next byte, then compares the next dword read to 133C9EA2h; if this is true, it accepts the executable from the sender, downloads it to a temp file/directory and runs it.
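As an added detection example (not from the quoted analysis or any project), here is a small Python classifier for the first bytes a client sends on a TCP 3127 connection, built only from the handshake byte and dword described above. The little-endian byte order of the dword, the flow tuple layout and the sample flows are assumptions/constructed.

```python
import struct

# From the analysis quoted above: the backdoor DLL listens on TCP 3127, expects
# 0x85 as the first byte, skips the second, then compares the next dword with
# 133C9EA2h before accepting and running whatever executable follows.
BACKDOOR_PORT = 3127
HANDSHAKE_BYTE = 0x85
UPLOAD_MAGIC = 0x133C9EA2   # assumption: read as a little-endian x86 dword


def classify_payload(payload):
    """Classify the first bytes a client sent on a port-3127 connection.

    'not_backdoor' - no 0x85 handshake byte
    'truncated'    - handshake seen, fewer than 6 bytes captured
    'probe'        - handshake present, magic dword does not match
    'upload'       - handshake and magic both present: a file push attempt
    """
    if not payload or payload[0] != HANDSHAKE_BYTE:
        return "not_backdoor"
    if len(payload) < 6:
        return "truncated"
    # byte 1 is ignored by the DLL; bytes 2..5 hold the dword
    (magic,) = struct.unpack_from("<I", payload, 2)
    return "upload" if magic == UPLOAD_MAGIC else "probe"


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).
    Returns (src_ip, dst_ip, verdict) for every flow on 3127 that shows
    the handshake; ordinary traffic hitting the port is left out."""
    alerts = []
    for src, dst, dport, data in flows:
        if dport != BACKDOOR_PORT:
            continue
        verdict = classify_payload(data)
        if verdict != "not_backdoor":
            alerts.append((src, dst, verdict))
    return alerts


# Constructed sample flows (not real captures): a stray HTTP request on 3127,
# a handshake with a wrong dword, an upload attempt, and the same bytes on
# port 80, which is not the backdoor port and should not alert.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 3127, b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.6", "10.0.0.9", 3127, b"\x85\x00" + struct.pack("<I", 0x11111111)),
    ("10.0.0.7", "10.0.0.9", 3127, b"\x85\x00" + struct.pack("<I", UPLOAD_MAGIC) + b"MZ"),
    ("10.0.0.8", "10.0.0.9", 80, b"\x85\x00" + struct.pack("<I", UPLOAD_MAGIC)),
]
```

Feeding `scan_flows` the first payload of each inbound 3127 connection from a capture gives a quick list of hosts that were probed or pushed a file, which is the signal to take the infected machine off the network.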
Re:Stawin-A Trojan (Score:5, Informative)
There was a typo in the URL
Re:Block port 25? (Score:2, Informative)
Operating a mail server carries special responsibilities with it. You have to make sure that you're not operating an open relay (even inadvertently), you must monitor your outgoing mail (logs) to make sure that your server is not being abused as a spam source, and you should react to problems such as mail loops etc., e.g. by assuming the role of postmaster.
While most of us /.-ers are technically savvy enough to do this, a whole lot of Windows-PC owners are not. Their machines are constantly being hijacked by viruses, and then they become spam zombies from hell. I can understand why ISPs are reluctant to keep port 25 open to such people. OTOH, I don't like this collective punishment meted out by some ISPs who don't discriminate between responsible and irresponsible users.
It is quite common for ISPs to block port 25 for dial-up users, but they won't do so if they assign to you a static IP. In most cases, people with static IPs are more responsible (and technically savvy) than Joe Sixpack, and there's often no need to block them. Of course, in an ideal world, the ACLs on ISPs routers would be configured dynamically for every user who logs in. It is easy to implement a whitelist/ blacklist of users and block only those who don't act responsibly, open everything for users who have a good history of fixing bugs or keeping a tight ship, and giving everyone else the benefit of the doubt.
Re:How to filter the worm: (Score:2, Informative)
* ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
Watch MyDoom in Action! (Score:2, Informative)
Procmail recipie with antivirus signatures (Score:1, Informative)
http://freshmeat.net/projects/yavr [freshmeat.net]
Works like a charm
SCO connection is a red herring (Score:5, Informative)
Let me guess.... (Score:3, Informative)
That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.
Kjella
Re:Way OT (Score:5, Informative)
Then why spell it with two 'i's? "Viri" would be correct by your example.
However, in the original Latin, "virus" is a collective rather than singular noun (e.g. "snow" vs "snowflake", although the original meaning is more like "slime"). Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium"), in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.
Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".
Re:Who Said It'll Attack SCO? & A FUDworm? (Score:3, Informative)
Quick Poll: (Score:5, Informative)
*raises hand*
Oh yes, and Hotmail over there.
These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.
Ben
Re:Ingenious my arse (Score:5, Informative)
nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address (iirc from 198.137.240.91 to 198.137.240.92), trivially avoiding the DDoS.
sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also Akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certainly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press, who had no idea that "windowsupdate.com" was NEVER the actual windows update site.
Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.
Re:Off Track (Score:4, Informative)
Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).
At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.
Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.
And
http://www.oem-sale.biz/cgi-bin/order.pl?ii
and watch carefully what happens.
HTTP/1.1 302 Found
Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid
And that gets a new redirection:
HTTP/1.1 302 Found
Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[
One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.
Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would
Continue to do so, as long as they get paid.
domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars
(nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover
oem-sale.biz, registrar directi.com
and they know, have been informed over and over and over and over
If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.
Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.
Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
Re:How to filter the worm: (Score:3, Informative)
"TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x
The first two bytes are "MZ", which will be the same on every dos and windows executable (except
The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.
"UEsDBAoAAA" = 50 4B 03 04 0A 00 00 0x
Again, the first two bytes are a signature, in this case "PK", which identifies it as a zip file. The 03 04 is then a marker to tell it what sort of record follows, best case you're only matching against 3.5 bytes that are actually relevant.
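To make this comment's point concrete, here is an added Python example (not from the thread or the yavr recipe) that decodes the two quoted base64 prefixes, counts how many decoded bytes lie outside the MZ/PK magic, and shows that a constructed, harmless stored ZIP matches the procmail-style prefix. The ZIP local-header values and the sample file are constructed for the demonstration.

```python
import base64
import re
import struct
import zlib

# The two base64 prefixes quoted in the thread (start of the attachment body).
EXE_PREFIX = "TVqQAAMAAA"
ZIP_PREFIX = "UEsDBAoAAA"


def decode_prefix(prefix):
    """Decode a partial base64 string.

    Returns (fully_determined_bytes, constrained_bits_of_next_byte). Each
    character carries 6 bits, so 10 characters fix 7 bytes plus the high
    4 bits of an 8th byte (the "0x" in the comment above).
    """
    bits = 6 * len(prefix)
    padded = prefix + "A" * (-len(prefix) % 4)   # 'A' contributes zero bits
    raw = base64.b64decode(padded)
    return raw[: bits // 8], bits % 8


def relevant_bytes(prefix, magic):
    """Bytes the prefix pins down beyond the format's own magic number."""
    fixed, extra_bits = decode_prefix(prefix)
    return len(fixed) + extra_bits / 8 - len(magic)


def matches_recipe(b64_body, prefix):
    """The procmail rule above is an anchored regex on the encoded body."""
    return re.match(re.escape(prefix), b64_body) is not None


def stored_zip(name, data):
    """Constructed sample: a minimal ZIP local file header (version 1.0,
    no flags, method 'stored') followed by the file data; only the start
    of the archive matters for the prefix check."""
    header = struct.pack(
        "<4sHHHHHIIIHH",
        b"PK\x03\x04", 10, 0, 0, 0, 0x21,   # signature, version, flags, method, time, date
        zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(name), 0,
    )
    return header + name + data


def benign_zip_b64():
    """Base64 body of a harmless text file archived with 'stored'."""
    return base64.b64encode(stored_zip(b"readme.txt", b"just a text file")).decode("ascii")
```

Running `relevant_bytes(ZIP_PREFIX, b"PK\x03\x04")` gives the 3.5 bytes the comment mentions, and `matches_recipe(benign_zip_b64(), ZIP_PREFIX)` is true, so the rule would also drop ordinary uncompressed attachments.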