More MyDoom Gloom 730
fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."
decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."
carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."
Off Track (Score:5, Insightful)
While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:
Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.
Re:Off Track (Score:5, Insightful)
This is, of course, a worse case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.
Re:Off Track (Score:5, Funny)
Especially when they're doing such a fine job all by themselves!
Re:Off Track (Score:5, Insightful)
Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.
Re:Off Track (Score:3, Funny)
I offer 15 lines of code. From System V.
SCO connection is a red herring (Score:5, Informative)
Re:SCO connection is a red herring (Score:5, Funny)
Re:Off Track (Score:5, Interesting)
Regards,
Steve
Re:Off Track (Score:5, Insightful)
I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.
To say its because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.
Re:Way OT (Score:5, Informative)
Then why spell it with two 'i's? "Viri" would be correct by your example.
However, in the original latin, "virus" is a collective rather than singular noun (eg "snow" vs "snowflake", although the original meaning is more like "slime".) Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium") in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.
Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".
Re:Way OT (Score:3, Insightful)
"English"
oh. Wow. English != Latin.
Just because a word is wrong in latin doesn't make in wrong in english. New words are made up every day and accepted into normal speech. Most of these words don't have latin roots.
More specifically, a word is only a phonetic way of transfering information. if a significant number of people use a word and know what it means, that word has correctly transfered this information, and therefore is correct regardless of whether some a
Re:Off Track (Score:3, Interesting)
In my opinion it might be acceptable to use "virii" for computer viruses. If we can pluralize "box" as "boxen", why not. But it's definitely not the standard plural of "virus".
Re:Off Track (Score:5, Insightful)
It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.
Stawin-A Trojan (Score:5, Informative)
Re:Stawin-A Trojan (Score:5, Informative)
There was a typo in the URL
Re:Stawin-A Trojan (Score:3, Funny)
Re:Off Track (Score:4, Informative)
Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).
At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.
Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.
And
http://www.oem-sale.biz/cgi-bin/order.pl?ii
and watch carefully what happens.
HTTP/1.1 302 Found
Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid
And that gets a new redirection:
HTTP/1.1 302 Found
Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[
One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.
Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would
Continue to do so, as long as they get paid.
domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars
(nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover
oem-sale.biz, registrar directi.com
and they know, have been informed over and over and over and over
If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.
Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.
Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
Re:Off Trek (Score:5, Funny)
I wouldn't rule out Romulan involvement.
I'm betting that Martians are behind this (Score:5, Funny)
1) Earth landed a multi-ship advance scouting party on Mars this month
2) An earth leader with a track record for aggression speculated in a speech about the resources that might be plundered from Mars
3) Earth announced that it was preparing a full scale manned invasion of Mars by 2050
4) SCO sent a letter demanding payment to Martian citizen Marvin, just in case he uses Linux in his Space Modulator
Re:Off Track (Score:3, Insightful)
Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.
Re:Off Track (Score:3, Funny)
Totally OT (Score:4, Funny)
In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.) We would grab that file and take a peek. If they had an image suitable to be defaced, we would draw mustaches on everyone and draw little cartoon baloons saying stuff like, "UR COMPUTAR HAS EBOLA!!11" and then overwrite their copy of the file. If they had a stupid background, we'd find something funny to give them.
Between the sorely juvenile humor and the liquor, it was completely hilarious to us at the time. I was even called by the school's Computer Support Desk at one time to see if I knew anything about the rare computer virus the student computers had. And before anybody points out how childish and potentially criminal this was, let me say that it was childish and potentially criminal. We just screwed with people's wallpapers but we could have remotely deleted their entire hard drives. Educating the masses about computer security is a difficult task, but goddamn if drawing mustaches on people isn't funny.
Social engineering for Sysadmins (Score:4, Insightful)
Just think, you are one of the first hunter to see the virus. You examine the code, and "Damn, their going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...
They say that it's one of the fastest spreading Virus to date, perhaps targeting SCO was the bump it needed.
Ingenious my arse (Score:5, Insightful)
DDOS a website that probably gets about 10 interested visitors a day anyway?
Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.
Re:Ingenious my arse (Score:3, Insightful)
Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.
Now imagine a worm that spreads fast (flood-scan the local
Re:Ingenious my arse (Score:5, Informative)
nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address from (iirc 198.137.240.91 to 198.137.240.92, trivially avoiding the DDoS.
sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certinly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.
Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.
Re:Off Track (Score:5, Funny)
How dumb do you have to be to infuriate the entire Open Source community by claiming you own Linux and trying to license it for $699 per CPU?
McBride is cunning (Score:4, Funny)
Disgruntled SCO Employee: This company is going down the tubes. If I stay here much longer I'll never find work again! I quit! *slam*
Darl McBride: Damn! We just lost our last programmer! What are we going to do now?
Grand Vizier: *rubbing hands together* Well, now I suggest we go to the very salt of the earth...To the spammers!
McBride: Wha? What the hell are you talking about?
Mr. Burns: Obviously our only course of action is to utilize the dark side of the force. We must make those young linux whippersnappers look bad by making a virus that seems to target our own servers!
McBride: Brilliant! We'll make it look like those linux communists are trying to destroy our legitimate business! Make it so!
Mr. Burns: Eeeexcellent.....
Thus goes the story I heard from a passing lunatic...
Re:the virus dies if www.sco.com dies (Score:3, Funny)
McBride interview (Score:5, Insightful)
Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.
Re:McBride interview (Score:4, Insightful)
Re:McBride interview (Score:5, Funny)
The virus is closed source and runs on Windows. It clearly has nothing to with the GNU/Linux.
Hehe, insert joke about BSD catching a virus...
but there's an open source version of the virus... (Score:5, Funny)
p.s. yes, it's an old joke, but still, you know you laughed....
Re:but there's an open source version of the virus (Score:3, Funny)
All I do is emerge sync && emerge mydoom and I'm good to go. Ebuild is currently in Portage, just sync your systems
This one? (Score:4, Funny)
From: Hax0r (jeffk@somethingawful.com)
Subject: *nix virus
This is the only known Virus that works on all *nix systems. Please forward this to everybody on your list and delete all the files on your harddrive. Thank you.
(Or something to that effect)
Re:McBride interview (Score:3, Funny)
Sounds like a pretty sweet deal to me. No wonder Linux systems aren't hit very often; viruses violate the GPL.
Re:McBride interview (Score:3, Funny)
Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."
Re:McBride interview (Score:3, Funny)
Linus: "Hell no, you're just a desperate old fart who's jealous of my DNA and wants to take some credit for it."
Darth: "Shit."
close (Score:3)
Re:McBride interview (Score:5, Informative)
I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.
Thanks to open source, we were able to prevent from contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.
It's another case against OS monoculture (Score:5, Informative)
Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.
Here's a presentation [defcon.org] (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall [defcon.org] at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.
Eventually, that might not help. (Score:3, Interesting)
Isn't It Ironic - Don't You Think? (Score:5, Insightful)
Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.
How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:
Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.
At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.
Re:It's another case against OS monoculture (Score:4, Interesting)
http://www.virusbtn.com/magazine/archives/200312/
written by someone who actually knows a little about malicious mobile code
For profit? (Score:3, Interesting)
Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."
OK, Deadmonk!! (Score:2, Funny)
We'll get right on that!
Sincerely,
The Mass Media.
In addition, not instead of (Score:5, Informative)
Am I the only one? (Score:5, Funny)
Anyone care to clarify what a wet slap is?
--
In London? Need a Physics Tutor? [colingregorypalmer.net]
American Weblog in London [colingregorypalmer.net]
Re:Am I the only one? (Score:3, Insightful)
I wish all mail admins.. (Score:5, Insightful)
.. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.
Bravo! (Score:5, Funny)
"Dude, you are using PINE! You are NOT infected!!!"
Re:I wish all mail admins.. (Score:5, Interesting)
I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.
On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.
Re:I wish all mail admins.. -bah! (Score:3, Interesting)
A nice guy on the FreeBSD Mail-Toaster list put out a good script..
I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file:
123.123.17.50:allow,RBLSMTPD="-VIRUS SOURCE Please check your computer for infections"
IP obfuscated to protect the guilty
How about that? You only get your mail bounced, with a virus warning if your IP (sure
Security could be easily enhanced (Score:3, Interesting)
Re:Security could be easily enhanced (Score:5, Insightful)
No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.
MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is setup to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them everytime they try to open some random shiny thing.
And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?
That soundbite of yours starts getting a little hollow now doesn't it?
Proof of who's lying (Score:5, Interesting)
So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating
Please Remember! (Score:5, Insightful)
It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.
Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:
Remember that your actions count. You are ambassadors of our community.
Re:The ultimate call for group think. (Score:3, Insightful)
The problem with that is it doesn't hurt SCOX at all. Look at their business; look at the SEC filings with their financial numbers -- SCOX is not getting any revenue from their website, but they do get some sympathy every time some jackhole pulls a DoS on their pathetic site (of course, in the lab tests show that MyDoom.a doesn't actually execute the DoS code.) Yeah, SCOX can kiss my arse as well, but so can the spammers who coded this and
Re: Please Remember! (Score:4, Insightful)
I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.
It's interesting (Score:3, Interesting)
With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?
Not to condone writing worms.... (Score:3, Interesting)
Re:Not to condone writing worms.... (Score:3, Insightful)
(Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)
Re:Not to condone writing worms.... (Score:4, Funny)
I don't find the fast reactions unbelievable... (Score:5, Informative)
Re:I don't find the fast reactions unbelievable... (Score:4, Interesting)
Some VT students who have been here longer said they've received the virus on average twice per minute for the last 36 hours. Ouch? Dumb user, no doubt, but I wouldn't yet conclude that it was some mission critical machine that was comprimised.
Still no updated virus defs (Score:2)
According to the official site [sourceforge.net] (at 5:00 EST) there are still no ClamAV defs available for the .b variant of this worm (affectionately known as Worm.SCO.*).
Does anyone know where I can grab (and submit) a signature...or a copy of it (without waiting for it to trickle into a user's mailbox)?
Huh?! (Score:5, Insightful)
What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?
The fallacious logic here astounds me. Wait, no it doesn't.
Linux users (Score:4, Insightful)
I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...
Does Andy work at SCO (Score:5, Interesting)
Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator
My tinfoil hat says it's some poor guy at SCO!
Re:Does Andy work at SCO (Score:3, Interesting)
Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by
If I've said it once . . . (Score:5, Informative)
I've said it a thousand times.
If it weren't for /., I'd have never noticed.
The new payload is to DDoS MS (Score:5, Funny)
Also, you forgot to make an RIAA variant, dumbass!
We have you now... (Score:3, Funny)
That sounds like terrorist speak to me. Thanks to recent legislation, anyone running Linux can now be 'detained' indefinitely without evidence. God bless Micro^H^H^H^H^H^H America.
Of course it wasn't some malicous Linux user (Score:5, Insightful)
How to filter the worm: (Score:3, Informative)
Re:How to filter the worm: (Score:3, Informative)
"TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x
The first two bytes are "MZ", which will be the same on every dos and windows executable (except
The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.
"UEsDBA
Patch patch scratch and lose (Score:3, Interesting)
Oh what a relief it is
what makes you think that people in Russia (Score:4, Insightful)
Fuck, I'm pissed of more than usualy about Slashdot editors.
If you were to read www.linux.org.ru you would notice that the site follows the suite pretty closely, sometimes more so than Slashdot.
Clueless Newscaster. (Score:3, Funny)
The blurb had no information on what to do. Didn't say it was an MS virus, didn't say to go to any website to see what you could do. Just announced "another virus". Waste of time.
Re:Clueless Newscaster. (Score:3, Funny)
Imagine that.
A million zombied machines for anyones use (Score:5, Informative)
Listens on port 3127; accepts a maximum of 3 connections
at a time. If the first byte of the recieved data is
0x85, the DLL skips the next byte, then compares the next
dword read to 133C9EA2h; if this is true, it accepts
the executable from the sender, downloads it to a temp
file/directory and runs it.
Re:A million zombied machines for anyones use (Score:4, Insightful)
Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.
I'm tired of this... (Score:4, Insightful)
A header from the most recent example:
Received: from [200.223.39.59] (helo=writeopen.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlqLU-0007Hx-48
for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500
RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).
I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.
Who Said It'll Attack SCO? & A FUDworm? (Score:4, Insightful)
If it turns out that the DDOS payload is inert:
Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)
If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.
Re:Who Said It'll Attack SCO? & A FUDworm? (Score:3, Informative)
Mydoom generates it's own recipients (Score:3, Interesting)
The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
I've also noticed that some of the "senders" are constructed the same way.
Possible test version hitting me. Anybody else? (Score:5, Interesting)
This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)
I've been watching this and running analyses since it became obvious something was up and have posted an incident report [fourmilab.ch] page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.
I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).
Has anybody else seen this kind of traffic hitting their sites?
needs re-thinking (Score:5, Interesting)
Firstly, he attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.
The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.
Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.
Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.
Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.
I think the REAL reason for this worm, was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targetting Microsoft. I still think the original motive remains the same.
Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.
People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurence of this worm. Industrial espionage has been around for a long-time, and we know that it happens. What's to prevent it worms or viruses being used in industrial espoinage? Especially when the internet is a lot more relevant to businesses today.
Version 2 commentary (Score:5, Interesting)
According to Symantec [symantec.com], this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.
Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
Most resource-efficient way to deal with this (Score:3, Insightful)
The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.
My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.
For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:
Le Groupe Videotron Ltee VL-2BL
24.200.0.0 - 24.203.255.255
The easy thing to do is put 4 lines in my
Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.
Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.
Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.
Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.
If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.
The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most-henous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
Let me guess.... (Score:3, Informative)
That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.
Kjella
my amazement is beyond comprehension (Score:5, Interesting)
It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.
This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.
Quick Poll: (Score:5, Informative)
*raises hand*
Oh yes, and Hotmail over there.
These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.
Ben
Port 25 blocking (Score:4, Insightful)
That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.
Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout were a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISPs smtp server.
I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.
For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought thought they were some guru, but usually had no clue. My point, if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messe d up copy of enduroo.
Back to the topic at hand, there is no excuse for any ISP who houses an smtp server to allow it's customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.
I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.
Re:Port 25 blocking (Score:5, Insightful)
As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.
Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accomodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy-- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.
~Philly
Re:Port 25 blocking (Score:3, Insightful)
BBC let SCO vent Linux FUD unchallenged (Score:5, Interesting)
I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the groklaw.net website as well.
I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.
Re:Block port 25? (Score:3, Interesting)
Re:MyDoom victim (Score:3, Informative)
The SCO DDOS is nothing compared to the fact that the worm opens up a back door which allows other people complete control over his computer.
Re:Why is this an issue? (Score:3, Interesting)
1. Nowadays your average computer user is a moron.
I'm sure you and everyone else knows some hopeless PC user who uses Outlook, can't help but click on some attachment, believes everything they read online, or does not patch their Windows on a regular basis. All it takes is a few of these n00bs to make life miserable for others in one form or another.
2. Filtering on the client side doesn't really a