MyDoom Seeks to Destroy Antivirus Firms
Khoo writes "Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee.
In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies."
Ehh... (Score:5, Funny)
Re:Ehh... (Score:2, Funny)
Re:Ehh... (Score:5, Funny)
VIRUS WARNING:
Attention: Computer Labs Inc., makers of Virucide antivirus software, have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject "Congratulations. You have won!" It will then prompt you to click a link to collect your cash prize. It can also freely spread across networks.
Monkeypoo will read your address book, and mail a copy of itself to every address it finds, and it will look like you sent it. It will then invoke the secret self-destruct command held over from the original IBM PC's 8086 command set. This short line of code will cause the processor, ram, hard drive and any floppy drives to spin out of control and overheat until key components melt together, and will most likely cause a fire.
James Winklee, a former IBM programmer, had this to say: "We developed the self-destruct code so government agencies such as the FBI and CIA could quickly and completely destroy compromised computer systems before an enemy could get their hands on classified information. When we saw how violently a PC executing the command burst into flames, we decided not to publish its existence. It has been kept a secret successfully until now. If you get infected with the Monkeypoo Trojan worm, you may notice your computer going completely haywire. Physically unplug it from power as fast as you can, and send it in for repair. Only a professional can remove this one."
While Computer Labs Inc. and other antivirus software makers are working on a solution, they haven't got one a home user could successfully run yet. "This is the worst kind of malicious code I have ever seen," said Marcus Polan of Computer Labs Inc. Use extreme caution.
It is important that as many computer users as possible receive this warning, so send it out to as many people as you can. The entire Internet and every PC connected to it is at risk.
Scary stuff huh?
Re:Ehh... (Score:3, Funny)
Re:Ehh... (Score:5, Funny)
And hanging from the CD-ROM tray was...a hook!
Re:Ehh... (Score:5, Funny)
Please send this to everyone on your e-mail list - both male and female!
If a man comes to your front door and says he is conducting a survey and asks you to show him your arse, do not show him your arse.
This is a scam; he only wants to see your arse.
I wish I'd gotten this yesterday. I feel so stupid and cheap.
Re:Ehh... (Score:2)
Live Update (Score:4, Insightful)
*sighs*
never mind
Re:Live Update (Score:2)
Ever since I installed NAV on an XP system I'm using, the boot time went from 30 seconds to well over three minutes. I swear it must scan EVERY file that gets opened, including the registry (which gets accessed a lot during a programming session).
I can't remove NAV because it's not my PC and the owner doesn't want me to replace NAV with something else, like AVG or something.
Re:Live Update (Score:3, Informative)
Sounds to me like you're talking about Norton AutoProtect, not LiveUpdate.
Re:Live Update (Score:2)
By default, NAV usually scans every file that gets touched. Dunno which version you're using, but buried somewhere in the settings should be a way to switch from "scan on access" to "scan on create".
scan on access (Score:2)
I wish I could find this setting; I have NAV 2004.
Sam
Why hasn't this been done before? (Score:2)
Now what if the target of a DDoS was the AV companies' live update servers?
Anti-virus programs would not be able to download virus signatures against the new worms, making them ineffective unless manually updated.
Maybe Id care... (Score:4, Interesting)
Re:Maybe Id care... (Score:2, Funny)
Re:Maybe Id care... (Score:2)
Re:Maybe Id care... (Score:2)
Are they still dangerous?
The Mother Of All Bombs the US had a few years ago is just a rip-off of a rip-off of a rip-off of an idea as well. They still go boom.
If the virus is still dangerous, the fact that people can so easily recycle old viruses is way more disconcerting than simply deciding, if it's not an innovative virus, why fear it.
virii calling each other out... (Score:5, Funny)
Re:virii calling each other out... (Score:5, Funny)
Hey MyDoom! Yes she did, and she just pwned you!
Re:virii calling each other out... (Score:2)
Hah, reading that post brought back memories of a movie I just watched again this weekend.
"Hey Kritski; did your mom pick that out for you?" - Tito
I wonder how many people know which movie I'm talking about...
Re:virii calling each other out... (Score:2)
How come they call you Milkman?
Re:VIRUSES calling each other out... (Score:5, Funny)
Re:VIRUSES calling each other out... (Score:2)
think about it.... (Score:5, Interesting)
Without a doubt, I would (Score:5, Funny)
Re:think about it.... (Score:2, Insightful)
Yes, I would; it's nothing they could prevent.
Re:think about it.... (Score:2)
Bad analogy.
A better one would be "Would you hire a company, one that built a dam that is starting to leak in many places, to build your new dam?"
Re:think about it.... (Score:5, Insightful)
Any company's computers, even the best AV writers, are vulnerable to 1st day infections. Any company could get slammed if an unknown virus is introduced directly into their networks. So what would matter to me is not that they were taken down, but how quickly they are able to get their systems back online. That's indicative of how quickly they can get updates online and out to the rest of us who may be suffering the same fate.
Time... (Score:3, Interesting)
Anti-Virus software is dangerous (Score:5, Insightful)
Re:Anti-Virus software is dangerous (Score:2, Insightful)
But air bags can save your life; I don't feel right riding in a car without a full set. While some people who use anti-virus may use their systems unwisely, I however suspect that most people who take the time to install, buy and update the license are more aware of the problem, not less. The real pr
Re:Anti-Virus software is dangerous (Score:2)
Destroy ?? (Score:5, Insightful)
Re:Destroy ?? (Score:2)
Destroy the virus writers (Score:2)
Re:Destroy the virus writers (Score:2)
Re:Destroy ?? (Score:4, Insightful)
Anyway, true viruses are damn hard to find nowadays. Most AV programs protect against trojans and worms, not file-infecting viruses. Any AV company worth a damn has turned into a general security company (take note that Symantec also owns Bugtraq, for example). Long as people break into places, we're going to have locks....
Re:Destroy ?? (Score:2)
N3ws for n3rds, Stuff best left unheard ... (Score:4, Insightful)
We don't really want to boost the ego of those jacks, do we?
And hopefully, Taco won't repost the same story in a few days...
<sarcasm/>
Re:N3ws for n3rds, Stuff best left unheard ... (Score:2)
Frankly, if this is all it takes to boost their ego, then so be it. I'd rather boost some moron's ego and have the privilege to read my daily techno/geeky news than to have it censored so as to not offend anyone.
Re:N3ws for n3rds, Stuff best left unheard ... (Score:2)
With great power come great... (Score:2, Interesting)
Re:With great power come great... (Score:3, Funny)
That's because Ninjas have Real Ultimate Power.
Now, if a virus could somehow enact the power of 10,000 ninjas on the internet, then it would be unstoppable; they would all go and stab your webserver in the eye, and they wouldn't even flinch.
[/tongue_in_cheek]
Back in reality, I'm watching out for the lower level Router attacks, or an attack of some type on the DNS roots. Whilst we believe we have the infrastructure to cope, I beli
Re:With great power come great... (Score:4, Funny)
TANGERINE ALERT! (Score:5, Funny)
I recommend we immediately declare western civilization over to beat them to the punch.
There, got my sarcasm out for the day. Now to go to work and refuel it.
Virus Facts (Score:5, Informative)
I put together this report for our project team recently. The sources are MCI, Verisign, et al (mostly, esecurityplanet.com article -- yes, google makes reports easy/fun).
Wait time for AV fix
(source: http://www.esecurityplanet.com/views/article.php/
Below is the average wait time from the release of a virus to each company providing definitions to find/clean it.
H:M Anti-Virus Program
06:51 Kaspersky
08:21 Bitdefender
08:45 Virusbuster
09:08 F-Secure
09:16 F-Prot
09:16 RAV
09:24 AntiVir
10:31 Quickheal
10:52 InoculateIT-CA
11:30 Ikarus
12:00 AVG
12:17 Avast
12:22 Sophos
12:31 Dr. Web
13:06 Trend Micro
13:10 Norman
13:59 Command
14:04 Panda
17:16 Esafe
24:12 A2
26:11 McAfee
27:10 Symantec
29:45 InoculateIT-VET
The averages vary from about 7 hours per virus to more than one full day (almost 30 hours). It's important to note two things about the figures in the table above:
Some of the programs were able to detect some of the viruses in the testing period heuristically -- without needing an update. Ikarus, Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus, whereas Norman and RAV were able to do it with Bagle.B. In those cases, the anti-virus program was assigned a response time of zero for that one virus. This reduced those vendors' average response times.
On the other hand, A2 had not posted a signature for the Bagle.B virus within three days, when the test period ended. This program, therefore, was assigned a response time of 35 hours in this instance. If this virus had not been considered in the statistics, A2's average response time would have been reduced to 15:26 rather than 24:12.
Hours to saturation/Dollar damage done by:
Klez 2.5 hours $9B
Sobig 10 hours $14B
2003 overall virus damage $89B
Average cost to patch and protect one workstation (includes AV, PM & FW): $234.
Global spam decreased in August 2004 due to hurricanes (FL is the largest producer of global spam).
Re:Virus Facts (Score:2)
What about Clam AV? (Score:3, Interesting)
I'm surprised it took this long (Score:2, Interesting)
Re:I'm surprised it took this long (Score:3, Interesting)
Re:I'm surprised it took this long (Score:2)
I wish I could remember the exact virus (anyone?), but there were several that would specifically try to infect a machine and disable anti-virus software from various vendors, thus rendering the machine vulnerable to other virus attacks.
If my memory of timeframe serves, this was a problem in Windows 3.1 and 95... so, we're talking "old news" about targeting AV firms (in a sense).
I seem to recall there being DDOS attacks aga
Mydoom... (Score:3, Interesting)
That leaves... (Score:2, Funny)
F-Secure: Check
Symantec: Check
Trend Micro: Check
McAfee: Check
So that leaves... grisoft, Avast, and a couple dozen smaller companies. It's a conspiracy! THE BASTARDS!
~D
Mild threat (Score:2, Insightful)
Re:Mild threat (Score:5, Insightful)
Re:Mild threat (Score:2)
Re:Mild threat (Score:2)
You are correct, the most successful organisms (worms/viruses in this case) preserve the host in order to spread, w
Re:Mild threat (Score:2)
Re:Mild threat (Score:2, Interesting)
Just Give In (Score:2)
Re:Just Give In (Score:2)
What are you, French?
Why are all these Anti-Virus people using windows? (Score:3, Insightful)
Re:Why are all these Anti-Virus people using windo (Score:2)
And: 'because they know that Windows is insecure'?? Windows isn't any more insecure than your favorite BSD or Linux distro. It's how it's configured that makes it secure or not.
'if someone wants a virus to spread they just kill the updates for the anti-virus' : oh yeah, why didn't they think of that before? I have no idea how you plan to 'kill' the update though, since that's dif
How it's configured... (Score:2)
Right, if Windows is configured to not run any services and not be on the network it's C2 secure.
If you do any of those things it contains many network-exploitable 'root-level' vulnerabilities. Even if you follow the 65-page NSA documents on how to secure Windows.
As shipped, OpenBSD has had only a couple of these in the past se
NT 4 C2 security (Score:2)
Yes, NT 3.5.1 and NT 4 both received C2, given a specific configuration and specific hardware. IIRC NT 3.5.1 was "off-the-network, no floppy". The services allowed on a C2 NT4 box:
Note that many of these have had remote buffer overflow attacks since they
I guess they didn't get the memo (Score:3, Interesting)
Diversion (Score:3, Informative)
Nah, ... maybe I am too paranoid, this time...
Maybe not too paranoid (Score:2, Interesting)
There are plenty of new viruses out there all the time. There is plenty of attention to the nastiness out there, which is good for the market. So some company would tweak their tool so it adds a tiny bit to the general insecure situation.
They'd have to arrange for internal secrecy so few people get to know the issue.
They're ready to take a hit when the next guy does a comparative batch test for viruses and declares their product unsafe.
They can't leave a paper/email trail so
Re:Maybe not too paranoid (Score:2)
Why tell them? (Score:5, Funny)
Re:Why tell them? (Score:2)
Now, if you make a big deal out of "warning" the companies, and then hit and hurt them
Revamp IT infrastructure (Score:3, Insightful)
Let's say all companies in all countries, the governments and the IT suppliers join hands and pay into one large "IT fund" or donate research time and development for a joint new technology.
At the same time governments all over the world pass legislation to increase the responsibility of IT vendors like e.g. Microsoft (faster bug fixes required by law, free bug fixes, longer free support, better and safer Windows code,
We use these measures to:
1) Get rid of x86/WinTel and all its legacy technology and software (no more ISA, no more IRQ, no more Win/DOS compatibility,
2) Get rid of Windows altogether and create a decent replacement for it without legacy and backwards compatibility
3) All governments buy Apple machines and Mac OS X at huge discounts: already a huge step forward in security of our personal information and files.
I think this would enhance competition, drive the economy forward, foster future new developments and maybe get rid of monopolies and get decent competition in the IT market... and be a lot cheaper than the combined cost of all anti-virus licenses, and hidden costs of lost productivity and fall-out of current attacks...
I know... I know... I'm dreaming eh... Some forces would be against this... Damn....
Re:Revamp IT infrastructure (Score:2)
Yeah, like me. I don't particularly feel like replacing all my existing hardware and software, thanks. Even if I could, which would imply millions of developer hours spent on porting.
You're not dreaming, you're having a nightmare.
Creating the market (Score:2)
Sounds like the virus was written to help the antivirus companies justify their existence.
Hackers are stalking your children online...
Booga booga!
Re:Creating the market (Score:2)
Is 2005 the year linux rules the corporate world? 2006? I don't know about ruling at home since games are still a factor.
Has anyone thought about this.. (Score:3, Insightful)
You then have a virus that is attacking the one thing that can "defeat" it, thus the virus "wins" as it has effectively knocked out the source of the antidote (provided the virus is able to spread at a very fast rate for the initial 12 or so hours).
There is quite a lot of research on the web regarding the speed at which viruses spread and the # of hosts infected in the first X hours, which makes for interesting reading.
To do it properly the virus shouldn't have any hardcoded IP addresses or domain names but instead seek the server name(s) from the (registry|av-binary|wherever it is stored). Other viruses have failed in the past because l33t master coders were stupid enough to hard code a list of IP addresses.
A fast spreading virus that could do as described IMO would be a truly "successful" ground breaking virus, and it would certainly be interesting to see how the AV companies react to that.
(I'm NOT suggesting, nor encouraging it to be done, just looking at an idea from a problem solving / technical implementation POV).
Jason
Comment removed (Score:5, Informative)
1337, motherfucka, do you speak it? (Score:2, Funny)
Re:English, motherfucka, do you speak it? (Score:2, Interesting)
Beware, (Score:2)
Re:English, motherfucka, do you speak it? (Score:2, Funny)
So there! (Score:2, Funny)
Viruses are boring... (Score:3, Interesting)
You know what would be a great virus/worm? One that totally fucks up the partitions on your hard drive forcing you to reformat and lose all your data.
Now THAT would be a funny virus. Imagine that getting spread across corporate america... you think it cost a lot to take 3 minutes out of the day to update virus defs and do a scan? Wait till you need to take hours out to reformat and reinstall.
These are what worms/viruses should be. Not this "Hacked by chinese" bullshit.
Re:Viruses are boring... (Score:2, Insightful)
Watch out McAfee (Score:2)
Let's hope the folks McAfee are smart enough not to open an email attachment from freehotchicks@VxIxAxGxRxA.com
Thoughts and musings on releasing malicious code (Score:5, Interesting)
First of all, access to the internet has to be completely anonymous. Many people have used their personal internet access or the one at work. Malicious code _will_ be traced back to the originating internet access by security agencies of states hostile against the United States of America.
Anonymous access to the internet is easily possible from:
a) unsecured wireless access points
b) internet cafes
Since many public and private places in states that are hostile to the United States are nowadays under 24h covert video surveillance, unsecured wireless access points are safest. The safest way to use an unsecured access point would be from a car travelling at the maximum speed possible for a notebook on board to find a path through an unsecured access point to the internet. The malicious code package however should not be released directly to the internet but onto the first vulnerable system after the AP that has access to the internet. When using the AP the physical MAC-address of the wireless adaptor must not be used for obvious reasons, the card should be programmed with a new MAC-address. After releasing the malicious code package the notebook should immediately securely erase all traces of the malicious code package, the delivery system and the secure eraser. The secure erasure of the mentioned components should also be triggerable by a single keypress. The notebook should be kept under sufficient power and in a state where secure erasure can be triggered at all times (disable screensaver, power low standby etc.). The secure erasure should also be triggered when the notebook is about to enter a state where the secure erasure can not be triggered and completed (low power, etc.). The notebook should not be hooked up to the car's battery nor should any antennas or fixtures be evident that reveal the notebook is being actively used in the car. The warmth of the notebook in operation is not explainable therefore appropiate navigational software and a GPS mouse should be present. It is important to avoid areas where the car could leave identifiable tire tracks. If possible avoid entering zones of known video surveillance or zones where searches by hostile forces can be expected. I know this sounds paranoid but shit happens.
The malicious code should be wrapped into an installer that hides the malicious code onto the first vulnerable target after the access point for a period of at least six days and release the malicious code to the internet preferably on the evening of the friday following the minimum six days.
All code, excluding the delivery system and secure erasure code, should hide on the system using state of the art techniques (filesystem filters, hooking registry access, manipulation of NT kernel data areas).
If the malicious code happens to be a worm, a very slow rate of infection is advised as well as a novel vulnerability being exploited. This is in the hope that the worm will over months penetrate into sensitive intranets without being discovered. As the clock of a given node can not be depended on for accurate time/date information the worm instance should not rely on it to measure time. Instead time should be measured by cpu cycles, poweron/poweroff cycles etc. Systems belonging to a state hostile to the United States of America can be recognized through characteristics discovered through prior intelligence.
All development and testing that takes place while located in a state hostile against the United States of America should be confined to one system. Backups must use state of the art encryption, must be accounted for and be destroyed after being superseded. If you (unwisely) choose to keep the final version of the code after the attack, encrypt it with a xor of r
Re:Thoughts and musings on releasing malicious cod (Score:3, Insightful)
Yeah, well, you are talking about regimes where the consequences of being discovered are a certain and painful death, I think being paranoid is probably pretty good advice...
But XORing against a random byte stream is not very good advice, because it is much more difficult than you might expect to generate such a random byte stream. Hint: The random number generator that comes with your compiler is not good enough.
Re:Just a bunch of horse crap... (Score:5, Insightful)
Re:Just a bunch of horse crap... (Score:3, Funny)
Re:Just a bunch of horse crap... (Score:2)
fink install clamav
Of course, then you'll have to add a cron job or something to run it periodically, or you can just run it by hand over things you've downloaded.
Re:Just a bunch of horse crap... (Score:3, Informative)
Re:Just a bunch of horse crap... (Score:2)
I honestly think that if the majority of people used linux then the virus writers would target the system more heavily.
Software is written by humans. Humans make mistakes. The OS is not gonna save you when one of your systems has a buffer overflow hack, etc. ALL systems
We need at least one (Score:3, Interesting)
We need a good Mac OS X virus to get us out of the '0' column.
As it is people can claim there simply isn't anybody interested in writing Mac OS X viruses. At least if we got one they'd have to admit it's just damn hard.
A kiddie scorned? (Score:2, Funny)
He should include his full résumé, address and phone number in the next one.
Re:Thanks, guys (Score:5, Insightful)
Re:all your base are belong to us (Score:2, Interesting)
You don't read Slashdot much, do you? Look at the wonderful use of the word "your" for "you're" as well as the numerous renderings of "where"/"were"/"we're" or "their" and "there".
Hmm, maybe the same folks who can't spell correctly on this site are the same ones writing these worms and viruses. Nawww, that couldn't be true.
Re:all your base are belong to us (Score:2, Insightful)
Let's not over-simplify things.
For a start, not everyone that writes a virus is an idiot. Yes, there are hundreds of script kiddies re-using someone else's virus code, but somewhere down the line, there's a black hat who is coming up with some pretty smart code. Let's not group together all virus writers as idiots and thus underestimate the threat they pose, which is probably greater than ever.
Secondly, they may have little command of the English language, but there's a fair chance they are not native E
Re:Virii??? (Score:5, Funny)
yeah sure, next time you gonna tell us that the plural of box is boxes and not boxen...
Internet=insecure (Score:3, Insightful)
Re:Writing virues senseless (Score:4, Interesting)
I wish I still had the e-mails handy, but I once communicated with a reformed Mac virus writer in the mid-90's. (The Mac platform had a minor virus epidemic in the late-80's to early-90's before the Windows platform overshadowed it.)
His explanation at the time was that both the Mac and Windows APIs felt very "constrained" at the time, and he wanted to experiment with what parts of the OS functionality were usable in certain contexts. IIRC, he was one of the first to exploit an old "UI drawing resource" security flaw that was patched during the System 7 era.
Prior to the 'Net, most virus writers wrote the things out of curiosity or accident, since a computer's primary function is to simply copy and move numerical data. That's essentially what a virus or worm is: a mere data replicator. Now that most PCs are connected to a worldwide network, unvetted data copying is considered dangerous by many. This is partly why some in the business and media worlds regard P2P sharing and open source as part of the same "underground" as virus writing and software piracy. Most end users nowadays have completely forgotten that computers are simply Xerox copiers at a fundamental level.