Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security Bug Operating Systems Software Windows

More MyDoom Gloom 730

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward" The link also includes disassembly and analysis of the worm code."

This discussion has been archived. No new comments can be posted.

More MyDoom Gloom

Comments Filter:
  • Off Track (Score:5, Insightful)

    by andyrut ( 300890 ) on Wednesday January 28, 2004 @06:05PM (#8117503) Homepage Journal
    It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were throw off the law enforcement officials who might look for the culprit in the Linux community.

    While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

    Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
    MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.
    • Re:Off Track (Score:5, Insightful)

      by B'Trey ( 111263 ) on Wednesday January 28, 2004 @06:24PM (#8117803)
      It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of it's progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

      This is, of course, a worse case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.
      • by pegr ( 46683 ) * on Wednesday January 28, 2004 @06:51PM (#8118175) Homepage Journal
        I certainly hope the author wasn't a Linux zealot trying to harm SCO.

        Especially when they're doing such a fine job all by themselves! ;)
      • Re:Off Track (Score:5, Insightful)

        by vanyel ( 28049 ) * on Wednesday January 28, 2004 @08:00PM (#8118917) Journal
        I certainly hope the author wasn't a Linux zealot trying to harm SCO.

        Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

      • by budgenator ( 254554 ) on Wednesday January 28, 2004 @08:09PM (#8119000) Journal
        The linked mailing-list at, [] reports the preliminary disassembly show that the worm only resolves the name, and is unhappy if the name doesn't resolve. My guess is that have the name resolve shows the worm that an active internet connection exists, with out tipping it's hand too badly. In test environments the worm didn't attact no matter what the computer's date was set to.
      • Re:Off Track (Score:5, Interesting)

        by LnxAddct ( 679316 ) <> on Wednesday January 28, 2004 @10:14PM (#8119807)
        Why is everybody looking at this so negatively? I've got tons of people finally talking to me about what this Linux thing is that they've heard me mention and that they saw in the news paper today. In the past 3 days I've gotten probably about 40 people interested in Linux who had never known about it before. Most are corporate types too. These are people that barely know what a harddrive is for, and here I am explaining not only what Linux is, but the whole Open Source movement and how great it is. This is great publicity! Didn't anyone ever hear "Any publicity is good publicity." ? The media finally has their story straight about what scum SCO is and I'm seeing Linux on the front page of my local newspaper ! This is great for the community. Linux is in the press and the media is making a mockery of SCO, and people are finally interested in Linux that never would have been before. And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.
    • Re:Off Track (Score:5, Insightful)

      by FortKnox ( 169099 ) on Wednesday January 28, 2004 @06:26PM (#8117823) Homepage Journal
      Target Microsoft systems and leave Linux machines alone.

      I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.

      To say its because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.
    • Re:Off Track (Score:5, Insightful)

      by southpolesammy ( 150094 ) on Wednesday January 28, 2004 @06:33PM (#8117923) Journal
      As I said a couple of days ago [], the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

      It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.
      • Stawin-A Trojan (Score:5, Informative)

        by sharp-bang ( 311928 ) <> on Wednesday January 28, 2004 @07:00PM (#8118281) Homepage
        Sophos [] has intercepted a new trojan called Troj/Stawin-A [] that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.
      • Re:Off Track (Score:4, Informative)

        by Anonymous Coward on Wednesday January 28, 2004 @10:48PM (#8120038)
        Just key stroke loggers?

        Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS,, spamhaus, etc.).

        At least one (Russian) operation is still doing this. Check where the nameservers for are. Check where the host is. All on home user machines.

        Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.

        And ... try one of the purchase links at (pirate software - another vector, for if you get this operation's provided software, an operation running on trojaned machines, would you install it?). Say, =12&mi d=2
        and watch carefully what happens.

        HTTP/1.1 302 Found
        Location: [varies]&mid=2

        And that gets a new redirection:

        HTTP/1.1 302 Found
        Location:[v aries]&mid=2&ipaddr=[victim's_IP_address]&ipaddrdc =[tracking_tag]

        One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.

        Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would ... what?

        Continue to do so, as long as they get paid.

        domaindiscover and are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars ... well, this has been going on for quite awhile. ICANN has been informed, directi and domaindiscover have been informed and on and on it goes.

        (nameservers running on hacked systems in the domain registrar domaindiscover, registrar

        and they know, have been informed over and over and over and over ...)

        If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.

        Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.

        Folks over in are fed up with and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
    • Re:Off Trek (Score:5, Funny)

      by NanoGator ( 522640 ) on Wednesday January 28, 2004 @06:42PM (#8118055) Homepage Journal
      "It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible..."

      I wouldn't rule out Romulan involvement.
      • by Snork Asaurus ( 595692 ) on Wednesday January 28, 2004 @07:06PM (#8118344) Journal
        Earth has really been pissing Mars off lately:

        1) Earth landed a multi-ship advance scouting party on Mars this month

        2) An earth leader with a track record for aggression speculated in a speech about the resources that might be plundered from Mars

        3) Earth announced that it was preparing a full scale manned invasion of Mars by 2050

        4) SCO sent a letter demanding payment to Martian citizen Marvin, just in case he uses Linux in his Space Modulator

    • Re:Off Track (Score:3, Insightful)

      by Junks Jerzey ( 54586 )
      It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...

      Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.
    • Because I'm sure framing someone else is such an ingenious origninal idea. Now if someone made a virus that changed your background to a picture of the man, well that would truely be ingenious.
      • Totally OT (Score:4, Funny)

        by back_pages ( 600753 ) <{ten.xoc} {ta} {segap_kcab}> on Wednesday January 28, 2004 @07:59PM (#8118913) Journal
        when I was an undergrad, a fun way for my friends and myself to amuse ourselves was to get really drunk (this makes it more amusing) and then cruise the schools intranet for dopes who had shared their entire hard drives on the network. We would do all sorts of bad things, but the best was defacing a person's Internet Explorer wallpaper.

        In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.) We would grab that file and take a peek. If they had an image suitable to be defaced, we would draw mustaches on everyone and draw little cartoon baloons saying stuff like, "UR COMPUTAR HAS EBOLA!!11" and then overwrite their copy of the file. If they had a stupid background, we'd find something funny to give them.

        Between the sorely juvenile humor and the liquor, it was completely hilarious to us at the time. I was even called by the school's Computer Support Desk at one time to see if I knew anything about the rare computer virus the student computers had. And before anybody points out how childish and potentially criminal this was, let me say that it was childish and potentially criminal. We just screwed with people's wallpapers but we could have remotely deleted their entire hard drives. Educating the masses about computer security is a difficult task, but goddamn if drawing mustaches on people isn't funny.

    • by ericspinder ( 146776 ) on Wednesday January 28, 2004 @06:53PM (#8118204) Journal
      Throwing the authorities off-track might have been the idea, but I think that it JUST MIGHT have been an attempt at social engineering aimed at the sysAdmins and virus hunters.

      Just think, you are one of the first hunter to see the virus. You examine the code, and "Damn, their going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...

      They say that it's one of the fastest spreading Virus to date, perhaps targeting SCO was the bump it needed.

    • Ingenious my arse (Score:5, Insightful)

      by Chuck Chunder ( 21021 ) on Wednesday January 28, 2004 @06:55PM (#8118221) Homepage Journal
      Didn't blaster target the wrong address [] for Windows Update?

      DDOS a website that probably gets about 10 interested visitors a day anyway?

      Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.
      • by zcat_NZ ( 267672 )
        and then nukes the system it's living on..

        Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.

        Now imagine a worm that spreads fast (flood-scan the local /16 plus a few random IP's outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all th
  • McBride interview (Score:5, Insightful)

    by BWJones ( 18351 ) * on Wednesday January 28, 2004 @06:06PM (#8117512) Homepage Journal
    I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

    • by vladkrupin ( 44145 ) on Wednesday January 28, 2004 @06:10PM (#8117570) Homepage
      I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.
    • by haystor ( 102186 ) on Wednesday January 28, 2004 @06:10PM (#8117583)

      The virus is closed source and runs on Windows. It clearly has nothing to with the GNU/Linux.

      Hehe, insert joke about BSD catching a virus...
      • by commodoresloat ( 172735 ) on Wednesday January 28, 2004 @06:46PM (#8118104)
        Greetings. You have been infected with GNU/MyDoom, a destructive anti-SCO virus brought to you by members of the open source community. In order to get this virus to infect your system properly, you will need to use wget to download mydoom-config-2.4.6 from one of the usual mirrors. Be careful; this version of the virus is not compatible with versions of mydoom-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./configure; make; make install), you can configure the virus from any directory simply by typing sudo mydoom-config -ort [your login id] [your current IP address] [full path to your email client] [interval since last kernel rebuild in seconds]. This virus is licensed under the GPL. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/mydoom and all your config files are stored at ~/.mydoom.

        p.s. yes, it's an old joke, but still, you know you laughed....

      • This one? (Score:4, Funny)

        by ebbomega ( 410207 ) on Wednesday January 28, 2004 @06:55PM (#8118223) Journal
        To: Luser (
        From: Hax0r (
        Subject: *nix virus

        This is the only known Virus that works on all *nix systems. Please forward this to everybody on your list and delete all the files on your harddrive. Thank you.

        (Or something to that effect)
      • You may modify and redistribute this virus however often you like, so long as you include the source code. If you do not share the source code, you may not redistribute this virus.

        Sounds like a pretty sweet deal to me. No wonder Linux systems aren't hit very often; viruses violate the GPL.
    • SCO is the dark side of the open source movement.
      Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."
    • by doug ( 926 )
      SCO is the back side of the open source movement.
    • Re:McBride interview (Score:5, Informative)

      by ananke ( 8417 ) on Wednesday January 28, 2004 @06:30PM (#8117889)
      Ironically, open source seems to be helping to stop that. Here's my story:

      I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.

      Thanks to open source, we were able to prevent from contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.
  • by Eyah....TIMMY ( 642050 ) * on Wednesday January 28, 2004 @06:06PM (#8117517)
    It was covered [] last week.

    Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

    Here's a presentation [] (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall [] at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.
    • Many worms nowadays are capable of traveling along multiple protocols and containing multiple payloads. Of course, worm writers generally don't bother because there are indeed far more copies of Windows out in the wild than anything else. However, if we began to see a more substantial plurality of OSes, I suspect multiple-architecture worms would become more common place; just pick your favorite exploit from each os, and make a separate payload for each. The worm might double or triple in size (depending
    • by BigBlockMopar ( 191202 ) on Wednesday January 28, 2004 @06:34PM (#8117931) Homepage

      Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.

      How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:

      • promotes the very monoculture about which he speaks (noting that Microsoft doesn't offer a PowerPoint reader for Linux)
      • allows the embedding of executable content which could be (and has been) used to carry malicious code

      Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.

      At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.

    • by sheriff_p ( 138609 ) on Wednesday January 28, 2004 @06:48PM (#8118125)
      You can read a good rebuttal against the 'MONOCULTURE IS DEATH' argument here: onoculture.xml []

      written by someone who actually knows a little about malicious mobile code :-)
  • For profit? (Score:3, Interesting)

    by spun ( 1352 ) <> on Wednesday January 28, 2004 @06:07PM (#8117525) Journal
    You mean, a big bag of money showed up on some spammer's doorstep with a note promising much more if a DDoS against is included in the next release?

    Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."
  • by Anonymous Coward
    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users.

    We'll get right on that!

    The Mass Media.
  • by allism ( 457899 ) <> on Wednesday January 28, 2004 @06:07PM (#8117537) Journal
    The B variant [] targets both Microsoft and SCO.
  • by CGP314 ( 672613 ) <CGP AT ColinGregoryPalmer DOT net> on Wednesday January 28, 2004 @06:09PM (#8117553) Homepage
    place where nobody gives a wet slap

    Anyone care to clarify what a wet slap is?

    In London? Need a Physics Tutor? []

    American Weblog in London []
  • by grub ( 11606 ) <> on Wednesday January 28, 2004 @06:09PM (#8117554) Homepage Journal

    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.
    • Bravo! (Score:5, Funny)

      by Dman33 ( 110217 ) on Wednesday January 28, 2004 @06:14PM (#8117654)
      Not to mention all of the scared users calling the helpdesk insisting that they are infected.

      "Dude, you are using PINE! You are NOT infected!!!"
    • by forevermore ( 582201 ) on Wednesday January 28, 2004 @06:34PM (#8117945) Homepage
      would TURN OFF those blasted "Your mail has a virus!" auto-replies

      I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.

      On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.

    • .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

      A nice guy on the FreeBSD Mail-Toaster list put out a good script..

      I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file:,RBLSMTPD="-VIRUS SOURCE Please check your computer for infections"
      IP obfuscated to protect the guilty

      How about that? You only get your mail bounced, with a virus warning if your IP (sure

  • by Samuel Duncan ( 737527 ) on Wednesday January 28, 2004 @06:09PM (#8117555) Journal
    Two steps:
    • Make bad system adminstrators personally responsible for the damages they create by not fixing security holes.
    • Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson.
    • by Flower ( 31351 ) on Wednesday January 28, 2004 @06:53PM (#8118200) Homepage

      No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

      MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is setup to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them everytime they try to open some random shiny thing.

      And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

      That soundbite of yours starts getting a little hollow now doesn't it?

  • Proof of who's lying (Score:5, Interesting)

    by Saven Marek ( 739395 ) on Wednesday January 28, 2004 @06:09PM (#8117557)
    I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward" The link also includes disassembly and analysis of the worm code."

    So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating
  • Please Remember! (Score:5, Insightful)

    by Bruce Perens ( 3872 ) * <> on Wednesday January 28, 2004 @06:09PM (#8117559) Homepage Journal
    Excerpted from [], this bears repeating.

    It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

    Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

    • Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
    • Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
    • Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at [] and elsewhere, and explain to them your own experience as a participant in the Free Software community.
    • Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. [] is an excellent example of how to carry this out.
    • Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

    Remember that your actions count. You are ambassadors of our community.

  • It's interesting (Score:3, Interesting)

    by nil5 ( 538942 ) on Wednesday January 28, 2004 @06:09PM (#8117564) Homepage
    if this is not a more effective form of economic terrorism, I don't know what is. These worms seem to cost US companies millions if not billions of dollars, and they're probably not so difficult to develop either.

    With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?
  • by phaetonic ( 621542 ) on Wednesday January 28, 2004 @06:11PM (#8117600)
    Wouldn't it be ironic if a worm were to DDoS slashdot.

  • by Coocha ( 114826 ) <coocha@vt. e d u> on Wednesday January 28, 2004 @06:12PM (#8117608) Homepage
    ... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiences unheard-of downtimes as well.
  • Definitions are available currently

    According to the official site [] (at 5:00 EST) there are still no ClamAV defs available for the .b variant of this worm (affectionately known as Worm.SCO.*).

    Does anyone know where I can grab (and submit) a signature...or a copy of it (without waiting for it to trickle into a user's mailbox)?

  • Huh?! (Score:5, Insightful)

    by pclminion ( 145572 ) on Wednesday January 28, 2004 @06:12PM (#8117614)
    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

    The fallacious logic here astounds me. Wait, no it doesn't.

  • Linux users (Score:4, Insightful)

    by gid13 ( 620803 ) on Wednesday January 28, 2004 @06:13PM (#8117636)
    From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...
  • by jaymzter ( 452402 ) on Wednesday January 28, 2004 @06:13PM (#8117639) Homepage
    A report [] covering F-Secure's work on the virus reveals this interesting comment imbedded in the virus:

    Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator

    My tinfoil hat says it's some poor guy at SCO!
    • A couple of thoughts leapt to mind about that. Firstly the comment is in English, and the name is in English (Andre[i] would be the Russian equivalent) which kind of implies an English speaking author, despite the first capture being in Russia. Using compromised box(es) to initiate the spread of the worm would be a fairly obvious step to cover ones tracks.

      Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by

  • by Leroy_Brown242 ( 683141 ) on Wednesday January 28, 2004 @06:15PM (#8117672) Homepage Journal

    I've said it a thousand times.

    1. Mutt []
    2. Spamassassin []
    3. Greylisting []
    4. Profit!

    If it weren't for /., I'd have never noticed.

  • by dupper ( 470576 ) <> on Wednesday January 28, 2004 @06:16PM (#8117683) Journal
    All right, it's clearly one of us. 'Fess up, J. Random Slashdotter.

    Also, you forgot to make an RIAA variant, dumbass!

  • by RobinH ( 124750 ) on Wednesday January 28, 2004 @06:17PM (#8117698) Homepage
    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    That sounds like terrorist speak to me. Thanks to recent legislation, anyone running Linux can now be 'detained' indefinitely without evidence. God bless Micro^H^H^H^H^H^H America.
  • by bogie ( 31020 ) on Wednesday January 28, 2004 @06:17PM (#8117700) Journal
    This was some criminal capitalizing on the Hot topic of the Linux vs SCO debate. If this worm has targeted the site you've have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.
  • by Saint Aardvark ( 159009 ) * on Wednesday January 28, 2004 @06:18PM (#8117717) Homepage Journal
    From a posting on the SecurityFocus Incidents mailing list []:

    ------- Forwarded message follows -------
    From: lsi <stuart cyberdelix net>
    To: focus-virus securityfocus com
    Subject: how to filter the Novarg virus
    Send reply to: stuart cyberdelix net
    Date sent: Wed, 28 Jan 2004 17:35:57 -0000

    I have devised a near-bulletproof Novarg filter.

    The following regular expressions trap this virus dead, no matter
    what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]

    If expression body matches "TVqQAAMAAA*" Move
    [virus folder]

    This is because the worm is in fact the same program with many
    disguises. However the program looks the same when encoded with
    MIME. Therefore, the above are basically 'MIME sigs' which work just
    like a virus signature in a regular virusscanner.

    So to find it we merely filter on the MIME strings above, which are
    the first 10 bytes of the MIME content section.

    For users without enterprise-class content filters (such as me),
    these two regexp's work like a silver bullet.

    (That two different sigs are required suggests there are two versions
    of the virus in circulation.)

    No silver bullet for auto-notification messages, unfortunately :(


    ------- End of forwarded message -------
    • That's not really a good idea if you don't understand the format of Win32 executables and zip files.

      "TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x

      The first two bytes are "MZ", which will be the same on every dos and windows executable (except .com files). Matching against that part gains you nothing. You might as well just block by file extension.

      The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.

  • by djupedal ( 584558 ) on Wednesday January 28, 2004 @06:19PM (#8117731)
    OS for me...all go to the trash.

    Oh what a relief it is :)
  • by meshko ( 413657 ) on Wednesday January 28, 2004 @06:34PM (#8117942) Homepage
    do not follow the SCO lawsuite?
    Fuck, I'm pissed of more than usualy about Slashdot editors.
    If you were to read you would notice that the site follows the suite pretty closely, sometimes more so than Slashdot.

  • by cant_get_a_good_nick ( 172131 ) on Wednesday January 28, 2004 @06:42PM (#8118056)
    A couple days ago, a local televisions station (Fox 32 Chicago) had a 20 second blurb on the worm. It said there was a new computer virus around. The picture? Apple iMac. At least it was the newer iMac, I'm surprised they didn't put a IIci on there.

    The blurb had no information on what to do. Didn't say it was an MS virus, didn't say to go to any website to see what you could do. Just announced "another virus". Waste of time.
  • by codepunk ( 167897 ) on Wednesday January 28, 2004 @07:00PM (#8118284)
    Read the following....extremely scary....

    Listens on port 3127; accepts a maximum of 3 connections
    at a time. If the first byte of the recieved data is
    0x85, the DLL skips the next byte, then compares the next
    dword read to 133C9EA2h; if this is true, it accepts
    the executable from the sender, downloads it to a temp
    file/directory and runs it.
  • by verbatim ( 18390 ) on Wednesday January 28, 2004 @07:02PM (#8118306) Homepage
    I'm getting hundreds of these cute "you've got a virus" warning from mail servers around the world. They're all the same - We've found an infection in an email from you... except when you look at the headers of the original e-mail, it is plain as day that the e-mail never went through my mail server and just forged the e-mail address.

    A header from the most recent example:

    Received: from [] (
    by with esmtp (Exim 4.24)
    id 1AlqLU-0007Hx-48
    for; Wed, 28 Jan 2004 09:07:08 -0500

    RAWR. I mean, seriously. RAWR. ( is, btw).

    I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.
  • by DynaSoar ( 714234 ) on Wednesday January 28, 2004 @07:13PM (#8118429) Journal
    Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward" The link also includes disassembly and analysis of the worm code."

    If it turns out that the DDOS payload is inert:

    Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)

    If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.

    • Okay, let's go over some of the facts:
      • The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.
      • Norton Antivirus [] believes the payload to be an active DDOS against So does F-Secure []. So does McAfee [].
      • You can look []
  • by Net_Wakker ( 576655 ) <puddingdepot@yahoo . c om> on Wednesday January 28, 2004 @07:18PM (#8118490)
    Email for my domain is wildcarded, so it really doesn't matter that much what's in front of the @ and I'll get it.
    The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
    I've also noticed that some of the "senders" are constructed the same way.
  • by John Walker ( 68738 ) on Wednesday January 28, 2004 @07:18PM (#8118493) Homepage
    In the discussion cited [] in the main article, the observation is made from disassembly of the payload:

    Nicolas Brulez:
    from my quick and dirty analysis, its a thread that does the DDOS.
    It has below normal priority, and it just does a GET.

    GET / HTTP/1.1\r\nHost:\r\n\r\n"

    This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously, not at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)

    I've been watching this and running analyses since it became obvious something was up and have posted an incident report [] page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.

    I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).

    Has anybody else seen this kind of traffic hitting their sites?
  • needs re-thinking (Score:5, Interesting)

    by aca ( 442822 ) on Wednesday January 28, 2004 @07:19PM (#8118506)
    In my opinion, I don't think it was a Linux fan that caused it.

    Firstly, he attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.

    The exploit however was quite creative. It was multi-faceted, even doing a DDOS on ''.

    Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.

    Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.

    Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.

    I think the REAL reason for this worm, was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targetting Microsoft. I still think the original motive remains the same.

    Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.

    People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurence of this worm. Industrial espionage has been around for a long-time, and we know that it happens. What's to prevent it worms or viruses being used in industrial espoinage? Especially when the internet is a lot more relevant to businesses today.
  • Version 2 commentary (Score:5, Interesting)

    by WebGangsta ( 717475 ) on Wednesday January 28, 2004 @07:22PM (#8118544)
    By now you probably have heard that there's a new version (MyDoom.B) that is also making it's way across the Internet, this time supposedly targeting Microsoft.

    According to Symantec [], this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.

    Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?

  • by mabu ( 178417 ) on Wednesday January 28, 2004 @07:35PM (#8118685)
    I recommend that other ISPs do what we're doing to deal with this. The problem with using content-based filtering is that it constantly needs updating and still costs you bandwidth and system resources.

    The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.

    My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.

    For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:

    Le Groupe Videotron Ltee VL-2BL -

    The easy thing to do is put 4 lines in my /etc/mail/access file to block those 4 class Bs, and bingo... I've shut out more than 250,000 IPs from sending me spam or worms. I modify the error message to redirect inquiries to a web page with a form that legitimate users can use to whitelist their IP/relay.

    Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.

    Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.

    Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.

    Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.

    If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.

    The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most-henous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
  • Let me guess.... (Score:3, Informative)

    by Kjella ( 173770 ) on Wednesday January 28, 2004 @08:16PM (#8119056) Homepage
    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." were going for +1, Funny? I mean this is SCO, the company that never ever makes unfounded allegations, assume there is evidence of a crime where there isn't, deny the facts when they go against their claims or otherwise do anything shady. Of course they'll apologize.

    That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.

  • by CAIMLAS ( 41445 ) on Wednesday January 28, 2004 @08:29PM (#8119153) Homepage
    I can't believe this worm has been remotely successful. It's hard to believe that so many people are so incredibly stupid.

    It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.

    This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.
  • Quick Poll: (Score:5, Informative)

    by KalvinB ( 205500 ) on Wednesday January 28, 2004 @09:25PM (#8119487) Homepage
    How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

    *raises hand*

    Oh yes, and Hotmail over there.

    These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.

  • Port 25 blocking (Score:4, Insightful)

    by Awptimus Prime ( 695459 ) on Wednesday January 28, 2004 @09:29PM (#8119514)
    decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

    That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.

    Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout were a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISPs smtp server.

    I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.

    For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought thought they were some guru, but usually had no clue. My point, if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messe d up copy of enduroo. ;-)

    Back to the topic at hand, there is no excuse for any ISP who houses an smtp server to allow it's customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.

    I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.
    • by phillymjs ( 234426 ) <slashdot AT stango DOT org> on Wednesday January 28, 2004 @10:44PM (#8119994) Homepage Journal
      Most of the spam I get these days comes from SMTP-trojaned Windows boxes sitting on consumer broadband networks.

      As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.

      Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accomodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy-- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.

    • And for those that need Sendmail/qmail/Postfix/whatever, how hard is it, really, to configure the MTA to send mail through the ISP server?
  • by Anonymous Bullard ( 62082 ) on Wednesday January 28, 2004 @10:47PM (#8120026) Homepage
    A while ago I was listening to the BBC World Service radio when they suddenly broadcast a story about the SCO virus attacks, with the "exciting" issue of newsworthiness apparently being their US$250,000 reward for the head(s) of the script kiddies involved. Knowing SCO I smelled rat and sure enough, SCO's Sonntag was allowed to turn the radio interview into an extended rant against Linux and the whole open-source model while "reaffirming" their ownership of the platform!

    I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the website as well.

    I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.

"Tell the truth and run." -- Yugoslav proverb