More MyDoom Gloom
fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."
decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."
carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."
Off Track (Score:5, Insightful)
While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:
Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.
McBride interview (Score:5, Insightful)
Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.
I wish all mail admins.. (Score:5, Insightful)
.. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.
Please Remember! (Score:5, Insightful)
It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.
Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:
Remember that your actions count. You are ambassadors of our community.
Re:McBride interview (Score:4, Insightful)
Huh?! (Score:5, Insightful)
What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?
The fallacious logic here astounds me. Wait, no it doesn't.
Linux users (Score:4, Insightful)
I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...
Of course it wasn't some malicious Linux user (Score:5, Insightful)
Re:Not to condone writing worms.... (Score:3, Insightful)
(Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)
Re:Off Track (Score:5, Insightful)
This is, of course, a worst-case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.
Re:Off Track (Score:5, Insightful)
I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.
To say it's because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.
Re:Am I the only one? (Score:3, Insightful)
Re:Off Track (Score:5, Insightful)
It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.
Isn't It Ironic - Don't You Think? (Score:5, Insightful)
Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion: diversifying is necessary to combat worms.
How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:
Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.
At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.
what makes you think that people in Russia (Score:4, Insightful)
Fuck, I'm pissed off more than usually about Slashdot editors.
If you were to read www.linux.org.ru you would notice that the site follows the suit pretty closely, sometimes more so than Slashdot.
Apology? (Score:2, Insightful)
I want to preserve this one and bring it out the next time some moron starts carrying on about how the US is involved in Iraq because of some vague connection that the Bush administration has with oil companies.
Re:Off Track (Score:3, Insightful)
Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.
Re:The ultimate call for group think. (Score:3, Insightful)
Cheers,
Craig
Re:Security could be easily enhanced (Score:5, Insightful)
No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.
MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is set up to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because, surprise, surprise, we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to 1000+ employees scattered over the state 365/7 and smack them every time they try to open some random shiny thing.
And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?
That soundbite of yours starts getting a little hollow now doesn't it?
Social engineering for Sysadmins (Score:4, Insightful)
Just think, you are one of the first hunters to see the virus. You examine the code, and "Damn, they're going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...
They say that it's one of the fastest-spreading viruses to date; perhaps targeting SCO was the bump it needed.
Ingenious my arse (Score:5, Insightful)
DDOS a website that probably gets about 10 interested visitors a day anyway?
Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.
Re:Off Track (Score:2, Insightful)
Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.
Made for themselves?
This is a classic case of blame-the-victim. Someone gets maligned in the press, slandered by corporate greed machines, and somehow this is because of "the reputation [they] made for themselves?"
I suppose your next line will be that they were "just asking for it" because of the way they were dressed.
-- MarkusQ
Re:Please Remember! (Score:2, Insightful)
I'm glad that SCO got DDOS'd, they're bastards and deserve it.
There's nothing wrong with this imo.
What I think IS a problem, is you trying to make it seem like OSS is one big community where everyone has the same opinions and they all move in the same direction.
I should be able to say "fuck SCO" all day long and have it have nothing to do with the fact I use OSS. But then you start making it seem that liking OSS is some kind of religion that governs all my actions.
I use Linux cos it has the tools I need. I use Firebird because it's a fantastic browser. I say "fuck SCO" cos they're full of BS. Get over it.
I'm tired of this... (Score:4, Insightful)
A header from the most recent example:
Received: from [200.223.39.59] (helo=writeopen.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlqLU-0007Hx-48
for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500
RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).
I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.
Re:A million zombied machines for anyones use (Score:4, Insightful)
Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.
Who Said It'll Attack SCO? & A FUDworm? (Score:4, Insightful)
If it turns out that the DDOS payload is inert:
Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)
If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.
Re:Off Track (Score:2, Insightful)
Re: Please Remember! (Score:4, Insightful)
I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.
Most resource-efficient way to deal with this (Score:3, Insightful)
The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.
My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.
For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:
Le Groupe Videotron Ltee VL-2BL
24.200.0.0 - 24.203.255.255
The easy thing to do is put 4 lines in my
Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.
Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.
Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.
Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.
If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.
The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most heinous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
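The netblock policy described in the post above, and the Received: header quoted in the "I'm tired of this..." post further up, can both be exercised with a small script. This is an added example, not code from the thread or from any ISP: the Videotron range is the one the post quotes (24.200.0.0 - 24.203.255.255 is 24.200.0.0/14); the 200.223.0.0/16 block and the whitelisted host 24.201.10.5 are constructed so the sample header matches. Only the top-most Received: line, the one your own MTA wrote, is trusted for the connecting address; lines below it were supplied by the sender and can be forged.

```python
import ipaddress
import re
from typing import Optional

# Netblocks assumed to be consumer (DUL-style) address space that should not be
# running its own SMTP relay. The first is the Videotron range quoted in the post;
# the second is constructed so that the sample header below matches.
DUL_BLOCKS = [
    ipaddress.ip_network("24.200.0.0/14"),   # 24.200.0.0 - 24.203.255.255
    ipaddress.ip_network("200.223.0.0/16"),  # constructed for the example
]

# Hypothetical whitelist: a host inside a DUL block whose operator asked for access.
WHITELIST = {ipaddress.ip_address("24.201.10.5")}

# Matches the bracketed literal in "Received: from [a.b.c.d] (helo=...)" as in the
# post, and the "from host (host [a.b.c.d])" form many MTAs produce.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_lines(headers: str) -> list[str]:
    """Unfold continuation lines and return the Received: fields, top to bottom."""
    unfolded: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # folded continuation of previous field
        else:
            unfolded.append(line)
    return [l for l in unfolded if l.lower().startswith("received:")]


def connecting_ip(headers: str) -> Optional[str]:
    """IP of the peer that delivered the mail to us: taken from the top-most
    Received: line, because that one was written by our own MTA. Anything below
    it is sender-supplied and untrusted."""
    lines = received_lines(headers)
    if not lines:
        return None
    m = _RECEIVED_IP.search(lines[0])
    return m.group(1) if m else None


def classify(ip: str) -> str:
    """Block-by-netblock policy with a small whitelist, as the post describes."""
    addr = ipaddress.ip_address(ip)
    if addr in WHITELIST:
        return "accept-whitelisted"
    if any(addr in block for block in DUL_BLOCKS):
        return "reject-dul"
    return "accept"


# The header quoted in the "I'm tired of this..." post, used here as sample input.
SAMPLE_HEADERS = """Received: from [200.223.39.59] (helo=writeopen.com)
\tby mailforward.freeparking.co.uk with esmtp (Exim 4.24)
\tid 1AlqLU-0007Hx-48
\tfor brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500
Subject: constructed sample
"""

if __name__ == "__main__":
    peer = connecting_ip(SAMPLE_HEADERS)
    print(peer, "->", classify(peer))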
Re:Ingenious my arse (Score:3, Insightful)
Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.
Now imagine a worm that spreads fast (flood-scan the local
That's the worst virus I can think of.
Re:Off Track (Score:5, Insightful)
Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.
Common sense lacking in virus writers? (Score:2, Insightful)
Port 25 blocking (Score:4, Insightful)
That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.
Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout was a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISP's SMTP server.
I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.
For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought they were some guru, but usually had no clue. My point: if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messed up copy of enduroo.
Back to the topic at hand, there is no excuse for any ISP who houses an SMTP server to allow its customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.
I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.
Re:Off Track (Score:2, Insightful)
As far as being off track (not unlike this virus plural rot in a story about a worm) wouldn't it be funny to have someone claim SCO's $250,000 bounty for a worm that never would have caused them harm?
Re:Port 25 blocking (Score:5, Insightful)
As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.
Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accommodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy -- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.
~Philly
Re:Way OT (Score:3, Insightful)
"English"
oh. Wow. English != Latin.
Just because a word is wrong in Latin doesn't make it wrong in English. New words are made up every day and accepted into normal speech. Most of these words don't have Latin roots.
More specifically, a word is only a phonetic way of transferring information. If a significant number of people use a word and know what it means, that word has correctly transferred this information, and therefore is correct regardless of whether some anal language nazi thinks so.
I always have and always will say Virii. Most people I know say Virii. Therefore, Virii IS a valid word, even if it is only slang, like Boxen or scr1pt k1dd33.
Thank you and goodnight.
Re:Port 25 blocking (Score:3, Insightful)
Re:Off Track (Score:2, Insightful)
My reasons for thinking this are:
1) For every 100 linux users, I suspect that ~40% of them are people that are currently "dabbling" in linux. These users are as new to linux as "Grandma Gertrude" is to Windows.
2) Of the 100 linux users mentioned, I would guess that ~75% have never done more than glanced at the source code for any given program, much less the kernel. Give these users two pieces of code to run. They are just as likely to run the "bad code" as they are the "good code".
3) I think most would agree that the linux kernel is "safer" than a Windows system. But what about all the programs that get installed on top of (over?) the linux kernel? Many reports are released daily about buffer overflows, etc. that affect these programs. Taking the hypothetical 100 linux users I mention above, I would venture that at most 25% of these people apply the patches in a reasonably short time frame.
4) Windows is targeted because it is common. The structure/implementation of Windows "probably" lends itself to the ease of compromising it. However, I venture the guess that a sufficiently motivated malware author (notice I didn't say hacker) could construct an exploit that would cripple many of the linux boxes owned by the people that I mention in 1, 2, and 3.
All I'm really saying is: The Linux Community should make sure it doesn't say, "Bring it on!" Because, the bad guys WILL.