Author signs MyDoom virus
Mikoca writes "Information Week carries the story of how its author signed it "andy" and left the message "I'm just doing my job, nothing personal, sorry." Thanks, Andy!"
HEY! (Score:4, Funny)
I'm gonna turn him in for fun and profit
and
FP!
Re:HEY! (Score:5, Funny)
Re:HEY! (Score:4, Funny)
Andy Wharhol (Score:5, Interesting)
There are several reasons to suspect MyDoom is written to order besides the note. The original launch appears to have been from machines broadcasting the virus payload. That is why the virus suddenly came out of nowhere. The author must have expected this since the timetable for the SCO attack was pretty short.
I suspect we will eventually discover that the MyDoom.B virus is launched by the same gang.
The way to catch these guys is to look at the worst types of criminal spam out there - the Paypal, Citibank etc. impersonations that are intended to perform identity theft. I'll bet that one of those gangs sent the message. They have the resources to pay for bespoke hacking.
Alternatively break into one of the spam sender forums and look to see if someone is retailing a new batch of 'owned' machines.
Re: it's WARHOL not Wharhol (Score:3, Funny)
-russ
p.s. the guy down the block put up a sign condemning someone who had stolen lights off his plow, and yes, he spelled it "asswhole".
bad andy (Score:2)
Re:HEY! Doom's ancestry? (Score:5, Interesting)
Tried to search for more info and came across the 1992 Doom2 virus: http://www.sophos.com/virusinfo/analyses/doom2.ht
I am curious about these viruses. Are they "evolving" from older viruses? Seems like some fun research to find algorithms to track this evolution and predict/detect the next one.
Any links?
Re:HEY! Doom's ancestry? (Score:5, Informative)
Someone wrote the Doom2 virus, and someone else wrote the MyDoom.A virus. Someone else entirely modified the MyDoom.A virus to create the MyDoom.B virus. There is no way to "find algorithms to track this evolution" because it does not exist.
Re:HEY! Doom's ancestry? (Score:4, Interesting)
The tricky part would be deciding what parts of the code might get a change, and how to make changes that wouldn't be immediately fatal. (See genetic programming.)
Once the thing got started, it might do nearly anything. Say your original version sent out 50% exact copies and 50% with a single bit alteration in a random location. (This is to keep the thing small.) That has the potential to swamp any virus detection method, if enough changed variants are successfully propagating. But that is, of course, a big if.
But do notice that this thing isn't of value to anyone except someone who just wants to disable the net. You can't immunize against it in any permanent way, because it will evolve away. And it changes rapidly (perhaps too rapidly, but the mutations should fix that).
The problem is, most of the mutations will be highly defective. It's only the survivors that will cause problems. Well, that's what you expect from a system based on evolution.
This just in... (Score:5, Funny)
Re:This just in... (Score:2)
Good thing I'm not named andy (Score:2)
well.. (Score:5, Interesting)
maybe he just got an offer he couldn't refuse...
i'm sure somebody will say that darl had himself made that offer
Re:well.. (Score:5, Funny)
You just fulfilled your own self fulfilling prophecy, young man. Excellent work.
Re:well.. (Score:2)
as to the russian references there's not much evidence about it either, nor do I think there ever will. how hard it can be to find a computer
Re:well.. (Score:2)
Re:well.. (Score:4, Interesting)
He can always say no.
Of course, he might be risking getting fired for saying it.
Personally, I'd rather be unemployed than be paid by someone with the ethics to deliberately release software like this.
Of course, where I live, I'd be paid a reasonable sum for turning the guy in (presumably there would be _some_ sort of paper trail that could be used as evidence... and if there wasn't, what reason would there even be to *START* on the project?). And that would give me some money to live on while I searched for a different job.
Hmm... now that I think about it, how would this go in an interview...? "Why did you quit your last job?" "My boss asked me to do something that was illegal." You know... I have no idea how the interviewer might respond to that... I could see it going either way.
Your scrotum will pay for your refusal... (Score:4, Insightful)
Unemployed, maybe, but would you rather be hung upside down from a tree by your scrotum?
That's what you get when you say 'no' to the right (wrong) people, dude. Where have you been living?
I am sure (Score:5, Funny)
Look, all signs point to 'Yes'.
ANDY = 65 78 68 89
(fill out your own steps in the middle...)
DARL = 68 65 82 76
Re:I am sure (Score:5, Funny)
Re:I am sure (Score:5, Funny)
ANDY
HANDY
HARDY
HARD
CARD
CARL
DARL
Yup, your story checks out.
Organized crime and cracking/spam/ID theft? (Score:5, Interesting)
With all the stories about viruses (like MiMail) being backdoors for spammers, how likely is it that organized crime has gotten involved in the computer crime business? It fits their uh, business model, pretty well -- lots of opportunity for stealing credit card info, bank info, etc. And it's not like Tony Soprano has to learn Visual Basic, either -- there's plenty of people who would either do this on their own and sell stolen info to the Mob.
One of the things they could do is start a generic programming business and hire a dozen or so coders and have them start working on a fairly generic database system. Have a manager type get to know them and figure out which might have money problems, drug problems or some other vulnerability. Once you get them 'snared', you can get them to write a trojan app, phishing site, what have you -- the Mob maintains arm's length deniability and reaps the profits.
It's been widely reported that organized crime has been deeply entrenched in Wall Street and the securities industry -- how different is the securities boilerroom from a trojan/programming boilerroom? Maybe I'm naive and they've been at this since day one, but it wouldn't surprise me if it wasn't another white collar angle for organized crime.
can't blame him (Score:5, Funny)
Reward...? (Score:2)
I can't get to the article, but wasn't there a reward for turning in the guy that wrote it? Maybe he was trying to turn himself in for the reward money. =)
Right, that's his real name. (Score:4, Funny)
Re:Right, that's his real name. (Score:5, Funny)
Truly, you have a dizzying intellect.
Re:Right, that's his real name. (Score:5, Funny)
Re:Right, that's his real name. (Score:2)
Well, "she," actually, but excellent work nonetheless.
Re:Right, that's his real name. (Score:5, Funny)
Re:Right, that's his real name. (Score:3, Funny)
Re:Right, that's his real name. (Score:3, Funny)
Re:Right, that's his real name. (Score:2)
Re:Right, that's his real name. (Score:5, Funny)
>Truly, you have a dizzying intellect.
But he must have known that we were not stupid, either, and so clearly he knew we would look for someone NOT named Andy, which means that we cannot rule out anyone who IS named Andy, either.
But wait! I'm just getting started!
The first detection of the virus was in Russia, and as everybody knows, in Soviet Russia the noun verbs YOU, so we clearly cannot rule out anyone who happens to be named "Novarg" or, uh, "MyDoom"...
But Russia, as everybody knows, is entirely peopled by communists, and communists never do anything by themselves, but always as a group. So clearly we cannot rule out the entire nation of Russia working in concert to produce this virus.
But the virus writer, knowing we were not stupid, undoubtedly knew that we would deduce all these facts about Russia, and so we clearly cannot rule out anyone in the population of the rest of the world.
Are we there yet? Not even close!
The vast majority of virus writers are never caught, which means they are very careful. Very careful people do not unwittingly reveal their names, so we clearly must presume that the writer did not think the inclusion of the name "andy" would be of any help to us in finding him (or her).
So then "andy" must have felt safe and secure amidst the worldwide sea of other andys, especially having not posted to /. in almost a year. Clearly the virus writer is andy [slashdot.org].
Re:Right, that's his real name. (Score:4, Funny)
look on the bright side (Score:2)
(or not..)
Re:Right, that's *his*?! real name. (Score:5, Funny)
hey, good point (Score:2)
yes, it could be Andrea wot done it too!
(slight sarcasm, btw)
Re:Right, that's his real name. (Score:5, Funny)
So you've made your choice?
You'd like to think so wouldn't you!
You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a debate over *NIX editors", but only slightly less famous is this: "Never go in against a Geek, when *Linux* is on the line!". Hahahahahah!
*Thud*
Re:Right, that's his real name. (Score:5, Funny)
You keep using that word... I do not believe it is as funny as you think it is funny.
Re:Right, that's his real name. (Score:2)
So you'd be better off looking for someone who doesn't like "Andy". Maybe the next virus will be signed "George", "Tony", "Saddam", "Osama", "Ariel"...
Re:Right, that's his real name. (Score:4, Funny)
Andy... sure! (Score:4, Interesting)
Re:Andy... sure! (Score:5, Informative)
Re:Andy... sure! (Score:2)
Re:Andy... sure! (Score:3, Interesting)
No big conspiracy...
sorry for what (Score:5, Insightful)
Re:sorry for what (Score:5, Insightful)
Re:sorry for what (Score:5, Funny)
Re:sorry for what (Score:5, Insightful)
why would you ever want to do this? i can't even think of the last time I got an executable attachment that wasn't a virus.
all email programs should disable the feature that allows you to double click on an icon and launch a virus. because:
A) no one needs a "feature" like this. Save to Disk and then run if necessary.
B) icons are designed to be clicked. as desktop users, we're trained to click on things. it's how we interact with our computer.
C) a warning dialog after the double-click is useless. The person has already decided to run the program, to them it just seems like annoying interference from their stupid computer.
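As an added illustration of the point made in this comment (not code from the original thread), a small Python mail filter that quarantines a message when an attachment is directly executable or is a zip wrapping an executable, the way MyDoom arrived. The extension list, the sample message and all names are assumptions constructed here.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Extensions a Windows desktop will launch on double-click (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_executable_name(name: str) -> bool:
    """True if the filename ends in an executable extension.

    Whitespace is stripped first: names padded with spaces push the real
    extension out of the visible part of a dialog, so judge the full name.
    """
    name = name.strip().lower()
    return any(name.endswith(ext) for ext in EXEC_EXTS)


def zip_executables(data: bytes) -> List[str]:
    """Names of executable members inside a zip payload; an unreadable archive is itself suspect."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def find_risky_attachments(raw: bytes) -> List[str]:
    """Walk a raw RFC 822 message and return the reasons it should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            reasons.append(f"executable attachment: {name!r}")
        # Decide by content (zip local-file header) as well as by name, because the
        # declared content type and filename are both chosen by the sender.
        if payload.startswith(b"PK\x03\x04") or name.strip().lower().endswith(".zip"):
            for member in zip_executables(payload):
                reasons.append(f"executable inside archive {name!r}: {member!r}")
    return reasons


def build_sample_message() -> bytes:
    """Constructed sample: a mail 'from myself' carrying a zip that wraps an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Padded name: looks like a text file in a narrow column, runs as a program.
        zf.writestr("document.txt                .exe", b"MZ placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "me@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in find_risky_attachments(build_sample_message()):
        print("quarantine:", reason)
```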
Re:sorry for what (Score:4, Interesting)
Re:sorry for what (Score:3, Interesting)
It is often said that what users fail to understand is that they should not run "untrusted binaries". But in my opinion this is the greatest shortcoming of all modern operating systems. I want my operating system to shield resources belonging to one binary from another. Much in the s
Re:sorry for what (Score:4, Informative)
Oh, an email from... me? I didn't send myself an email. I think I'll open it. What's this? A zip file? I don't recognize it. Hmm, I think I'll open it. Aha! There's a program here that I've never seen before. I wonder why I zipped it up and emailed it to myself. I guess I better run it...
Yes, in case you were wondering, this *actually* happened. I don't think MS could do anything to protect users such as this. I suppose they *could* run Knoppix or something, at least until more Linux viruses are floating around.
safe exec (Score:3, Insightful)
I am thinking that Ximian could have the capability to create a temporary sandboxed Wine VM to deal with attachments. I am sure someone could do the same for that legacy OS that stupid people run. Every time you double click on an attachment, or actually even open email, it is doing it in a sandboxed VM or something along those lines...
Oh man! (Score:5, Funny)
"AAAANNNDDYYYYYYYY!"
Track him using the Patriot Act! (Score:5, Funny)
Re:Track him using the Patriot Act! (Score:2)
Real Player (Score:5, Funny)
I'm sorry I buried these options on the listbox,
I'm sorry I'm popping up this on the screen,
I'm sorry I'm forgetting the setting to not start on start up, etc.
Re:Real Player (Score:4, Funny)
Worse than spam (Score:2, Insightful)
Down already? (Score:5, Funny)
Andy? Like in Toy Story? (Score:2)
Is this evidence? (Score:2, Interesting)
Maybe Andy really is just doing his job!
Server Dead... here's the story (Score:4, Informative)
The creator of what anti-virus experts say is the fastest spreading virus ever on the Internet signed MyDoom and MyDoom.B with "andy," and left the following message in the latter version: "I'm just doing my job, nothing personal, sorry."
"Our interpretation is that he's apologizing to the general public," Jimmy Kuo, research fellow at anti-virus software maker Network Associates Technology Inc., said Friday. "Our guess is that someone is paying him to write this thing."
Both MyDoom versions install a "back door" in infected PCs, enabling hackers to commandeer the machines to send spam, launch denial of service attacks, or perform other nefarious acts.
Some experts, however, doubted the sincerity of the apology. Many virus writers leave cryptic messages in their code to tease investigating authorities and to pat themselves on the back for their handiwork.
"If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it."
The MyDoom virus launched a denial-of-service attack early Sunday that crippled SCO Group's Web site with hundreds of thousands of requests, an SCO spokesman said. The attack is programmed to continue on the company's Web site until Feb. 12, according to messages left inside the virus' code.
But the spokesman said SCO will unveil a contingency plan Monday for customers to access the site. He declined to discuss those plans, citing hackers.
MyDoom.B also prevents infected computers from accessing the Web sites of Microsoft and many anti-virus software makers, making it difficult for the owner of an infected machine to get help.
Microsoft and SCO have each offered a reward of $250,000 for the arrest and conviction of the MyDoom author. Both companies are also assisting in investigations by the FBI, the U.S. Secret Service and Interpol, an international police organization.
Postini Inc., a security company that cleanses E-mail before it reaches corporate networks, said Friday it had intercepted more than 12.5 million copies of MyDoom and its variant since the original virus was launched last Monday. In the first 24 hours of the attack, Postini intercepted 3.5 million copies of the virus. On Friday, the company reported an infection rate of 1 in 24 E-mails.
Based on its own customer submissions, security vendor Symantec Corp. said MyDoom was spreading on Friday at a rate of 30% to 40% less than its peak earlier in the week. MyDoom.B wasn't even on the company's list of top 5 viruses.
Nevertheless, Symantec expects the viruses to continue to be a threat for months. "These viruses tend to stick around for months and months," said Alfred Huger, Symantec's senior director of engineering. "The Internet is a very big place."
Re:Server Dead... here's the story (Score:3, Interesting)
Strange then that sco.com [sco.com] is working fine, as are their DNS servers. All they've done is pulled A records for their various www hosts and according to netcraft www.sco.com seemed ok [netcraft.com] too until they pulled the DNS record.
Surely SCO aren't hyping this up? Would be very atypical of them..
Re:Server Dead... here's the story (Score:3, Interesting)
Making just sco.com go to their home page would work perfectly. They could also make www.sco.com go to some big server that they pay that delivers a simple "click here" page, though I doubt they will do that because it will make most peopl
Dear Andy (Score:5, Funny)
You are a moron.
I would like to stick hot pokers in your eyes.
I'm just expressing my opinion, nothing personal.
Limits (Score:5, Funny)
Now, can I get some cash from SCO for eliminating 5994000000 people as suspects?
No you must pay a license fee! (Score:5, Funny)
Re:Limits (Score:3, Funny)
google cache (Score:4, Informative)
Isn't it ironic.... (Score:5, Funny)
News need a story (Score:4, Insightful)
The real story is that these worms and viruses have become big business and the only people who profit from them are software vendors selling anti-virus, Microsoft through services, and spammers.
Quoted message wrong (Score:5, Interesting)
"Andy; I'm just doing my job, nothing personal, sorry."
My^H^HThe Author's Name is not "Andy", he just says "Sorry" to him
Re:Quoted message wrong (Score:5, Informative)
"Andy; I'm just doing my job, nothing personal, sorry."
My^H^HThe Author's Name is not "Andy", he just says "Sorry" to him :)
Even though it's an AC post, MOD parent up.... and it may be that "Andy" is the author of the A variant ("andy" was found in the version A exe), and the author of the B variant (where this sorry message was found) is just apologizing to the original author for whatever reason.
And maybe the new author is named Barney, cuz, like, it reminds me of Barney Fife saying sorry to Andy Griffith or something, or we could guess all day long with no real basis for any of it. Wheeee!
Related news: Virus copyright violation. (Score:5, Funny)
With about one million illegally installed copies of the virus, Windows users are massively abusing copyrights. Furthermore, each of these 1M PCs has made an estimated 1000 illegal copies of the virus, contributing to a total pirated amount of 699 billion dollars, dwarfing the SCO lawsuits.
Yes, the real pirates are the windows users!
Asked how the virus author feels about the damage the virus does to the world economy, the reply is "the pirated copying of my IP is causing me much more damage than whatever damage may be done to any economy".
movie quote? (Score:3, Interesting)
Haven't watched it though, so I'm not sure, and imdb's pages about the original and the remake don't have any memorable quotes similar to the MyDoom sig.
A-HA! A CLUE! (Score:5, Funny)
Just for statement clarification... (Score:3, Insightful)
Its all fake (Score:2, Interesting)
Some people at
http://www.math.org.il/mydoom-facts.txt
Sorry I cleaned my browser history and forgot the post which leads to the URL on a mailing list.
BTW thank God that virus, which spreads somehow that easy wasn't Hybris ( http://securityresponse.symantec.com/avcenter/ven c
Don't blame Andy! (Score:5, Interesting)
I am just glad that Andy's attachment wasn't named "format_my_c_drive.exe"
Re:Don't blame Andy! (Score:4, Insightful)
Haha! You fell for it! (Score:5, Funny)
2004 Spaced Odyssey (Score:5, Funny)
Andy (Score:5, Funny)
How do I see for myself? (Score:2)
How do I go about disassembling a Windows virus on Linux? Which tools do I use? I was once skilled in the art of disassembly, but that was on the Amiga. My knowledge of the Intel assembly language is a bit lacking, but with a little help (mainly, which tools? as said above) I should be able to pick it apart.
As for the virus itself, I have a copy thanks to Earthlink's email virus scanner that forwarded me a full copy of a mail sent in my name...
Embedded Image in MyDoom (Score:4, Funny)
Authorities didn't want to tip their hand, but the signed text message wasn't the only information they were able to extract from the virus.
Through detailed analysis, investigators have been able to recover a JPEG image as well.
Based on this newly uncovered evidence in the case, apprehension of "Bad Andy" [commando.com] is expected sometime this morning; the suspect was last seen at a pizza parlor.
Here he is!! (Score:4, Funny)
The *real* URL for this story (Score:5, Informative)
I've got it! (Score:4, Funny)
I should post this AC (Score:5, Interesting)
This virus spread faster than anything I've ever seen to date - we "discovered" the virus on our system after one of our "brilliant users" forwarded an email to me that had a "clean" .zip attachment they couldn't open (they thought). I use a RedHat box as my primary workstation, so I wasn't terribly nervous about a .zip, but I ran f-prot and clamav against the file anyway and it did indeed come back clean. I re-ran the definition updates and it still came back clean.
So I unzipped it and ran strings on it. The first things I saw were sync.c and all the .DLLs at the end of the file, and I figured that it was a new virus. We immediately put a kludged filter in place on our email and went looking around the 'Net for some sort of announcement of this new virus, which we found on F-Secure's web site. It was about an hour later that we were able to get a signature update for our anti-virus software on our mail server and about 6 hours later before we were able to get updates for our enterprise anti-virus software (I won't mention the vendor).
We "caught" over 400 infected messages before we even had a signature for it. That was scary. But what scared me most was the thought that this could have been a "real" worm. MyDoom isn't very creative and not that harmful - making me think it was written by/for spammers, myself. But a few of my coworkers got to talking. What would have happened if this had a more creative payload and it spread via network shares as well? What if, instead of opening back doors (which made it very easy to nmap our networks for infected machines even before we had a "detection" tool) it just looked for all .xls files and randomly changed numbers. What if it then looked for .doc files and randomly added garbage, deleted words, or some other crap? How long would it be before people started realizing this was larger than just a file or two getting corrupted? By then these files have been backed up and/or forwarded to others as well.
I remember several years back now there was a virus that replaced all .jpg files with copies of itself. It about ruined a friend of mine who was trying to start a "web design" business and had thousands of images, many custom made for his clients, destroyed in an instant. It devastated him (he does good backups now).
If someone decided to get serious and release a worm with a (dare I say) "terrorist" payload, they could literally bring my company to its knees in a matter of seconds.
Now before you go off half-cocked and yell at me for "giving people ideas", take a deep breath. Almost everyone in my office was thinking along the same lines. We were discussing ways to mitigate an event like this in our own enterprise and how we could block any spread out of our networks.
We came up with the obvious: have good backups, but then we started to think about how to stop the spread out of our networks and realized that up till that point anyone could have an SMTP "server"/virus set up and send mail out. We now block ALL incoming and outgoing SMTP except the ones to and from our mail servers. We also don't allow POP or IMAP in or out except to our mail servers. If people want to check other accounts they can RPOP from our server - at least it will go through our virus and spam filters first.
If more ISPs/companies did this, the spread of MyDoom would have been slower. But how do you mitigate the effects of having a virus "corrupt" all your documents? Even if you catch it right away and restore from last night's backups (after checking ALL your computers for infection) you still lose an entire day's worth of work for many departments. That's a big setback.
MyDoom infected department heads and department "techie" people first because their users came to them with an attachment that they "couldn't open". The "techie" people explained later that they had their virus s
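The egress rule this poster describes (only the site's mail servers may speak SMTP outbound) also yields a detection signal: a workstation that is dropped while fanning out to many remote MTAs is the behaviour of a mass-mailing worm, not a misconfigured client. As an added example, not code from the original thread, the Python below runs that check over constructed iptables-style firewall log lines; the log format, addresses and the sanctioned relay list are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumption: these are the site's own mail relays, the only hosts allowed outbound port 25.
MAIL_SERVERS = {"10.0.1.25"}

# Assumed iptables LOG target format; only the fields used here are matched.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dport>\d+)")


def smtp_attempts(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each source host to the distinct SMTP (port 25) destinations it tried to reach."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dport") == "25":
            targets[m.group("src")].add(m.group("dst"))
    return targets


def suspected_mass_mailers(lines: Iterable[str], min_destinations: int = 3) -> List[str]:
    """Hosts that are not sanctioned relays and fanned out to at least min_destinations MTAs.

    A single destination hit repeatedly is usually a client with the wrong SMTP
    server configured; a spread across many destinations is a mailer engine.
    """
    targets = smtp_attempts(lines)
    return sorted(src for src, dsts in targets.items()
                  if src not in MAIL_SERVERS and len(dsts) >= min_destinations)


# Constructed sample log: a relay doing its job, a worm on 10.0.5.17, a misconfigured
# client on 10.0.7.3, and an unrelated web connection that must be ignored.
SAMPLE_LOG = [
    "Jan 28 10:01:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.25 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=25",
    "Jan 28 10:01:03 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.25 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=25",
    "Jan 28 10:01:05 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 PROTO=TCP SPT=3421 DPT=25",
    "Jan 28 10:01:05 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=198.51.100.7 PROTO=TCP SPT=3422 DPT=25",
    "Jan 28 10:01:06 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.44 PROTO=TCP SPT=3423 DPT=25",
    "Jan 28 10:01:06 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.45 PROTO=TCP SPT=3424 DPT=25",
    "Jan 28 10:01:09 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=203.0.113.9 PROTO=TCP SPT=5001 DPT=25",
    "Jan 28 10:01:10 fw kernel: SMTP-DROP IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=203.0.113.9 PROTO=TCP SPT=5002 DPT=25",
    "Jan 28 10:01:11 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.80 PROTO=TCP SPT=3425 DPT=80",
]


if __name__ == "__main__":
    for host in suspected_mass_mailers(SAMPLE_LOG):
        print("check for infection:", host, "->", sorted(smtp_attempts(SAMPLE_LOG)[host]))
```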
DOING HIS JOB???!!! (Score:5, Insightful)
Viruses are turning computers into spam relays. Other viruses are DoSing various anti-spam blackholes. Yeah, this one happened to hit SCO and Microsoft, but the payload is easily changed, now that the virus framework is out there.
Viruses are being PROFESSIONALLY written to HELP SPAMMERS! Go read some recent comments from Symantec folks, and you'll see the same conclusion: Spam and viruses are being funded and run by organised crime.
Will Microsoft stop them? Nope! The US government? Not a chance. AOL? Laughable.
I quite believe that the author (whether Andy or not) was doing exactly what he said--his job, that he was no doubt being paid very well for.
All Points Bulletin (Score:3, Funny)
Hired by the Anti-virus vendors (Score:4, Interesting)
Yeah, yeah, I know, Conspiracy Theory, But man does it ever smell bad.
Spammers still spreading it (Score:3, Interesting)
Re:LinuxWorld disapproves of "andy" (Score:2, Informative)
Re:Come on, Windows-fanatics! Write a Linux Virus! (Score:2)
I always have the feeling people like windows as long as they don't know anything else.
In all seriousness, that's what I've always thought of Linux fanatics. They use Linux because they don't like Windows, not because they have a thorough understanding of operating systems.
While I like some architectural decisions of UNIX/Linux, I find Windows to be much less of a headache. Yeah, you have to deal with virii and crap like that, but just keep up with patches and so on
Re:Come on, Windows-fanatics! Write a Linux Virus! (Score:5, Funny)
There is one. It's call the "Linux Desktop Battle". It drains resources by causing users to argue of which desktop is best and frequently update the desktops as new features are incrementally added. It also creates uncertainty in potential users who do not know which one to use. A side benefit is it stifles creativity in developers as they attempt to duplicate the Windows desktop on Linux instead of innovating new UI enhancements.
Next time I'll write about the "write your own driver" virus.
Re:True ? (Score:2)
Either that, or they're pissed off about the pipeline explosion story [slashdot.org] running in the NYT
Re:True ? (Score:5, Interesting)
Jesus, are you trolling or is it just stupidity?
First, there are no "Soviet officials" as the Soviet Union ceased to exist more than a decade ago.
Second, it does very little to draw attention from the USSR - you know, the guy's name could be Andrej.
Third, what do you mean by "their security"? It's MS's security that seems to be beyond repair, as Windows + Outlook is their product, not Russia's.
Re:True ? (Score:2)
However if they *can't* control their hackers (who can?) and this went out without their knowledge, than they can't have inserted a comment in the virus to detract from that.