Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT

After 7 Years, MyDoom Worm Is Still Spreading 133

An anonymous reader writes "Researchers at Sophos have revealed that the MyDoom worm, which spread via email and launched denial-of-service attacks against websites belonging to SCO and Microsoft, is still spreading on the internet after more than seven years in existence. The firm suggests, tongue-in-cheek, that it would be nice if computer users updated their anti-virus software at least once every 5 years to combat the malware threat."
This discussion has been archived. No new comments can be posted.

After 7 Years, MyDoom Worm Is Still Spreading

Comments Filter:
  • by Anonymous Coward

    Hello dear christian friend,

    In the year of 2004 it is with great pleasure that I leave to you the sum ...

  • But if you got a MyDoom message in any modern software you'd get tons of warnings, and many e-mail programs would strip the attached executable as a matter of policy.
    • by jimicus ( 737525 )

      Stuff the MUA, the MTA should be stripping executables - and it should be doing so using the file signature, not the extension.

      • by Lord Byron II ( 671689 ) on Saturday June 18, 2011 @07:14AM (#36484490)

        Yes, because there's never a legitimate reason to send/receive executables. My university does this stripping crap and it's annoying as hell. They even yank out archive files. I eventually had to switch to Gmail from the university system, because I would send a colleague a zip file and they would email me back that I forgot to send an attachment (or vice-versa).

        A better option than blindly modifying emails is to look for virus signatures in the files. At least that way, you're only eliminating the things that are known to be harmful.

        • One shot windows executables are pretty much a standard espionage tool these days. Used only once a virus checker will never recognise them.

        • If only there were a dozen or so other ways to transfer potentially harmful data that coincidentally require user intervention.

          E-mail is fine for passive data, but it's too easy for executables. Users should have to jump through some hoops when handling executables, just like chemists have to take extra precautions when handling unknown or potentially hazardous substances. Handling protocol requires you to slow down and treat the material differently. Sounds good to me.

          If your users can't handle FTP, or

          • by rednip ( 186217 )

            Users should have to jump through some hoops when handling executables

            Such as not running as root/Administrator? However, I know plenty of professional SAs who could take that advice; it's just easier to run that way and they (in theory) know how to deal with permissions.

            Also, not all attachments are executable, yet most blanket exclude them all, so it eliminates one of the best ways to casually transport files. Worse, those that only go after attachments that appear to be executable miss some and create a false sense of security when dealing with them.

            I don't really know

          • E-mail is fine for passive data, but it's too easy for executables. Users should have to jump through some hoops when handling executables, just like chemists have to take extra precautions when handling unknown or potentially hazardous substances. Handling protocol requires you to slow down and treat the material differently. Sounds good to me.

            Like the infamous UAC messages of Windows Vista, which popped up whenever any application tried to do anything, and did nothing but annoyed people and conditioned

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              impossible to roll back any changes, besides reformatting and restoring from a backup

              Btrfs snapshots. Fedora already has support for automatic snapshotting with yum so that you can yum install or yum remove something and, hey, unintended change? Rollback.

              Even such basic functionality as letting a program change what it will, but only applying the changes only to said program's context - pretend-admin, in other words - is missing

              Google for cgroups and isolation... there's a more specific term that will get y

            • It's difficult to figure out what's happening in your system, and it's impossible to roll back any changes

              Run it in a VM that allows rollbacks. Parallels supports this - I bet VMWare does too...

            • Modern computers don't have any security. Yes, this includes Linux, which isolates users from each other (to some extent) but doesn't give a single user any way of isolating his processes from each other and data.

              Wrong about *nix, I'm not in a position to comment on Microsoft. But feel free to weasel your way out of incorrect sweeping statements. If I have to point you at the solutions it's because you've gone to considerable trouble to ignore them.

              It's difficult to figure out what's happening in your system,

              for you maybe - the rest of us have no problems. Be fucking hard to debug if we couldn't.

              and it's impossible to roll back any changes, besides reformatting and restoring from a backup.

              More bullshit. Squashfs, unionfs, and others. Are you trying to say Restore Points© are the solution? (hint - them's backups). If you need to reformat to restore from backup it's

              • Wrong about *nix, I'm not in a position to comment on Microsoft. But feel free to weasel your way out of incorrect sweeping statements. If I have to point you at the solutions it's because you've gone to considerable trouble to ignore them.

                I'm sorry, did I hit a nerve?

                for you maybe - the rest of us have no problems. Be fucking hard to debug if we couldn't.

                For most people.

                More bullshit. Squashfs, unionfs, and others. Are you trying to say Restore Points© are the solution? (hint - them's backups).

                • For most people.

                  You try and change what you claimed. You are consistently wrong. You deny the truth.

                  I do not think it means what you think it means.

                  Thinking is a cerebral activity. If your statements involved your brain - then your brain is damaged. Weaselly - "Devious; misleading; sneaky." - that's you all right.

        • by jimicus ( 737525 ) on Saturday June 18, 2011 @07:34AM (#36484566)

          And your university is broadly doing the right thing. (Though it's wholly unnecessary to yank archives unless they contain executables, any self-respecting mail scanner will be able to read more-or-less any archival format).

          Scanning for "known-bad" things stopped being a good idea years ago. Frankly, unless you take a very hard line to block everything even remotely risky you are more-or-less guaranteeing a lot of clean-up work dealing with exploits. Every time something gets through, your staff can look forward to several hours of clearing up the resulting mess - and that's with a relatively small organisation.

          Google have the resources to effectively crowdsource much of this, and they don't have to deal with the fallout of anything that slips the net.

          What you should be doing is working with the system rather than against it - and the system should be set up to make it easy for you to do this. Services like yousendit.com are a rather more satisfactory solution for most endusers than an FTP server; I daresay a university should be able to put something similar together inhouse.

          • >Services like yousendit.com

            Please don't encourage those assholes. The spread of services that make their name include their TDL and come up with the rest of their name by describing what they do is one of the most irritating computer-related trends to come along in recent year. It might not be quite as bad if users didn't fall for it - "gotomypc.com? They can do that now? I'll try it, sounds useful!"

          • Absolutely. By blocking anything potentially dangerous, you end up with a safe organisation that isn't able to function well.
            Obviously, the I.T. guys see their own pain. But, the pain that excess security causes is widely distributed across space and time, and no one counts it all.

            So, in this case, yeah, a virus is bad news. But, the question is, is a virus more lost productivity than 1000 people who are unable to send zip files?

          • Comment removed based on user account deletion
        • Comment removed based on user account deletion
        • by donaldm ( 919619 )

          Yes, because there's never a legitimate reason to send/receive executables. My university does this stripping crap and it's annoying as hell. They even yank out archive files. I eventually had to switch to Gmail from the university system, because I would send a colleague a zip file and they would email me back that I forgot to send an attachment (or vice-versa).

          A better option than blindly modifying emails is to look for virus signatures in the files. At least that way, you're only eliminating the things that are known to be harmful.

          Yes we do know that is a a problem but "think of the children" :)

          On a more serious note. The best way is to take off the .exe or .zip or .whatever and send the binary as a simple file or even enclose the binaries in an compressed archive and take off the extension so you can send it. The problem is the person who is going to receive the binary must know how to put it into a format that is usable and it is amazing the number of people who have no idea how to do this even when you explicitly tell them in th

    • by L-four ( 2071120 )

      any modern software

      Is outlook 2000 modern software?

  • by Anonymous Coward

    Sure it's not XP mode?

    I don't run antivirus software in the VM because the VM almost is never up, but I wonder about people using it for significant amounts of time on a non-firewalled system. XP versions before SP1 would get root'd by simply having internet access.

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Re:XP Mode? (Score:4, Informative)

        by rhook ( 943951 ) on Saturday June 18, 2011 @07:21AM (#36484520)

        Stated in those terms, do you see now why it is perfectly feasible that there are computers out there with absolutely no virus checking on them that haven't been updated for nigh-on a decade.

        You wouldn't believe how many systems I have worked on that have anti-virus installed that came with the system but hasn't been updated since the free trial expired. I really wish manufacturers would stop shipping systems with anti-virus software that is only good for 60 days. Almost nobody ever pays for the subscription after the trial expires.

        • Computers should be safe to operate without expensive add on software.

          • Computers should be safe to operate without expensive add on software.

            That's an interesting thought. How about "cars should be safe to operate without expensive add on software / hardware". Guess what? They are! It is the idiot drivers that crash the cars by going too fast in poor conditions, tailgating, and other poor decisions and unsafe usage. This is the same thing as with computers. All major operating systems ship now with security features in place that help to keep users safe. Firewalls (on by default), ASLR, DEP, etc. have become pretty standard. The thing that hasn'

            • the computer user runs untrusted code that was sent to them by strangers

              Then how should code become trusted?

              Often times they "have to install this special video codec to watch [insert celebrity name here] boobs". Not only do they install this "codec", they give it admin rights.

              As I understand it, codec installers require the user to elevate because operating systems' multimedia frameworks offer no easy way to install a codec to a single user's account. Instead, codecs must be installed to the system for all users.

              • They claim you need to install a codec not because you actually need one, but because the vast majority of users have no idea what a codec is. They simply recognize it as some nerd term and take it as fact that they need it if they want to watch the video. The program that gets downloaded probably doesn't install a codec at all. It merely installs the virus. For that matter, the advertised video may not even exist. Sure, the user will get upset when they go though all that work and never get their vide
                • by tepples ( 727027 )

                  the vast majority of users have no idea what a codec is. They simply recognize it as some nerd term and take it as fact that they need it if they want to watch the video.

                  Then how is a legitimate codec, such as Xiph's Ogg codec pack, supposed to distinguish itself from fake codecs like the ones the scammers push?

            • All major operating systems ship now with security features in place that help to keep users safe. Firewalls (on by default), ASLR, DEP, etc. have become pretty standard.

              Buffer overflows in browsers, Flash, PDF readers, media players and more have all become pretty standard too. Merely browsing to a particular web site should not cause a computer to become overrun with malware, but sometimes it can.

            • by sjames ( 1099 )

              Not necessarily. In a car, driving too fast, running a light, tailgating, etc are never appropriate.

              Clicking OK is quite often the correct answer with a computer. You can't install software without it. The computer shouldn't make opening a data file and running an executable look and feel exactly the same.

          • No problem. We'll lock the computer down to the point where you may only install approved applications from an approved source. Sure, there'll be some exploits, but they'll be closed and you'll be forced to update (you automatically get them pushed onto your machine next time you connect to the internet, before any other connections are allowed). If a problem is detected your machine is shut down to prevent it from damaging other machines, the only connection possible is to the approved source and it will s

            • No problem. We'll lock the computer down to the point where you may only install approved applications from an approved source. Sure, there'll be some exploits, but they'll be closed and you'll be forced to update (you automatically get them pushed onto your machine next time you connect to the internet, before any other connections are allowed). If a problem is detected your machine is shut down to prevent it from damaging other machines, the only connection possible is to the approved source and it will stay that way until a fix has been pushed that ensures your machine is safe again.

              Your ideas intrigue me and I would like to subscribe to your newsletter, please sign me up.

              Steve
              Sent from my iPhone

            • by tepples ( 727027 )

              We'll lock the computer down to the point where you may only install approved applications from an approved source.

              Are you referring to video game consoles, where only established companies are approved sources? Or are you referring to iOS, where any Mac owner with $100 a year is an approved source?

          • Tell that to the DOJ
        • Comment removed based on user account deletion
        • by donaldm ( 919619 )

          You wouldn't believe how many systems I have worked on that have anti-virus installed that came with the system but hasn't been updated since the free trial expired. I really wish manufacturers would stop shipping systems with anti-virus software that is only good for 60 days. Almost nobody ever pays for the subscription after the trial expires.

          Yes I would believe since the PC's I have brought came with the wonderful 60 day virus scanner trial. My latest laptop (HP dv7 i7) came with Windows 7 however I just blew it away and installed Fedora 14 (now 15) and I use this machine for home and corporate use.

          Before people say that using a private machine in a corporate environment can aid in espionage I would answer yes it can, but unless the firm you work for provides a corporate machine you have no choice but to use your own. Anyway there are so many

      • I'm not sure if it's true, but i have heard that a lot of the spam is a result of the spammers themselves being scammed. They find some less bright guy running some sort of shady small business and convince him that spam is a legitimate form of marketing. He buys into it and pays to send some spam. Whether or not it works at all, the spammers still make money. Which means that spam will keep going as long as there are no consequences for the spammers and there are stupid people running shady businesses.

    • Comment removed based on user account deletion
    • But you can't just get to xp mode and be an idiot, I doubt it is the cause of this. Also the XP mode VM that comes with win7 Pro and Ult is SP3.

      There are some scenarios where it could be possible to go unpatched for that long and then suddenly get infected:

      Bubba picks up "one o' dem dare computer thingies" from a garage sale. "ain't nebber been on der inter-tubes, momma!" "Plug 'er in, bubba! The tubes man was here and said it's all hooked up!"

      The computer HAS been on the internet for 7 years and has gon
    • Re:XP Mode? (Score:4, Insightful)

      by rvw ( 755107 ) on Saturday June 18, 2011 @10:12AM (#36485318)

      XP versions before SP1 would get root'd by simply having internet access.

      If I run a VM (XP or something else), that VM must have a different ip-address than the host, and to have internet access, there must be some kind of router or routing system. To reach the VM from the internet, port forwarding must be configured. Maybe the host IP is directly accessible from the outside, but the VM is not. Even if no firewalls are active, there is no way that the VM can be infected simply by starting it up and giving it internet access. So for an infection to occur, you need to start a browser to visit a website that infects the OS of the VM. (And of course the host could be infected, and then spread the virus to the local network, but that's something else.)

      So can you explain how this VM will be infected after it started up without doing anything else on the machine?

  • Oh, I see! (Score:4, Insightful)

    by Ross R. Smith ( 2225686 ) on Saturday June 18, 2011 @06:55AM (#36484430)
    The only thing that comes to mind is 'PEBKAC'.
    • Re:Oh, I see! (Score:4, Interesting)

      by Opportunist ( 166417 ) on Saturday June 18, 2011 @09:25AM (#36485062)

      Responsible for about 90 to 95% of all new infections.

      I'm not kidding here, when you look at the current threats, you'll notice that most do not target exploits. Why should they? There is a very good reason not to target exploits but target the big layer-8 exploit sitting in front of the machine.

      1. Exploits get fixed. Users don't.
      2. Exploits are sometimes hard to craft. It's way easier to create a "click here to see the pig dance" executable.
      3. It's easy to adapt social engineering to a new "exploit" (e.g. when a new catastrophe hits, "click here for gory details") rather than adapting an exploit to circumvent AV tools and patches.

      If you're trying to break into a machine, use the biggest security hole that no software maker can ever patch: The user. Since most blanket attempts at phishing don't care whether they hit Joe Random over there or you, it wouldn't even matter if 90% of the users were smart enough not to click, it still wouldn't warrant the additional expense of writing code to exploit a security hole in the system.

  • by geekmux ( 1040042 ) on Saturday June 18, 2011 @07:30AM (#36484562)

    Is this really any surprise to anyone? People still believe that Bill Gates is going to pay you for forwarding email. Most attacks (malware, trojans, viruses, etc.) feed on the ignorance of the average person. It's sad really, but I don't expect anything different 27 years later, much less 7.

    • People still believe that Bill Gates is going to pay you for forwarding email.

      Well, there goes that lucrative 2nd income. I hope Santa doesn't skimp this year, I could really use some money.

  • by Twinbee ( 767046 ) on Saturday June 18, 2011 @08:22AM (#36484778)

    Or alternatively, not have a virus checker at all as it slows down PCs, and misdiagnoses all the time (I don't need it deleting files which I know are NOT a problem).

    Just be careful what sites you visit, do backups (using SyncBack of course) and a system restore will usually solve minor problems.

    • by Opportunist ( 166417 ) on Saturday June 18, 2011 @09:27AM (#36485078)

      And if you drive carefully, what do you need safety belts and airbags for?

      • by Twinbee ( 767046 )

        Safety belts don't choke you to death though, and airbags aren't made of lead.

        • Ok, but I'm a safe and careful driver, so according to your theory I don't need either.

          • by dotgain ( 630123 )

            Ok, but I'm a safe and careful driver,

            That may be true, but you're a careless analogy-maker. Vehicle restraint systems and anitvirus software are utterly dissimilar.

            But let's play your game: How many human lives have been saved as a direct result of antivirus software?

            • Human lives? Contemporize, man, the question is now the damage to the GDP.

              • by dotgain ( 630123 )
                I see what you did there!

                You're bitter about capitalism, therefore any and all hairbrained analogies are valid. Truly, you have a dizzying intellect.

          • But not everyone on the highway is safe or careful. The seatbelt protects you mostly from accidents with other people, not yourself.
            • And not every webpage you frequent is well secured.

              Like in my analogy, your security does not only depend on how well you can handle your machine. You're dependent on others who you interact with. Avoiding shady, dubious pages is no longer a safeguard against infections, pages can be hijacked and they are, I've seen anything from hotel booking pages to phone registers hosting exploits. And since you do not control that page and have no control over its security, and since you won't find out whether it actua

      • The trade-off in performance for the most common used virus-scanning packages is huge and should be taken into consideration. Lately I've used co-workers new laptops that make my 5 year old Pentium-M with Ubuntu seem very fast by comparison. In my experience with helping "friends" (people who find out I work with computers) with their computers, most of them have virus software installed that failed to detect the malicious software. And when I tried to remove it I had to try half a dozen scanners to find
  • by LoudMusic ( 199347 ) on Saturday June 18, 2011 @08:28AM (#36484794)

    If you really want to get people to run virus scanners (without making the scanner a virus itself) you'll have to make it beneficial to the individual. Create some really fun game and buried in the EULA mention that the program does a virus sweep each time it launches.

    Either that or fight fire with fire.

    • Make it like the Linux administration Doom port. Instead of showing running processes as enemies in Doom, make the malware appear as enemy combatants. You and the malware battle it out with either modern or futuristic weapons. Everytime you kill an enemy, that piece of malware gets destroyed. Everytime you lose a battle, the game deletes a random file on your filesystem...

  • Now this is a ridiculous description: "infected computers as part of a civil war between different factions of the Linux community."

  • Why should the average Joe care if a virus creates a DoS attack on Microsoft or SCO? all that he cares about (and he is right to do) is if his computer does the job he wants. If it is too slow, he can always service it or buy a new one.

    Instead of blaming the people actually responsible for the mess (i.e. the developers of the virus or of the operating system that let this happen), it is the users that are blamed? WTF?

  • by GuruBuckaroo ( 833982 ) on Saturday June 18, 2011 @01:14PM (#36486254) Homepage
    2004? Pfft. My IDS is still showing probes from the Blaster Worm, that was 2003.
    • My IDS is still showing probes from the Blaster Worm, that was 2003.

      Not bad, but I'm waiting for somebody to chime in that they just got the "I love you!" email.

  • I think some ppl should make a mimic my doom virus that simple informs the ppl
    they need to patch and until then their tcp/ip files have been removed.

    Gets them off the network and educates them.

    • I think some ppl should make a mimic my doom virus that simple informs the ppl they need to patch and until then their tcp/ip files have been removed.

      Gets them off the network and educates them.

      I think most users would find it hard to patch their system if they no longer have network access to do it.

  • Update once every 5 years. Got it. Cheers.

  • This virus has accomplished what no one else has managed on the Windows Platform. Backward Compatibility. 7 years and running!
  • by Anonymous Coward

    Just create a modified MyDoom to format the machines after one month of being infected, you will find less machines getting infected after that.

Genius is ten percent inspiration and fifty percent capital gains.

Working...