More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."



  • by Eyah....TIMMY ( 642050 ) * on Wednesday January 28, 2004 @06:06PM (#8117517)
    It was covered [slashdot.org] last week.

    Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

    Here's a presentation [defcon.org] (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall [defcon.org] at DefCon last year about this topic. Same conclusion: diversifying is necessary to combat worms.
  • by allism ( 457899 ) <alice@harrison.gmail@com> on Wednesday January 28, 2004 @06:07PM (#8117537) Journal
    The B variant [kaspersky.com] targets both Microsoft and SCO.
  • by Coocha ( 114826 ) <[ude.tv] [ta] [ahcooc]> on Wednesday January 28, 2004 @06:12PM (#8117608) Homepage
    ... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple of routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiencing unheard-of downtimes as well.
  • by Leroy_Brown242 ( 683141 ) on Wednesday January 28, 2004 @06:15PM (#8117672) Homepage Journal

    I've said it a thousand times.

    1. Mutt [mutt.org]
    2. Spamassassin [spamassassin.org]
    3. Greylisting [puremagic.com]
    4. Profit!

    If it weren't for /., I'd have never noticed.

  • by Saint Aardvark ( 159009 ) * on Wednesday January 28, 2004 @06:18PM (#8117717) Homepage Journal
    From a posting on the SecurityFocus Incidents mailing list [securityfocus.com]:

    ------- Forwarded message follows -------
    From: lsi <stuart cyberdelix net>
    To: focus-virus securityfocus com
    Subject: how to filter the Novarg virus
    Send reply to: stuart cyberdelix net
    Date sent: Wed, 28 Jan 2004 17:35:57 -0000

    I have devised a near-bulletproof Novarg filter.

    The following regular expressions trap this virus dead, no matter
    what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]

    If expression body matches "TVqQAAMAAA*" Move
    [virus folder]

    This is because the worm is in fact the same program with many
    disguises. However the program looks the same when encoded with
    MIME. Therefore, the above are basically 'MIME sigs' which work just
    like a virus signature in a regular virusscanner.

    So to find it we merely filter on the MIME strings above, which are
    the first 10 bytes of the MIME content section.

    For users without enterprise-class content filters (such as me),
    these two regexp's work like a silver bullet.

    (That two different sigs are required suggests there are two versions
    of the virus in circulation.)

    No silver bullet for auto-notification messages, unfortunately :(

    Stuart

    ------- End of forwarded message -------
  • Re:McBride interview (Score:5, Informative)

    by ananke ( 8417 ) on Wednesday January 28, 2004 @06:30PM (#8117889)
    Ironically, open source seems to be helping to stop that. Here's my story:

    I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.

    Thanks to open source, we were able to keep ourselves from contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.
  • by Random Guru 42 ( 687672 ) <chris@coldacid. n e t> on Wednesday January 28, 2004 @06:32PM (#8117908) Homepage Journal
    Maybe the mail server authors are in league with the spammers! Ohtehnos!
  • Re:MyDoom victim (Score:3, Informative)

    by mabu ( 178417 ) on Wednesday January 28, 2004 @06:43PM (#8118071)
    Your friend is a moron.

    The SCO DDOS is nothing compared to the fact that the worm opens up a back door which allows other people complete control over his computer.
  • Re:McBride interview (Score:2, Informative)

    by muckdog ( 607284 ) on Wednesday January 28, 2004 @06:55PM (#8118229) Homepage
    Aahh, does SCO Linux ring a bell? How about SCO as a founding member of United Linux? They were a part of the open source movement. They turned to the dark side just like Vader in a search for more Money ^H^H^H^H^H Power.
  • Stawin-A Trojan (Score:5, Informative)

    by sharp-bang ( 311928 ) <sharp.bang.slash ... .com minus punct> on Wednesday January 28, 2004 @07:00PM (#8118281) Homepage
    Sophos [sophos.com] has intercepted a new trojan called Troj/Stawin-A [sophos.com] that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.
  • by codepunk ( 167897 ) on Wednesday January 28, 2004 @07:00PM (#8118284)
    Read the following....extremely scary....

    Listens on port 3127; accepts a maximum of 3 connections
    at a time. If the first byte of the received data is
    0x85, the DLL skips the next byte, then compares the next
    dword read to 133C9EA2h; if this is true, it accepts
    the executable from the sender, downloads it to a temp
    file/directory and runs it.
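The handshake quoted above is small enough to check mechanically. The following is an added example written for this page, not code from the thread or from any analysis of the worm: it parses the described port-3127 exchange (first byte 0x85, one byte skipped, a dword compared with 133C9EA2h, then the executable) out of a captured byte stream and flags connections that carry it. The on-wire byte order is an assumption: the quoted analysis describes an x86 dword comparison, so the bytes are taken to arrive little-endian (A2 9E 3C 13), and one big-endian record is included in the constructed sample data to make that assumption visible. The sample connection records are constructed here.

```python
"""Added example: detect the port-3127 backdoor handshake described in the
quoted analysis. Byte order on the wire (little-endian) is an assumption;
sample records are constructed for the demo."""
import struct
from typing import Optional

BACKDOOR_PORT = 3127
MAGIC_FIRST_BYTE = 0x85
MAGIC_DWORD = 0x133C9EA2  # value from the quoted analysis
HANDSHAKE_LEN = 1 + 1 + 4  # marker byte, skipped byte, dword


def extract_dropped_payload(stream: bytes) -> Optional[bytes]:
    """Return the bytes the backdoor would write to a temp file and run,
    or None if the stream does not carry the handshake."""
    if len(stream) < HANDSHAKE_LEN or stream[0] != MAGIC_FIRST_BYTE:
        return None
    # Byte 1 is skipped by the DLL; the dword sits at offset 2.
    # Little-endian is assumed (x86 in-memory dword comparison).
    (dword,) = struct.unpack_from("<I", stream, 2)
    if dword != MAGIC_DWORD:
        return None
    return stream[HANDSHAKE_LEN:]


def build_handshake(payload: bytes, skipped_byte: int = 0x00) -> bytes:
    """What a client pushing an executable would send; used for test data."""
    return (bytes([MAGIC_FIRST_BYTE, skipped_byte])
            + struct.pack("<I", MAGIC_DWORD) + payload)


def scan_connections(records):
    """records: iterable of (dst_port, first_bytes_of_client_data).
    Returns one finding per connection that looks like backdoor use."""
    findings = []
    for dst_port, data in records:
        if dst_port != BACKDOOR_PORT:
            continue
        payload = extract_dropped_payload(data)
        if payload is None:
            continue
        findings.append({
            "port": dst_port,
            "payload_len": len(payload),
            # A real dropped executable should start with the MZ magic.
            "looks_like_exe": payload[:2] == b"MZ",
        })
    return findings


# Constructed sample traffic: one genuine push, plus cases that must not match.
SAMPLE_CONNECTIONS = [
    (3127, build_handshake(b"MZ\x90\x00" + b"\x00" * 60)),
    (3127, b"GET / HTTP/1.0\r\n\r\n"),           # probe, not the handshake
    (3127, build_handshake(b"", 0x41)[:5]),      # truncated handshake
    (80, build_handshake(b"MZ")),                # right bytes, wrong port
    (3127, bytes([0x85, 0x00])
     + struct.pack(">I", MAGIC_DWORD) + b"MZ"),  # big-endian dword: no match
]

if __name__ == "__main__":
    for finding in scan_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

Run against a pcap by feeding it the destination port and the first few dozen client bytes of each TCP stream; anything that passes `extract_dropped_payload` is a remote party pushing code to an infected host, which is the more serious behaviour the comment points at.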
  • Re:Stawin-A Trojan (Score:5, Informative)

    by johnmc ( 66535 ) on Wednesday January 28, 2004 @07:11PM (#8118390) Homepage
    Make that Troj/Stawin-A [sophos.com]..
    There was a typo in the URL
  • Re:Block port 25? (Score:2, Informative)

    by cpghost ( 719344 ) on Wednesday January 28, 2004 @07:14PM (#8118444) Homepage

    Operating a mail server carries special responsibilities with it. You have to make sure that you're not operating an open relay (even inadvertently), you must monitor your outgoing mail (logs) to make sure that your server is not being abused as a spam source, and you should react to problems such as mail loops etc., e.g. by assuming the role of postmaster.

    While most of us /.-ers are technically savvy enough to do this, a whole lot of Windows-PC owners are not. Their machines are constantly being hijacked by viruses, and then they become spam zombies from hell. I can understand why ISPs are reluctant to keep port 25 open to such people. OTOH, I don't like this collective punishment meted out by some ISPs who don't discriminate between responsible and irresponsible users.

    It is quite common for ISPs to block port 25 for dial-up users, but they won't do so if they assign to you a static IP. In most cases, people with static IPs are more responsible (and technically savvy) than Joe Sixpack, and there's often no need to block them. Of course, in an ideal world, the ACLs on ISPs routers would be configured dynamically for every user who logs in. It is easy to implement a whitelist/ blacklist of users and block only those who don't act responsibly, open everything for users who have a good history of fixing bugs or keeping a tight ship, and giving everyone else the benefit of the doubt.

  • by TwinkieStix ( 571736 ) on Wednesday January 28, 2004 @07:23PM (#8118546) Homepage
    In the last myDoom article I posted this [slashdot.org], but it seems relevant in this thread too. Here is a procmail recipe that will work on any Linux mail server that uses procmail, including Postfix, Sendmail, etc. Just add it to your /etc/procmailrc file (may be a different folder, but this is pretty standard). It seems to have stopped all of the myDoom messages from coming in:

    :0 B
    * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
    /dev/null
  • by pfifltrigg ( 689684 ) on Wednesday January 28, 2004 @07:24PM (#8118564) Homepage
    If you would like to watch MyDoom's effect on www.sco.com as we near February 1, have a look at a little tool [64.22.206.199] I cooked up.
  • by Anonymous Coward on Wednesday January 28, 2004 @07:53PM (#8118847)
    Here's a really cool procmail recipe I came across today which includes virus signatures for email-borne payloads...

    http://freshmeat.net/projects/yavr [freshmeat.net]

    Works like a charm
  • by budgenator ( 254554 ) on Wednesday January 28, 2004 @08:09PM (#8119000) Journal
    The linked mailing list at Math.org [math.org.il] reports that the preliminary disassembly shows the worm only resolves the name SCO.com, and is unhappy if the name doesn't resolve. My guess is that having the name resolve shows the worm that an active internet connection exists, without tipping its hand too badly. In test environments the worm didn't attack SCO.com no matter what the computer's date was set to.
  • Let me guess.... (Score:3, Informative)

    by Kjella ( 173770 ) on Wednesday January 28, 2004 @08:16PM (#8119056) Homepage
    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    ...you were going for +1, Funny? I mean this is SCO, the company that never ever makes unfounded allegations, assume there is evidence of a crime where there isn't, deny the facts when they go against their claims or otherwise do anything shady. Of course they'll apologize.

    That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.

    Kjella
  • Re:Way OT (Score:5, Informative)

    by AJWM ( 19027 ) on Wednesday January 28, 2004 @08:53PM (#8119337) Homepage
    Why is the plural of virus viruses? One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii?

    Then why spell it with two 'i's? "Viri" would be correct by your example.

    However, in the original Latin, "virus" is a collective rather than singular noun (eg "snow" vs "snowflake", although the original meaning is more like "slime".) Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium") in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.

    Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".
  • by interiot ( 50685 ) on Wednesday January 28, 2004 @09:24PM (#8119481) Homepage
    Okay, let's go over some of the facts:
    • The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.

    • Norton Antivirus [symantec.com] believes the payload to be an active DDOS against www.sco.com. So does F-Secure [f-secure.com]. So does McAfee [mcafee.com].

    • You can look at the worm yourself [slashdot.org] and verify that it contains references to www.sco.com. Combine this with the fact that the worm is fairly small and is UPX compressed, you can conclude that the worm author took up space with the reference for a reason, either to create conspiracy theories (which would be unprecedented for a worm/virus I believe) or it's actually to DDOS a website (happens all the time with worms/viruses).

    • The partial disassembly [math.org.il] that people have posted so far indicates that the worm does use the www.sco.com address while creating a thread, opening a socket, and sending some data.
    So please, Please, PLEASE, would slashdot posters and moderators stop with the conspiracy theory stuff until someone posts a full disassembly on the internet, and lots of people verify that the analysis is correct. Until then, trying to come up with flamboyant conspiracy theories isn't going to do anything.
  • Quick Poll: (Score:5, Informative)

    by KalvinB ( 205500 ) on Wednesday January 28, 2004 @09:25PM (#8119487) Homepage
    How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

    *raises hand*

    Oh yes, and Hotmail over there.

    These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.

    Ben
  • Re:Ingenious my arse (Score:5, Informative)

    by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Wednesday January 28, 2004 @10:36PM (#8119935) Homepage
    I think they're _stupider_ than that..

    nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address (iirc from 198.137.240.91 to 198.137.240.92), trivially avoiding the DDoS.

    sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certainly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.

    Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.

  • Re:Off Track (Score:4, Informative)

    by Anonymous Coward on Wednesday January 28, 2004 @10:48PM (#8120038)
    Just key stroke loggers?

    Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).

    At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.

    Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.

    And ... try one of the purchase links at www.oem-sale.biz (pirate software - another vector, for if you get this operation's provided software, an operation running on trojaned machines, would you install it?). Say,
    http://www.oem-sale.biz/cgi-bin/order.pl?iid=12&mid=2
    and watch carefully what happens.

    HTTP/1.1 302 Found
    Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid=[varies]&mid=2

    And that gets a new redirection:

    HTTP/1.1 302 Found
    Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[varies]&mid=2&ipaddr=[victim's_IP_address]&ipaddrdc=[tracking_tag]

    One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.

    Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would ... what?

    Continue to do so, as long as they get paid.

    domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars ... well, this has been going on for quite awhile. ICANN has been informed, directi and domaindiscover have been informed and on and on it goes.

    (nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover

    oem-sale.biz, registrar directi.com

    and they know, have been informed over and over and over and over ...)

    If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.

    Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.

    Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
  • by rabidcow ( 209019 ) on Wednesday January 28, 2004 @11:18PM (#8120233) Homepage
    That's not really a good idea if you don't understand the format of Win32 executables and zip files.

    "TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x

    The first two bytes are "MZ", which will be the same on every dos and windows executable (except .com files). Matching against that part gains you nothing. You might as well just block by file extension.

    The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.

    "UEsDBAoAAA" = 50 4B 03 04 0A 00 00 0x

    Again, the first two bytes are a signature, in this case "PK", which identifies it as a zip file. The 03 04 is then a marker to tell it what sort of record follows, best case you're only matching against 3.5 bytes that are actually relevant.
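The disagreement between the forwarded filter post earlier in the thread ("near-bulletproof" MIME signatures) and the reply above (most of each signature is a generic file header) can be settled by decoding the strings. The following is an added example written for this page, not code from either poster: it decodes the two base64 prefixes exactly as given, reports how many bytes they actually pin down, and tests them against a generic MZ DOS header and a minimal zip local file header constructed here. The header field values (the usual Microsoft linker DOS stub constants, zip "version needed" 1.0 vs 2.0) are the ordinary ones for those formats and are not taken from the worm; nothing here claims which tool produced the worm's attachments beyond the bytes the post gives.

```python
"""Added example: decode the two base64 'MIME sigs' from the forwarded post
and test them against generic file headers. The only inputs taken from the
page are the two base64 strings; the sample headers are constructed here."""
from __future__ import annotations

import base64
import struct
import zlib

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The two patterns exactly as given in the forwarded post.
SIG_ZIP = "UEsDBAoAAA"   # meant to catch the zip-wrapped attachment
SIG_EXE = "TVqQAAMAAA"   # meant to catch the bare executable attachment


def decode_base64_prefix(prefix: str) -> tuple[bytes, int]:
    """Decode a base64 prefix that need not end on a 4-character boundary.

    Returns (bytes fully fixed by the prefix, number of leading bits of the
    following byte that are also fixed). Ten characters are 60 bits: seven
    whole bytes plus the high nibble of the eighth, the '0x' in the reply."""
    bits = "".join(format(B64_ALPHABET.index(c), "06b") for c in prefix)
    whole = len(bits) // 8
    data = bytes(int(bits[i * 8:(i + 1) * 8], 2) for i in range(whole))
    return data, len(bits) - whole * 8


def matches(sig: str, payload: bytes) -> bool:
    """What the mail filter does: match the sig against the base64 body.

    This only works because a MIME part starts a fresh base64 run; a single
    leading byte shifts the alignment and the same file no longer matches."""
    return base64.b64encode(payload).decode("ascii").startswith(sig)


def generic_dos_header() -> bytes:
    """First 64 bytes of a typical PE file: the DOS stub header emitted for
    essentially every Windows executable (e_cblp=0x90, e_cp=3, e_crlc=0,
    e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8). Not worm-specific."""
    hdr = struct.pack("<2sHHHHHHHH", b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8)
    return hdr.ljust(60, b"\x00") + struct.pack("<I", 0x80)  # e_lfanew


def zip_local_file(name: bytes, data: bytes, version: int = 10) -> bytes:
    """A minimal zip local file header plus one stored (uncompressed) member.

    version is 'version needed to extract': 10 (1.0) is what the signature
    expects; 20 (2.0) is what many tools write even for stored members."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = struct.pack("<4sHHHHHIIIHH",
                      b"PK\x03\x04", version, 0, 0, 0, 0,  # flags, method, time, date
                      crc, len(data), len(data), len(name), 0)
    return hdr + name + data


def fixed_bytes_report(sig: str, magic: bytes) -> dict:
    """How much of the signature is format magic versus anything else."""
    data, extra_bits = decode_base64_prefix(sig)
    return {
        "hex": data.hex(),
        "extra_bits": extra_bits,
        "starts_with_format_magic": data.startswith(magic),
        "bytes_beyond_magic": len(data) - len(magic),
    }


if __name__ == "__main__":
    for sig, magic in ((SIG_EXE, b"MZ"), (SIG_ZIP, b"PK\x03\x04")):
        print(sig, fixed_bytes_report(sig, magic))
    print("generic EXE trips SIG_EXE:", matches(SIG_EXE, generic_dos_header()))
    print("stored zip v1.0 trips SIG_ZIP:",
          matches(SIG_ZIP, zip_local_file(b"doc.exe", b"x")))
    print("stored zip v2.0 trips SIG_ZIP:",
          matches(SIG_ZIP, zip_local_file(b"doc.exe", b"x", version=20)))
```

Two things fall out. First, any executable with the standard DOS stub trips `SIG_EXE`, and any stored-method zip written with version 1.0 trips `SIG_ZIP`, so the filter is a file-type block with a few extra header bytes, as the reply says. Second, the bytes beyond the magic are header fields the sender controls: repacking with a tool that writes "version needed" 2.0 changes one byte and evades the zip signature entirely, which is worth knowing before calling either pattern a silver bullet.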
