More MyDoom Gloom 730
fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."
decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."
carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."
For profit? (Score:3, Interesting)
Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."
Security could be easily enhanced (Score:3, Interesting)
Proof of who's lying (Score:5, Interesting)
So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating
It's interesting (Score:3, Interesting)
With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?
Not to condone writing worms.... (Score:3, Interesting)
Does Andy work at SCO (Score:5, Interesting)
Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator
My tinfoil hat says it's some poor guy at SCO!
Patch patch scratch and lose (Score:3, Interesting)
Oh what a relief it is
Eventually, that might not help. (Score:3, Interesting)
Further more, universal binaries like those associated with Java or
Maybe diversifying will help a little for a short while, but the real solution to this problem is to write better code.
Re:Does Andy work at SCO (Score:2, Interesting)
Re:I wish all mail admins.. (Score:5, Interesting)
I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.
On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.
Re:Block port 25? (Score:3, Interesting)
the virus dies if www.sco.com dies (Score:0, Interesting)
"only activity I can get it to perform related
to www.sco.com is to resolve the name. In fact,
it seems very unhappy if it cannot resolve
www.sco.com. Once it can, it happily scans
local files for anything that can be construed
(very loosely) as a domain and tries to resolve
mail servers based on these."
So, rather than being a DDOS, this worm/virus
essentially says "take down www.sco.com or else".
Taking down www.sco.com is Darl's responsibility.
Will he do it to stop the worm? If he doesn't,
can be be said to support the worm?
Re:Off Track (Score:2, Interesting)
Except-
The SCO DOS attack (geez, the TLAs are bumping and grinding today) suggests the pro-Linux link. Does any other faction have a beef with Darl?
Re:In addition, not instead of (Score:1, Interesting)
Maybe it is a confession of the author that he was hired by somebody?
Re:It's another case against OS monoculture (Score:4, Interesting)
http://www.virusbtn.com/magazine/archives/200312/
written by someone who actually knows a little about malicious mobile code
Re:I wish all mail admins.. -bah! (Score:3, Interesting)
A nice guy on the FreeBSD Mail-Toaster list put out a good script..
I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file:
123.123.17.50:allow,RBLSMTPD="-VIRUS SOURCE Please check your computer for infections"
IP obfuscated to protect the guilty
How about that? You only get your mail bounced, with a virus warning if your IP (sure dial-up _could_ be hit - but I'm a standalone email provider) sent a virus through my system in the last day.
Re:Why is this an issue? (Score:3, Interesting)
1. Nowadays your average computer user is a moron.
I'm sure you and everyone else knows some hopeless PC user who uses Outlook, can't help but click on some attachment, believes everything they read online, or does not patch their Windows on a regular basis. All it takes is a few of these n00bs to make life miserable for others in one form or another.
2. Filtering on the client side doesn't really address the larger problem of these scripts consuming *tremendous* amounts of bandwidth, network and system resources.
If you're an end-user, you can't appreciate how much fun it is to manage a server that is getting hammered with this crap. Even if you block it out, you still have to deal with reduced performance and limited bandwidth available to all your users because of yet another unpatched MS hole or irresponsible ISP.
And of course, whenever there's another announcement of a "virus" every person with a PC who can't get it to work right is convinced that the "virus" is the culprit.
Mydoom generates it's own recipients (Score:3, Interesting)
The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
I've also noticed that some of the "senders" are constructed the same way.
Possible test version hitting me. Anybody else? (Score:5, Interesting)
This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)
I've been watching this and running analyses since it became obvious something was up and have posted an incident report [fourmilab.ch] page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.
I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).
Has anybody else seen this kind of traffic hitting their sites?
needs re-thinking (Score:5, Interesting)
Firstly, he attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.
The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.
Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.
Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.
Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.
I think the REAL reason for this worm, was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targetting Microsoft. I still think the original motive remains the same.
Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.
People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurence of this worm. Industrial espionage has been around for a long-time, and we know that it happens. What's to prevent it worms or viruses being used in industrial espoinage? Especially when the internet is a lot more relevant to businesses today.
Version 2 commentary (Score:5, Interesting)
According to Symantec [symantec.com], this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.
Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
Re:Proof of who's lying (Score:2, Interesting)
Re:Off Track (Score:2, Interesting)
"There's an arsonist running loose, and he keeps stepping on people's flowers as he runs away. Oh, the poor flowers. Won't somebody think of the flowers....."
Re:Does Andy work at SCO (Score:3, Interesting)
Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by parties unknown, and b) included a colleague's email in the spoof list, perhaps by mistake.
So the question is, will Andy, whoever he is, get pissed off enough to turn his colleague in for the $250,000 reward posted by SCO and turn over a new leaf? /tinfoil Assuming he's not working for SCO of course. /tinfoil
Re:I don't find the fast reactions unbelievable... (Score:4, Interesting)
Some VT students who have been here longer said they've received the virus on average twice per minute for the last 36 hours. Ouch? Dumb user, no doubt, but I wouldn't yet conclude that it was some mission critical machine that was comprimised.
Wouldn't it be ironic... (Score:2, Interesting)
This is of course an unlikely situation since if it was discovered SCO was behind the worm then it would all be over for the company. However, it is an interesting thought...
Re:Off Track (Score:1, Interesting)
SCO got more publicity today than it has in months at a time when their case was running out of steam.
Their stock also went up a couple of times today before the whole market took a dive.
my amazement is beyond comprehension (Score:5, Interesting)
It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.
This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.
Re:Off Track (Score:2, Interesting)
Re:Off Track (Score:5, Interesting)
Regards,
Steve
BBC let SCO vent Linux FUD unchallenged (Score:5, Interesting)
I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the groklaw.net website as well.
I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.
Re:Why OT (Score:2, Interesting)
Anybody else notice (Score:2, Interesting)
Re:Off Track (Score:3, Interesting)
In my opinion it might be acceptable to use "virii" for computer viruses. If we can pluralize "box" as "boxen", why not. But it's definitely not the standard plural of "virus".