Slashdot Mirror


More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

730 comments

  1. Off Track by andyrut · · Score: 5, Insightful

    It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

    While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

    Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
    MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

    1. Re:Off Track by B'Trey · · Score: 4, Insightful

      It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of its progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't at all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

      This is, of course, a worst case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    2. Re:Off Track by FortKnox · · Score: 4, Insightful

      Target Microsoft systems and leave Linux machines alone.

      I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.

      To say it's because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    3. Re:Off Track by southpolesammy · · Score: 5, Insightful

      As I said a couple of days ago, the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

      It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.

      --
      Rule #1 -- Politics always trumps technology.
    4. Re:Off Track by Anonymous Coward · · Score: 0
      Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it

      Or maybe, just maybe they go after Windows boxes and not Linux because virtually 100% of the desktops out there are running Windows. Who outside of Slashdot would notice a Linux only virus?

    5. Re:Off Track by Jonathan+the+Nerd · · Score: 5, Funny
      How dumb do you have to be to actually think this malware was created by Linux zealots?

      How dumb do you have to be to infuriate the entire Open Source community by claiming you own Linux and trying to license it for $699 per CPU?

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    6. Re:Off Track by Popageorgio · · Score: 2, Interesting
      After all, it doesn't target Mac users either, and the new anti-Microsoft.com DOS attack of MyDoom.B would fit the intentions of a Mac activist. But I haven't seen anyone accuse Mac users. All the evidence is circumstantial.

      Except-

      The SCO DOS attack (geez, the TLAs are bumping and grinding today) suggests the pro-Linux link. Does any other faction have a beef with Darl?

    7. Re:Off Track by RyuuzakiTetsuya · · Score: 1

      not very. Besides, what if this was just the work of some stupid stupid stupid script kiddie who didn't like SCO?

      --
      Non impediti ratione cogitationus.
    8. Re:Off Track by Anonymous Coward · · Score: 0

      How is this modded insightful? I've heard and seen what both these can do, and as stated above MyDoom might not do what it seems it's supposed to do at all, and there is nothing all that special about them. Blaster was based on published problems and this one requires the user to open an attachment, just like *every* other worm and virus.

      So where is this ingenuity?

      A trained monkey could turn a bunch of zombie systems on SCO's site, but only an idiot would really think that that tactic was going to be a smoke screen to people who look for the sources of these all day. They follow the infection back to trace where it began, not look at what it does or doesn't do.

      In the end, there is nothing ingenious or even special about this one, it's just one more in a long line of e-mail worms, and anything ingenious was done a long time ago.

    9. Re:Off Track by wmajik · · Score: 1

      Throwing geeks off track is damn dirty business!

      Case in point that last email virus I got.. what was it called... oh yes:

      MyDuke3D - Hate deadlines, Love Hype? Keep repeating 'Forever!' until people start thinking 'Whenever!'

      :)

    10. Re:Off Track by Junks+Jerzey · · Score: 2, Insightful

      It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...

      Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.

    11. Re:Off Track by The+Analog+Kid · · Score: 2, Funny

      Because I'm sure framing someone else is such an ingenious original idea. Now if someone made a virus that changed your background to a picture of the goatse.cx man, well that would truly be ingenious.

    12. Re:Off Track by pegr · · Score: 5, Funny

      I certainly hope the author wasn't a Linux zealot trying to harm SCO.

      Especially when they're doing such a fine job all by themselves! ;)

    13. Re:Off Track by MarkusQ · · Score: 1, Insightful

      Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.

      Made for themselves?

      This is a classic case of blame-the-victim. Someone gets maligned in the press, slandered by corporate greed machines, and somehow this is because of "the reputation [they] made for themselves?"

      I suppose your next line will be that they were "just asking for it" because of the way they were dressed.

      -- MarkusQ

    14. Re:Off Track by Anonymous Coward · · Score: 0

      Whether or not this virus was created by Linux-zealots doesn't matter. The fact that the majority of Linux-zealots that I've spoken to (including reading posts on this site) think the fact that the virus is targeting SCO is a GOOD thing makes me put part of the blame on the Linux-zealots here and across the world.

      It's like with a little kid, when they throw a tantrum if you always run over to them and do whatever it takes to make them stop they'll ALWAYS throw tantrums. But when you just ignore them they eventually stop and grow out of it.

      The fact that you guys are publicly going around saying what this virus does is a good thing is going to only feed these f***ers even more. Plus it'll make others think "wow, everyone will love it if we make a virus that targets so-and-so."

      Linux/Open-Source lovers are all about "working together" and "bettering ourselves as a community". How about getting together and tracking these guys down instead of sitting here and blabbing about how you guys hope that this shows SCO just how much they're hated. Cause they're not just DDOSing SCO, they're also killing YOUR ISP's bandwidth and annoying the hell out of everyone.

    15. Re:Off Track by exhilaration · · Score: 1

      Damn, I knew I should've saved that image!

    16. Re:Off Track by Morosoph · · Score: 1

      Simpler explanation: MyDoom creators are seeking help from OS fans to spread their worm.

      As in "hey, cool, I've got the MyDoom virus; I'll let it run for a little while longer before wiping it".

      Result: more hacked systems to act as open relays with keyloggers to pick up bank details...

      This virus is cunning in other ways, such as how it shares on Kazaa; why not appeal to those who'd give it a helping hand in DDOSing SCO?

    17. Re:Off Track by Anonymous Coward · · Score: 0

      then why would they need keyloggers, open mail relays and proxies?

    18. Re:Off Track by Anonymous Coward · · Score: 0

      Get people to look somewhere else while you do your dirty work sight unseen.

      Works great for foreign policy too!

    19. Re:Off Track by raz2 · · Score: 0

      What's with all those conspiracy theories. Someone wrote a virus, someone apparently had a bad experience with SCO, maybe they don't even really know what the issue is, maybe they picked SCO out randomly, maybe they thought "S C O" sounded as a nice target, maybe they're wannabe Linux nerds, and what not, I could go on for a while.

      I fail to see the big deal here, apart from that it spreads really fast and clogs up my upstream bandwidth. All the fancy stories behind "why it was written" and "for what purpose" are speculations, and we again see how much of an impact one rumour can have on a whole bunch of people who just want to believe something.

      --
      -raz
      "I shoot troubles with a jackhammer"
    20. Re:Off Track by insensitive+claude · · Score: 2, Insightful

      Malware author != script kiddie

    21. Re:Off Track by Anonymous Coward · · Score: 0

      So they can attack their blood enemies on various IRC channels, of course.

    22. Re:Off Track by homer_ca · · Score: 1

      "Who outside of Slashdot would notice a Linux only virus?"

      Try all those web servers on the Internet. Apache servers outnumber IIS servers by a big margin, and most of them run Linux.

    23. Re:Off Track by mindbooger · · Score: 2, Interesting

      Exactly! Have you noticed that the last 3 or 4 of these outbreaks (at least!) have installed backdoors or keystroke loggers and all anyone will talk about is the SPAM and DDOS aspects of them? Aargh!

      "There's an arsonist running loose, and he keeps stepping on people's flowers as he runs away. Oh, the poor flowers. Won't somebody think of the flowers....."

    24. Re:Off Track by PCM2 · · Score: 1
      It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.
      Are you really implying that law enforcement might think Eric S. Raymond or Miguel De Icaza wrote this virus? Because, if not, who is this "Linux community" you think your average FBI agent is aware of? And is it really throwing them off the scent if, failing to view the Linux community as a scapegoat, they would be forced to search amongst the "hacker community"?
      --
      Breakfast served all day!
    25. Re:Off Track by vanyel · · Score: 4, Insightful
      I certainly hope the author wasn't a Linux zealot trying to harm SCO.

      Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

    26. Re:Off Track by bfg9000 · · Score: 2, Funny

      I'm still laughing at SCO's offer to pay a $250,000 reward to whoever can catch the MyDoom author. It's a bit like OJ offering $250,000 for the arrest of his wife's killer....

      --

      I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

    27. Re:Off Track by lighting · · Score: 1

      Actually, the correct spelling is virii according to "Webster's New Collegiate Dictionary" By the way... the worms rely on security holes to spread. If there were no security holes the worms wouldn't be able to spread (of course that means getting rid of 99% of computer users, but...)

      --

      If IY was a PC:
      [InuYasha]~$ sit
      /bin/sh: command not found

    28. Re:Off Track by iminplaya · · Score: 1

      "...send that data back to some collector site..."

      --
      What?
    29. Re:Off Track by Anonymous Coward · · Score: 0

      Ha! Of course it wasn't Linux users... they don't have the skills to write a virus like this.

    30. Re:Off Track by pantycrickets · · Score: 1

      Try all those web servers on the Internet. Apache servers outnumber IIS servers by a big margin, and most of them run Linux.

      Most, not all, viruses require user intervention to spread. How many Linux desktops are there vs. Microsoft desktops?

    31. Re:Off Track by Anonymous Coward · · Score: 0

      Now if they can only get a bazillion Linux production server admins to run untrusted code at the same time. It seems that finding windows users is probably easier.

    32. Re:Off Track by vsprintf · · Score: 1

      Now if someone made a virus that changed your background to a picture of the goatse.cx man, well that would truely be ingenious.

      No, that would be truly disgusting, and only a company that sells keyboards would do such a thing. There's just no way to clean barf out of a keyboard. I'm sure there are other people who unwittingly clicked on the goatse link and can confirm it.

    33. Re:Off Track by Anonymous Coward · · Score: 1, Interesting

      I seriously believe that SCO might have hired a Russian spammer to do this.

      SCO got more publicity today than it has in months at a time when their case was running out of steam.

      Their stock also went up a couple of times today before the whole market took a dive.

    34. Re:Off Track by Anonymous Coward · · Score: 0

      Actually, the correct spelling is virii according to "Webster's New Collegiate Dictionary"

      Bull freakin crap. I defy you to find a link to prove that. While you are at it, explain these:
      http://www.yourdictionary.com/ahd/v/v0118100.html
      http://dictionary.reference.com/search?q=virus

      By the way... the worms rely on security holes to spread. If there were no security holes the worms wouldn't be able to spread

      Bull freakin crap. The emails trick users into launching executables. What- you don't think that an executable running on a Linux machine can send 100 emails in 30 seconds to people in your kMail address book? There is no security hole being exploited, only dumb users executing untrusted code.

    35. Re:Off Track by Anonymous Coward · · Score: 0

      so you are saying that a script kiddie couldn't write a program to propagate itself when moron users run exe files inside a zip file? You either have a really high opinion of people who write this crap, or a really low opinion of script kiddies. I don't see why you think they cannot be the same.

    36. Re:Off Track by coopaq · · Score: 0, Offtopic
      That idea has a big hole in it and it stinks!

      Such an open site shouldn't be denied service.

      Most of /. really don't want to stick it too bad to that site.

      Bah dum bum!

    37. Re:Off Track by Obyron · · Score: 1

      Because HE's a malware author, you insensitive clod!

      --
      --Obyron
    38. Re:Off Track by cubic6 · · Score: 1
      --
      Karma: Contrapositive
    39. Re:Off Track by The+Real+Chrisjc · · Score: 1

      More to the point, how many worms such as this would spread through the Linux community with user-intervention? I mean, does your average geek run anything without knowing specifically what it is?
      Your average user doesn't necessarily have the knowledge not to run an email attachment, or get enticed by an Anna Kournikova picture?
      What I'm trying to say is that there are probably more ignorant people running windows that end up spreading the virus as opposed to the Linux community which is much more computer-literate than the windows community.

    40. Re:Off Track by Sj0 · · Score: 1

      The articles yesterday were in newsweek. If the average american didn't read that, odds are the word SCO means dickall to him as well.

      --
      It's been a long time.
    41. Re:Off Track by Sj0 · · Score: 1

      Hey moron, it's a freakin' BOOK. Would you like me to explain why you can't hyperlink to a book? It'll cost you 1000 bucks. Cash, not playpal, please.

      --
      It's been a long time.
    42. Re:Off Track by cujo_1111 · · Score: 1

      However, the average linux user would get enticed by a Natalie Portman picture... Especially if hot grits were mentioned in the email too.

      --
      If I point out that you are incorrect, making me a foe does not make you any more correct.
    43. Re:Off Track by kkerwin · · Score: 2, Interesting

      But what the virus does do is shed light on the SCO v IBM controversy. Anyone heard anything about SCO on NBC? How about MyDoom? It's all over the place. While it certainly does little to aid our cause, and probably more to hinder it, it does make the general public aware of it. -- Kris

      --
      Kris Kerwin kkerwin@insi__REMOVE_ME__ghtbb.com
    44. Re:Off Track by Ironica · · Score: 1

      Hey moron, it's a freakin' BOOK. Would you like me to explain why you can't hyperlink to a book?

      I can link to all kinds of books. What's so difficult about that?

      --
      Don't you wish your girlfriend was a geek like me?
    45. Re:Off Track by LnxAddct · · Score: 5, Interesting

      Why is everybody looking at this so negatively? I've got tons of people finally talking to me about what this Linux thing is that they've heard me mention and that they saw in the newspaper today. In the past 3 days I've gotten probably about 40 people interested in Linux who had never known about it before. Most are corporate types too. These are people that barely know what a hard drive is for, and here I am explaining not only what Linux is, but the whole Open Source movement and how great it is. This is great publicity! Didn't anyone ever hear "Any publicity is good publicity."? The media finally has their story straight about what scum SCO is and I'm seeing Linux on the front page of my local newspaper! This is great for the community. Linux is in the press and the media is making a mockery of SCO, and people are finally interested in Linux that never would have been before. And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.
      Regards,
      Steve

    46. Re:Off Track by Sj0 · · Score: 1

      I laughed when I read that, but it's so true....I'm scared. Even the geeks are blind these days. ;)

      --
      It's been a long time.
    47. Re:Off Track by rgriff59 · · Score: 2, Insightful
      I'm not a Doctor, and I don't play one on TV, however, my wife is an RN and is working on a FNP. As such, she has lots of wonderfully definitive medical reference books. According to both Taber's Cyclopedic Medical Dictionary, 19th edition and The Merck Manual, 17th edition, it is absolutely and without doubt "viruses." If the medical community says so, that trumps Webster's and /.'ers.

      As far as being off track (not unlike this virus plural rot in a story about a worm) wouldn't it be funny to have someone claim SCO's $250,000 bounty for a worm that never would have caused them harm?

    48. Re:Off Track by ticklemeozmo · · Score: 1

      Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com."

      I love it! Not only does SCO not get DDOS'd.. but if any information leading to the arrest of the author gets back to SCO, they are out 250K!!! HAHAHA!

      --
      When modding "Informative", please make sure it both has a source and IS actually informative.
    49. Re:Off Track by Anonymous Coward · · Score: 4, Informative

      Just key stroke loggers?

      Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).

      At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.

      Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.

      And ... try one of the purchase links at www.oem-sale.biz (pirate software - another vector, for if you get this operation's provided software, an operation running on trojaned machines, would you install it?). Say,
      http://www.oem-sale.biz/cgi-bin/order.pl?iid=12&mid=2
      and watch carefully what happens.

      HTTP/1.1 302 Found
      Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid=[varies]&mid=2

      And that gets a new redirection:

      HTTP/1.1 302 Found
      Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[varies]&mid=2&ipaddr=[victim's_IP_address]&ipaddrdc=[tracking_tag]

      One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.

      Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would ... what?

      Continue to do so, as long as they get paid.

      domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars ... well, this has been going on for quite awhile. ICANN has been informed, directi and domaindiscover have been informed and on and on it goes.

      (nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover

      oem-sale.biz, registrar directi.com

      and they know, have been informed over and over and over and over ...)

      If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.

      Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.

      Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
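    Added example (not part of the comment above, and not a tool from any of the operations or registrars it names): a small Python tracer that fetches each hop of a redirect chain itself instead of letting the client auto-follow, records every Location header, and flags hops served from a bare IP address or carrying the client's own address in the query string, which is the bounce-and-stamp pattern described in the comment. The hostnames, addresses, path names and parameter values in the sample table are constructed documentation values, not the ones quoted in the post; `live_fetch` is included for real use but is not exercised offline.

```python
"""Walk an HTTP redirect chain one hop at a time.

A browser or auto-following client hides the intermediate 302s; fetching
each hop yourself records every Location header, so a brief bounce through
a third host (here a bare IP) that stamps the client's own address into the
query string becomes visible.  The fetch function is pluggable: the offline
table below is a constructed stand-in for the network.
"""
import http.client
import ipaddress
from urllib.parse import parse_qs, urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample chain (hypothetical hostnames, documentation-range IPs,
# made-up parameter values).  Shape mirrors the chain quoted in the comment:
# shop -> bare-IP logger -> back to shop with ipaddr/ipaddrdc appended.
SAMPLE_RESPONSES = {
    "http://shop.example/cgi-bin/order.pl?iid=12&mid=2":
        (302, {"Location": "http://192.0.2.10/cgi-bin/c/check.pl?iid=12&aid=77&mid=2"}),
    "http://192.0.2.10/cgi-bin/c/check.pl?iid=12&aid=77&mid=2":
        (302, {"Location": "http://shop.example/cgi-bin/order.pl"
                           "?iid=12&aid=77&mid=2&ipaddr=198.51.100.7&ipaddrdc=t9"}),
    "http://shop.example/cgi-bin/order.pl?iid=12&aid=77&mid=2&ipaddr=198.51.100.7&ipaddrdc=t9":
        (200, {}),
}


def sample_fetch(url):
    """Offline stand-in: return (status, headers) for a known URL, else 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def live_fetch(url, timeout=10):
    """Single real request that does NOT follow redirects (urllib would).
    Plain http only for brevity; not exercised in the offline run."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.netloc})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


def host_is_bare_ip(url):
    """True when the URL's host is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def trace_redirects(start_url, fetch=sample_fetch, max_hops=10):
    """Return hops as [{url, status, location}], stopping at the first
    non-redirect response, a redirect loop, or max_hops."""
    hops, seen, url = [], set(), start_url
    while len(hops) < max_hops:
        seen.add(url)
        status, headers = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        nxt = None
        if status in REDIRECT_STATUSES and location:
            nxt = urljoin(url, location)          # resolves a relative Location too
        hops.append({"url": url, "status": status, "location": nxt})
        if nxt is None or nxt in seen:            # end of chain, or a loop
            break
        url = nxt
    return hops


def analyze_chain(hops, client_ip):
    """Flag hops served from a bare-IP host and hops whose query string
    carries the client's own address (the tracking pattern in the post)."""
    findings = {"hosts": [], "bare_ip_hosts": [], "ip_leak_hops": []}
    for i, hop in enumerate(hops):
        parts = urlsplit(hop["url"])
        if parts.hostname not in findings["hosts"]:
            findings["hosts"].append(parts.hostname)
        if host_is_bare_ip(hop["url"]) and parts.hostname not in findings["bare_ip_hosts"]:
            findings["bare_ip_hosts"].append(parts.hostname)
        if any(client_ip in vals for vals in parse_qs(parts.query).values()):
            findings["ip_leak_hops"].append(i)
    return findings


if __name__ == "__main__":
    chain = trace_redirects("http://shop.example/cgi-bin/order.pl?iid=12&mid=2")
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop['status']} {hop['url']} -> {hop['location']}")
    print(analyze_chain(chain, "198.51.100.7"))
```

    To run it against a real chain, pass `live_fetch` as the `fetch` argument and your own public address as `client_ip`; the point of the pluggable fetcher is that the chain is never auto-followed, so the short-lived hop through the logging host is recorded rather than collapsed into the final page.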

    50. Re:Off Track by gcaseye6677 · · Score: 1

      Maybe that would finally motivate everybody to install anti-virus software and keep it updated.

    51. Re:Off Track by Daengbo · · Score: 1

      Have you ever gotten bitten by a goatse troll? If so, you obviously clicked on something with out(sic) knowing specifically what it is.

    52. Re:Off Track by Anonymous Coward · · Score: 0

      So just exactly how do you propose that this trojan would help SCO loose their court case?

    53. Re:Off Track by JPriest · · Score: 1

      Yes, but have they provided any evidence yet? My opinion is that I don't have an opinion till I see the evidence from SCO.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    54. Re:Off Track by Sj0 · · Score: 1

      looks like a link to a website about books to me.

      --
      It's been a long time.
    55. Re:Off Track by swv3752 · · Score: 1

      There were some allegations on cnn.

      --
      Just a Tuna in the Sea of Life
    56. Re:Off Track by RML · · Score: 2, Interesting

      My mom is a molecular biologist who works on viruses for a living, and I've worked with molecular biologists before. Let me assure you that if you said "virii" in a scientific conference you would be laughed out of the room.

      In my opinion it might be acceptable to use "virii" for computer viruses. If we can pluralize "box" as "boxen", why not. But it's definitely not the standard plural of "virus".

      --
      Human/Ranger/Zangband
    57. Re:Off Track by TKinias · · Score: 1

      scripsit vanyel:

      Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

      Even if it really is a Linux zealot who wrote this, having the free software community offer a bounty would send a strong message than we unequivocally condemn this sort of behaviour.

      --
      In principio creauit Linus Linucem.
    58. Re:Off Track by swv3752 · · Score: 1

      I have a Biotechnology degree, have actually genetically engineered virii. I will admit that "viruses" is the more common and accepted spelling. Though the term "phage" is used a lot too.

      --
      Just a Tuna in the Sea of Life
    59. Re:Off Track by Anonymous Coward · · Score: 0

      Some of us DON'T disapprove. Really, why should we care about honour, when SCO has none.

    60. Re:Off Track by swv3752 · · Score: 1

      Or maybe the Health Profession. I was at work (in an open cubicle farm) the first time I clicked that link. I thought I was going to have a heart attack as I was frantically trying to close the link before someone looked up and noticed.

      --
      Just a Tuna in the Sea of Life
    61. Re:Off Track by Anonymous Coward · · Score: 0

      I think the SCO court case is "loose" enough. This malware attack won't loosen it anymore. Nor will it tighten it any.

      Please learn how to spell "lose" if that's what you mean to say.

      And, yes. I AM an insensitive clod when it comes to mizspelinks of common words such as this.

    62. Re:Off Track by magores · · Score: 2, Insightful

      I propose the theory that a Linux virus would actually succeed quite well.

      My reasons for thinking this are:

      1) For every 100 linux users, I suspect that ~40% of them are people that are currently "dabbling" in linux. These users are as new to linux as "Grandma Gertrude" is to Windows.

      2) Of the 100 linux users mentioned, I would guess that ~75% have never done more than glanced at the source code for any given program, much less the kernel. Give these users two pieces of code to run. They are just as likely to run the "bad code" as they are the "good code".

      3) I think most would agree that the linux kernel is "safer" than a Windows system. But what about all the programs that get installed on top of (over?) the linux kernel? Many reports are released daily about buffer overflows, etc that affect these programs. Taking the hypothetical 100 linux users I mention above, I would venture that at most 25% of these people apply the patches in a reasonably short time frame.

      4) Windows is targeted because it is common. The structure/implementation of Windows "probably" lends itself to the ease of compromising it. However, I venture the guess that a sufficiently motivated malware author (notice I didn't say hacker) could construct an exploit that would cripple many of the linux boxes owned by the people that I mention in 1, 2, and 3.

      All I'm really saying is: The Linux Community should make sure it doesn't say, "Bring it on!" Because, the bad guys WILL.

    63. Re:Off Track by buttahead · · Score: 1

      because without honor victory is anti-climactic, to say the least.

    64. Re:Off Track by Anonymous Coward · · Score: 0

      Maybe that will finally motivate people to install Linux and forget about all that mess. ;-)

    65. Re:Off Track by stfvon007 · · Score: 1

      Because if we dont, Then we are no better than they are.

      --
      All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
    66. Re:Off Track by elveu · · Score: 1

      This isn't just about honor though. MyDoom is inconveniencing and costing millions of people who are in no way involved with SCO, which if we encourage would make us worse than them.

    67. Re:Off Track by berzerke · · Score: 1

      looks like a link to a website about books to me.

      Alright, if you really want to get technical, here is a link to a book, Baby Mine by Margaret Mayo, chosen at random from Project Gutenberg. Happy Reading!

    68. Re:Off Track by coopaq · · Score: 0
      Thanks. Every time someone links to that lame 3 key
      ctrl-alt-del keyboard they get modded as
      +5, Funny As All Hell!

    69. Re:Off Track by caluml · · Score: 1

      What would be pretty effective is if all the emails were sent from sales@sco.com. The return bounced emails, and the n00bs complaining would pretty much render that address useless as well as clog up their mail servers.

    70. Re:Off Track by LittleBigLui · · Score: 3, Funny
      ...free software community offer a bounty


      I offer 15 lines of code. From System V. :)
      --
      Free as in mason.
    71. Re:Off Track by mpe · · Score: 1

      It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

      It's also perfectly possible that the authors are SCO or employed by SCO.

    72. Re:Off Track by tehcyder · · Score: 2, Funny
      Didn't anyone ever hear "Any publicity is good publicity." ?
      Brilliant! In other news:

      "Linux responsible for SARS virus"

      "Linus Torvalds is Antichrist, confirms Pope"

      "Open Source developers are sheltering Osama bin Laden, says Pentagon".

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    73. Re:Off Track by Anonymous Coward · · Score: 0

      And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.

      Well it certainly affects Linux. I don't go near Windows, but my inbox has been inundated with crap.

      I think it's better to state that it doesn't infect anything but Windows (Linux isn't a special case of immunity).

    74. Re:Off Track by idamaybrown · · Score: 1

      You mean that there are no Russian Linux zealots who hate SCO and MS?

    75. Re:Off Track by Flingles · · Score: 1

      Does this mean I have to pay double for a dual processor computer? Imagine a beowulf clust...

      --
      Karma: -2^0.5 . Mainly due to the imbibing of dihydrogen monoxide
    76. Re:Off Track by horza · · Score: 1

      Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

      You can. I'm not taking personal responsibility for millions of individuals just because they happen to also be interested in writing software. I'll just let the police do their job.

      Phillip.

    77. Re:Off Track by FortKnox · · Score: 1

      You may have a technology background, but you apparently failed English

      Duh. I'm an engineer, not an English major.

      And I just checked it, it is virii.

      And don't say "YHBT" 'cause it's just a cover for your own stupidity.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    78. Re:Off Track by Anonymous Coward · · Score: 0

      Sorry Steve, I have to disagree. This type of publicity is only going to re-affirm many people's belief that the OSS / Linux community is a group of anti-social extremist geeks, who don't mind using tactics like this to hurt their enemies.

      Nothing good can come from this type of cowardly attack.

    79. Re:Off Track by Sj0 · · Score: 1

      A link to a text file?

      --
      It's been a long time.
    80. Re:Off Track by William+Tanksley · · Score: 1

      Why would you use the pluralization virii, though? It's not an English pluralization, and it's not a Latin one either. In Latin the word virus is defectively plural; it's a mass noun, always used in an uncountable manner.

      -Billy

    81. Re:Off Track by Anonymous Coward · · Score: 0

      You just checked? Where? Not a single dictionary out there agrees with you. Or maybe you asked some of your friends on alt.sweatygeek.dumbquestions. Yeah, that's pretty conclusive.

    82. Re:Off Track by Syrrh · · Score: 1

      I believe it. I'm guessing vulnerability-wise, Linux today is comparable to how Windows 3.1 was. Though a *nix virus would have trouble propagating as a worm or e-mail attachment, an old-fashioned trojan would work quite well.

      As an added weakness to what you've mentioned, there's also a common failing among new users to read documentation when they have problems. As long as someone will hold their hand, they'll willingly do just about anything a 'mentor' asks. Install this RPM. Trust me.

    83. Re:Off Track by meznak · · Score: 1

      Actually, Blaster was never pointed at Windows Update directly. Its target was windowsupdate.com which redirected to windowsupdate.microsoft.com. MS simply stopped the redirection for a while.

      --
      Evil is the money of all root.
    84. Re:Off Track by Anonymous Coward · · Score: 0

      "Any publicity is good publicity."

      Tell that to Hitler.

    85. Re:Off Track by Anonymous Coward · · Score: 0

      either that or you are a pervert

  2. I knew it... by Anonymous Coward · · Score: 0, Funny


    .. believe the worm was put out for criminal profit motives ..

    So it was SCO!

  3. McBride interview by BWJones · · Score: 5, Insightful

    I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

    --
    Visit Jonesblog and say hello.
    1. Re:McBride interview by vladkrupin · · Score: 3, Insightful

      I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.

      --

      Jobs? Which jobs?
    2. Re:McBride interview by haystor · · Score: 5, Funny

      Bah!

      The virus is closed source and runs on Windows. It clearly has nothing to with the GNU/Linux.

      Hehe, insert joke about BSD catching a virus...

      --
      t
    3. Re:McBride interview by Vagrant · · Score: 3, Funny

      SCO is the dark side of the open source movement.
      Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."

    4. Re:McBride interview by Anonymous Coward · · Score: 0

      Hehe, insert joke about BSD catching a virus...

      How could it? It's dead.

    5. Re:McBride interview by ananke · · Score: 4, Informative

      Ironically, open source seems to be helping to stop that. Here's my story:

      I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.

      Thanks to open source, we were able to avoid contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.

      --
      --- d'oh
    6. Re:McBride interview by Anonymous Coward · · Score: 0
      "What we are seeing here is the dark side of the open source movement"

      Oh yes, I see it's all the linux community's fault. This would mean that all the previous worms were written by "the microsoft community", after all many were coded in VB which would only ever be learned if you were coding for windows. Obviously people who use Microsoft products are terrorists. Thanks Darl, it's all so much clearer now!

    7. Re:McBride interview by Anonymous Coward · · Score: 0

      stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that.

      Quoting someone (using quotation marks even) and then saying "or something very close"...

      Which is it?

    8. Re:McBride interview by Anonymous Coward · · Score: 0

      Um, just because there are more important things in the world doesn't mean that the SCO situation is unimportant. Just because heart disease kills more people than any other disease, does that mean we should stop trying to find cures for those other diseases? (Yes, I know, IHBT.)

    9. Re:McBride interview by Pakaran2 · · Score: 1

      And here I thought the virus was being distributed in binary form only.

      Does it contain pirated SCO Unix code? If it doesn't work properly, this is a possibility that we must consider.

    10. Re:McBride interview by kfg · · Score: 1

      So, wouldn't that make Robert Morris the younger's UNIX worm the dark side of Closed Source/UNIX users?

      The concepts simply have no logical connection. Of course most voting records demonstrate the willingness of the majority to accept such "logic," so Darl's statements might have some effect among those who don't note by his other pronouncements that he's a raving looney.

      KFG

    11. Re:McBride interview by Popageorgio · · Score: 3, Funny

      Darth: "I am your father."
      Linus: "Hell no, you're just a desperate old fart who's jealous of my DNA and wants to take some credit for it."
      Darth: "Shit."

    12. Re:McBride interview by ayden · · Score: 1
      Choice quote from the LA Times (requires subscription)
      "We have our suspicions" that a Linux enthusiast is to blame for MyDoom, Stowell said.

      But Eric Raymond, a leader of the Linux movement, said SCO's suspicions were misplaced. "If one of our guys had written it," he said, "the thing would be much harder to track and much more devastating."
      --
      "I'm The Bounty Bear. I will find him anywhere. I'm searching."
    13. Re:McBride interview by Anonymous Coward · · Score: 0

      BSD is not dead, its dying

    14. Re:McBride interview by muckdog · · Score: 2, Informative

      Aahh, does SCO Linux ring a bell? How about SCO as a founding member of United Linux? They were a part of the open source movement. They turned to the dark side just like Vader in a search for more Money ^H^H^H^H^H Power.

    15. Re:McBride interview by AndroidCat · · Score: 1

      According to the article, someone tried to coax MyDoom into action but was unable to: "I have played with the date, etc, but still no activity directed toward www.sco.com" It'll be interesting to see if it really will DDoS SCO February 1st or if it's a red herring. If Darl thinks he's being attacked by giant worms right now, perhaps it's just a drug reaction?

      --
      One line blog. I hear that they're called Twitters now.
    16. Re:McBride interview by Unregistered · · Score: 1

      Linus: If you strike me down i will become more powerful than you could ever imagine.

    17. Re:McBride interview by prandal · · Score: 1

      ClamAV had the patterns for MyDoom at 22:00 GMT the day MyDoom appeared. McAfee's updates appeared on our mail gateway 6 hours later (we update hourly).

      Furthermore, ClamAV detected the B variant straight away, McAfee needed tonight's 4320 DATs.

      Well done, ClamAV team.

    18. Re:McBride interview by Anonymous Coward · · Score: 0

      because of the virus!

    19. Re:McBride interview by Drantin · · Score: 1

      "meet your destiny" ?

      destiny is supposed to be something inevitable, and it doesn't necessarily mean death, it just means something that's going to happen ...

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
    20. Re:McBride interview by Aguila · · Score: 1

      Don't mention that to Darl McBride. Next we'll see a press release from SCO stating that Open Source antivirus software had virus definitions for mydoom up first, and the "obvious" (to SCO) explanation. Clearly, this proves the virus was written by the Open Source community, who included it into their antivirus engine when they released it. What else could explain Clamav having the definitions before the commercial antivirus companies?

    21. Re:McBride interview by BiggerIsBetter · · Score: 1

      Yep. Amavis-New on Postfix with NOD32 and SpamAssassin for us.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    22. Re:McBride interview by Flwyd · · Score: 2, Funny

      You may modify and redistribute this virus however often you like, so long as you include the source code. If you do not share the source code, you may not redistribute this virus.

      Sounds like a pretty sweet deal to me. No wonder Linux systems aren't hit very often; viruses violate the GPL.

      --
      Ceci n'est pas une signature.
    23. Re:McBride interview by Mr2cents · · Score: 1

      Due to popular demand, the MyDoom virus is currently being ported to linux and will be available as a loadable kernel module in the next kernel release. 8-)

      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
    24. Re:McBride interview by thelenm · · Score: 1

      This morning a local Utah radio station was playing McBride sound bites trashing the Linux community, too. And it was made painfully obvious that nobody had a clue what this whole thing is about, since immediately after the clips, a newscaster reported that "SCO is suing Microsoft because they say Microsoft copied a program called Unix and renamed it Linux". (pronounced LYE-nucks)

      I've written to the station to point out the fact that almost every syllable in that report was incorrect. But I have to think that Darl loves this virus, since it gives him more opportunity to take unchallenged potshots at the Linux and Open Source community on TV and radio.

      --
      Use Ctrl-C instead of ESC in Vim!
    25. Re:McBride interview by jwlidtnet · · Score: 1

      I'm fairly new to this entire thing, but isn't the point that there was an "old" SCO, and this new company just happened to change its name?

    26. Re:McBride interview by vladkrupin · · Score: 1

      United what?

      --

      Jobs? Which jobs?
    27. Re:McBride interview by Anonymous Coward · · Score: 0

      Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

      Yes, and what was it exactly you were seeing there on TV? Darl McBride, no?

    28. Re:McBride interview by Anonymous Coward · · Score: 0

      Yes, using anti-virus at the external smtp gateway is a good thing. *But* the external smtp gateway should be dropping emails with windows executables (.pif, .cmd, .bat, .exe, .scr, etc) as attachments (zipped or not).

      My external gateway does that and it was stopping mydoom at 1300 EST (several hours before any real news about mydoom was out). Note: only emails with .exe attachments get a bounce-back message but I've had to stop that because of mydoom.
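A gateway-side filter of the kind the poster describes, written here as an added example (it is not the poster's setup or any product's code): it walks the MIME parts of a message, flags Windows executable attachments by extension, looks inside zip archives without extracting them, and drops offending mail without a bounce, since the sender address of a mass-mailer is forged. The extension list beyond the ones named in the comment, the sample messages and the addresses are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the comment lists plus .com and .vbs; the exact set is an
# assumption and should follow local policy.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com", ".vbs")


def is_executable_name(filename):
    """True if the (case-insensitive) file name ends in an executable extension."""
    return (filename or "").lower().endswith(EXECUTABLE_EXTENSIONS)


def executables_in_zip(data):
    """Names of executable-looking members inside a zip archive.

    Only the archive directory is read; nothing is extracted, so a large or
    nested archive costs little and a corrupt one is simply reported empty.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        return []


def find_executable_attachments(raw_message):
    """Walk every MIME part of a raw message and return offending names,
    e.g. ['document.exe'] or ['document.zip:document.exe']."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(filename):
            hits.append(filename)
        elif filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            # Look inside archives too: a zipped .exe is still an .exe.
            hits.extend(f"{filename}:{m}" for m in executables_in_zip(payload))
    return hits


def gateway_decision(raw_message):
    """Return ('reject', hits) or ('accept', []).

    Rejected mail is dropped quietly: a mass-mailer forges its sender, so a
    bounce or "your mail has a virus" notice would only hit a third party.
    """
    hits = find_executable_attachments(raw_message)
    return ("reject", hits) if hits else ("accept", [])


def build_sample_message(attachment_name, attachment_bytes):
    """Constructed test message with one attachment (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.invalid"  # constructed forged sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("see attachment")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def build_zip(member_name, member_bytes):
    """Constructed zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, member_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain exe": build_sample_message("document.exe", b"MZ"),
        "exe inside zip": build_sample_message("document.zip", build_zip("document.exe", b"MZ")),
        "harmless text": build_sample_message("notes.txt", b"hello"),
    }
    for label, raw in samples.items():
        print(f"{label:15s} -> {gateway_decision(raw)}")
```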

  4. doesnt matter. by eyeareque · · Score: 1, Insightful

    we will never see an apology from SCO.. they will be gone and bankrupt before too long.

    1. Re:doesnt matter. by Anonymous Coward · · Score: 0

      How about an apology for all the baseless crap (in addition to valid criticism) that gets said about them on /.? Same goes for MS, how about all the allegations that get hurled at them, with no notable retraction when they are proven to be false?

    2. Re:doesnt matter. by Anonymous Coward · · Score: 0

      That's different! Because...well....it just is!

  5. It's another case against OS monoculture by Eyah....TIMMY · · Score: 4, Informative

    It was covered last week.

    Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

    Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is necessary to combat worms.

    --

    It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
    1. Re:It's another case against OS monoculture by Random+Guru+42 · · Score: 1

      Yeah. When you're running nothing but Windows, it doesn't matter how distributed or decentralized your network is. It'll die all the same.

      But on the other hand, if everyone uses Linux exclusively, you know that people will find ways to make working virii and worms for it, too.

      --
      Christopher S. 'coldacid' Charabaruk -- coldacid.net
    2. Re:It's another case against OS monoculture by Trolling4Dollars · · Score: 1

      Couldn't be more true. Where I work nearly everyone uses Windows on the desktop. When Blaster hit last year, a number of systems in my department were hit. But being the odd man here who runs Redhat as my desktop, well... I didn't feel a thing. Even better, I was able to use my box to connect to our routers and begin throwing down access lists and blocking the spread. I was also able to use open source tools to track down more infected systems outside of our department. Did anyone learn anything here? No. Windows is too easy for them, but that's going to change as we are becoming more and more Unix oriented on the servers. (Previously Windows and OpenVMS)

    3. Re:It's another case against OS monoculture by sheriff_p · · Score: 3, Interesting

      You can read a good rebuttal against the 'MONOCULTURE IS DEATH' argument here:

      http://www.virusbtn.com/magazine/archives/200312/monoculture.xml

      written by someone who actually knows a little about malicious mobile code :-)

      --
      Score:-1, Funny
    4. Re:It's another case against OS monoculture by Pakaran2 · · Score: 1

      It's technically more difficult. Very, very few linux users run email clients that auto-execute macros, or read email with write access to all of their own executables. The closest equivalent would be reading email as root via some kind of command interpreter built into the client.

      Almost all Win98 users do both of these things.

      Also, if a virus was released for Linux taking advantage of some kind of known vulnerability, most users would fix the issue in question. Almost every distro allows you to set up an hourly cron job to update the entire system, often without rebooting. I'd like to see you do the equivalent of updating glibc without a reboot under Windows.

      Yes, there have been worms for Unix - and I'm sure there will be in the future - but Unix is a much poorer "habitat" for a worm than MS Lookout.

    5. Re:It's another case against OS monoculture by WNight · · Score: 1

      The difference is that unixes are designed with multi-user security in mind. If you have a system-level backup system a user-level worm won't be able to wipe out the data. You'll also be able to restrict users' ability to run apps at all, and what they'll be allowed to do. Compare to Microsoft where once you have a running app it's only a hair away from being admin where it can do anything.

      Also, open source unix machines tend to be set up with security in mind - doing things that will limit the propagation of dumb-user-clicks-the-attachment worms. To target Linux you'll need an actual exploit. Not that they don't exist, but with the response time as low as it is, it'll be hard for a virus writer to respond before Linus does. The malware authors will have to discover the bugs instead of, as now, simply reading bugtraq.

    6. Re:It's another case against OS monoculture by Anonymous Coward · · Score: 0

      But the parent was talking about what would happen if everyone was running Linux. That would include the Win98 folks (of course, this is completely theoretical; anyone who is still running Win98 has no intention of ever changing their OS or they would have already).

    7. Re:It's another case against OS monoculture by cens0r · · Score: 1

      Of course it could be said that the reason linux users use linux is so they can do those things. It may be that the average windows user likes to do those things.

      --
      Jack Valenti and Orrin Hatch will be first up against the wall when the revolution comes.
    8. Re:It's another case against OS monoculture by mcelrath · · Score: 1
      Fallacy by misdirection.

      That article merely demonstrates that viruses still spread quickly when there is diversity. But who cares how quickly they spread? The point of diversity is that the probability of any individual machine being infected is smaller (a prime concern for admins and companies).

      -- Bob

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    9. Re:It's another case against OS monoculture by Anonymous Coward · · Score: 0

      Nice copy-n-paste thinking, Unixboy, but this worm DOES NOT DESTROY DATA. An unprivileged Unix user could do everything this worm does without any exploits.

    10. Re:It's another case against OS monoculture by Anonymous Coward · · Score: 0

      I think their SQL/Slammer example counters that

    11. Re:It's another case against OS monoculture by Oriumpor · · Score: 1

      I've read this argument before, and I ran over it once more just to make sure, but what it says basically is that in an environment where an infection would occur in a homogeneous population, the fact that a significant number of systems are diversified (OS-wise) means the infection and subsequent overload of the network would not be affected in a marked way.

      So... basically discounting the whole point of 90% of the discussion regarding monoculture this rebuttal doesn't discount the fact that my NAS never went down, or my qmail box hasn't been hit by a nasty network worm and needed to be reinstalled.... or my aging Alpha cluster running DNS has never been rooted.... --KNOCK ON WOOD-- The monoculture issue isn't solely a network health issue. Just as the Blaster worm is not solely a network health issue (as anyone having to remove the damn thing 120938123 times knows)

    12. Re:It's another case against OS monoculture by stor · · Score: 1

      I thought that was interesting.

      Not sure about the accuracy of the simulation though, for one thing the author states:

      every infected machine would attempt to infect one other machine chosen at random.

      Did they try this with machines attacking multiple targets at random? The results may be similar to what the author found (i.e. little difference between monoculture and diversity) but it would be a good idea to test that, yeah? Worms don't usually stop trying to infect other machines after one attempt.

      He also states that the simulation modelled a "perfect network" that won't be congested by the virus. Sure that's cool but I'd also be interested in seeing the results when a more accurate representation of a network is used.

      While I'm at it, there's nothing about RECOVERY in that document. When a worm spreads we want a decent percentage of machines to not be susceptible while we work on fixing the broken ones. It is possible that key internet infrastructure could be rendered practically unusable for a period but it will be a lot easier to deal with spotfires than one huge bushfire.

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
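A toy random-scanning worm simulation, added here as an example and not taken from the thread or from the linked article, to make the two points argued above concrete: mcelrath's claim that diversity caps the share of hosts infected even if the worm still saturates the hosts it can reach, and stor's question about infected hosts attacking more than one target per step (the `targets_per_tick` parameter). Population size, the vulnerable fraction and the fixed random seed are constructed choices; the network is assumed perfect, as in the article stor describes.

```python
import random


def simulate(population, vulnerable_fraction, targets_per_tick, seed=1, max_ticks=10000):
    """Random-scanning worm over a mixed population of hosts.

    Each host is vulnerable (runs the targeted platform) with probability
    `vulnerable_fraction`.  Every tick, each already-infected host picks
    `targets_per_tick` hosts uniformly at random and infects the vulnerable,
    still-clean ones.  Returns (ticks_until_saturation,
    infected_share_of_population, infected_share_of_vulnerable_hosts).
    """
    rng = random.Random(seed)
    vulnerable = [rng.random() < vulnerable_fraction for _ in range(population)]
    vulnerable_count = sum(vulnerable)
    if vulnerable_count == 0:
        return 0, 0.0, 0.0
    # Patient zero is the first vulnerable host.
    infected = [False] * population
    infected[vulnerable.index(True)] = True
    infected_count = 1
    ticks = 0
    while infected_count < vulnerable_count and ticks < max_ticks:
        ticks += 1
        # Hosts infected during this tick only start scanning on the next one.
        attackers = infected_count
        for _ in range(attackers * targets_per_tick):
            target = rng.randrange(population)
            if vulnerable[target] and not infected[target]:
                infected[target] = True
                infected_count += 1
    return ticks, infected_count / population, infected_count / vulnerable_count


def compare(population=2000, targets_per_tick=1, seed=1):
    """Monoculture versus a half-vulnerable population, same worm, same seed."""
    return {
        "monoculture": simulate(population, 1.0, targets_per_tick, seed),
        "half": simulate(population, 0.5, targets_per_tick, seed),
    }


if __name__ == "__main__":
    for label, (ticks, share_all, share_vuln) in compare().items():
        print(f"{label:12s} ticks={ticks:3d} infected={share_all:.2f} "
              f"of population, {share_vuln:.2f} of vulnerable hosts")
```

Raising `targets_per_tick` shows how much faster a multi-target worm saturates, while the share of the whole population it can ever reach stays bounded by the vulnerable fraction.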
  6. OT,but someone needs to make the [NO CARRIER] joke by Anonymous Coward · · Score: 0

    I haven't been affected since I don't use Outloo=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]

  7. For profit? by spun · · Score: 2, Interesting

    You mean, a big bag of money showed up on some spammer's doorstep with a note promising much more if a DDoS against www.sco.com is included in the next release?

    Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:For profit? by Flavius+Stilicho · · Score: 1

      You mean, a big bag of money showed up on some spammer's doorstep with a note promising much more if a DDoS against www.sco.com is included in the next release?
      Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."


      I'm sure they would just figure that their Nigerian friend finally got lucky.

  8. OK, Deadmonk!! by Anonymous Coward · · Score: 2, Funny

    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users.

    We'll get right on that!

    Sincerely,
    The Mass Media.

  9. In addition, not instead of by allism · · Score: 4, Informative

    The B variant targets both Microsoft and SCO.

    1. Re:In addition, not instead of by graniteMonkey · · Score: 0, Redundant

      Well that just reinforces my belief that it's actually a conspiracy by Microsoft and SCO to discredit the Open Source Movement(tm), just like everything else that gets Slashdot's attention.

      --

      This is a manual virus. Copy it to your sig and help me spread!
    2. Re:In addition, not instead of by Anonymous Coward · · Score: 1, Interesting

      contains the text string: "sync-1.01; andy; I'm just doing my job, nothing personal, sorry"
      Maybe it is a confession of the author that he was hired by somebody?

    3. Re:In addition, not instead of by jrockway · · Score: 1

      Nice troll.

      --
      My other car is first.
    4. Re:In addition, not instead of by GundyRage · · Score: 1

      Almost everything improves with age. ;)

    5. Re:In addition, not instead of by allism · · Score: 1

      Anyone have any speculations on who 'andy' might be?

    6. Re:In addition, not instead of by Anonymous Coward · · Score: 0
      Anyone have any speculations on who 'andy' might be?

      Mr. Tanenbaum is the main suspect. "Unixware is obsolete."
  10. Am I the only one? by CGP314 · · Score: 4, Funny

    place where nobody gives a wet slap

    Anyone care to clarify what a wet slap is?

    --
    In London? Need a Physics Tutor?

    American Weblog in London

    1. Re:Am I the only one? by Samuel+Duncan · · Score: 1

      You hit someone on the unclothed bottom with a wet towel.

      --
      Over 90 years and counting !
    2. Re:Am I the only one? by j0keralpha · · Score: 1

      This is a reference to Hitchhiker's Guide to the Galaxy, where this phrase is used in a number of places...

      Ford:'The best cooks and the best drink mixers, and they don't give a wet slap about anything else...'

    3. Re: Am I the only one? by Black+Parrot · · Score: 1


      > Anyone care to clarify what a wet slap is?

      It's like a dry slap, but done in the shower.

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:Am I the only one? by glubbs · · Score: 1
      Anyone care to clarify what a wet slap is?

      Whatever it is, we can be sure it's not coming from Russia.

    5. Re:Am I the only one? by Anonymous Coward · · Score: 0

      You know blogging about your moving to London is not very becoming. Especially with that ridiculous flag with your initials over it. Get some class man, seriously. I mean, when you sat down to make that icon, what in the hell were you actually thinking? "This will show everyone out there that I'm someone. I'm in Britain, and I'm going to advertise it!"
      LOL!

    6. Re:Am I the only one? by Conspiracy_Of_Doves · · Score: 2, Insightful

      Umm.. Dude. I'm as big a Douglas Adams fan as the next guy, but he didn't invent every figure of speech in the English language. Some expressions (such as wet slap) did, in fact, exist before he first used them.

    7. Re:Am I the only one? by RatBastard · · Score: 1

      Does the term "teabagging" mean anything to you?

      Actually, I have no idea.

      --
      Boobies never hurt anyone. - Sherry Glaser.
    8. Re:Am I the only one? by kfg · · Score: 1

      Anyone care to clarify what a wet slap is?

      Just hazarding a guess here really, but is it, maybe, a slap, that's wet?

      KFG

    9. Re:Am I the only one? by Snad · · Score: 1

      Anyone care to clarify what a wet slap is?

      Depending on your idiom of choice :

      rat's ass
      flying fuck
      monkey's bollocks.

      And several hundred other variations...

    10. Re:Am I the only one? by Anonymous Coward · · Score: 1, Funny

      Whoa there cowboy... let's start slow here. What is this term "girl" you refer to?

    11. Re:Am I the only one? by Anonymous Coward · · Score: 0

      You totally lost all frame of reference for the geeks at "when a girl is aroused".

    12. Re:Am I the only one? by Anonymous Coward · · Score: 0

      point... hey, even karma whores can make mistakes...

    13. Re:Am I the only one? by Anonymous Coward · · Score: 0

      Spit on your hand and slap someone in the face. It hurts a lot worse than a dry slap.

    14. Re:Am I the only one? by Anonymous Coward · · Score: 0

      Isn't it where she shouts "I wish you'd stop playing on that damn computer" then slams the front door behind her?

    15. Re:Am I the only one? by Dutch_Cap · · Score: 2, Funny

      No, Douglas Adams did invent the expression "wet slap", it's reality that's got it all wrong.

    16. Re:Am I the only one? by Sj0 · · Score: 1

      This time of year? The slap would turn to ice long before it hit!

      --
      It's been a long time.
    17. Re:Am I the only one? by BiggerIsBetter · · Score: 1

      There's an odd thing...

      Why is monkey's bollocks bad, but dog's bollocks is good?

      English is funny.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    18. Re:Am I the only one? by Anonymous Coward · · Score: 0

      The presumably rather disconcerting sound coinciding with the impact point of a flying fuck. Though since no one ever supplies the latter, the former is mostly theoretical in nature.

    19. Re:Am I the only one? by caluml · · Score: 1

      Dogs are always good. "Happy as a dog with two dicks" for example.

    20. Re:Am I the only one? by mikechant · · Score: 1

      Iguanas, snakes, Koalas. They really do have two. So I guess they're all happy...

      http://www.greenigsociety.org/glossary.htm
      and look for 'hemipenes'

  11. I wish all mail admins.. by grub · · Score: 5, Insightful


    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

    --
    Trolling is a art,
    1. Re:I wish all mail admins.. by allism · · Score: 1

      There was an article advising this on, I think, one of the major news sources (can't remember which one) - it said that since most email spreading programs spoof the return address, there's no reason to have the auto-replies.

      I feel your pain - I have gotten almost as many auto-replies as I have gotten worms - and they're directed back at an email that I don't even have outgoing access to...

    2. Re:I wish all mail admins.. by Random+Guru+42 · · Score: 1

      I agree! A lot of them ship the original message back, too, and with all the spammers pretending to be from my domain, it certainly helped fill up my allotted space on the server.

      --
      Christopher S. 'coldacid' Charabaruk -- coldacid.net
    3. Re:I wish all mail admins.. by FrEaK7782 · · Score: 1

      If they did that, they would be reporting that every 1 in 6 emails was infected rather than 1 in 12!

    4. Re:I wish all mail admins.. by cfl · · Score: 1

      Here's an article discussing this problem from
      The Age

    5. Re:I wish all mail admins.. by PhuCknuT · · Score: 1

      The best part is I've never seen one that sends the headers back so you can see where the actual message came from.

    6. Re:I wish all mail admins.. by Random+Guru+42 · · Score: 2, Informative

      Maybe the mail server authors are in league with the spammers! Ohtehnos!

      --
      Christopher S. 'coldacid' Charabaruk -- coldacid.net
    7. Re:I wish all mail admins.. by theLOUDroom · · Score: 1

      .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

      Actually, the right way to do it would be to turn it off only if that particular virus is known to forge the address.

      --
      Life is too short to proofread.
    8. Re:I wish all mail admins.. by forevermore · · Score: 4, Interesting
      would TURN OFF those blasted "Your mail has a virus!" auto-replies

      I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.

      On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.

      --
      Do you really need reason for beer? Wingman Brewers
    9. Re:I wish all mail admins.. by BigBlockMopar · · Score: 1

      I wish all mail admins.. .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

      Well, now at least you know that the virus, running on the machine of an infected third-party acquaintance or friend, has spoofed your e-mail address for Reply-To.

      Worrisome: someone who knows my e-mail address, whose machine is currently infected, is broadcasting it all over the Internet and perhaps eventually to spammers.

      --
      Fire and Meat. Yummy.
    10. Re:I wish all mail admins.. by Anonymous Coward · · Score: 0

      Here's my personal favorite so far. There is no useful information in this bounce, most notably the sending IP address is not given. It advertises the MessageLabs service. Best of all, it even states that "some viruses forge the sender address":

      The MessageLabs SkyScan Anti-Virus service discovered a possible virus
      or unauthorised code (such as a joke program or trojan) in an email sent
      by you.

      The email has now been quarantined and was not delivered.

      Please read the whole of this email carefully. It explains what has
      happened to your email, which suspected virus has been caught and what
      to do if you need help addressing the problem.

      To help identify the quarantined email:

      The message sender was
      xxxxxxxxxxxxx@xxxxxxxxxxx.xx

      The message recipients were
      xxxxxxxxxxxxxxxx@xxxxxxxxxxxx.xxx

      The message title was (empty)
      The message date was Tue, 27 Jan 2004 xx:xx:xx +xxxx
      The virus or unauthorised code identified in the email is
      >>> W32/MyDoom.A in 'xxxxxxx_xx_xx-x_xxx__xxxxxxx.xxx=xxx.pif'

      Some viruses forge the sender address. For more information please
      visit the link to the virus FAQ's at the bottom of this page.

      The message was diverted into the virus holding pen on
      mail server server-xx.tower-xx.messagelabs.com (pen id xxxxxxx_xxxxxxxxxx)
      and will be held for 30 days before being destroyed

      Corporate Users:
      If you sent the email from a corporate network, you should first
      contact your local IT Helpdesk or System Administrator for advice.
      They will be able to help you disinfect your workstation.

      If you would like further information on how to subscribe to MessageLabs
      SkyScan AV service, a proactive anti-virus service working around the
      clock, around the globe, please complete our enquiry form.

      Personal or Home users:
      If you sent the email from a personal or home account, you will need
      to disinfect your computer yourself. Please contact your anti-virus
      software vendor for support.

      You may like to read the virus FAQ's at:
      http://www.messagelabs.com/page.asp?id=628
      which will answer most virus related questions.

      -------
      This email has been scanned for all viruses by the MessageLabs Email
      Security System. For more information on a proactive email security
      service working around the clock, around the globe, visit
      http://www.messagelabs.com
      -------

    11. Re:I wish all mail admins.. by fafaforza · · Score: 1

      Customer calls tech support:

      "Your server is broken! I'm not getting email from a lot of my coleagues! Fix it!"

      "OK, sir. So the sending parties get any sort of an error message, or what is called a bounce?"

      "No! I'm losing business because of you!"

      "Well I don't really see anything wrong with the server..."

      Of course the opposite is also a problem. People seeing those bounces and claiming our mail server is "hacked". But too much information is better than none at all when debugging things like email, so I'm not turning off reporting.

    12. Re:I wish all mail admins.. by Jhon · · Score: 1

      While I *MOSTLY* agree with this, I have a few exceptions.

      Our email scanner will ONLY send out alert auto-replies to files it flags but can't identify as specific viruses.

      That way, it lets the schmendrick know that his resume called "myresume.version2.doc" was flagged and not delivered. Or that some lab equipment update file called "ags.20040128.exe" was flagged and not delivered.

      It allows them to alert me and make sure the file goes where it belongs.

      If the scanner IDs a virus, it just drops the load into a quarantine dir and makes a log entry for my review.

    13. Re:I wish all mail admins.. by BigBlockMopar · · Score: 1

      I know that a TON of people I DON'T know have my email address.. the down side of having a couple semi-popular web sites

      Well, I have a couple which are displayed publicly and are aliased to my main e-mail address. My main e-mail address was known by less than 10 people, until one of them apparently decided to read the Unicode message with the .scr extension... [grrr...]

      Now, my mailbox is flooded with online headhunters and HR departments: "Your resume has been received and will be kept on file..."

      --
      Fire and Meat. Yummy.
    14. Re:I wish all mail admins.. by sacherjj · · Score: 1

      Actually, the right way to do it would be to turn it off only if that particular virus is known to forge the address.

      Which would include almost all viruses spread by email.

    15. Re:I wish all mail admins.. by Anonymous Coward · · Score: 0

      Even better is these f'n antivirus programs don't even include the original header. At least if they are going to send you a reply from a spoofed address they could send the header so you *know* the originating ip is not from your domain.

      I've sent out at least 30 replies to abuse/postmaster to companies who've spammed me 10+ times themselves.

    16. Re:I wish all mail admins.. by droleary · · Score: 1

      Our email scanner will ONLY send out alert auto-replies to files it flags but can't identify as specific viruses.

      So? The fact that you bounce instead of reject is the problem. It's a question of where you run your checks (i.e., after accepting the message for delivery), not what checks you run.

    17. Re:I wish all mail admins.. by Anonymous Coward · · Score: 0

      Worse than that, the headers are dutifully included in the auto-replies for diagnostic purposes (okay so far), and, in 5 seconds, it is obvious that the virus did not originate from my address (bad). Thanks for wasting my time.

      People, the From: field and Reply-To: fields are almost always forged in these messages. Everybody knows that, right? So, get a clue -- if you can't take the time to at least manually verify the Received: headers make sense, or write a script sophisticated enough to check that out, then don't automatically send your helpful virus messages back to the (usually forged) From: address.

      Sheesh. Last time the message supposedly came from here, somewhere in the .ca (Canada) domain, when the rest of the Received: header clearly indicated their server was chatting with an e-mail server somewhere in the Czech Republic. A little reverse lookup, and the inconsistency typical of forgeries would be obvious. Automating this is not so hard, so PLEASE DO IT, before wasting my time and contributing to net traffic with a bunch of false positives. The viruses/worms are bad enough without each one echoing uselessly back to forged addresses in the virus equivalent of a joe-job.
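
The check the poster above is asking for, as an added example (not code from the thread or from any scanner product): before auto-replying to the From: address, find the Received: hop that our own MTA wrote, and only reply if the relay it recorded is a known sender for the From: domain. The MTA name OUR_MX, the KNOWN_RELAYS table and both sample messages are constructed; a real deployment would replace the table with an rDNS/MX/SPF lookup of the sender domain.

```python
"""Decide whether a "your mail has a virus" auto-reply may go back to From:.

Added example; not code from the thread. OUR_MX, KNOWN_RELAYS and both sample
messages are constructed. A real deployment would replace KNOWN_RELAYS with an
rDNS / MX / SPF lookup of the sender domain."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_MX = "mx.example.ca"          # hypothetical: hostname of our inbound MTA

# Constructed stand-in for a lookup: which hosts legitimately send for a domain.
KNOWN_RELAYS = {"example.ca": {"smtp.example.ca", "mail2.example.ca"}}

# "from HELO (rdns [ip])" as sendmail/postfix write it. rDNS and IP are what our
# MTA observed; the HELO name is whatever the client claimed, so it is ignored.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)\s+\[(?P<ip>[\d.]+)\]\)", re.I)


def trusted_hop(raw):
    """Return (helo, rdns, ip) of the hop at which OUR_MX accepted the mail.

    Received: headers are prepended, so the list is newest first. The first one
    saying 'by OUR_MX' is the one we wrote ourselves; every Received: below it
    was supplied by the sender and may be forged, so it is never consulted."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())        # join folded continuation lines
        if f"by {OUR_MX}" not in flat:
            continue
        m = RECEIVED_FROM.search(flat)
        return (m.group("helo"), m.group("rdns"), m.group("ip")) if m else None
    return None


def sender_domain(raw):
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def should_notify_sender(raw):
    """True only when the relay we observed is a known sender for the From: domain.

    The default is False: no hop we trust, no domain, or a mismatch all mean the
    From: address is probably forged and a reply would just be backscatter."""
    hop = trusted_hop(raw)
    domain = sender_domain(raw)
    if hop is None or not domain:
        return False
    _helo, rdns, _ip = hop
    return rdns.lower() in KNOWN_RELAYS.get(domain, set())


# Constructed: a worm in the Czech Republic claiming to be bob@example.ca.
FORGED = """\
Received: from mail.example.ca (relay7.example.cz [192.0.2.77])
    by mx.example.ca with ESMTP id i0R9xyz
    for <alice@example.ca>; Tue, 27 Jan 2004 10:02:11 +0100
From: bob@example.ca
To: alice@example.ca
Subject: hi

see attachment
"""

# Constructed: the same claim, but actually handed over by the domain's relay.
LEGIT = """\
Received: from mx.example.ca (mx.example.ca [10.0.0.1])
    by imap.example.ca with ESMTP id 2b3c
    for <alice@example.ca>; Tue, 27 Jan 2004 10:02:13 +0100
Received: from smtp.example.ca (smtp.example.ca [198.51.100.5])
    by mx.example.ca with ESMTP id 2b3b
    for <alice@example.ca>; Tue, 27 Jan 2004 10:02:12 +0100
From: bob@example.ca
To: alice@example.ca
Subject: hi

see attachment
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(name, trusted_hop(raw), "notify:", should_notify_sender(raw))
```

Only the Received: line added by our own MTA is consulted; the internal hop above it in LEGIT and anything the sender prepended are skipped, which is what makes the check resistant to the forged headers the worm supplies.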

    18. Re:I wish all mail admins.. by Jhon · · Score: 1

      So. That's not a problem. The goal isn't to "bounce" questionable email. 21 out of the last 30 flagged files (that weren't ID'd as viruses) were legitimate files (updates, mostly resumes, etc). 3 of the 9 remaining were brand new zero-day viruses that weren't in our defs yet (mimail-k and mydoom-a). The last 6 were programs users sent to themselves to install on their workstations (dummies -- they should know by now).

      We accept the "questionable" stuff because following a "better safe than sorry" philosophy regarding flagging has worked and it reduces turnaround time on potentially important transactions. The traffic generated has been historically minimal and the benefits have far outweighed them.

      30 auto-replies in the last 3 months barely more than 1k each. Hardly a traffic jam. Only 3 went to "forged" email addresses. And that's for over 100 email users.

    19. Re:I wish all mail admins.. by Kanasta · · Score: 1

      Worse is "Your mail might have a virus!" auto-replies when you send legit zip files etc, forcing you to go signup on a link somewhere.

    20. Re:I wish all mail admins.. by QuantumRiff · · Score: 0
      On another simple admin fix, is it really that hard to block outgoing SMTP connections (except from the mail servers) at the router or firewall? Not only is it quick and easy to see who has a virus (or spyware), it's just being a nice net-neighbor in case you get infected with something...

      Look, I'll make it easy for you for Cisco routers:

      access-list 110 permit tcp host 12.34.56.78 any eq smtp
      access-list 110 deny tcp any any eq smtp log
      access-list 110 remark the next line is needed because every ACL ends in an implicit deny-all
      access-list 110 permit ip any any

      where 12.34.56.78 is the ip of your Mail server, and list 110 is for your outgoing connection.

      --

      What are we going to do tonight Brain?
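
The "quick and easy to see who has a virus" part of the post above, as an added example (not the poster's code): the `log` keyword on the deny entry makes IOS emit a %SEC-6-IPACCESSLOGP line per denied flow, and a host with its own SMTP engine is distinguishable from a misconfigured mail client by the number of different mail servers it tries to reach. The log lines are constructed to mimic that format; the threshold of three distinct destinations is an assumption.

```python
"""Find internal hosts tripping the outbound-SMTP deny rule.

A worm with its own SMTP engine connects to many different mail servers; a
misconfigured mail client hits one. Added example, not from the thread; the
sample log lines are constructed to mimic the IOS %SEC-6-IPACCESSLOGP
messages produced by an access-list entry carrying the `log` keyword."""
import re
from collections import defaultdict

ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packets?")


def suspect_hosts(lines, min_destinations=3):
    """Return [(src_ip, distinct_smtp_destinations, packets)] for every source
    denied SMTP to at least min_destinations different hosts, busiest first.

    IOS aggregates repeats into 'N packets' summary lines, so packet counts are
    summed from the message rather than counted per line."""
    dests = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        m = ACL_DENY.search(line)
        if not m or m.group("dport") != "25":
            continue
        dests[m.group("src")].add(m.group("dst"))
        packets[m.group("src")] += int(m.group("n"))
    hits = [(src, len(d), packets[src])
            for src, d in dests.items() if len(d) >= min_destinations]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


# Constructed sample: 10.1.2.33 sprays five mail servers (worm behaviour),
# 10.1.2.40 keeps hitting one relay (a client pointed at the wrong server).
SAMPLE_LOG = """\
Jan 28 14:02:11: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3021) -> 198.51.100.1(25), 1 packet
Jan 28 14:02:11: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3022) -> 198.51.100.2(25), 1 packet
Jan 28 14:02:12: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3025) -> 203.0.113.5(25), 1 packet
Jan 28 14:02:13: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3031) -> 192.0.2.17(25), 1 packet
Jan 28 14:02:13: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3032) -> 192.0.2.18(25), 1 packet
Jan 28 14:03:40: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.40(1188) -> 198.51.100.25(25), 1 packet
Jan 28 14:05:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jan 28 14:07:11: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.33(3100) -> 198.51.100.1(25), 12 packets
Jan 28 14:08:40: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.2.40(1190) -> 198.51.100.25(25), 3 packets
"""

if __name__ == "__main__":
    for src, n_dst, n_pkt in suspect_hosts(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n_dst} distinct SMTP destinations, {n_pkt} packets denied")
```

Feed it the router's syslog stream (or the output of `show logging`) and the hosts worth walking over to are the ones at the top of the list.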
    21. Re:I wish all mail admins.. by chriskenrick · · Score: 1

      Worrisome: someone who knows my e-mail address, whose machine is currently infected, is broadcasting it all over the Internet and perhaps eventually to spammers.

      It's going to get really interesting when some spammer decides to write an email-borne virus that just runs silently in the background, and harvests email addresses from incoming and outgoing mail, and transmits them back to the spammer.

    22. Re:I wish all mail admins.. by sparkz · · Score: 1

      Offsite recipient presumably means when your mail server is (legitimately) relaying email. Eg, forwarding alice@example.com to alice@australia.example.com, Bill@example.com to bill@brazil.example.com, etc. Maybe even charlie@example.com to charlie@hotmail.com. So it goes to their local mail relay.

      --
      Author, Shell Scripting : Expert Re
    23. Re:I wish all mail admins.. by Anonymous Coward · · Score: 0

      On the subject of Amavis, I've simply taken to setting $final_virus_destiny to D_DISCARD. Viruses with honest headers are few and far between these days...

    24. Re:I wish all mail admins.. by Clovert+Agent · · Score: 1

      SC Magazine recently criticised AV vendors for exactly this. From the Jan 2004 group test of how Exchange AV products handled an outbreak:

      "...None of the products did what we would have liked, which is to detect an outbreak, and then take steps to adjust its reporting accordingly. Email, log-file and SNMP alerts are great, but not 10,000 of them at a time..."

    25. Re:I wish all mail admins.. by droleary · · Score: 1

      We accept the "questionable" stuff because following a "better safe than sorry" philosphy regarding flagging has worked and it reduces turnaround time on potentially important transactions.

      It's not a question of what you accept inwardly, it's a question of what you send outwardly. I don't know why you won't see that.

      The traffic generated has been historically minimal and the benefits have far outweighed them.

      Benefits to whom? How do I benefit when you send me someone else's email, or report to me about your system at all?

      30 auto-replies in the last 3 months barely more than 1k each.

      You should not be an administrator, especially of email. Spam isn't about the size of individual messages; HTTP traffic dwarfs SMTP traffic. The issue with spam is that my inbox comes directly and every message requires me to deal with it, and the volume will obscure valued messages far more than the size. Every user you'd care to talk to would say they'd rather get 1 250K spam a day rather than 500 .5K spam clogging their mailbox.

      Hardly a traffic jam. Only 3 went to "forged" email addresses.

      Not a traffic jam for you. Only 3 for you. Multiply your actions by hundreds of thousands of cluelessly administered machines and you're contributing to a huge problem. Just stop it! There is no justification for your bouncing.

  12. Security could be easily enhanced by Samuel+Duncan · · Score: 3, Interesting
    Two steps:
    • Make bad system administrators personally responsible for the damages they create by not fixing security holes.
    • Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson.
    --
    Over 90 years and counting !
    1. Re:Security could be easily enhanced by E-Rock · · Score: 1

      Yea... In case you didn't pay any attention at all, this virus relies on the user to do something stupid. Any mailreader that supports attachments and has a user at one end is vulnerable. Also, these viruses already are illegal. They can't catch them to do anything at all to them.

    2. Re:Security could be easily enhanced by tommck · · Score: 1

      but a decent spanking will teach them a lesson

      If you could get Carmen Electra to dole out the punishment, I just might write a virus of my own! :)

      --
      ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
    3. Re:Security could be easily enhanced by leerpm · · Score: 1

      Make bad system administrators personally responsible for the damages they create by not fixing security holes.

      I doubt this would increase security. But it would certainly increase the salaries of those in the security field. As fewer people would be willing to work in the field, because of the risk of being held personally liable, they would demand higher pay to compensate for this increased risk.

      One of the many reasons why doctors are able to demand such high salaries, is because they all have to get liability insurance. This is why holding software vendors completely responsible for security issues is a bad idea. It may marginally increase the security of software, but it will drive up the purchase cost of software significantly.

      In short, there is no easy fix to making systems more secure. It takes hard work, like educating both users and administrators on proper procedures and secure processes.

    4. Re:Security could be easily enhanced by gl4ss · · Score: 1

      both of your steps suck, as they only adhere to the problem AFTER the damage has been done, nobody thinks that they're going to get caught or that their system will be broken into and used to ddos the rest of the internet into oblivion.

      and from what I gather getting locked up in federal does include spanking (with a meat stick)..

      and for large parts the authors do remain free..

      oh, and the mega problem is that the users don't care; you could just send them messages that said "this exe has a virus, please send it to 10 people you know!!" and people would do it.

      --
      world was created 5 seconds before this post as it is.
    5. Re:Security could be easily enhanced by Flower · · Score: 4, Insightful
      *sigh*

      No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

      MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is set up to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to 1000+ employees scattered over the state 365/7 and smack them every time they try to open some random shiny thing.

      And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

      That soundbite of yours starts getting a little hollow now doesn't it?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    6. Re:Security could be easily enhanced by Anonymous Coward · · Score: 0

      Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson. Unless it's somebody like Dan Farmer, in which case... he'll probably enjoy it!

    7. Re:Security could be easily enhanced by Anonymous Coward · · Score: 0
      Give physical punishment to the virus writers

      But how long before we get suicide virus writers :-)

    8. Re:Security could be easily enhanced by Anonymous Coward · · Score: 0

      In case you didn't pay any attention at all, this virus relies on the user to do something stupid.

      Given that I received thirty+ of these within the first HOUR, that's a depressing indication of just how stupid many of the people that know my email address are.

  13. Proof of who's lying by Saven+Marek · · Score: 5, Interesting

    "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code.

    So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating

    1. Re:Proof of who's lying by advocate_one · · Score: 1
      "So basically, SCO being down right now is Yet Another Big Lie from SCO."

      Wow... they jumped the gun a bit there... someone tell Darl it's not the first of Feb yet...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    2. Re:Proof of who's lying by LearnToSpell · · Score: 2, Interesting

      Netcraft's got an interesting idea - Journalists reporting on SCO and people interested in the www.sco.com site can now subscribe to receive alerts when the site is unavailable.

    3. Re:Proof of who's lying by owlstead · · Score: 1

      That's just all the slashdotters checking if the worm does indeed do any harm.

    4. Re:Proof of who's lying by interiot · · Score: 1
      This is not Another Big Lie. An HTTP request header with www.sco.com is clearly contained in every Novarg worm anyone has gotten. It's semi-easy to verify.
      • Grab a copy of the worm from your mailbox. I don't know what to do if you think there's a conspiracy about how that copy got to your mailbox, but if you have hundreds sitting there, I believe at least the first version released all had the same MD5sum, so check with your neighbors or whatever. At some point conclude you have an "in the wild" version of the virus.
      • Get the zip from the email and uncompress it. Sometimes it's called text.exe, sometimes others, but let's just call it text.exe.
      • Download UPX. Run "upx -d text.exe" (the worm was upx-compressed to save some additional space, as you can tell by running strings on the original version and seeing "upx" show up at the front)
      • In unix, run "strings text.exe | perl -ple 'y/A-Za-z/N-ZA-Mn-za-m/' | less"
      • What do you see? This:

        • GET / HTTP/1.1
          Host: www.sco.com
          www.sco.com
      So an HTTP GET request that's hardcoded to sco.com is now distributed across millions of machines.

      I think it's clear that there's SOME funny business targeting SCO there. Look at the disassembly so far, there's code attached to it that does SOMETHING. Who knows, the code might never be called or whatever (which would be pretty odd for a 32k worm that's been compressed multiple times), but even at this point, it's still reasonable to conclude that SCO is threatened, regardless of what the PR department says.
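
The strings-then-ROT13 step of the procedure above, as an added example in Python instead of the poster's `strings | perl` pipeline (not code from the thread or from the analysis it links). It assumes the sample has already been unpacked with `upx -d`; the byte blob below is constructed to stand in for the unpacked text.exe and is not worm code, it merely carries the same kind of ROT13-obscured HTTP request the poster reports seeing.

```python
"""Pull printable strings out of a binary, ROT13 each one, and flag any that
decode to an HTTP Host: header. Equivalent to
    strings text.exe | perl -ple 'y/A-Za-z/N-ZA-Mn-za-m/'
followed by a grep. Added example; SAMPLE_UNPACKED is a constructed blob that
stands in for the upx-decompressed file, not the worm itself."""
import codecs
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # what strings(1) prints by default
HOST_HDR = re.compile(r"^Host:\s*([A-Za-z0-9.-]+)$")


def extract_strings(blob, min_len=4):
    """ASCII runs of at least min_len printable bytes, in file order."""
    return [m.group().decode("ascii")
            for m in PRINTABLE.finditer(blob) if len(m.group()) >= min_len]


def rot13(s):
    """ROT13 is its own inverse, so one pass both encodes and decodes."""
    return codecs.encode(s, "rot_13")


def decoded_strings(blob):
    """(raw, rot13) pairs: the raw string and what it reads as after ROT13.
    Digits and punctuation are untouched, which is why 'HTTP/1.1' and the
    dots in a hostname survive the worm's obfuscation intact."""
    return [(s, rot13(s)) for s in extract_strings(blob)]


def http_targets(blob):
    """Hostnames from any 'Host:' header found in plain or ROT13 form."""
    found = set()
    for raw, dec in decoded_strings(blob):
        for candidate in (raw, dec):
            m = HOST_HDR.match(candidate)
            if m:
                found.add(m.group(1).lower())
    return sorted(found)


# Constructed: a PE-like stub, some filler, then the ROT13 form of
# "GET / HTTP/1.1\r\nHost: www.sco.com\r\n" and of "www.sco.com".
SAMPLE_UNPACKED = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00\x00"
    b"\x00\x00\x00\x00KERNEL32.dll\x00\x00\x00"
    b"TRG / UGGC/1.1\r\nUbfg: jjj.fpb.pbz\r\n\x00"
    b"\x00\x01\x02jjj.fpb.pbz\x00"
)

if __name__ == "__main__":
    for raw, dec in decoded_strings(SAMPLE_UNPACKED):
        print(f"{raw!r:40} -> {dec!r}")
    print("targets:", http_targets(SAMPLE_UNPACKED))
```

Seeing the string is not the same as seeing it used: as the poster notes, whether the code that references it is ever reached is a question for the disassembly, not for strings(1).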

  14. Please Remember! by Bruce+Perens · · Score: 5, Insightful
    Excerpted from perens.com/SCO/DOS/, this bears repeating.

    It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

    Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

    • Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
    • Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
    • Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and explain to them your own experience as a participant in the Free Software community.
    • Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org is an excellent example of how to carry this out.
    • Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

    Remember that your actions count. You are ambassadors of our community.

    1. Re: Please Remember! by Black+Parrot · · Score: 1


      > Do not cheer on attacks on the SCO site.

      Not even a <nelson>Ha, ha!</nelson>?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Please Remember! by Anonymous Coward · · Score: 0

      I want to congratulate whoever wrote this virus, if it is indeed directed at SCO. SCO NEEDS TO BE TARGETED with lots more evil viruses for taking on Open Source. HURRAH FOR VIRUS WRITERS! I LOVE LINUX!

    3. Re:Please Remember! by rokzy · · Score: 1, Insightful

      I like Linux and OSS.
      I'm glad that SCO got DDOS'd, they're bastards and deserve it.
      There's nothing wrong with this imo.

      What I think IS a problem, is you trying to make it seem like OSS is one big community where everyone has the same opinions and they all move in the same direction.

      I should be able to say "fuck SCO" all day long and it have nothing to do with the fact I use OSS. but then you start making it seem that liking OSS is some kind of religion that governs all my actions.

      I use Linux cos it has the tools I need. I use Firebird because it's a fantastic browser. I say "fuck SCO" cos they're full of BS. Get over it.

    4. Re:Please Remember! by Anonymous Coward · · Score: 0

      Yeah, I'll have to agree on that.

    5. Re: Please Remember! by Flower · · Score: 3, Insightful
      I probably rank right up there with all the other SCO haters. I'm on GrokLaw every day and chip in when I can by transcribing documents, but I'd never cheer on MyDoom. The stupid thing, because of the damage it's doing (and it is damage), brings an emotional reaction to the SCO debate which undermines all the good arguments the community has developed. Even if it was developed in Russia, cheering it on because it will DDoS SCO just provides SCO and industry analysts more junk to bring up rather than focusing on the real issues.

      I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    6. Re:Please Remember! by Anonymous Coward · · Score: 0

      Your modding this as flamebait proves rokzy's point. But then, irony and self awareness were never hallmarks of /. Double the lads' karma, you toads!

    7. Re:Please Remember! by Anonymous Coward · · Score: 0
      You are ambassadors of our community.
      That seems to be why, despite wonderful technical achievements, OSS fails to make in-roads onto the average home user's desktop. Think about it before you wet slap me down.
    8. Re: Please Remember! by Black+Parrot · · Score: 1


      > I totally agree with Bruce on this one

      Fine by me; you and Bruce are entitled to your views, and to lobby for them on Slashdot.

      However, my view is that it's perfectly OK - perhaps even laudable - to laugh your ass off at the karmic misfortune of a dickhead. I'll save my bleeding heart for those who get something they didn't deserve, not for those who deserve worse.

      --
      Sheesh, evil *and* a jerk. -- Jade
    9. Re: Please Remember! by Flower · · Score: 1
      The problem is this worm may or may not actually DDoS SCO but is hitting some companies mail servers so hard it is bringing them down. Yesterday, our ratio of email-to-MyDoom was 1:1. That's right. For every valid email there was one worm. We managed but others haven't.

      My place of work has no SCO servers, does not conduct business with SCO afaik and my co-workers thought I had good points about SCO's claims. Now? It's all about this "Linux weapon of war."

      Yes, you're entitled to your opinion but from where I'm standing you are flat out wrong. The only reason to cheer is if you abandon consideration of the current consequences and focus on the purely self-absorbed emotional satisfaction that this could DDoS a company you hate. If it floats your boat, fine. I'd rather advocate doing something constructive.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  15. Hmm by Anonymous Coward · · Score: 0
    ...the only activity I can get it to perform related to www.sco.com is to
    resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com.
    there's a simple solution then,
    everybody set their DNS servers to drop SCO off,
    worm propagation stops!
    1. Re:Hmm by nil5 · · Score: 0

      Umm that wouldn't fly. Then I couldn't pay my linux licensing fee.

  16. It's interesting by nil5 · · Score: 3, Interesting

    if this is not a more effective form of economic terrorism, I don't know what is. These worms seem to cost US companies millions if not billions of dollars, and they're probably not so difficult to develop either.

    With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?

    1. Re:It's interesting by Anonymous Coward · · Score: 0
      wouldn't you say that is almost the perfect weapon?

      No, I'd say some people are too stupid to be allowed to use a computer. People who infected themselves with this virus are not computer literate. Much as I disagree with the principle, the reality is that Palladium cannot come soon enough for these average Joes or the rest of us!

    2. Re:It's interesting by Anonymous Coward · · Score: 0

      There is no such thing as "economic terrorism" .. what does that mean, thousands of economics professors died when a bus bomb went off?

      Terrorism is TERRORism. It means huge spectacles, death, terror.

      Some worm going around sending extra emails, and only affecting one particular brand of computer OS, is hardly "terror".

      The most terror I experienced with MyDoom was to temporarily hold all messages with attachments until the AV vendor got the signatures updated, about 5 hours. Yawn.

    3. Re:It's interesting by nautical9 · · Score: 1
      Actually, I see it as an economic boon - thousands of sys admins and consultants around the world are called in to "fix" or patch these various viruses, which means more money to tech jobs.

      Sure, the money isn't spent directly towards a value-add product, meaning it's ultimately likely to increase the cost of whatever end-product said company is producing, but that means just more money changing hands == good for the economy.

      Ok, a little simplistic, and perhaps misguided, but my point is that the millions/billions spent on each of these doesn't just evaporate - it's just spent in a different spot than it would have.

  17. Re:OT,but someone needs to make the [NO CARRIER] j by allism · · Score: 1

    That would be funnier if the worm needed Outlook to spread. Unfortunately, it's got its own SMTP engine.

  18. getting sick of this shit... by Anonymous Coward · · Score: 0

    how about we write a worm/virus/whatever and have it look for spamming machines. then use the open ports on the compromised machines and just blow them away....wipe out C/D/E/F drive, / or whatever else gradually (say one file every hour or so) until all the spamming machines die.
    anyone want to volunteer for this ?

    1. Re:getting sick of this shit... by spydir31 · · Score: 1

      Good idea, but then 90% of windows machines will be dead

    2. Re:getting sick of this shit... by wilko11 · · Score: 1

      And the downside is?

    3. Re:getting sick of this shit... by PhuCknuT · · Score: 1

      If you ask me, a virus that does some damage to the person who runs it is just what we need, all these pansy viruses we have now just spread and do stupid shit like ddos sco. If there were some viruses around that nuked some critical files after spreading, people would quickly learn (some of them anyway). It would also give mailserver admins more incentive to filter attachments.

    4. Re:getting sick of this shit... by BigBlockMopar · · Score: 1

      how about we write a worm/virus/whatever and have it look for spamming machines. then use the open ports on the compromised machines and just blow them away....wipe out C/D/E/F drive, / or whatever else gradually (say one file every hour or so) until all the spamming machines die. anyone want to volunteer for this ?

      It should also DDoS any URLs mentioned in spams sent by that spam drone. ie, take out activerx.biz, bastapharma.biz, hell, the whole .biz TLD.

      When the writer of such a worm is caught by the FBI and appears in newspaper photographs, I promise I will cut out the photo, frame it, and hang it on my wall with my other heroes (Edison, Newton, Einstein, etc.).

      --
      Fire and Meat. Yummy.
    5. Re:getting sick of this shit... by twistedcubic · · Score: 1

      If a destructive virus were written, then all affected people would have to update their machines, thus ending the fun for all virus writers around the world. This looks like spammers and scammers prepping computers for their crimes. It is kinda surprising that no one has done the "rm -rf" virus for Windows, but it looks like the people with these sophisticated tools are just looking for profit, not fun. Capitalism at its best.

  19. Not to condone writing worms.... by phaetonic · · Score: 3, Interesting

    Wouldn't it be ironic if a worm were to DDoS slashdot.

    1. Re:Not to condone writing worms.... by Anonymous Coward · · Score: 0

      Wouldn't it be ironic if a worm were to DDoS slashdot.

      Only if the source was slashdot.

    2. Re:Not to condone writing worms.... by allism · · Score: 2, Insightful

      Don't give them ideas...although it WOULD be interesting to see what kind of load /. can handle...on Sept 11, it seemed like it was the only site up, so it can handle quite a bit, but I guess the question is - which is greater - /.'s load handling or the number of stupid Windows users?

      (Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)

    3. Re:Not to condone writing worms.... by pyros · · Score: 3, Funny

      don't you realise that slashdot is a DDoS worm?

    4. Re:Not to condone writing worms.... by jonadab · · Score: 1

      > Wouldn't it be ironic if a worm were to DDoS slashdot.

      No, ironic would be if a worm locked down various security holes in the OS,
      installed a firewall, disabled known-vulnerable software (e.g., Outlook),
      and so on and so forth.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    5. Re:Not to condone writing worms.... by Flower · · Score: 1

      Work productivity gains alone would be staggering to behold.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  20. Heh. by Black+Parrot · · Score: 1


    My Slashdot story page has a MS ad for an "earlybird" special. If you're not getting YourDoom fast enough, that's the ad for you!

    --
    Sheesh, evil *and* a jerk. -- Jade
  21. I don't find the fast reactions unbelievable... by Coocha · · Score: 5, Informative

    ... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple of routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiencing unheard-of downtimes as well.

    --
    May the threads progress competently.
    1. Re:I don't find the fast reactions unbelievable... by djward · · Score: 1

      Yep, been here even longer and same story. Never seen the email system down for more than ~6 hours. I think they just turned off the mail system to halt spread of the thing, more than the servers melting - the POP server still responds instantly to a ping but it's not allowing connections.

    2. Re:I don't find the fast reactions unbelievable... by McAddress · · Score: 1

      on the good side, big mac has not gone down yet.

    3. Re:I don't find the fast reactions unbelievable... by kyoko21 · · Score: 1

      This isn't as bad as back in 1996. Email was out for about almost two days. But then again, people were still using SLIP to connect and those of us who were hammering on the good old 19.2kbps ROLM phones were doing just that... hammering away and waiting in queue.

    4. Re:I don't find the fast reactions unbelievable... by Anonymous Coward · · Score: 0

      I have to ask the stupid question...How, if this only spreads if someone actually opens the attachment, did your college's mail servers become infected?

    5. Re:I don't find the fast reactions unbelievable... by spikev · · Score: 1

      Don't they tell students not to open unsolicited email attachments?

      That said, and knowing how stupid people can be, I'm surprised we haven't seen massive network slowdowns at the small private college I go to. We had trouble for two weeks with Blaster, because it got behind the firewall when students came back to school.

    6. Re:I don't find the fast reactions unbelievable... by DarkOx · · Score: 1

      See, that makes no sense at all. I attend a small college as well and I can tell you that the sys/admins (whom I have met) would ssh into the switch and kill your port if your box is emitting tons of packets. They would then ask if you have a friend or roommate who could download the patches for you and copy them to CD or have one sent over, then let you back on the network.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:I don't find the fast reactions unbelievable... by mrpuffypants · · Score: 1

      I'd say that that big cluster of Macs could handle it....Have you tried running sendmail on that cluster?

    8. Re:I don't find the fast reactions unbelievable... by Anonymous Coward · · Score: 0

      He was talking about the last 4 years. If you really want to go back, I remember when the entire internet went down for days. It wasn't fully connected again for weeks. That was a UNIX worm.

    9. Re:I don't find the fast reactions unbelievable... by Neurotensor · · Score: 1

      So you're telling me that somebody executed an attachment on a critical machine running windoze?

      I think your cluebat should come out of retirement ASAP. Preferably all the sysadmins dealing with the downtime should get five minutes alone with the luser(s) responsible.

    10. Re:I don't find the fast reactions unbelievable... by kyoko21 · · Score: 1

      Yes I realize that. I went to Virginia Tech... just trying to shed some history with the new generations of hokies on campus :-)

    11. Re:I don't find the fast reactions unbelievable... by back_pages · · Score: 3, Interesting
      Or some tiny cog in the bureaucracy with an old copy of the mailing list ran the attachment. It's probably very difficult to say at this point. I know that I should be on the financial aid listserv that has apparently been compromised, but only since last fall, and I've only been sent the virus about 30 times. Most of those were from individuals' email accounts (which could have been spoofed), but still it sounds to me like some luser had a copy of an old mailing list, otherwise I would have received many more emails.

      Some VT students who have been here longer said they've received the virus on average twice per minute for the last 36 hours. Ouch? Dumb user, no doubt, but I wouldn't yet conclude that it was some mission critical machine that was compromised.

    12. Re:I don't find the fast reactions unbelievable... by Anonymous Coward · · Score: 0

      You mean your system administrators don't even have the email system locked down and configured properly? Sad...

      NO executable attachments get through my servers - all attachments must be archived. All incoming mail (including mine) passes a mime-executable blocker, 2 anti-virus utils (updated hourly) and a spam blocking system that includes (but isn't limited to) Pyzor, Razor2, 2 different block lists, and markers for executable code. And everything looks inside any attached archives. And every single winblows workstation has Norton antivirus running on it, with automatic updates enabled, as well as a little custom code of mine that checks signatures of certain files and directories every single day against a master list. And I physically remove outhouse express before the machine leaves my office.

      Sitewide - 600 users, 4 locations. NEVER had a virus. Get about 1 piece of spam every 2 weeks. The mail system handles 2 dozen messages a second without a strain. You just need to set it up properly.

      What the world needs are more competent hard-assed system administrators and fewer end users calling themselves system administrators. There'd be a whole lot fewer worms and viruses.

    13. Re:I don't find the fast reactions unbelievable... by scrotar · · Score: 1

      There is a world of difference between a mail system designed to handle 600 users and one to handle the tens of thousands at vt.edu, or any decent sized campus. Universities are especially difficult due to internal politics. I am surprised their anti-virus software didn't kick in sooner, but they may be hand pruning virus emails already delivered to the 70k+ mailboxes they support. I haven't talked to their mail admins in some time, but last I did they were serving real inbox space to alumni, not just address forwarding. While not affiliated with vt.edu, I have the utmost respect for their security and systems programmers who give much back to the community through lecture and publication.

    14. Re:I don't find the fast reactions unbelievable... by ananke · · Score: 1

      Yeah, it's pretty bad. What saves some of us is when our respective departments/institutes run separate domainhere.vt.edu mail servers. Thank god we do, otherwise our windows admins would have a major headache. My institute was saved by clamav, but it could have also been very nasty.

      --
      --- d'oh
    15. Re:I don't find the fast reactions unbelievable... by Anonymous Coward · · Score: 0

      That's because it's in boxes around the country at this point.

    16. Re:I don't find the fast reactions unbelievable... by spikev · · Score: 1

      I never said our sys/admins were intelligent.

    17. Re:I don't find the fast reactions unbelievable... by Anonymous Coward · · Score: 0

      Who would be so stupid as to run Outlook and read mail on a *Windows mail server*?????

      You deserve what you got, some clueless admin running an insecure program on a server clicked on a trojan/"virus"

      Secure your admins, don't use a server for anything other than its intended purpose.

    18. Re:I don't find the fast reactions unbelievable... by generationxyu · · Score: 1
      Is VA Tech running Windows servers?

      That would bring great sadness to me, that the school who built the Big Mac cluster has Windows servers.

      --
      I mod down pyramid schemes in sigs.
  22. Still no updated virus defs by j-turkey · · Score: 1
    Definitions are available currently

    According to the official site (at 5:00 EST) there are still no ClamAV defs available for the .b variant of this worm (affectionately known as Worm.SCO.*).

    Does anyone know where I can grab (and submit) a signature...or a copy of it (without waiting for it to trickle into a user's mailbox)?

    --

    -Turkey

    1. Re:Still no updated virus defs by emptybody · · Score: 1
      new ClamAV defs are up!!!
      (someone want to point me to a quick start to integrate when .forwarded through procmail and spamassassin?)
      ClamAV database updated (2004.01.28 21:38 GMT): daily.cvd, viruses.db2
      Version: 111

      Submission: 830-web
      Sender: Poinsard
      Virus: false positive of HLLP.5926
      Added: n/a. False positive signature removed.

      Submission: 833-web
      Sender: Tony Hoyle
      Virus: unknown
      Added: No. Unreadable format message.

      Submission: 838-web
      Sender: Hardtarget
      Virus: unknown
      Added: No. Empty file. Sender contacted.

      Submission: 839-web
      Sender: Alin-Adrian Anton
      Virus: possible MyDoom worm
      Added: No. Worm.SCO.A found in the attachment.

      Submission: 840-web
      Sender: Don Brown
      Virus: W32.Novarg.A@mm
      Added: No. Just a short textual list of infected files.

      Submission: n/a
      Sender: Tomasz Papszun (THR)
      Virus: Worm.Mydoom.B
      Alias: Worm/MyDoom.B2, Worm/MyDoom.B4 (Hbedv), W32/MyDoom-B (Sophos)
      Alias: Win32.HLLM.MyDoom.48128 (Drweb), W32/Mydoom.B@mm (F-Prot)
      Added: Worm.Mydoom.B
      Added: Worm.Mydoom.B-dll
      --
      comment directly in my journal
  23. Re:OT,but someone needs to make the [NO CARRIER] j by Anonymous Coward · · Score: 0

    Thanks for the info. Someone mod +5 inform=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]

  24. Huh?! by pclminion · · Score: 4, Insightful
    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

    The fallacious logic here astounds me. Wait, no it doesn't.

    1. Re:Huh?! by Anonymous Coward · · Score: 0

      Just because it's from Russia doesn't mean it's not a Linux enthusiast or a "member of the open source community".

      Your argument against evil toothpaste is far too broad to be applicable -- you might as well ask people not to categorize.

      Even beyond that, your categorization is wrong. Darl is clearly trying to paint Linux USERS as evil (or members of a group that has evil elements) -- not that Linux itself is evil (well, he is trying to do that, but not in that statement).

      It's like saying evil spammers use toothpaste, and so they're part of the "dark side" of the "toothpaste using community". Which would be true.

    2. Re:Huh?! by iminplaya · · Score: 1

      "Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?"

      No, it just means we must ban toothpaste.

      --
      What?
    3. Re:Huh?! by fishbowl · · Score: 1

      "Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?"

      No... The object must be something the accusers do not themselves use or engage in. They aren't Open Source developers, but they probably use toothpaste, or at least have friends that do.

      --
      -fb Everything not expressly forbidden is now mandatory.
    4. Re:Huh?! by Blue+Eagle+26 · · Score: 0

      I think they already have in Great Britain...

    5. Re:Huh?! by moltar77 · · Score: 1

      As a malicious virus writer, I'm quite offended that you would categorize us with evil spammers. Yes we use toothpaste too, as do spammers I assume, but ummm.. please don't categorize us with spammers.

      Disclaimer: I am no virus writer. That was merely for the sake of making a joke, so put down your phone and don't go calling the FBI. ;)

    6. Re:Huh?! by Un+pobre+guey · · Score: 1
      The fallacious logic here astounds me. Wait, no it doesn't.

      It's a sign of our times. The Straw Man is every public bullshitter's best friend. Like yesterday's Bushism to the effect of "but then after 9/11, we knew we couldn't trust Saddam Hussein." Not unlike "but then, after MyDoom, we knew we couldn't start deploying OpenOffice on everyone's desktop."

    7. Re:Huh?! by sporty · · Score: 1

      Only to cavity causing bacteria :) So yes, we all have a little evil in us.

      --

      -
      ping -f 255.255.255.255 # if only

    8. Re:Huh?! by Anonymous Coward · · Score: 0

      Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

      What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

      Why is this insightful? He took a quote out of context and assumed that it was painting the OSS crowd as evil. It wasn't, yet his blazing intellectual defense to a non-existent slight is Score:4, Insightful?!?

      WTF is wrong with slashdot these days?

    9. Re:Huh?! by Anonymous Coward · · Score: 0

      I can statistically prove that dentists kill people. Everyone who goes to one dies.

  25. Innocent domain owners by Anonymous Coward · · Score: 0

    How about domain names (fake e-mails) that are being sent out by the worm because your ISP happens to proxy your connection (and allows un-secured windows users) and logs your e-mails being sent from your "unavailable to the world and NOT open for relay mail server".

    Will the blocking zealots block everyone......or will we have some sense of control in this scenario.

    Being able to use my own mail server is one of the many reasons I use open source!

  26. Linux users by gid13 · · Score: 3, Insightful

    From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...

    1. Re:Linux users by Raster+Burn · · Score: 1

      Exactly! I'm sure there are some malicious Linux users out there just like there are malicious Windows users. I find it funny that the Slashdot readers are covering their ears and yelling "la la la I can't hear you, so it can't be true!"

      "But this was a Windows virus, not a Linux virus!"

      Of course it's a Windows virus - more people use Windows, more people leave Windows unpatched, and more machines mean more power for a DDOS attack. I think there may be more than a handful of Linux users that also use Windows who could also program a Windows virus if they wanted.

    2. Re:Linux users by mattgreen · · Score: 1

      Rather amusing that people are so thin-skinned. "Our precious community is so hurt by these events!" Who actually gives out apologies these days? Geeks, of all people, should know that; it is especially true on this site. One minute everyone is flaming each other, then all of a sudden they are sensitive when picked on by big bad Microsoft/SCO/(evil corporation). Nobody admits they're wrong, they just move on and ignore past mistakes.

      It is rather presumptuous to expect big media to come out and say, "we are very sorry for insinuating that OSS had a connection with this event." Get over yourselves.

  27. It's a conspiracy! by techno-vampire · · Score: 1

    The worm was obviously written and released by a Windows fanatic, and designed both to harm SCO and give Linux a black eye!

    --
    Good, inexpensive web hosting
  28. Does Andy work at SCO by jaymzter · · Score: 4, Interesting

    A report covering F-Secure's work on the virus reveals this interesting comment embedded in the virus:

    Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator

    My tinfoil hat says it's some poor guy at SCO!

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
    1. Re:Does Andy work at SCO by Anonymous Coward · · Score: 2, Interesting

      There was an Andrew Sharpe who worked for Caldera. Dunno if he's still with them.

    2. Re:Does Andy work at SCO by Zocalo · · Score: 2, Interesting
      A couple of thoughts leapt to mind about that. Firstly the comment is in English, and the name is in English (Andre[i] would be the Russian equivalent), which kind of implies an English-speaking author, despite the first capture being in Russia. Using compromised box(es) to initiate the spread of the worm would be a fairly obvious step to cover one's tracks.

      Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by parties unknown, and b) included a colleague's email in the spoof list, perhaps by mistake.

      So the question is, will Andy, whoever he is, get pissed off enough to turn his colleague in for the $250,000 reward posted by SCO and turn over a new leaf? /tinfoil Assuming he's not working for SCO of course. /tinfoil

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Does Andy work at SCO by cheekyboy · · Score: 1

      If he's living in Russia and getting paid loads of cash and everything there is much cheaper, the USA can't touch him. If he is from SCO, he probably copied all of their internal email staff list too (I suggest everyone do that).

      If more downsizing happens in the USA, there will be more and more programmers out of work who will run out of cash and will have 2 options: A) live in the basement at mom's and live like a student again, or B) work for the bad guys and get rich and pay zero taxes and be rich again.

      You cant turn out millions of smarties in a boom, then expect them to work at $4/hr cleaning shitty jobs forever without some result.

      --
      Liberty freedom are no1, not dicks in suits.
    4. Re:Does Andy work at SCO by WareW01f · · Score: 1

      Googling Andy and sco I found this juicy tidbit:

      "SCO understands that for any operating system to be commercially viable, especially Linux, it needs a well-defined roadmap from a trusted supplier, who is committed to and capable of supporting it," said Andy Nagle, director of SCO Linux products.

      The question is, is this saying "sorry Andy" or "this is Andy and I'm sorry" (Either way it's a quote worth framing. :)

      Again, were I big on tinfoil...

  29. Re:We've gotta do something about Russia by plams · · Score: 1

    In Soviet Russia something happens to YOU!

  30. Re:We've gotta do something about Russia by corbettw · · Score: 1

    However, the Russian gov't needs to wake up and do something about all of the criminals it harbors.

    Bwa-ha-ha!!! Considering how many criminals are in the Russian government*, I don't think anything's gonna change any time soon.

    * Yes, yes, I know this is true for most governments, but the line between organized crime and government power seems blurriest in Russia at the moment.

    --
    God invented whiskey so the Irish would not rule the world.
  31. Bravo! by Dman33 · · Score: 4, Funny

    Not to mention all of the scared users calling the helpdesk insisting that they are infected.

    "Dude, you are using PINE! You are NOT infected!!!"

    1. Re:Bravo! by sketerpot · · Score: 1

      What sorts of scared users would be using pine? I would think that all the pine users would be knowledgeable enough to know that pine isn't susceptible to email viruses.

    2. Re:Bravo! by Zane+Edwards · · Score: 1

      Pine is default for some universities, for students emails.

    3. Re:Bravo! by The+Tyro · · Score: 1

      My university used pine long after more-advanced clients were available...

      Developed a soft spot in my heart for that little proggie...

      --
      Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
    4. Re:Bravo! by AvitarX · · Score: 1

      A lot of Universities have people telnet to Pine.

      And setting up outlook is too hard for them.

      By a lot I mean 100% of my sample group of one University.

      And about 50% of the half dozen or so students I have seen check their email.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Bravo! by Anonymous Coward · · Score: 0

      "hello, i've never had a real job or gone to a school where maybe just maybe not everyone is a wannabe CS major, but hey use pine there anyway for the system-wide email system"

    6. Re:Bravo! by Anonymous Coward · · Score: 0

      *shrug*
      I always get scared when I try to use pine.

  32. close by doug · · Score: 2

    SCO is the back side of the open source movement.

    1. Re:close by Pakaran2 · · Score: 1
      SCO is the back side of the open source movement.

      But that particular site has already been taken down. Apparently there was a gaping hole of some sort.

    2. Re:close by Adriax · · Score: 1

      So would removing them be considered an Assectomy? If so, does that mean the judges in all the SCO cases have to go to medical school before they can rule against SCO?

      --
      I don't suffer from insanity, I enjoy every minute of it!
  33. If I've said it once . . . by Leroy_Brown242 · · Score: 5, Informative

    I've said it a thousand times.

    1. Mutt
    2. Spamassassin
    3. Greylisting
    4. Profit!

    If it weren't for /., I'd have never noticed.

    1. Re:If I've said it once . . . by Anonymous Coward · · Score: 0

      ...until the .c variant DDoSes you.

    2. Re:If I've said it once . . . by Greg+Hewgill · · Score: 1

      That's exactly how my system is set up. (Well, except for the "Profit!" part.) But this one has a typical spamassassin score of only 3.0 and walks straight through greylisting. Read more on my blog.

    3. Re:If I've said it once . . . by Leroy_Brown242 · · Score: 1

      Try my user_prefs file.

      4244 lines of spam killing fury!

    4. Re:If I've said it once . . . by YetAnotherDave · · Score: 1

      noticed an error in said file - you forgot to 'score' a few:

      score HARDCORE_PORN 10
      HOT_NASTY 10
      BEST_PORN 10
      score NASTY_GIRLS 10

    5. Re:If I've said it once . . . by Leroy_Brown242 · · Score: 1

      Fixed
      Thanks :)

    6. Re:If I've said it once . . . by Anonymous Coward · · Score: 0

      i know! i can't believe the rest of the world didn't listen to Leroy_Brown242!

      can this officially be the last time someone starts a post with "If I've said it once..."

    7. Re:If I've said it once . . . by moggie_xev · · Score: 1
      Okay so our mail relays run a Unix like operating system, but the internal world is an exchange server.

      I haven't seen a single problem with this, and the first I really knew about it was a member of higher management telling me that they had had 3 viruses cleaned today, which was quite a bit, and commenting on an email that the university had sent him. Maybe Trend and Exchange work relatively well. Okay, let's say Trend isn't a bad virus scanner.

    8. Re:If I've said it once . . . by HSpirit · · Score: 1

      Here's a custom set of SA rules I've used to filter out most of the Mydoom crap [hopefully without too many false positives]:

      ###
      # Custom antimalware tests and measures
      ###
      # treat all messages containing Microsoft executables suspiciously
      score MICROSOFT_EXECUTABLE 5.0
      #
      # test for W32.MyDoom malware
      body MYDOOM_FAKE_SMTP_ERROR /Mail transaction failed. Partial message is available./
      body MYDOOM_UNICODE_BINARY /The message contains Unicode characters and has been sent as a binary attachment./
      body MYDOOM_7BIT_BINARY /The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment./
      body MYDOOM_TEST /^test$/
      describe MYDOOM_FAKE_SMTP_ERROR Fake SMTP error message typically sent by W32.Mydoom malware
      describe MYDOOM_UNICODE_BINARY Techno mumbo-jumbo typically sent by W32.Mydoom malware (1)
      describe MYDOOM_7BIT_BINARY Techno mumbo-jumbo typically sent by W32.Mydoom malware (2)
      describe MYDOOM_TEST Message with 'test' on single line typically sent by W32.Mydoom malware
      score MYDOOM_FAKE_SMTP_ERROR 5.0
      score MYDOOM_UNICODE_BINARY 5.0
      score MYDOOM_7BIT_BINARY 5.0
      score MYDOOM_TEST 5.0
      #
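      The gateway the Anonymous Coward describes further up (an executable blocker that also looks inside attached archives) and HSpirit's SpamAssassin rules just above, combined as an added Python example. This is not code from the thread, from SpamAssassin or from ClamAV. It checks each attachment by extension and by PE magic ("MZ" stub plus a "PE\0\0" signature at the offset stored at 0x3C, so a renamed .exe is still caught), descends one level into zip attachments with a per-member size cap, and applies the body phrases from the rules above as regexes. The extension list, the sample messages, the addresses and the fake executable bytes are all constructed for the example, not captures.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions treated as executable (assumed list, extend to taste).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Largest zip member we will decompress; keeps a huge archive from exhausting the filter.
MAX_MEMBER_BYTES = 1 << 20

# Body phrases from the SpamAssassin rules above, as Python regexes.
BODY_RULES = {
    "MYDOOM_FAKE_SMTP_ERROR": re.compile(
        r"Mail transaction failed\. Partial message is available\."),
    "MYDOOM_UNICODE_BINARY": re.compile(
        r"The message contains Unicode characters and has been sent as a binary attachment\."),
    "MYDOOM_7BIT_BINARY": re.compile(
        r"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment\."),
    "MYDOOM_TEST": re.compile(r"^test$", re.MULTILINE),
}


def is_pe_image(data: bytes) -> bool:
    """True if data looks like a Win32 PE file: 'MZ' DOS header, and the
    32-bit little-endian offset at 0x3C points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def executable_names(filename, payload: bytes) -> list:
    """Names of executable content in one attachment: the attachment itself
    (by extension or PE magic) and any executable member one level down in a zip."""
    name = filename or "<unnamed>"
    found = []
    if name.lower().endswith(EXECUTABLE_EXTENSIONS) or is_pe_image(payload):
        found.append(name)
    if payload[:2] == b"PK":  # zip local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    inner = zf.read(info)
                    if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or is_pe_image(inner):
                        found.append(f"{name}/{info.filename}")
        except zipfile.BadZipFile:
            pass  # not actually a zip, nothing further to inspect
    return found


def scan_message(raw: bytes) -> dict:
    """Parse a raw message; report executable attachments and body rule hits.
    'block' is the gateway decision: drop or quarantine if either is non-empty."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    executables, body_text = [], ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            executables.extend(executable_names(part.get_filename(),
                                                part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    rules = [rule for rule, rx in BODY_RULES.items() if rx.search(body_text)]
    return {"executables": executables, "rules": rules, "block": bool(executables or rules)}


# --- constructed sample messages, not real captures -----------------------

def fake_pe() -> bytes:
    """Smallest byte string is_pe_image() accepts; stands in for a real binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0"


def build_sample(body: str, filename=None, data: bytes = None) -> bytes:
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # constructed (the worm spoofs senders anyway)
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Error"
    msg.set_content(body)
    if data is not None:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(member: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


SAMPLE_EXE = build_sample("Mail transaction failed. Partial message is available.", "readme.exe", fake_pe())
SAMPLE_ZIP = build_sample("test", "document.zip", zipped("document.scr", fake_pe()))
SAMPLE_DISGUISED = build_sample("see attached", "photo.jpg", fake_pe())
SAMPLE_CLEAN = build_sample("Meeting moved to 3pm, slides attached.", "slides.pdf", b"%PDF-1.4\n%fake\n")

if __name__ == "__main__":
    for label, raw in [("exe", SAMPLE_EXE), ("zip", SAMPLE_ZIP),
                       ("disguised", SAMPLE_DISGUISED), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_message(raw))
```

      The PE check matters more than the extension list: a gateway that only matches filenames is beaten by a renamed binary or by an archive, which is why the archive is opened and each member tested the same way. The size cap is there because opening attacker-supplied zips on a mail gateway is exactly where a decompression bomb would be aimed.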
    9. Re:If I've said it once . . . by Reteo+Varala · · Score: 1

      What, no "???" ?

    10. Re:If I've said it once . . . by Anonymous Coward · · Score: 0

      If it weren't for /., I'd have never noticed.

      Slashdot and the entire internet slowing down.... You can just keep pretending a worldwide problem doesn't affect you.

  34. Not here either by nocomment · · Score: 1

    MyDoom doesn't accomplish its stated goal of DDOSing SCO at all!

    I've done some testing here too. I have yet to see 1 single packet move from the infected machines. I had some infected yesterday, and after checking my squid logs (ALL port 80 traffic gets forced through the squid proxy) I saw not 1, not 2, but ZERO traffic generated by the virus (mass emailing aside). Maybe it's busted? Was all the hype for nothing?

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
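    A way to check what nocomment describes above, as an added Python example that is not from the original post: a parser for Squid's native access.log line format, and a per-client count of requests whose destination is a given host, optionally limited to the IPs of the lab machines you infected and to entries at or after a trigger timestamp (the thread says the DDoS is not due before 1 February). The log lines are constructed for the example, with peers in the documentation address ranges, not a real capture. Caveat: this only sees what the proxy saw. A worm that opens its own TCP connection to port 80 shows up here only if that port is transparently redirected into Squid, as nocomment says it is; otherwise look at the firewall log or a packet capture instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout, one request per line:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hierarchy>\S+)\s+(?P<type>\S+)$")


def parse_line(line: str):
    """Fields of one native-format line as a dict, or None if it does not parse
    (truncated write, a different logformat, stray text)."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = float(rec["time"])
    # GET lines carry a full URL; CONNECT lines carry only host:port, so fall back
    # to the text before the colon when urlsplit finds no hostname.
    rec["host"] = (urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]).lower()
    return rec


def requests_to_target(lines, target_host: str, suspects=None, since: float = None) -> Counter:
    """Requests per client IP whose destination host is target_host.
    suspects: optional set of client IPs to restrict to (the infected lab boxes).
    since: optional epoch seconds; entries before it are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != target_host.lower():
            continue
        if suspects is not None and rec["client"] not in suspects:
            continue
        if since is not None and rec["time"] < since:
            continue
        hits[rec["client"]] += 1
    return hits


# Constructed sample log (not a real capture). Timestamps fall on 1 February 2004 UTC.
SAMPLE_LOG = """\
1075600000.123    145 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.org/index.html - DIRECT/203.0.113.5 text/html
1075600001.456     12 192.168.1.10 TCP_MISS/200 311 GET http://www.sco.com/ - DIRECT/198.51.100.9 text/html
1075600001.789     10 192.168.1.11 TCP_MISS/200 311 GET http://www.sco.com/ - DIRECT/198.51.100.9 text/html
1075600002.001      9 192.168.1.10 TCP_MISS/200 311 GET http://www.sco.com/ - DIRECT/198.51.100.9 text/html
1075600002.300     40 192.168.1.12 TCP_MISS/200 0 CONNECT www.sco.com:443 - DIRECT/198.51.100.9 -
1075600003.500    200 192.168.1.20 TCP_MISS/200 8800 GET http://slashdot.org/ - DIRECT/203.0.113.7 text/html
this line is not a squid record
""".splitlines()

if __name__ == "__main__":
    print(requests_to_target(SAMPLE_LOG, "www.sco.com"))
    print(requests_to_target(SAMPLE_LOG, "www.sco.com", suspects={"192.168.1.10"}))
```

    Counting per client rather than per line is what separates "one curious user loaded the page" from "every infected box is hammering it", and the `since` filter is how you re-run the same query after moving the test machines' clocks past the trigger date.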
    1. Re:Not here either by Anonymous Coward · · Score: 0

      simple

      the ddos has an activation date which has not been reached yet

    2. Re:Not here either by gnunick · · Score: 1

      Ummm.. it's not even supposed to start until February 1. Are you living in the future, or too busy to read the news?

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    3. Re:Not here either by nocomment · · Score: 1

      In case you are too busy to read the post you replied to, it says "I've been testing". So while I have not been living in the future, the test machines have. :-)

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    4. Re:Not here either by gnunick · · Score: 1

      Cool. I read your post carefully and all that seemed clear to me is you hadn't spotted any port 80 traffic via your proxy, which didn't surprise me in the least. Thanks for the report.

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    5. Re:Not here either by nocomment · · Score: 1

      Cool. I read your post carefully and all that seemed clear to me is you hadn't spotted any port 80 traffic via your proxy, which didn't surprise me in the least. Thanks for the report.

      This doesn't mean much it just means my preliminary (i use preliminary liberally because I'm not going to test further) tests show nothing...but who knows maybe the PC's are busted (they are windows don't ya know!) --hehe

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  35. Open Source Virus Scanner caught it by prandal · · Score: 1

    ClamAV, the Open Source virus scanner, caught it on our email gateway this afternoon, whilst McAfee's uvscan with the 4319 DATs didn't find a thing.

    A big thanks to the ClamAV team.

    Phil

  36. The new payload is to DDoS MS by dupper · · Score: 4, Funny
    All right, it's clearly one of us. 'Fess up, J. Random Slashdotter.

    Also, you forgot to make an RIAA variant, dumbass!

    1. Re:The new payload is to DDoS MS by Anonymous Coward · · Score: 0

      Why are you so certain it's someone from /. ???

  37. Spammers use Linux? by EvilGrin666 · · Score: 1

    If you were a spammer, wouldn't it be in your best interest not to be using Windows? You can't spam very well if you're getting spammed/virused to death.

  38. Reality Check by benna · · Score: 0, Redundant

    OK listen. I hate SCO as much as any of you. This is a clear pump and dump. However, I am getting sick of people saying SCO or someone wanting to discredit the open source community wrote this worm. I can think of A LOT of Linux supporters that would have done this in a second if they had thought of it. The chances are, it was a Linux supporter. I'm not saying whether I support the people that did this or not. I'm really not sure, but I am also getting tired of this "holier than thou" attitude of people who say it's not good because it makes open source look bad blah blah blah. I'm beginning to think we must fight fire with fire. We must fight these tactics of SCO, tactics that may even be illegal under RICO, with tactics that are less than legal. Maybe it is time we start doing things designed to bring down SCO, just as they are trying to bring down Linux. The legal process will take years. SCO will probably do a lot more damage in that time than some worm written by a Linux supporter. So we must do something. WE MUST FIGHT!

    --
    "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    1. Re:Reality Check by Anonymous Coward · · Score: 0

      moron.

    2. Re:Reality Check by Anonymous Coward · · Score: 0

      Agreed, parent sounds like a 14-year-old moron.

    3. Re:Reality Check by Raster+Burn · · Score: 1

      So we must do something. WE MUST FIGHT!

      Obviously, another conspiracy from Darl to discredit the Open Source Community!

    4. Re:Reality Check by Blue+Eagle+26 · · Score: 0

      What do you suggest then, braveheart? Bring down their website? It will be back up in a day or two, and when it goes back up the first news story on the site will be about how the nasty commie Linux hordes attacked them. It will HELP THEM. This is a PR (public relations) war we are fighting, not the beaches of Iwo Jima. We are fighting SCO on two fields, in the courts and in the minds of the people. In the courts we have titans for allies. We have IBM. Big Blue. Do a Google search for "IBM court losses" (with the quotes) and see what you get. Not to mention Red Hat, Mandrake, and all other Linux vendors. Now there is the matter of public image. This is where you fight. You fight with knowledge here, not immature pranks. Share with everyone you know, everyone you meet, the fact that SCO is full of shit. Shout it from the rooftops. There is your fight, friend.

    5. Re:Reality Check by benna · · Score: 1

      Well, I'm all for hiring a hit man to deal with Darl, but that's just me.

      --
      "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
  39. Yahoo! Frames! by belgar · · Score: 1

    Silly Messagelabs, using frames. What a treat to see the internet circa 1998. And, it doesn't work in Safari.

    --
    What does it mean to wake out of a dream
    and be wearing someone else's shorts?
    BNL, Born on a Pirate Ship (1998)
    1. Re:Yahoo! Frames! by Anonymous Coward · · Score: 0

      Doesn't work in Mozilla either. Here's an AV-company promoting software monoculture. Speaks for their insight into the problem.

  40. We have you now... by RobinH · · Score: 2, Funny

    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    That sounds like terrorist speak to me. Thanks to recent legislation, anyone running Linux can now be 'detained' indefinitely without evidence. God bless Micro^H^H^H^H^H^H America.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  41. Of course it wasn't some malicious Linux user by bogie · · Score: 4, Insightful

    This was some criminal capitalizing on the hot topic of the Linux vs SCO debate. If this worm had targeted the whitehouse.gov site you'd have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.

    --
    If you wanna get rich, you know that payback is a bitch
    1. Re:Of course it wasn't some malicious Linux user by DarkOx · · Score: 1

      > you'd have the same idiots saying terrorists did it.

      I would classify this as terrorism. It's economic terrorism. I work in IT at a technology company and these things cost us money, and if we can't keep our servers from melting and filter the crap from our sales reps' mail fast enough then few others can, and that could be lots of lost dollars. These worms, especially Code Red, Nimda, and Blaster, most likely are impacting the national economy. The authors should be held responsible and treated like the terrorists they are, ship them off to Camp X-Ray. As much as I hate to say this, it's not fair to blame M$ either, they are simply enablers; it's irresponsible users that are at fault. With a good security policy, proper firewalling, and systems management even Windows servers and desktops can be secure. People should be ticketed for running unpatched, unfirewalled systems and opening unknown binary attachments, in the same way you are ticketed for your headlights being out on your car or running a red light.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  42. Re:OT,but someone needs to make the [NO CARRIER] j by Anonymous Coward · · Score: 0

    OK, that WAS funny...

  43. Port Blocking by narfbot · · Score: 1

    Cox HSI already blocks port 25. The only way to send outbound email, even if you have a legitimate remote server, is through them -- It's really cruddy.

    Cox also blocks other ports, obviously because of Windows worms. Port 80, for example, was blocked because of Code Red. Port 25 could have been blocked for the same reason, but spam is definitely another major reason for it.

    Cox also limits bandwidth usage now, supposedly.

    Reread what I just said with the tone that the rampant Cox TV advertisements use, and find out what a service you really get for progressively HIGHER prices. The only other viable broadband ISP is Qworst, and I've already seen what it is like there.

    So thank you Windows worms for ruining my ISP access even when I used Linux on the connection! Those Windows problems every time!

    1. Re:Port Blocking by Anonymous Coward · · Score: 0

      I'm a cox sucker also.. i mean cox user

      anyway have you tried port 2525 instead? some mail hosts use that as an alternate.. or maybe some other port, try asking

    2. Re:Port Blocking by narfbot · · Score: 1

      Possibly. But what if you want to use the local sendmail MTA? Yeah sure I can make it send through another MTA, but what if I want to send an email directly? Most sites expect port 25, so there is not one general solution for secondary ports.

      Though it is still irritating, because before, I was sending and receiving email from my machine. No, I was no open relay either.

    3. Re:Port Blocking by cayenne8 · · Score: 1
      Not if you have a business acct. I just switched from Mindspring/EL...they'd slowed my speeds there to like 720/124. I'm on the 3Mbps/256 Cox system now...and no blocked ports, etc. Also, static IP. All this for about $5 difference from the DSL connection that was going crappier with every day.

      It doesn't cost that much...just tell them you want a business acct...is only like $69/mo for me....worth it so far...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Port Blocking by narfbot · · Score: 1

      Thanks for the info. I'm sure it's worth it compared to DSL. But what about bandwidth limitations? Are they gone?

      Though none of this occurred during the early period of service and none of this was listed in the agreement (no blocks, no bandwidth usage limits, static IP!). It was $30/month. It wasn't anything promotional either. Now it's $40 with a bunch of limitations. To me, it has just been an attempt to make extra bucks. Maybe $30/month didn't cover their costs, and that I can understand, but I haven't seen any real indication so.

      I guess I could go with DSL if I wanted to be cheap. Less than the business account with Cox, but more than regular Cox. But I don't want the pain of DSL, and it's faster too anyway =)

    5. Re:Port Blocking by narfbot · · Score: 1

      To me, it has just been an attempt to make extra bucks. Maybe $30/month didn't cover their costs, and that I can understand, but I haven't seen any real indication so

      Actually, I take that back. Code Red probably wreaked havoc on their network, and caused bills and many headaches. And the first of the restrictions occurred after this ended, and the rate increase. It's probably why @home seemed to crash so hard.

    6. Re:Port Blocking by inode_buddha · · Score: 1

      Heard from family that Adelphia is starting to do the same thing. FWIW.

      --
      C|N>K
    7. Re:Port Blocking by MrBlue+VT · · Score: 1

      Yeah, it really sucks. You can't send any traffic outbound on port 25. Luckily I had another server on another network, so I could set up a VPN tunnel to get the mail out. They do not (currently) block port 25 inbound, so you can run a mail server if you want to receive mail.

      Kinda blows that they cut off port 80 after Code Red, makes it hard to run a webserver.

    8. Re:Port Blocking by narfbot · · Score: 1

      Port 25 is blocked inbound for me still. It's been blocked since Aug 2002.

      This goes to show the ports are blocked because of windows worms:
      Cox port blocking

    9. Re:Port Blocking by cayenne8 · · Score: 1
      Sorry late..but, I was with Mindspring/Earthlink for like 5+ years. About a year ago..I tested and had about 1.2Mbps/380 Kbps....and recently for no reason I could tell...they had dropped it to less than half of that. About the same time I noticed that Mindspring was offering a new small business acct. with those advertised speeds....

      As far as I know..and I asked...I have no bandwidth caps or usage limits. I asked specifically...and looked to see if on contract...but, no is the answer I have so far on both...

      HTH, cayenne

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  44. Darling by nnnneedles · · Score: 1, Funny

    On a related note, I found this on urbandictionary.com:

    (remove the spaces that /. adds)
    http://www.urbandictionary.com/define.php?t erm=dar l&f=1

    http://www.urbandictionary.com/define.php?term=d ar l+mcbride&f=1

    http://www.urbandictionary.com/define.php?term=m cb ride&f=1

    It seems the search engine on urbandictionary.com is so smart, you don't even have to add a definition to get the right search results!

    The current definitions:

    No definitions found for "mcbride."

    Suggestions:

    jackhole
    8 votes

    a dumbshit

    Fucker quit being a jackhole!

    tea bag
    40 votes

    (v). To lower your body as to dip the testicles into her mouth as the woman is tonguing the scrotum.

    Hey man, you should have seen the look on that bitch's face when I tea bagged her.

    I suggest not to mess with the definitions as these suggestions are even funnier than the real thing. Thanks! :)

    --
    Will code a sig generator for food
  45. How to filter the worm: by Saint+Aardvark · · Score: 3, Informative
    From a posting on the SecurityFocus Incidents mailing list:

    ------- Forwarded message follows -------
    From: lsi <stuart cyberdelix net>
    To: focus-virus securityfocus com
    Subject: how to filter the Novarg virus
    Send reply to: stuart cyberdelix net
    Date sent: Wed, 28 Jan 2004 17:35:57 -0000

    I have devised a near-bulletproof Novarg filter.

    The following regular expressions trap this virus dead, no matter
    what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]

    If expression body matches "TVqQAAMAAA*" Move [virus folder]

    This is because the worm is in fact the same program with many
    disguises. However the program looks the same when encoded with
    MIME. Therefore, the above are basically 'MIME sigs' which work just
    like a virus signature in a regular virus scanner.

    So to find it we merely filter on the MIME strings above, which are
    the first 10 bytes of the MIME content section.

    For users without enterprise-class content filters (such as me),
    these two regexp's work like a silver bullet.

    (That two different sigs are required suggests there are two versions
    of the virus in circulation.)

    No silver bullet for auto-notification messages, unfortunately :(

    Stuart

    ------- End of forwarded message -------
    1. Re:How to filter the worm: by pb · · Score: 1

      (A) Some of the attachments are zipped, some are not. There's your difference.
      (B) How many false positives do these very small strings generate? Each of those matches consists of less than 8 bytes of information, and I doubt they're entirely random either...

      --
      pb Reply or e-mail; don't vaguely moderate.
    2. Re:How to filter the worm: by TwinkieStix · · Score: 2, Informative

      In the last myDoom article I posted this, but it seems relevant in this thread too. Here is a procmail recipe that will work on any Linux mail server that uses procmail, including Postfix, Sendmail, etc. Just add it to your /etc/procmailrc file (may be a different folder, but this is pretty standard). It seems to have stopped all of the myDoom messages from coming in:

      :0 B
      * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
      /dev/null

    3. Re:How to filter the worm: by curious.corn · · Score: 1

      Watch out! Someone must have patented it... ... a method for preemptively filtering malicious content on a computer system based on server side computer system... computer system... HEY IT'S COMPUTER... gimme money!...

      bah... sorry

      --
      I wonder who commissions all the bullshit I do - Altan
    4. Re:How to filter the worm: by rabidcow · · Score: 2, Informative

      That's not really a good idea if you don't understand the format of Win32 executables and zip files.

      "TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x

      The first two bytes are "MZ", which will be the same on every DOS and Windows executable (except .com files). Matching against that part gains you nothing. You might as well just block by file extension.

      The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.

      "UEsDBAoAAA" = 50 4B 03 04 0A 00 00 0x

      Again, the first two bytes are a signature, in this case "PK", which identifies it as a zip file. The 03 04 is then a marker to tell it what sort of record follows, best case you're only matching against 3.5 bytes that are actually relevant.
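
    The point made in the forwarded post and in the reply above can be checked directly. The following is an added example, not code from either poster: it decodes the two base64 "MIME sigs" into the bytes they actually pin down (a 10-character base64 prefix fixes 7 bytes plus the high nibble of an 8th), renders them in the same hex notation as the reply, and then runs the filter's own test (does the base64 body start with the sig?) against two constructed, harmless attachments: the 14-byte DOS stub header that Microsoft's linker writes in front of ordinary Win32 executables, and a hand-built stored ZIP entry with "version needed" 1.0, which is what Info-ZIP writes for uncompressed entries. Both are false positives. The sample bytes, file names and function names are all constructed here.

    ```python
    """Added example: what the two Novarg 'MIME sigs' constrain, and what else they catch."""
    import base64
    import struct
    import zlib

    # The two base64 prefixes from the forwarded message (as quoted on the page).
    NOVARG_MIME_SIGS = {
        "UEsDBAoAAA": "zipped attachment",
        "TVqQAAMAAA": "bare Win32 executable",
    }

    B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


    def decode_prefix(sig):
        """Decode a base64 *prefix* (no padding) into the bytes it pins down.

        Each base64 character carries 6 bits, so n characters fix 6n bits:
        floor(6n/8) whole bytes plus the leading (6n mod 8) bits of the next
        byte.  Returns (whole_bytes, leading_bits_of_next_byte_as_str).
        """
        bits = "".join(format(B64_ALPHABET.index(c), "06b") for c in sig)
        whole = len(bits) // 8
        data = bytes(int(bits[i * 8:(i + 1) * 8], 2) for i in range(whole))
        return data, bits[whole * 8:]


    def hex_pattern(sig):
        """Render the constraint the way the reply above does, e.g. '4D 5A 90 00 03 00 00 0x'."""
        data, partial = decode_prefix(sig)
        parts = [f"{b:02X}" for b in data]
        if len(partial) >= 4:            # high nibble of the next byte is fixed
            parts.append(f"{int(partial[:4], 2):X}x")
        elif partial:                    # only 2 bits of the next byte are fixed
            parts.append("xx")
        return " ".join(parts)


    def mime_sig_hits(sig, attachment):
        """Exactly what the mail filter tests: does the base64 body begin with the sig?"""
        return base64.b64encode(attachment).startswith(sig.encode("ascii"))


    # --- Constructed benign samples (not worm bytes) -------------------------

    def benign_pe_prefix():
        """First 14 bytes of the DOS stub header Microsoft's linker puts in front
        of nearly every Win32 executable, built here from the documented
        IMAGE_DOS_HEADER fields: e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4,
        e_minalloc=0, e_maxalloc=0xFFFF.  Constructed sample."""
        return b"MZ" + struct.pack("<HHHHHH", 0x90, 3, 0, 4, 0, 0xFFFF)


    def benign_stored_zip(name=b"readme.txt", payload=b"hello from a harmless archive\n"):
        """A hand-built ZIP local file header (30 bytes) for one stored entry with
        'version needed' 1.0 and no flags, followed by the data.  Constructed sample."""
        header = struct.pack(
            "<4sHHHHHIIIHH",
            b"PK\x03\x04",                     # local file header signature
            10,                                # version needed to extract: 1.0
            0,                                 # general-purpose bit flags
            0,                                 # compression method: stored
            0, 0,                              # DOS mod time / date (zeroed)
            zlib.crc32(payload) & 0xFFFFFFFF,  # CRC-32 of the stored data
            len(payload), len(payload),        # compressed / uncompressed size
            len(name), 0,                      # file name length, extra length
        )
        return header + name + payload


    def false_positive_report():
        """Map each sig to the benign samples it would move to the virus folder."""
        samples = {
            "msvc-linked exe": benign_pe_prefix(),
            "stored zip": benign_stored_zip(),
        }
        return {sig: [label for label, blob in samples.items() if mime_sig_hits(sig, blob)]
                for sig in NOVARG_MIME_SIGS}


    if __name__ == "__main__":
        for sig, what in NOVARG_MIME_SIGS.items():
            data, partial = decode_prefix(sig)
            print(f"{sig} ({what}): {hex_pattern(sig)}"
                  f"  -> {len(data)} bytes + {len(partial)} bits fixed")
        print(false_positive_report())
    ```
    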

  46. The ultimate call for group think. by Anonymous Coward · · Score: 0

    I'll laugh at SCO if I want to thank you very much.

    I personally like to see SCO denial of serviced to kingdom come.

    Free software is neither good nor evil. SCO are evil.
    It depends on the people who run the stuff.

    Look a whole group of people obviously didn't write this virus. There isn't a sourceforge project named MyDoom.
    If the media or public can't figure that out then screw them.

    SCO can kiss my arse.

    1. Re:The ultimate call for group think. by Krow10 · · Score: 2, Insightful
      I personally like to see SCO denial of serviced to kingdom come.
      The problem with that is it doesn't hurt SCOX at all. Look at their business; look at the SEC filings with their financial numbers -- SCOX is not getting any revenue from their website, but they do get some sympathy every time some jackhole pulls a DoS on their pathetic site (of course, lab tests show that MyDoom.a doesn't actually execute the DoS code.) Yeah, SCOX can kiss my arse as well, but so can the spammers who coded this and anyone else who puts SCOX in the news for something other than their impending bankruptcy and fraud investigation.

      Cheers,
      Craig

      --
      Corollary to Clarke's Third Law: Any technology distinguishable from magic is insufficiently advanced.
    2. Re:The ultimate call for group think. by jrockway · · Score: 1
      I'll laugh at SCO if I want to thank you very much.

      I personally like to see SCO denial of serviced to kingdom come.

      Free software is neither good nor evil. SCO are evil.
      It depends on the people who run the stuff.

      Look a whole group of people obviously didn't write this virus. There isn't a sourceforge project named MyDoom.
      If the media or public can't figure that out then screw them.

      SCO can kiss my arse.


      This is right. Just because Bruce is "important" doesn't mean he can tell us what to think. If you agree with him, great. If you're laughing your ass off at the fact that SCO.com is down, that's fine too. Think for yourself. As some troll said, "You are not ambassadors of your community". He's right. Bruce is. You aren't. You need not act mature on behalf of the Linux community (you might want to be mature if you plan on spreading your genetic material, but that's another story).
      --
      My other car is first.
  47. Patch patch scratch and lose by djupedal · · Score: 2, Interesting

    OS X....works for me...all go to the trash.

    Oh what a relief it is :)

    1. Re:Patch patch scratch and lose by Anonymous Coward · · Score: 0

      It doesn't matter what mail client/browser/OS you use if you're going to be stupid enough to open attachments or download 22k executables from Kazaa.

    2. Re:Patch patch scratch and lose by djupedal · · Score: 1

      It doesn't matter what mail client/browser/OS you use if you're going to be stupid enough to open attachments

      Certainly it does. Those 'attachments' only run on Windows.

      Mac OS X (etc.) is simply not a breeding ground :)

    3. Re:Patch patch scratch and lose by Anonymous Coward · · Score: 0

      Step 2: port virus to OS X
      Step 3: Profit

  48. Any ideas by maztuhblastah · · Score: 1

    The following comes from
    http://www.channelnewsasia.com/stories/afp_w orld/view/68440/1/.html

    "Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator, Hyppoenen said."

    I think that this message refers to Andy Nagle, the director of the SCOx project.

  49. Re:whoever made it by Anonymous Coward · · Score: 0

    I like your sig. You could change it to "Europe, Proving Americans Wrong Since The Spanish Inquisition" Just kidding.

  50. Block port 25? by dubious9 · · Score: 1

    Why block port 25? How much of that 25 traffic do they know is SPAM? If I were a spammer, I could just get a co-location somewhere in asia (or just about anywhere else), ssh over, and do my dirty work from there.

    The only people they are hurting are people that like to run their own mail servers.

    People like me. And I am not a spammer.

    Why can't people understand that you can't block certain kinds of traffic by blocking ports? All it takes is another computer outside the blockade to ferry them along. The only way this would be effective is that if every ISP everywhere blocked port 25, and co-located servers had to register to use port 25. But since that will never happen, then one ISP doesn't make a difference.

    --
    Why, o why must the sky fall when I've learned to fly?
    1. Re:Block port 25? by dubious9 · · Score: 1

      Ok, now that I think about it, it wasn't spammers that they were trying to stop, it was people's own e-mail clients. But AFAIK, don't e-mail viruses use their program's default SMTP server, which for most of the users would be the ISP anyway!? How stupid. And I'll refrain from answering myself for a little while.

      --
      Why, o why must the sky fall when I've learned to fly?
    2. Re:Block port 25? by Sandman1971 · · Score: 2, Interesting

      No, most viruses run their own SMTP engines. The smarter ones do an MX lookup for the host domain (based on reverse DNS) and use that as the MTA. Smart ISPs, however, split inbound and outbound MTAs to block this.

      --
      It's better to burn out than to fade away
    3. Re:Block port 25? by RT+Alec · · Score: 1

      Actually, most of the recent viruses/worms/pick-your-term have their own, built-in SMTP engine. This allows the infected workstation to look up the MX records of the recipient (the next potential victim, that is), and connect directly to their incoming SMTP server.

      The responsible thing for ISPs and businesses connected to the internet is to block egress port 25 traffic. There are a number of ways to still use external SMTP servers, such as SMTP+AUTH+SSL, which ideally is configured to use a port other than 25 (465 and 587 are the most common with such a configuration).

    4. Re:Block port 25? by RatBastard · · Score: 1

      They are blocking port 25 because of infected machines acting as zombie spam machines. The spammers are using zombies to get around the black lists. Not all solutions are optimal for all concerned.

      --
      Boobies never hurt anyone. - Sherry Glaser.
    5. Re:Block port 25? by PhuCknuT · · Score: 1

      That's a good attitude, if you can't solve the whole problem don't do anything at all...

      This isn't about blocking every spammer. Blocking port 25 outbound will stop infected PCs from sending the virus out to other people. Legit mailservers will have no problem, they just have to relay through the ISP's mailserver, which is simple in any MTA.

      So, they aren't hurting anyone. They are stopping viruses from spreading. What exactly is the problem?

    6. Re:Block port 25? by cpghost · · Score: 1

      Relaying through the ISP's MTA is not always possible, esp. if you have some virtual domains of your own on your machine.

      --
      cpghost at Cordula's Web.
    7. Re:Block port 25? by mabu · · Score: 1

      Why block port 25? How much of that 25 traffic do they know is SPAM? If I were a spammer, I could just get a co-location somewhere in asia (or just about anywhere else), ssh over, and do my dirty work from there.

      Feel free dude. I think that's a great idea. It would make my life so much easier:

      CONNECT:210 550 piss-off non-whitelisted network
      CONNECT:218 550 piss-off non-whitelisted network
      CONNECT:61 550 piss-off non-whitelisted network

      I can filter all your IPs with great ease and then choose which relays I want to allow. It's a lot easier than trying to block you from the IP mess in the United States.

    8. Re:Block port 25? by mabu · · Score: 1

      I've seen many worms that aren't even that sophisticated. They don't even bother with the MX record, they just grab the IP for the hostname and assume there's an SMTP server there. More often than not, they're right.

    9. Re:Block port 25? by cpghost · · Score: 2, Informative

      Operating a mail server carries special responsibilities with it. You have to make sure that you're not operating an open relay (even inadvertently), you must monitor your outgoing mail (logs), to make sure that your server is not being abused as a spam source, and you should react to problems such as mail loops etc., e.g. by assuming the role of postmaster.

      While most of us /.-ers are technically savvy enough to do this, a whole lot of Windows-PC owners are not. Their machines are constantly being hijacked by viruses, and then they become spam zombies from hell. I can understand why ISPs are reluctant to keep port 25 open to such people. OTOH, I don't like this collective punishment meted out by some ISPs who don't discriminate between responsible and irresponsible users.

      It is quite common for ISPs to block port 25 for dial-up users, but they won't do so if they assign you a static IP. In most cases, people with static IPs are more responsible (and technically savvy) than Joe Sixpack, and there's often no need to block them. Of course, in an ideal world, the ACLs on ISPs' routers would be configured dynamically for every user who logs in. It is easy to implement a whitelist/blacklist of users and block only those who don't act responsibly, open everything for users who have a good history of fixing bugs or keeping a tight ship, and give everyone else the benefit of the doubt.

      --
      cpghost at Cordula's Web.
    10. Re:Block port 25? by Tsuzuki · · Score: 1

      Why block port 25? How much of that 25 traffic do they know is SPAM? If I were a spammer, I could just get a co-location somewhere in asia (or just about anywhere else), ssh over, and do my dirty work from there.

      The only people they are hurting are people that like to run their own mail servers.


      There are currently a handful of broadband providers Australia-wide, and Optus is one of the two huge companies providing cable internet. Since Optus doesn't permit you to run your own mail or web server in their terms of use (unless you buy a fixed IP address), I would assume that most, if not all, traffic going out through port 25 of a residential Optus user is spam.

    11. Re:Block port 25? by Tsuzuki · · Score: 1

      Port 25 of the user's computer, that is. Go, me! 8)

    12. Re:Block port 25? by PhuCknuT · · Score: 1

      I've never seen an ISP who both forces you to use their relay and restricts you to their domain.

  51. Good for Optus! by RT+Alec · · Score: 1

    Kudos to Optus for blocking egress port 25 traffic. They can be assured that their customers will not be part of the problem for anyone else! Other ISPs, and any business that provides internet access to any internal workstations-- please take note, and block egress port 25 traffic. Otherwise, you are part of the problem.

    1. Re:Good for Optus! by benna · · Score: 1

      This is nothing new and I'm not really sure why it's considered news. ISPs have been doing this since before worm.SCO.A. Look here

      --
      "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    2. Re:Good for Optus! by Tackhead · · Score: 1
      > Kudos to Optus for blocking egress port 25 traffic. They can be assured that their customers will not be part of the problem for anyone else! Other ISPs, and any business that provides internet access to any internal workstations-- please take note, and block egress port 25 traffic. Otherwise, you are part of the problem.

      Agreed.

      Optus, mail from your network is now welcome on my servers. Consider yourselves unblocked.

      Are you a residential broadband provider that doesn't block port 25? Guess what? Your mail bounces, because it's all spam, no ham. That's you I'm talking to, Comcast.

      Comcast, you and the rest of 24.0.0.0/12 and 68.32.0.0/11 can take your "Irect-ee-le dysfuncshion" and your "CAL1SS" and your "C1al1s" and your "\/ia-gra" and your "Wee-agra" and stuff it right back up your SMTP server. Choke on it, bitches.

    3. Re:Good for Optus! by decaying · · Score: 1

      They block port 25, but do not relay email, therefore I cannot send email from my non-Optus email address.
      It is a major pain in the arse; luckily my mailhost is looking at opening another port for us ...

      btw: 2004-01-28 10:07:31 Australian ISP reacts to MyDoom virus. (articles,internet) (rejected) : funniest rejection I've ever seen... [:

      --
      ----- One piece short of Legoland
    4. Re:Good for Optus! by mabu · · Score: 1

      Hooray!

      If only the number one spamming, virus-propagating piece-of-shit ISP in the country: COMCAST would do the same, we likely wouldn't have this problem.

    5. Re:Good for Optus! by hayds · · Score: 1
      Most people wouldn't notice the block, they just use Optus's mail server.

      If you have your own mail server (like me) you just set Optus's server as your SMTP and it all works ok. No problem there either.

      The problem I have is that I use a laptop and my own email server, which supports SMTP auth. So I used to be able to go home, work, clients, etc. and send and receive email. Now I have to keep switching SMTP servers in my mail client everywhere I go. Not the end of the world, but it's still a real pain in the ass.

    6. Re:Good for Optus! by Anonymous Coward · · Score: 0
      I'm sure Comcast is heartbroken that the mail server in your basement isn't accepting their traffic. Unfortunately, those running mail service for real customers don't have the option of arbitrarily blocking entire networks and the false positives that would entail..

      ~~~

    7. Re:Good for Optus! by RT+Alec · · Score: 1

      Have your mailhost take a look at SMTP+SSL+AUTH for initial mail submission. That's how my mail server is set up (I am the admin), and we provide mail services to many customers. None have any problem, regardless of their ISP, WISP, hotel, etc. they might be using for access.

    8. Re:Good for Optus! by RT+Alec · · Score: 1

      Better option: block all Comcast IP addresses except their mail servers.

      Even better option: deploy SPF::Sender and you won't need to deal with Comcast changing the IP address of their outgoing mail servers (I know-- not quite a working option today, but it will be).

    9. Re:Good for Optus! by RT+Alec · · Score: 1

      Configure your mail server to accept initial mail submission on port 587, and you can use it from anywhere. Even better, add TLS for encryption.

    10. Re:Good for Optus! by Anonymous Coward · · Score: 0

      Can be done better. My ISP, for one, does NOT block port 25. They are liberals :)

      What they do instead is they probe customers every once in a while for an open relay. They also provide information on their website about how to secure your mail server or open relay server.

      In the case they find your mail server to be an open relay they block port 25 and give you some time to fix it. When it ain't fixed they shut you down IIRC.

      They also provide BSMTP, virus scanning, and spam checking, all included, as well as SSH access to their shell servers for mail access (mutt). So you can outsource the spam and virus checking to BSMTP, then allow only the real traffic (BSMTP, POP3S), which is healthy for your home server load or traffic.

      Who said cable access in the USA was cheap compared to a decent, quality proven DSL provider in the Netherlands?

      http://www.xs4all.nl (i'm not affiliated, just a happy customer)

    11. Re:Good for Optus! by jonadab · · Score: 1

      > please take note, and block egress port 25 traffic. Otherwise, you are
      > part of the problem.

      I don't block port 25 traffic from my network, and my network is *not* part
      of the problem. (Of course, I don't allow Outlook on my network either...)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    12. Re:Good for Optus! by muzzmac · · Score: 1

      You go girl! I bet Comcast is shitting in its boots!

    13. Re:Good for Optus! by Tackhead · · Score: 1
      > Better option: block all Comcast IP addresses except their mail servers.
      >
      > Even better option: deploy SPF::Sender and you won't need to deal with Comcast changing the IP address of their outgoing mail servers (I know-- not quite a working option today, but it will be).

      The sad thing, of course, is that Comcast's shifting of its IP addresses of its mail servers is designed to prevent people from "blocking all but their mail servers".

      Comcast's behavior is consistent with a company more interested in getting its customers' hijacked boxes' spam out than its legitimate mail. The most reasonable compromise I came up with was to jack up the DNSBL weightings in SpamAssassin and hope that the DNSBL maintainers can do a better job of tracking Comcast's IP-shifting mail servers than I can.

      SPF looks very interesting. It's remaining on my radar too.

  52. Purdue's got it by Raynach · · Score: 1
    The network was down a little last night, and I'm getting bombarded with emails from it from people with the purdue.edu domain. The university's put people on alert, but there are still people stupid enough to open up random executables at school.

    Apparently college doesn't weed out the idiots.

    --
    - A
  53. Eventually, that might not help. by qortra · · Score: 2, Interesting

    Many worms nowadays are capable of traveling along multiple protocols and containing multiple payloads. Of course, worm writers generally don't bother because there are indeed far more copies of Windows out in the wild than anything else. However, if we began to see a more substantial plurality of OSes, I suspect multiple-architecture worms would become more commonplace; just pick your favorite exploit from each os, and make a separate payload for each. The worm might double or triple in size (depending on the number of architectures supported), but authors won't care.

    Furthermore, universal binaries like those associated with Java or .NET/Mono might eventually make it so worm writers don't even have to include multiple payloads; just multiple exploits.

    Maybe diversifying will help a little for a short while, but the real solution to this problem is to write better code.

    1. Re:Eventually, that might not help. by Net_Wakker · · Score: 1
      Maybe diversifying will help a little for a short while, but the real solution to this problem is to write better code.

      In the case at hand, better code won't help a bit. Mydoom is a *trojan*, not a worm. It asks people to ACTIVELY CLICK on it. Diversification in this case would have made it more difficult for the trojan to spread this fast.
      Of course, better code is something that's seriously needed as well.
    2. Re:Eventually, that might not help. by Anonymous Coward · · Score: 0

      I suspect multiple-architecture worms would become more common place; just pick your favorite exploit from each os, and make a separate payload for each.

      The problem with that idea is that you need the backdoor to be in place already before you can send your worm in, or you'll never be able to get the privileges to run "make install".

    3. Re:Eventually, that might not help. by NixLuver · · Score: 1
      The significant issue that your post raises is that in most *nix environments, the worm would be limited to the behavior of the execution environment; java, perl, php, etc. On my workstations, all you would be able to affect (if you persuaded me to run it) is *my files*, not the core OS files.

      I know that the Windows "supporters" will consider it a pointless troll, but no matter how politically incorrect some may feel that it is, there *is* a difference between Operating Systems, and that difference is clearly illustrated in situations such as this.

    4. Re:Eventually, that might not help. by Anonymous Coward · · Score: 0

      You seem to assume that Windows users run as a member of the Administrators group. I certainly don't.

      But, let's be honest, people in my department chuckle at the pain I go through, because I am routinely logged in as a regular user, not a member of the Administrators group. But, I do it as a point to practice what I preach; also, to test how much trouble this is under MS-Windows. I will tell you one thing, I have surely gotten quick at typing "runas /user:mymachine\myadmin mmc" !

      Unfortunately, there are some GUI tools that I don't know how to get to from runas (such as the LAN adaptor config dialogs).

  54. spammers? by trb · · Score: 1
    in order for worm/spammers to profit from spam, they have to put some link back to themselves in the spam, don't they? doesn't that make them a bit easier to track down than 1337 4ax0r worm writers who don't use real return addresses or phone numbers?

    I know that the spammers who use the worm-enriched mailers aren't necessarily the worm writers, but they are paying someone to send the spam, so there's still a (worm) trail.

    1. Re:spammers? by mabu · · Score: 1

      in order for worm/spammers to profit from spam, they have to put some link back to themselves in the spam, don't they? doesn't that make them a bit easier to track down than

      How many spammers have you tracked down lately?

      Spammers will use the same IP forwarding and misdirection techniques to install software on an infected machine. So far, none of the authorities seem to be able to catch any of them.

    2. Re:spammers? by jonadab · · Score: 1

      > in order for worm/spammers to profit from spam, they have to put some
      > link back to themselves in the spam, don't they?

      To themselves? Directly? No. They have to put something in there that has
      to do with whatever they're selling, but that likely can be traced to a
      *customer*. A customer who can deny having anything to do with it or any
      prior knowledge. ("Yeah, *someone* has been sending out this mail that
      mentions us; we got some of it too. But it wasn't us that sent it.) It in
      theory is possible to get enough information out of one of these customers
      to trace it back to the spammer, but then you still have to prove it.
      There's also of course the approach of using packet logging to watch an
      infected system and see where the control messages that result in the spam's
      being sent are coming from. However, they're probably coming from another
      compromised system. Ultimately they come from the spammer/cracker/loser,
      but tracing it back can be hard.

      I'm not saying they can't be tracked down, only that it's probably not as
      easy as you make it sound.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  55. Re:OT,but someone needs to make the [NO CARRIER] j by Cosmik · · Score: 1

    That's the point of the parent post. He doesn't use Outlook but got infected anyway via other means.

  56. Court case in the U.S.? by Fjord · · Score: 1

    AFAIU, SCO's claims of IP ownership are global, and countries like Russia and China have more to gain from linux IP being free than an MS saturated U.S. market.

    --
    -no broken link
  57. I did it by Anonymous Coward · · Score: 0

    Dear SCO

    I did it. I admit it.
    Please send me a check for USD 250.000.

    Thank you.

    PD: Slahsdot readers:
    Any lawyer out there who'll defend me for USD 200.000?

  58. Who cares? by jason.mitchell · · Score: 1

    Wow.. who really cares? How is this news to us? We didn't make the virus, stop telling us every little detail that's going on; we don't care about SCO. Every day I see a post about some worthless SCO news; it is just drawing SCO more media coverage, what they want. I urge /. to stop giving SCO the respect by actually posting their worthless case that will not go anywhere. --jay

  59. Crank up the tinfoil hat by Mr+Z · · Score: 1

    It could be a reverse-psychological attack: Make Linux users look bad in an attempt to boost SCO's chances against Linux and as a result get more Windows users that are susceptible to their profit-generating viruses...

    --Joe
    1. Re:Crank up the tinfoil hat by Anonymous Coward · · Score: 0

      Thank God for you. Yours is the first post that actually made sense.

  60. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0

    I don't have anything against Americans; I've never met one. However, the USA gov't needs to wake up and do something about all of the criminals it harbors. They send most of the spam, distribute drugs, and distribute weapons. It's bleedin obvious where all the problems come from, it's time for something to happen.

  61. Can Someone Explain Forensics? by mgrassi99 · · Score: 1

    How do they dissect the virus code? How does it help determine country of origin? How can that lead to finding the writer? Do virus writers have their own signatures? And are they not smart enough to just not include that in the virus that they distribute?

    1. Re:Can Someone Explain Forensics? by Conspiracy_Of_Doves · · Score: 1

      I don't think that has anything to do with the code. I think that has more to do with following the infection trail back to its source.

    2. Re:Can Someone Explain Forensics? by Flower · · Score: 1
      Atm a bit beyond me, but this might provide a little insight. One of the authors has a site.

      HTH

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    3. Re:Can Someone Explain Forensics? by jonadab · · Score: 1

      > How do they dissect the virus code?

      You take the machine code executable and disassemble it into crude, low-level
      assembly language. (There is a one-to-one correspondence between individual
      low-level assembly instructions and machine code.) Now, you still have a
      mess because you don't know right away what's code and what's data. (The
      disassembly process pretends it's all code but puts the actual numerical
      value of the instruction as a comment in case it's data.) So now you step
      through execution either with a debugger or by hand (the latter is called
      "desk checking" and takes a while), starting at the beginning, going step
      by step. Whenever the code pulls data from a certain location, you mark
      that location as definitely data; when it jumps to or otherwise executes an
      instruction, you mark that location as definitely code. (Unless the thing
      was written by Mel, the Real Programmer, no location is likely to be both.)
      Gradually you puzzle out what the thing is doing. (It's not easy.)

      > How does it help determine country of origin?

      That's another kind of forensics, wherein you pick some places that got the
      thing and figure out where they got it from. If you trace a number of
      infections from well-separated places around the internet back several steps
      each and most of them got it from the same general area, it's likely that
      the thing came from somewhere near there -- though it's hard to be sure.

      > How can that lead to finding the writer?

      That's harder, but the basic idea is to trace back until you find where the
      thing was originally introduced into the wild.

      > Do virus writers have their own signatures?

      Some may; others may not.

      > And are they not smart enough to just not include that in the virus that
      > they distribute?

      I suspect that in some cases the virus gets loose into the wild before the
      writer intends to release it, while they're still testing/revising it.

      --
      Cut that out, or I will ship you to Norilsk in a box.
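The code-versus-data puzzle jonadab describes, shown as an added example that is not part of his post: a constructed five-opcode toy instruction set and a constructed byte image in which a two-byte data table happens to decode as a valid instruction. A front-to-back "linear sweep" marks every byte as code, exactly the "pretends it's all code" behaviour he mentions; following execution from the entry point (recursive traversal) marks what is executed as code, what a LOAD reads as data, and flags any byte that ends up being both.

```python
"""Code-vs-data marking on a constructed toy instruction set (added example)."""
from collections import deque

# Constructed ISA: opcode -> (mnemonic, operand bytes, control-flow kind)
OPCODES = {
    0x01: ("LOAD", 1, "data"),    # LOAD a : reads the byte at address a
    0x02: ("JMP",  1, "jump"),    # JMP a  : unconditional transfer to a
    0x03: ("JZ",   1, "branch"),  # JZ a   : either falls through or goes to a
    0x04: ("HALT", 0, "stop"),    # end of this execution path
    0x05: ("NOP",  0, "next"),    # falls through
}
CODE, DATA, BOTH, UNKNOWN = "C", "D", "!", "?"

# Constructed image: the two bytes at offsets 2-3 are a data table that
# happens to look exactly like "LOAD 2" (0x01 0x02) to a linear sweep.
SAMPLE = bytes([
    0x02, 0x04,   # 0: JMP 4
    0x01, 0x02,   # 2: data, read by the LOADs below
    0x01, 0x02,   # 4: LOAD 2
    0x03, 0x0A,   # 6: JZ 10
    0x05,         # 8: NOP
    0x04,         # 9: HALT
    0x01, 0x03,   # 10: LOAD 3
    0x04,         # 12: HALT
])

def decode(image, pc):
    """Decode one instruction at pc -> (mnemonic, operand, length), or None."""
    entry = OPCODES.get(image[pc])
    if entry is None:
        return None
    name, nops, _ = entry
    if pc + nops >= len(image):          # operand would run off the image
        return None
    operand = image[pc + 1] if nops else None
    return name, operand, 1 + nops

def linear_sweep(image):
    """Decode front to back, treating every byte as code (the naive disassembly)."""
    marks = [UNKNOWN] * len(image)
    pc = 0
    while pc < len(image):
        ins = decode(image, pc)
        if ins is None:                  # undecodable byte: leave '?' and resync
            pc += 1
            continue
        for i in range(pc, pc + ins[2]):
            marks[i] = CODE
        pc += ins[2]
    return "".join(marks)

def recursive_traversal(image, entry=0):
    """Follow execution from entry; executed bytes become CODE, LOAD targets DATA."""
    marks = [UNKNOWN] * len(image)
    listing = []                         # (offset, mnemonic, operand) in discovery order
    seen = set()
    work = deque([entry])

    def mark(i, tag):
        # A byte that is both executed and read as data gets '!' (the "Mel" case)
        marks[i] = tag if marks[i] in (UNKNOWN, tag) else BOTH

    while work:
        pc = work.popleft()
        while 0 <= pc < len(image) and pc not in seen:
            seen.add(pc)
            ins = decode(image, pc)
            if ins is None:
                break                    # not decodable: this path stops here
            name, operand, length = ins
            for i in range(pc, pc + length):
                mark(i, CODE)
            listing.append((pc, name, operand))
            kind = OPCODES[image[pc]][2]
            if kind == "data":
                if operand < len(image):
                    mark(operand, DATA)
                pc += length
            elif kind == "jump":
                work.append(operand)
                break
            elif kind == "branch":
                work.append(operand)     # taken edge is queued, fall-through continues
                pc += length
            elif kind == "stop":
                break
            else:
                pc += length
    return "".join(marks), listing

if __name__ == "__main__":
    print("linear sweep       :", linear_sweep(SAMPLE))
    print("recursive traversal:", recursive_traversal(SAMPLE)[0])
```

The two marking strings line up byte for byte with the image: the sweep reports thirteen code bytes, while traversal reports offsets 2 and 3 as data because the LOADs at 4 and 10 read them. Real disassemblers do the same thing with far larger instruction sets, and the residue of bytes that are never reached is exactly where the hand stepping jonadab describes begins.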
  62. big fat apology? by Anonymous Coward · · Score: 0

    and WHO is the person that's supposed to make that apology?

  63. Re:whoever made it by FlashBuster3000 · · Score: 1

    These are times where M$ should be promoted by the Open Source Community.
    Perhaps everyone who gets the Worm should forward it to all the people in his address book that use Outlook :-)
    Help the worm!
    On the other hand.. sco will destroy itself, so sit back and enjoy.

    (I have never seen the worm, thanks to spamassassin)

  64. Open Source Bounty by Anonymous Coward · · Score: 0

    The only way that the open source movement is going to avoid the stick of being virus makers is for it to match SCO's offer of a $250k bounty for anyone identifying the criminal concerned in creating the virus.

    I believe that the OSDL (for example) should organise a collection of $100 each from 2500 open-source advocates (including myself) and hold this in trust as a reward for catching the criminal.

    That might get the criminal caught and would certainly make it clear that, as much as we reject everything that SCO has done over the past year, we agree with them that DOS attacks are unacceptable.

    1. Re:Open Source Bounty by Anonymous Coward · · Score: 0

      why did you post AC - you deserve mod points!

  65. MyDoom victim by superpulpsicle · · Score: 1

    No joke. I know one person who is infected with this virus. He's making zero effort to patch fix it cause he hates SCO too much.

    Since this virus is such a favorite I can imagine a mydoom2. Though mydoom3 will probably get delayed cause John Carmack said so.

    1. Re:MyDoom victim by mabu · · Score: 2, Informative

      Your friend is a moron.

      The SCO DDOS is nothing compared to the fact that the worm opens up a back door which allows other people complete control over his computer.

  66. I say to the virus writers... by leftie_hater · · Score: 0

    FUCK YOU!! I've gotten THOUSANDS of the god damn 32K emails.

    --

    ---------
    George W. Bush in 2004!
  67. Re:We've gotta do something about Russia by drinkypoo · · Score: 1

    Distribute drugs? No. We consume drugs. We certainly are quite the arms dealers, though.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  68. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  69. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0
    and I suppose the solution would be to accuse them of hiding weapons of mass destruction then going in and bombing the shit out of them ?

  70. RTE News by Anonymous Coward · · Score: 0

    The way the item was reported on www.rte.ie (Ireland) it makes SCO look like the good guy, could SCO come out of this better than they went in.......

  71. Isn't It Ironic - Don't You Think? by BigBlockMopar · · Score: 4, Insightful

    Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is necessary to combat worms.

    How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:

    • promotes the very monoculture about which he speaks (noting that Microsoft doesn't offer a PowerPoint reader for Linux)
    • allows the embedding of executable content which could be (and has been) used to carry malicious code

    Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.

    At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.

    --
    Fire and Meat. Yummy.
    1. Re:Isn't It Ironic - Don't You Think? by Eyah....TIMMY · · Score: 1

      DefCon should have provided some other format. I looked elsewhere but couldn't find that presentation. Well, don't use it if you don't want to. I think the material in it is far more valuable than the fact it's in PowerPoint though.

      --

      It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
    2. Re:Isn't It Ironic - Don't You Think? by ClosedSource · · Score: 1

      "Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption."

      I completely disagree. The fact that PowerPoint was used is really a counter-argument and shouldn't be hidden. Diversity has its value but it also has its costs. If the goal is improvement, both sides of the argument need to be explored.

    3. Re:Isn't It Ironic - Don't You Think? by spacecowboy420 · · Score: 1

      For fucks sake, you don't use OO?

      Why whine when you can just as easily read it without a MS app on linux doing it for you? The tools are there, just use them. In fact, it could be that he made it in OpenOffice and wanted you to be able to read it on linux and windows - thus he saved it in PowerPoint format - which is compatible on both. Yes, there is the html/pdf argument - but it isn't a hassle to use this format.

      --
      ymmv
    4. Re:Isn't It Ironic - Don't You Think? by cheekyboy · · Score: 1

      Maybe google will convert powerpoint to html like it does for pdf/rtf at the moment :)

      Come on google, you are king!

      --
      Liberty freedom are no1, not dicks in suits.
    5. Re:Isn't It Ironic - Don't You Think? by Ironica · · Score: 1

      (noting that Microsoft doesn't offer a PowerPoint reader for Linux)

      It's a symptom of the monoculture that you only thought to look for a PowerPoint reader from Microsoft.

      HTML isn't at all suited to a discrete page format. Acrobat makes some sense, but is getting worse with every new version. Neither can reproduce animations that were created in a presentation application, which are sometimes useful or necessary to convey meaning (sure, they're massively abused, but you can really communicate by covering up one image with another, bringing in the answer after you've asked the question, etc.) *.ppt, however, thanks to a certain OS project, is pretty much universal.

      --
      Don't you wish your girlfriend was a geek like me?
  72. what makes you think that people in Russia by meshko · · Score: 3, Insightful

    do not follow the SCO lawsuit?
    Fuck, I'm pissed off more than usually about Slashdot editors.
    If you were to read www.linux.org.ru you would notice that the site follows the suit pretty closely, sometimes more so than Slashdot.

    --
    I passed the Turing test.
    1. Re:what makes you think that people in Russia by swb · · Score: 1

      In pleasant terms, the editors are concerned that the respect for international conventions, especially the rule of law and criminal justice in Russia isn't exactly strong.

      In unpleasant terms, the editors think Russia is a dictatorship run by the mafia and the security service with zero concern for international law or control over its criminal element.

      It's usually portrayed that way in the US news (which for me is the New York Times regularly and the Economist occasionally -- I'd do better, but that's about the best I can do reliably and conveniently here in Minnesota). Putin's moves against the chairman of the oil company certainly look dictatorial and evidence of his KGB pedigree.

      Russia's problems with organized crime are well known, and while the impact on everyday citizens may be less than we think, it really does have the appearance of being out of control.

    2. Re:what makes you think that people in Russia by meshko · · Score: 1

      This analysis is not completely off the mark, I suspect, but it doesn't mean that the regular guys there who use/develop Linux do not know about the lawsuit. Hence it is possible that the virus indeed originated from Russia.

      --
      I passed the Turing test.
  73. Am I the only one? by wahgnube · · Score: 1
    Who read the headline as "More MyDoom Gloom" and plunged into extreme depression for the 30s it took to re-read and realize it's just an extremely large scale crippling virus. Pfft.

    The game is still on track for a speedy release! :)

  74. Re:We've gotta do something about Russia by Eudial · · Score: 1

    Actually, doesn't east asia account for 99.985% of all viruses?

    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  75. video ? Re:McBride interview by narfbot · · Score: 1

    Do you have a video of it?

  76. Not to sound too paranoid, but... by GeneralEmergency · · Score: 1

    Couldn't this worm be Darl McBride's next rock from his "hump and dump" bag?

    I mean think about it. He offered up that quarter mil reward awful fast considering no one has yet found any credible evidence that it is actually DDOSing SCO. He then gets to stand up in front of the world again and scream "All those nasty OpenSourcers are picking on me!".

    Methinks Darl has hit upon a new business model here.

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
    1. Re:Not to sound too paranoid, but... by gcaseye6677 · · Score: 1

      I wonder if the dumbasses at SCO are still going to pay that reward if someone's caught.

  77. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  78. Blocking port 25 by Anonymous Coward · · Score: 0
    That's nothing new. My ISP only allows SMTP traffic through its SMTP server. This is unsurprising to me, and even though it really sucks, there's not much we can do about it. There are people who abuse the system, and the best way is to close off SMTP servers. The good thing about SMTP is that you can still retain your email address, so if the ISP is asking for the server load...

    Only issue is it's almost IMPOSSIBLE to do mass mailings; we maintain a mailing list for our small business, and we use SMTP email for it. Since we don't send it to many people (less than 1000) it's not too bad; only our ISP doesn't allow emails with more than a certain number of recipients; I'm still not sure how many. So I have to break up the contacts who will receive the email into about 3 or 4 groups for it to go through, otherwise it gets refused.

    I was going to do a majordomo mailing list, but I can't figure out how to do it (maybe it's really easy, but I'm kind of an idiot when it comes to these things, and I don't have much time).

  79. the virus dies if www.sco.com dies by Anonymous Coward · · Score: 0, Interesting

    From the article:

    "only activity I can get it to perform related to www.sco.com is to resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these."

    So, rather than being a DDOS, this worm/virus essentially says "take down www.sco.com or else". Taking down www.sco.com is Darl's responsibility. Will he do it to stop the worm? If he doesn't, can he be said to support the worm?

    1. Re:the virus dies if www.sco.com dies by netsharc · · Score: 1

      Would this result in DNS-admins removing www.sco.com from their servers? Sure it's a kludge hack but it would save some trouble. Heehee.

      Next week on Daytime-Court-TV: SCO vs. ISPs of the world!

      --
      What time is it/will be over there? Check with my iPhone app!
    2. Re:the virus dies if www.sco.com dies by Sj0 · · Score: 2, Funny

      Since this virus is an act of cyber-terrorism, could it be said that he's supporting the terrorists? Can we finally bomb utah?

      --
      It's been a long time.
  80. Parent by Anonymous Coward · · Score: 0

    Sound very Dubyaist in its thinking.

  81. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0

    Yeah, what about the american gov't and the criminals it harbors?

  82. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0

    Actually Russia has improved in the corruption perceptions index (scroll down for the table) in the last few years. It is still pretty far down the list, though...

    As for the grandparent, it definitely sounded like either a troll or personal bias. "All the problems" coming from Russia? Russia has lots of internal problems, it exports some of them to some places, but it can hardly be blamed for all of the world's problems.

  83. easy way to stop this: don't accept port 25 DUL by mabu · · Score: 1

    I keep saying the one way to stop this is to have all the major ISPs filter port 25 traffic from any of their dial-up or broadband (non-business) customers to any IP other than their designated SMTP relays. If they do this, not only will they stop the spread of these worms, but they'll also stop about 99% of all the spam.

    Until the ISPs get responsible, if you run a mail server, you can make an active effort to blacklist all SMTP traffic from DULs. There are a number of RBLs that do this.

    As an added bonus, if unauthorized SMTP traffic were filtered out, spammers and worm-writers would have to resort to sending e-mail-spreading-worms through larger ISP gateways, which could more efficiently identify the earliest sources of these rogue scripts and help catch the perpetrators.
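The "blacklist all SMTP traffic from DULs" check mabu recommends, as an added example that is neither his code nor any particular RBL's: the client address is reversed octet by octet, the list's zone is appended, and an A record in 127.0.0.0/8 means the address is listed. The zone names, the 203.0.113.0/24 and 198.51.100.0/24 client addresses and the answers in FAKE_ZONE are all constructed so the block runs offline; the allowlist parameter is there for the business-on-a-DSL-range case raised in the replies.

```python
"""DUL-style DNSBL check for a connecting SMTP client (added example)."""
import ipaddress
import socket

# Constructed zone names (the .invalid TLD never resolves); substitute real DUL zones.
DUL_ZONES = ["dul.example.invalid", "dynamic.example.invalid"]

# Never queried: these cannot be the source of mail from the public Internet anyway.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.10 -> 10.113.0.203.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")

def live_resolver(name):
    """Real lookup: a listing is an A record, by convention inside 127.0.0.0/8."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify_client(ip, zones=DUL_ZONES, allowlist=(), resolve=live_resolver):
    """Decide what to do with a connecting SMTP client.

    Returns ("accept" | "reject" | "skip", reason). The allowlist exists for the
    business line whose address sits inside a range a list has labelled dynamic.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return ("skip", "local or private address, not queried")
    for net in allowlist:
        if addr in ipaddress.ip_network(net):
            return ("accept", f"allowlisted by {net}")
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Only a 127.x.x.x answer counts as a listing; anything else (for example a
        # wildcard from a dead or hijacked zone) must not be used to reject mail.
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return ("reject", f"{ip} listed in {zone} ({answer})")
    return ("accept", "not listed")

# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {
    "10.113.0.203.dul.example.invalid": "127.0.0.2",  # 203.0.113.10 "is dynamic"
}

def fake_resolver(name):
    return FAKE_ZONE.get(name)

if __name__ == "__main__":
    for client in ("203.0.113.10", "198.51.100.7", "192.168.1.5"):
        print(client, classify_client(client, resolve=fake_resolver))
    print(classify_client("203.0.113.10", allowlist=["203.0.113.0/28"],
                          resolve=fake_resolver))
```

Two design points matter in production: a reject decision is only taken on an answer inside 127.0.0.0/8, because a list whose domain lapses and is wildcarded would otherwise bounce every client, and the allowlist is checked before any lookup so that a known-good business address never depends on how accurately a third party maintains its dynamic ranges.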

    1. Re:easy way to stop this: don't accept port 25 DUL by Anonymous Coward · · Score: 0

      Except for the incorrect lists that don't take into account that Business and home user IPs are pulled from the same IP pool. Some of the lists misidentify my Business account IP as part of the DSL account list and bounce the server's messages.
      On top of the annoyance is that this actually breaks Internet functionality just to take an easy route to dodging spam. I agree that spam needs to be addressed, but this is a baby and bathwater solution that will only get worse as DSL is adopted by more businesses.

    2. Re:easy way to stop this: don't accept port 25 DUL by Anonymous Coward · · Score: 0

      That would also stop all of my outgoing legitimate email.

      Most ISPs cannot keep an smtp server up well enough for users to depend on it.

      Due to the nature of the internet, plans to fix problem X and Y by only having a collection of special authorities do something don't work. All this would do is cause more people to join the class of "designated SMTP relays". I, for example, would upgrade to business class, and probably offset part of the cost by hosting some small websites for a few of the small businesses I contract for.

      Think about what would happen if you made a list of all smtp servers that were elite enough for you and shut off everyone else's port 25 gateway across the whole internet. Would this solve the problem ? No, because just as I use a perl script to get yahoo mail automatically into my spool file, we would rebuild the same chaotic mail system but with a bunch of hand offs and relay on different ports. Even if you made everyone in the world use web mail, nothing would change.

    3. Re:easy way to stop this: don't accept port 25 DUL by Scott+Hale · · Score: 1
      I keep saying the one way to stop this is to have all the major ISPs filter port 25 traffic from any of their dial-up or broadband (non-business) customers to any IP other than their designated SMTP relays. If they do this, not only will they stop the spread of these worms, but they'll also stop about 99% of all the spam.

      ...and put us one step closer to the corporate controlled, content-provider Internet and take us one step away from the way things were actually designed to work.

    4. Re:easy way to stop this: don't accept port 25 DUL by mabu · · Score: 1

      ...and put us one step closer to the corporate controlled, content-provider Internet and take us one step away from the way things were actually designed to work.

      Gotta love idealism. Cherish it while you can.

      We're already in a corporate-controlled world. Most of the major ISPs and corporations are rifling through peoples' mail. My ISP doesn't do any of that, which is why I am seeking a non-content-related solution: to protect peoples' privacy.

      I think it's better in the long run, and more in the spirit of the Internet, to regulate where mail is coming from, as opposed to what's in the message.

    5. Re:easy way to stop this: don't accept port 25 DUL by mabu · · Score: 1

      That would also stop all of my outgoing legitimate email.

      If you are running an SMTP relay from a recognized DUL IP block, you're already having thousands of systems block your mail. There are more than a dozen DUL RBLs out there that are compiling these IP blocks to restrict SMTP traffic.

  84. When? by geekoid · · Score: 1

    To paraphrase Blazing Saddles:

    Business community: "A company don't produce anything, and sues like that, is going to die."

    Linux community: "When?"

    The only company that has taken longer to die is Apple!

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:When? by Anonymous Coward · · Score: 0

      No. IBM is taking a lot longer!

  85. The only site up on Sept 11? by Anonymous Coward · · Score: 0

    We all know that /. is the first place to go for really relevant world news, right? That's why so many people were trying to access the site on 9/11!

    (Sheesh!)

    Get real!

    1. Re:The only site up on Sept 11? by Anonymous Coward · · Score: 0

      You weren't here on 9/11 then

      all the major news sites were down, msnbc, cnn, foxnews, bbc, and other UK news sites

      slashdot was the only site that worked, and they had a thread where people would post news real time.. it was way better than watching tv and wondering whats going on, you were able to talk to people in ny and all over.. check the hall of fame

      http://slashdot.org/hof.shtml

  86. What I think is hilarious by Azureflare · · Score: 1
    Is that the worm probably doesn't even target SCO at all! It just "seems" like it will.

    This stinks to high heaven of a certain company trying to make itself look better by engineering a virus that is purportedly made by its enemies.

    Is SCO REALLY that stupid?

    Well, I think that's kind of rhetorical, given their recent actions in court. I vote we impeach SCO.

    Oh wait, we can't do that...Damn. What can we do?

    1. Re:What I think is hilarious by Anonymous Coward · · Score: 0

      I vote we impeach SCO.
      Oh wait, we can't do that...Damn. What can we do?

      For some reason cheesegraters come to mind.

  87. take the high road by Anonymous Coward · · Score: 0

    "take the high road" != unsubstantiated accusations of "stock fraud"

    1. Re:take the high road by Bruce+Perens · · Score: 2, Funny

      What? You haven't been to groklaw to read the evidence? Perhaps you should do your homework.

    2. Re:take the high road by Anonymous Coward · · Score: 0

      Is groklaw an appointed judge? An appointed jury? Have the accused been given a chance to defend themselves? Hmmm? No? ... Then shut up eh?

      Face it Bruce, you're a hateful biased old geek who's full of shit. Stop trying to impose your ugly attitude on those of us who are here to live in peace.

    3. Re:take the high road by Anonymous Coward · · Score: 0

      I want to have your babies.

  88. Re:OT,but someone needs to make the [NO CARRIER] j by Anonymous Coward · · Score: 0

    Good thing then that I don't download my mail to my Windows machine, nor run KaZaA on it, and only run Internet Explorer to contact Windows Update.

    And it stays off the majority of the time. But then so do all my machines.

  89. Apology? by Rostin · · Score: 1, Insightful

    Give me a freaking break. I see politicians and the like smeared from here to the moon on a routine basis because of what amount to conspiracy theories, and then someone should apologize because they have the gall to suggest the possibility that disgruntled linux users may be responsible for a DOS attack on SCO? I mean, how could they? Everyone here on /. sure seems to love SCO. There's no motive at all.

    I want to preserve this one and bring it out the next time some moron starts carrying on about how the US is involved in Iraq because of some vague connection that the Bush administration has with oil companies.

    1. Re:Apology? by borgheron · · Score: 1

      Motive does not constitute proof.

      --
      Gregory Casamento
      ## Chief Maintainer for GNUstep
    2. Re:Apology? by Rostin · · Score: 1

      Obviously not. I don't think anyone is saying that it does.

  90. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  91. Re:Off Trek by NanoGator · · Score: 4, Funny

    "It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible..."

    I wouldn't rule out Romulan involvement.

    --
    "Derp de derp."
  92. Clueless Newscaster. by cant_get_a_good_nick · · Score: 2, Funny

    A couple of days ago, a local television station (Fox 32 Chicago) had a 20 second blurb on the worm. It said there was a new computer virus around. The picture? Apple iMac. At least it was the newer iMac; I'm surprised they didn't put an IIci on there.

    The blurb had no information on what to do. Didn't say it was an MS virus, didn't say to go to any website to see what you could do. Just announced "another virus". Waste of time.

    1. Re:Clueless Newscaster. by mabu · · Score: 2, Funny

      Wow, and you say this came from a FOX affiliate?

      Imagine that.

  93. but there's an open source version of the virus... by commodoresloat · · Score: 4, Funny
    Greetings. You have been infected with GNU/MyDoom, a destructive anti-SCO virus brought to you by members of the open source community. In order to get this virus to infect your system properly, you will need to use wget to download mydoom-config-2.4.6 from one of the usual mirrors. Be careful; this version of the virus is not compatible with versions of mydoom-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./configure; make; make install), you can configure the virus from any directory simply by typing sudo mydoom-config -ort [your login id] [your current IP address] [full path to your email client] [interval since last kernel rebuild in seconds]. This virus is licensed under the GPL. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/mydoom and all your config files are stored at ~/.mydoom.

    p.s. yes, it's an old joke, but still, you know you laughed....

  94. Is this unique to Mimail? by wsanders · · Score: 1

    I'm using this filter too, nuking about 10000 per day. I just wonder if I'm nuking any legitimate zip attachments.

    The actual Postfix recipe, in body_checks: /^UEsDBAo/ DROP "550 - Looks like Mimail"

    The bodies of the mime encoding are all slightly different:


    UEsDBAoAAAAAAA+CPDDKJx+eAFgAAABYAAAIAAAAdGV4dC5waWZNWpAAAwAAAAQAAAD//wAAuAAA,1
    UEsDBAoAAAAAAA+EPDDKJx+eAFgAAABYAAAHAAAAZG9jLnNjck1akAADAAAABAAAAP//AAC4AAAA,1
    UEsDBAoAAAAAAA+EPDDKJx+eAFgAAABYAAALAAAAbWVzc2FnZS5jbWRNWpAAAwAAAAQAAAD//wAA,1
    UEsDBAoAAAAAAA+FPDDKJx+eAFgAAABYAABSAAAAYm9keS5kb2MgICAgICAgICAgICAgICAgICAg,1


    I'm no MIME encoding expert; would the MIME encoding get re-munged slightly each time the attachment gets relayed by an infected host? (The MTA would not change it.) Or does the virus itself generate the MIME-encoded text?

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    1. Re:Is this unique to Mimail? by wsanders · · Score: 1

      Clarification - those are the first lines of 4 different infected emails' mime-encoded payloads.

      --
      Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
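      The recipe above keys on the literal prefix "UEsDBAo", which is the base64 encoding of the ZIP local-file-header signature "PK\x03\x04" plus version byte 0x0A. As an added example (not the poster's Postfix rule), the following decodes the four quoted prefixes, reads the header fields and rejects attachments whose inner file is an executable or carries a space-padded name; the samples are the four lines from the post with whitespace and the trailing ",1" markers removed, and the extension list is an assumption of this example.

```python
import base64
import re
import struct

# ZIP local file header (PKWARE APPNOTE, little-endian): signature, version
# needed, flags, compression method, mod time, mod date, CRC-32, compressed
# size, uncompressed size, filename length, extra-field length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_SIGNATURE = b"PK\x03\x04"

# Extensions Windows runs on double-click (assumption of this example);
# .pif, .scr and .cmd are the ones that appear in the quoted prefixes.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")

# The four first lines quoted in the post (inserted spaces and the trailing
# ",1" markers removed). Each is 76 base64 characters, i.e. 57 bytes.
SAMPLE_PREFIXES = [
    "UEsDBAoAAAAAAA+CPDDKJx+eAFgAAABYAAAIAAAAdGV4dC5waWZNWpAAAwAAAAQAAAD//wAAuAAA",
    "UEsDBAoAAAAAAA+EPDDKJx+eAFgAAABYAAAHAAAAZG9jLnNjck1akAADAAAABAAAAP//AAC4AAAA",
    "UEsDBAoAAAAAAA+EPDDKJx+eAFgAAABYAAALAAAAbWVzc2FnZS5jbWRNWpAAAwAAAAQAAAD//wAA",
    "UEsDBAoAAAAAAA+FPDDKJx+eAFgAAABYAABSAAAAYm9keS5kb2MgICAgICAgICAgICAgICAgICAg",
]


def decode_base64_prefix(text):
    """Decode a possibly partial base64 fragment, ignoring whitespace and a
    dangling incomplete 4-character group at the end."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    cleaned = cleaned[: len(cleaned) - len(cleaned) % 4]
    return base64.b64decode(cleaned)


def inspect_zip_attachment(b64_prefix):
    """Parse the first ZIP local file header in a base64 attachment body.

    Returns None when the data is not a ZIP archive; otherwise a dict with the
    inner filename, header fields and a list of reasons the entry looks hostile.
    """
    raw = decode_base64_prefix(b64_prefix)
    if len(raw) < LOCAL_HEADER.size or raw[:4] != ZIP_SIGNATURE:
        return None
    (_sig, _ver, _flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HEADER.unpack_from(raw)
    name_start = LOCAL_HEADER.size
    name_bytes = raw[name_start:name_start + name_len]
    name = name_bytes.decode("latin-1")
    # First two bytes of the member data; "MZ" is the DOS/PE executable stub.
    data_start = name_start + name_len + extra_len
    data_magic = raw[data_start:data_start + 2]

    stripped = name.rstrip()
    reasons = []
    if stripped.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
    if len(name) - len(stripped) >= 8:
        # "body.doc<many spaces>..." style name: the real extension is pushed
        # out of view in a file-chooser column.
        reasons.append("padded filename")
    if method == 0 and data_magic == b"MZ":
        reasons.append("stored MZ executable")
    return {
        "name": name,
        "truncated": len(name_bytes) < name_len,
        "method": method,
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "suspicious": reasons,
    }


def should_reject(b64_prefix):
    """Filter decision for one attachment body: True means drop the message."""
    info = inspect_zip_attachment(b64_prefix)
    return bool(info and info["suspicious"])


if __name__ == "__main__":
    for prefix in SAMPLE_PREFIXES:
        info = inspect_zip_attachment(prefix)
        verdict = "reject" if should_reject(prefix) else "pass"
        print(repr(info["name"]), info["suspicious"], verdict)
```

      Base64 of a given byte sequence is fixed, so a relaying MTA does not alter it; the differences between the four lines sit in the filename, timestamp and CRC fields of each archive.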
  95. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0
    It's bleedin obvious where all the problems come from, it's time for something to happen.

    Yeah, they come from Europe. Had your fill of genocide yet this decade?

  96. False facts by Anonymous Coward · · Score: 0

    Again with the bias.
    "A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."
    1) It is entirely possible that a russian plays american stock markets, and could benefit from a hit on SCO.
    2) It is entirely possible that a gpl fanatic lives in Russia.
    Your article is full of shit and should be modd'd to -5.

  97. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  98. McBride is cunning by Anonymous Coward · · Score: 4, Funny
    Oh and I just realized. The reason why SCO could seem to be so stupid:

    Disgruntled SCO Employee: This company is going down the tubes. If I stay here much longer I'll never find work again! I quit! *slam*

    Darl McBride: Damn! We just lost our last programmer! What are we going to do now?

    Grand Vizier: *rubbing hands together* Well, now I suggest we go to the very salt of the earth...To the spammers!

    McBride: Wha? What the hell are you talking about?

    Mr. Burns: Obviously our only course of action is to utilize the dark side of the force. We must make those young linux whippersnappers look bad by making a virus that seems to target our own servers!

    McBride: Brilliant! We'll make it look like those linux communists are trying to destroy our legitimate business! Make it so!

    Mr. Burns: Eeeexcellent.....

    Thus goes the story I heard from a passing lunatic...

    1. Re:McBride is cunning by Douglas+Simmons · · Score: 1
      This company is going down the tubes.

      I'm not sure why everyone's under this impression. SCO's stock price is right in the middle of its three month high and low, which is roughly 1500% higher than its price a year ago.

      Not to mention its price to earnings ratio is an impressive 45, which will support a tech stock from "going down the tubes." All this Slashdot excitement has generated no apparent volume of SCO trading on Wall Street.

      I'm not a fan of the company, but let's avoid talking out of our asses about a company's financial situation.

    2. Re:McBride is cunning by unixformat · · Score: 0

      As I said yesterday, it could also have been a SCOX holder or someone who missed out on the big SCOX ride. Maybe someone made a loss on SCOX and wants to get back at the crappy company.

    3. Re:McBride is cunning by PetiePooo · · Score: 1

      Please, by all means, invest in them then.

      Stock Evaluation 101:
      Blindly evaluating a business's statistics won't give you a complete picture. If you look at SCO's current business, they have no viable product. Their earnings are based entirely off of their much ballyhooed "IP portfolio." Since that portfolio is on such shaky ground, if their allegations prove false or their IP is unenforceable, we have every reason to believe the "company is going down the tubes." This community has a particularly insightful view of the strengths of their claims (as opposed to Joe CEO, or Jim Finance). So, Mr. AC is likely not talking out of his ass; he's making an informed (although colorful) assessment of his belief of SCO's future earnings potential.

  99. Re:I wish all mail admins.. -bah! by Havokmon · · Score: 2, Interesting
    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

    A nice guy on the FreeBSD Mail-Toaster list put out a good script..

    I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file:

    123.123.17.50:allow,RBLSMTPD="-VIRUS SOURCE Please check your computer for infections"
    IP obfuscated to protect the guilty

    How about that? You only get your mail bounced, with a virus warning if your IP (sure dial-up _could_ be hit - but I'm a standalone email provider) sent a virus through my system in the last day.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  100. Why is this an issue? by KalvinB · · Score: 1

    I updated McAfee, which squishes the e-mails on sight at the mail server (Mercury Mail) level. I never get one of these virus-laden e-mails in my e-mail anymore.

    I also found a string of text unique to the virus e-mails and put in a rule to delete any e-mails that contained it. So if McAfee doesn't get it, basic Virus fighting techniques applied to the standard rule file will. Most likely the rule file will be killing off this new version before McAfee has an update itself. Unless the new version has the same string I block from the previous version in which case I'm covered.

    I got home yesterday and had a large quantity (dozens) of these virus e-mails and shortly after made it so I'd never get them again. A lot of mail servers bounce with the virus attachment. I don't receive those anymore either.

    Why is this so hard for other people to do that this virus is actually getting through to their clients?

    I killed it in 15 minutes yesterday. Why is it taking everyone else days?

    Just take a nice chunk of the 64-bit encoding of the virus to make sure it's unique and add it to a kill file rule. Done. Simple. When McAfee gets around to adding the signature then it can take over for the killfile rules.

    I think people are just thinking a little too hard about this problem.

    Ben

    1. Re:Why is this an issue? by mabu · · Score: 2, Interesting

      Why is this so hard for other people to do that this virus is actually getting through to their clients?


      1. Nowadays your average computer user is a moron.

      I'm sure you and everyone else knows some hopeless PC user who uses Outlook, can't help but click on some attachment, believes everything they read online, or does not patch their Windows on a regular basis. All it takes is a few of these n00bs to make life miserable for others in one form or another.

      2. Filtering on the client side doesn't really address the larger problem of these scripts consuming *tremendous* amounts of bandwidth, network and system resources.

      If you're an end-user, you can't appreciate how much fun it is to manage a server that is getting hammered with this crap. Even if you block it out, you still have to deal with reduced performance and limited bandwidth available to all your users because of yet another unpatched MS hole or irresponsible ISP.

      And of course, whenever there's another announcement of a "virus" every person with a PC who can't get it to work right is convinced that the "virus" is the culprit.

  101. Re:We've gotta do something about Russia by geekoid · · Score: 1

    somewhere in a dark and dingy Russian government office:

    Comrade 1) "Comrade, some guy on Slashdot says we should DO something about all the criminals."
    Comrade 2) "He's a GENIUS! We should have thought about that years ago!"

    1954:
    They are a godless, oppressive government with an aggressive military. It's bleedin obvious where all the problems come from, it's time for something to happen.

    2004:
    They write all of the major viruses, distribute drugs, and distribute weapons. It's bleedin obvious where all the problems come from, it's time for something to happen.

    --
    The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  102. Post is misleading by Anonymous Coward · · Score: 0

    The fact that the worm has more nefarious purposes does not change the fact that the initial target of the worm is SCO. Therefore, it is still likely that a linux user is the perpetrator.

  103. Don't hold your breath... by canfirman · · Score: 1
    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users.

    Don't hold your breath on this one. When has Darl or SCO even apologised for anything? Let's face it, accusations come quick - retractions are almost never.

    --
    It is not our abilities that show what we truly are... it is our choices.
  104. Social engineering for Sysadmins by ericspinder · · Score: 3, Insightful
    Throwing the authorities off-track might have been the idea, but I think that it JUST MIGHT have been an attempt at social engineering aimed at the sysAdmins and virus hunters.

    Just think, you are one of the first hunters to see the virus. You examine the code, and "Damn, they're going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sysadmin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...

    They say that it's one of the fastest spreading viruses to date; perhaps targeting SCO was the bump it needed.

    --
    The grass is only greener, if you don't take care of your own lawn.
    1. Re:Social engineering for Sysadmins by Anonymous Coward · · Score: 0

      lemme guess, you failed your social engineering exam?

  105. Ingenious my arse by Chuck+Chunder · · Score: 4, Insightful

    Didn't blaster target the wrong address for Windows Update?

    DDOS a website that probably gets about 10 interested visitors a day anyway?

    Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Ingenious my arse by ericspinder · · Score: 1

      I used that address all the time. Which would you rather type?
      http://windowsupdate.microsoft.com
      or
      http://windowsupdate.com

      --
      The grass is only greener, if you don't take care of your own lawn.
    2. Re:Ingenious my arse by Anonymous Coward · · Score: 0

      All the links in Windows point to the microsoft.com address, so MS just temporarily removed windowsupdate.com from DNS. Had they used the primary address, it would have been a real problem.

    3. Re:Ingenious my arse by zcat_NZ · · Score: 2, Insightful

      and then nukes the system it's living on..

      Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.

      Now imagine a worm that spreads fast (flood-scan the local /16 plus a few random IPs outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all the files it can access. Changes numbers in databases and spreadsheets, swaps words around in documents. By the time anyone starts to notice this thing has rendered all of the current data and at least a month of backups unusable.

      That's the worst virus I can think of.

      --
      455fe10422ca29c4933f95052b792ab2
    4. Re:Ingenious my arse by zoney_ie · · Score: 2, Funny

      Shhhhhh...

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    5. Re:Ingenious my arse by Krafty+Koder · · Score: 1

      "and then nukes the system it's living on, causing real widespread damage rather than minor annoyances." If you start nuking systems, you are looking at a) all of Corporate America being pissed off and telling the FBI to do something b) the FBI getting seriously cheesed off because of a) c) the Courts getting seriously cheesed off because of the FBI pressure to make you "go down"... you're looking at a minimum of 50 years behind bars because of a+b+c. Lesson : cause mayhem on the networks, but don't EVER touch the corporate data. If it's a "network problem" Mr. CEO isn't too concerned - he can use the phone. Now, wiping Mr. CEO's hard drive is a different thing altogether. If I were a virus writer, I wouldn't even venture into that deadly territory. Much easier (and more profitable) to set up a spam zombie network.

    6. Re:Ingenious my arse by drsmithy · · Score: 1
      It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.

      You're stuck in the old and busted virus writer thinking of causing damage once. The new hotness is armies of zombie machines for DDoSing annoying people on IRC. In that context, propagation and then destruction is pretty pointless. Far more useful to have a machine that can be used multiple times against arbitrary targets.

    7. Re:Ingenious my arse by Anonymous Coward · · Score: 0

      people smart enough to make virii that can do these things effectively and spread so rapidly usually don't want to cause widespread destruction... they're smarter than that =P. Maybe I'm wrong.

    8. Re:Ingenious my arse by vsprintf · · Score: 1

      Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.

      Well, I can imagine things that are worse, like malware that overwrites the CMOS and/or finds some EEPROM it can flash with trash or perhaps even more malware. Just a "restore" isn't going to do it. And I agree, your slow-acting virus is even more dangerous than that.

    9. Re:Ingenious my arse by zcat_NZ · · Score: 4, Informative

      I think they're _stupider_ than that..

      nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address from (iirc) 198.137.240.91 to 198.137.240.92, trivially avoiding the DDoS.

      sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certainly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.

      Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.

      --
      455fe10422ca29c4933f95052b792ab2
    10. Re:Ingenious my arse by unixformat · · Score: 0

      Yeah, that is true, and I think MyDoom is the start of something that could be very big; imagine a DDOS on all the antivirus companies at the same time with a large number of new and different-style viruses being released.

  106. This one? by ebbomega · · Score: 3, Funny

    To: Luser (whoever@blah.com)
    From: Hax0r (jeffk@somethingawful.com)
    Subject: *nix virus

    This is the only known Virus that works on all *nix systems. Please forward this to everybody on your list and delete all the files on your harddrive. Thank you.

    (Or something to that effect)

    --
    Karma: Non-Heinous
    1. Re:This one? by lordrich · · Score: 1

      I'm sure you could write something in perl. You'd just have to get people to run it, which judging by MyDoom, is quite easy.

    2. Re:This one? by shaitand · · Score: 1

      Except the people you con into running either have to be smart enough to call it as an argument of perl to do that or be smart enough to chmod it executable... because by default, it's just a text file on a *nix system buddy, even if it ends in .exe

    3. Re:This one? by Anonymous Coward · · Score: 0

      The first version of this worm had a small bug. It read: This is the only known Virus that works on all *nix systems. Please delete all the files on your harddrive and forward this to everybody on your list. Thank you. Infection rate was reported to be very low.

  107. My Exchange organization barely got touched by alen · · Score: 1

    One of our VPs opened it and got infected. Otherwise the exchange 2000 anti-virus software is set to update itself hourly and found all the infected emails. Most of the file types that it travels in are already blocked by us and we only had to add zips to the list. I did lose a few hours scouring smtp logs trying to figure out the source of the internal infection though.

    Anyone who runs servers that only support POP3 and IMAP is crazy since it's up to the users to update their AV software. You need a SMTP gateway in this case to scan all traffic for viruses.

    1. Re:My Exchange organization barely got touched by dougnaka · · Score: 1
      I agree completely. We don't allow port 25 except through our mail server, and it scans every piece of email, and updates its definitions hourly. It's qmail and uses the free clamav. It caught the SCO/MyDoom virus.

      For people scared of things like a virus protected, spam filtered, web based, high performance, free email server there's the easy route, and that's to use Matt Simmerson's Mail Toaster & FreeBSD. Here's a link

      --
      My Linux Command of the Day site : LCOD
  108. Re:We've gotta do something about Russia by Anonymous Coward · · Score: 0

    Idiot. The US government is already after them.

    As to weapons: ever heard of Carlyle? The US gov plays the same game, my friend, except that it's hidden and kept in silence and is done by a "company" instead of "criminals".

    As to drugs: though we're generalizing here (i didn't start, but i take it you're against alcohol), drugs are not necessarily bad. Stop being brainwashed by your government. It takes responsibility from the user. Who is the government to dictate a user can't handle it? Well? Those who can't stand the heat [..]

  109. Could SCO stop the worm? by JackZ · · Score: 1

    the only activity I can get it to perform related to www.sco.com is to resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these.

    Does anyone know what very unhappy means in this context?
    Does it stop spreading?

    Jack

  110. What Microsoft and SCO have in common by Angry+Prick · · Score: 1

    SCO keeps promnising to sue Linux uesers but never does. Microsfot keeps promising to improve security of its products, but never does.

    1. Re:What Microsoft and SCO have in common by Anonymous Coward · · Score: 0

      God DAMMIT. I knew I should have invested more heavily back in the tinfoil-hat market back in '02.

      I would rule you all.

  111. Re:I wish all mail admins.. -bah! by Anonymous Coward · · Score: 0
    I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file: 123.123.17.50:allow,RBLSMTPD="-VIRUS SOURCE...

    This might be useful if the virus respected SMTP and generated a message on the user's machine. But it doesn't. In fact some analyses I've seen state that the virus retries if it can't deliver, so the above tcpserver trick does nothing but take extra bandwidth. What's your point?

  112. SCO bluffing again by Fig1a · · Score: 1

    >some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all!

    So when on Feb 2nd, SCO complains their sites are down again with a severe DDOS attack, we'll *know* they're bluffing this time.

    So -- did SCO actually write this worm?

  113. Mod this up!!! by Anonymous Coward · · Score: 0

    Mod this up!! +1 Insightful!!

  114. Stawin-A Trojan by sharp-bang · · Score: 5, Informative

    Sophos has intercepted a new trojan called Troj/Stawin-A that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.

    --
    #!
    1. Re:Stawin-A Trojan by johnmc · · Score: 5, Informative

      Make that Troj/Stawin-A..
      There was a typo in the URL

      --
      -- johnmc.
    2. Re:Stawin-A Trojan by sharp-bang · · Score: 1

      McAfee has a writeup, too. Sorry about the Sophos typo.

      --
      #!
    3. Re:Stawin-A Trojan by Dwedit · · Score: 2, Funny

      Wow, typoing URLs on informative posts, then replying with the correction is an excellent way to effortlessly build your karma score. I've got to try that sometime.

    4. Re:Stawin-A Trojan by YomikoReadman · · Score: 1

      If you had enough brains to check the user that posted those, it was done by two different people you twit.

      --
      I have no regrets, this is the only path.
      My whole life has been "UNLIMITED BLADE WORKS"
  115. A million zombied machines for anyones use by codepunk · · Score: 4, Informative

    Read the following....extremely scary....

    Listens on port 3127; accepts a maximum of 3 connections
    at a time. If the first byte of the received data is
    0x85, the DLL skips the next byte, then compares the next
    dword read to 133C9EA2h; if this is true, it accepts
    the executable from the sender, downloads it to a temp
    file/directory and runs it.

    --
    Got Code?
    1. Re:A million zombied machines for anyones use by mabu · · Score: 3, Insightful

      As soon as this information was known, the FBI should send agents to Worldcom, Sprint and all the other backbone providers with instructions to log all port 3127 traffic immediately.

      Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.

    2. Re:A million zombied machines for anyones use by SysKoll · · Score: 1
      Now, this offers a nice way to actually do something. An ISP could try to systematically launch a probe on port 3127 for all its subscribers. If the probe succeeds, just download an exec that displays a modal (always on top) dialog box warning the user his machine is contaminated and urging him to go to a certain web page to remove the worm.

      I shudder at the thought of other spammers/bandits using that download feature to plant their own code in MyDoom-contaminated machines.

      --
      Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

    3. Re:A million zombied machines for anyones use by Anonymous Coward · · Score: 0

      Thanks! Now we're all off to DL BackOrifice.

  116. Well, of course. Who saw this coming? by Saeed+al-Sahaf · · Score: 1

    The whole SCO angle has been used and abused by both sides. Most script kiddies and run-of-the-mill virus writers have no interest in ideology, and this itself was a big clue. Virus writers that work for Spammers will often try to obfuscate the true purpose of the virus. What amazes me is that with any run-of-the-mill internet conx, anyone can set up a mail server and serve up a few million spams before anyone gets a clue, so I'm not sure why Spammers really need open relays and fake email addys. Hell, a pocket full of free AOL discs, and the world is yours.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  117. Stopping MyDoom by thrillbert · · Score: 1

    thanks to the clamav folks, and thanks to open source

    I'm glad to hear that. Personally, I use MyMail wrapper with SpamAssassin.. but funny enough, I've yet to receive even a single email with the virus.. could be related to my friend filter, which unfortunately, I cannot share the source code to that.. ;)

    ---
    You have the capacity to learn from mistakes. You'll learn a lot today.

  118. Screw it, let the virus run wild by nurb432 · · Score: 1

    Yes, I realize what I'm saying, and what damage to bandwidth, etc. that would cause.

    But perhaps, just perhaps if 80% of the computers on the face of the planet freak out and go up in smoke due to a virus, something might actually be done about it...

    Something other than line the pockets of anti-virus makers like it does now....

    --
    ---- Booth was a patriot ----
  119. I'm tired of this... by verbatim · · Score: 3, Insightful

    I'm getting hundreds of these cute "you've got a virus" warnings from mail servers around the world. They're all the same - We've found an infection in an email from you... except when you look at the headers of the original e-mail, it is plain as day that the e-mail never went through my mail server and just forged the e-mail address.

    A header from the most recent example:

    Received: from [200.223.39.59] (helo=writeopen.com)
    by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
    id 1AlqLU-0007Hx-48
    for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500


    RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).

    I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
    1. Re:I'm tired of this... by Anonymous Coward · · Score: 0

      Thankfully, POPfile has caught all of these and my inbox has been spared of this garbage.

      If more people ran POPfile, these kinds of outbreaks wouldn't happen.

      Do yourself a favor and install the octopus
      http://popfile.sourceforge.net/

    2. Re:I'm tired of this... by Indy1 · · Score: 1

      I had the same problem back in August '03 when the worm of the month was running loose. My solution: a harsh and heavy-handed firewalling of any dumbass mail server that sent me "gee we're stupid fucks" type messages. Strangely, 90% of my "gee we're stupid fucks" bounces were coming from Norway, so for about 2 weeks I denied all traffic from there.

      In this day and age, it's fucking pointless to do virus-based auto larts. It just wastes bandwidth and pisses off proper bastards like myself who have an up-to-date AV on their mail server (thanks cron!) and block almost all attachments in any case.

      --
      Lawyers, MBA's, RIAA? A jedi fears not these things!
    3. Re:I'm tired of this... by generationxyu · · Score: 1

      I especially like getting emails telling me I'm infected with a Win32 worm when I'm running BSD on PowerPC hardware... they're just for shits and giggles then.

      --
      I mod down pyramid schemes in sigs.
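    The Received header quoted in the post above already shows why these notices are misdirected: the connecting host [200.223.39.59] is not the address the poster gives for writeopen.com, so the sender address was forged. As an added example (not the poster's filter), this parses that Exim-style Received line and only allows a virus notice when the first hop verifiably belongs to the claimed host; the address table is a constructed stand-in for a DNS lookup.

```python
import re
from datetime import datetime

# The Received header quoted in the post, unfolded onto one line as an MTA
# would before parsing it.
RECEIVED_HEADER = (
    "Received: from [200.223.39.59] (helo=writeopen.com) "
    "by mailforward.freeparking.co.uk with esmtp (Exim 4.24) "
    "id 1AlqLU-0007Hx-48 "
    "for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500"
)

# Constructed stand-in for DNS: the address the post says writeopen.com
# really lives at. A production filter would resolve the name instead.
KNOWN_HOST_ADDRESSES = {"writeopen.com": {"69.0.209.130"}}

# Exim's Received: layout as it appears in the quoted header:
# "from [ip] (helo=name) by host with proto (MTA) id queue-id for rcpt; date".
EXIM_RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+\[(?P<ip>[0-9.]+)\]\s*\(helo=(?P<helo>[^)\s]+)\)\s*"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)\s+\((?P<mta>[^)]*)\)\s*"
    r"id\s+(?P<id>\S+)\s+for\s+(?P<rcpt>\S+);\s*(?P<date>.+)$"
)


def parse_exim_received(header):
    """Split one Exim-style Received header into its fields.

    Returns None when the line does not follow that layout.
    """
    m = EXIM_RECEIVED_RE.match(" ".join(header.split()))
    if not m:
        return None
    fields = m.groupdict()
    fields["date"] = datetime.strptime(fields["date"], "%a, %d %b %Y %H:%M:%S %z")
    return fields


def helo_mismatch(fields, table=KNOWN_HOST_ADDRESSES):
    """True if the connecting IP is not an address known for the HELO name,
    False if it is, None when the name is not in the table at all."""
    known = table.get(fields["helo"].lower())
    if known is None:
        return None
    return fields["ip"] not in known


def should_notify_sender(header, table=KNOWN_HOST_ADDRESSES):
    """Send a 'your mail had a virus' notice only when the injecting host is
    verifiably the one the message claims to come from; unknown means no."""
    fields = parse_exim_received(header)
    if fields is None:
        return False
    return helo_mismatch(fields, table) is False


if __name__ == "__main__":
    parsed = parse_exim_received(RECEIVED_HEADER)
    print(parsed["ip"], parsed["helo"], helo_mismatch(parsed))
    print("notify sender:", should_notify_sender(RECEIVED_HEADER))
```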
  120. now targeting MS? by theCat · · Score: 1
    That was predictable

    I hope we've not been giving the enemy any ideas.

    --
    =^..^= all your rodent are belong to us
  121. Standalone DisInfector!!!! by prandal · · Score: 1

    I know, but ClamAV got it anyhow - impressive!

    Stinger 1.9.9, McAfee's standalone disinfector for this and the other most common "out there" viruses is now out.

  122. I'm betting that Martians are behind this by Snork+Asaurus · · Score: 4, Funny
    Earth has really been pissing Mars off lately:

    1) Earth landed a multi-ship advance scouting party on Mars this month

    2) An earth leader with a track record for aggression speculated in a speech about the resources that might be plundered from Mars

    3) Earth announced that it was preparing a full scale manned invasion of Mars by 2050

    4) SCO sent a letter demanding payment to Martian citizen Marvin, just in case he uses Linux in his Space Modulator

    --
    Sigs are bad for your health.
  123. Re:but there's an open source version of the virus by rjelks · · Score: 1

    mod the parent up, a virus with dependency hell, that's great.

    -

  124. Criminal Profit? by npistentis · · Score: 1

    How exactly... did they buy large quantities of SCO stock short or something? Are they a UNIX competitor?

    --
    Gentlemen, you can't fight in here! This is the War Room!
  125. Re: your sig is apropos by pyros · · Score: 1

    If Darl is Ed and Tux is the teacher.

  126. Where Nobody Gives A: (+1, Patriotic) by Anonymous Coward · · Score: 0


    "Russia. A place where nobody gives a wet slap about a court case in the U.S."

    BFD: I live in the United States of Fascism and I don't give a wet slap about a court case, too.

    Put that in your bong and get arrested.

    Thanks in advance,
    Kilgore Trout

    1. Re:Where Nobody Gives A: (+1, Patriotic) by cscx · · Score: 1

      I didn't know Kurt Vonnegut read Slashdot.

  127. 8am ET Monday morning is pretty early... by caferace · · Score: 1

    ...I started getting them Monday at ~2pm PST, and I thought I was l337.

  128. Who Said It'll Attack SCO? & A FUDworm? by DynaSoar · · Score: 3, Insightful

    Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

    If it turns out that the DDOS payload is inert:

    Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)

    If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
    1. Re:Who Said It'll Attack SCO? & A FUDworm? by interiot · · Score: 2, Informative
      Okay, let's go over some of the facts:
      • The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.

      • Norton Antivirus believes the payload to be an active DDOS against www.sco.com. So does F-Secure. So does McAfee.

      • You can look at the worm yourself and verify that it contains references to www.sco.com. Combine this with the fact that the worm is fairly small and is UPX compressed, you can conclude that the worm author took up space with the reference for a reason, either to create conspiracy theories (which would be unprecedented for a worm/virus I believe) or it's actually to DDOS a website (happens all the time with worms/viruses).

      • The partial disassembly that people have posted so far indicates that the worm does use the www.sco.com address while creating a thread, opening a socket, and sending some data.
      So please, Please, PLEASE, would slashdot posters and moderators stop with the conspiracy theory stuff until someone posts a full disassembly on the internet, and lots of people verify that the analysis is correct. Until then, trying to come up with flamboyant conspiracy theories isn't going to do anything.
    2. Re:Who Said It'll Attack SCO? & A FUDworm? by DynaSoar · · Score: 1

      interiot (50685) sez: "Okay, let's go over some of the facts:"

      Yes, let's.

      "The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying."

      It's the sole instance apparent here of someone actually testing it. It's a case study with hard data which can be verified.

      "Norton Antivirus believes ... So does F-Secure. So does McAfee."

      Believes. That hardly indicates results of empirical investigation. Did they test it? Is there anything they've done that can be verified? If not, I'll take "just one guy's" statements rather than that of companies who make money from these things.

      "You can look at the worm yourself..." and "The partial disassembly that people have posted so far indicates"

      Yes, I've looked at it. I can see what it appears it's supposed to do. What I cannot see is evidence it's actually going to do it. I've seen one statement that it doesn't, and several that make claims without specifying whether they tested it.

      Worse yet, I've seen The Register claim in headlines the B variant "Attacks Microsoft.com" as though it were doing it already, and in the body of the story claim it's going to without saying anyone's tested it.

      --
      "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  129. This is the fault of UNIX servers, not windows by Anonymous Coward · · Score: 0

    A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor.


    Apparently in their zeal to deflect criticism, they are ignoring, or don't read /. where a more plausible explanation as to the origin of the virus has been posted, and as to the motives behind it.

    Too bad (for the site) their own readers don't fall for it.
  130. Double-standard check please by Anonymous Coward · · Score: 0

    So you are against blaming the victim. So I'm sure you'll agree that Windows users that don't patch their systems and MS are not to blame for viruses - just the virus writers are?

    1. Re:Double-standard check please by Cipster · · Score: 1

      Entirely different situations. If you run an insecure OS you should patch your system, run a firewall and an anti-virus, and not fucking click on an .exe attachment.

      Clueless users do make the internet a shitty place.

    2. Re:Double-standard check please by Cat_Byte · · Score: 1
      Why do people on here think that is the only way for a virus to spread? The vulnerabilities I've patched on Linux had nothing to do with email. Most of the time it was an exploit run from the remote end to gain access to the system.

      If you run an insecure OS you should patch your system


      There is no such thing as a secure system. If you can get into it, so can someone else.

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  131. Mydoom generates it's own recipients by Net_Wakker · · Score: 3, Interesting

    Email for my domain is wildcarded, so it really doesn't matter that much what's in front of the @ and I'll get it.
    The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
    I've also noticed that some of the "senders" are constructed the same way.

    1. Re:Mydoom generates it's own recipients by emptybody · · Score: 1

      I am tracking and sorting the hosts and addresses used. When I received one message directed to a completely different address I searched my mail files for references to the offending relay server.

      I found the culprit, sent him a separate email from my swamped email address.

      He cleaned his system, removed the virus, and so far I have not seen any more going to that address.

      I am expecting to see some come in but have not yet.

      my conclusion - some names are generated, others are pre-determined.

      --
      comment directly in my journal
    2. Re:Mydoom generates it's own recipients by tgrigsby · · Score: 1

      I too have a vanity domain, one in which email going to any name @ my domain comes to me, and I've also seen various names in front of the domain. I have a theory about this: I would imagine that the virus not only scans your address book, it scans your folders for old mail. And if you're like me, you've had spammers send messages with emails with spoofed headers using your domain and various user names. In that case, there are thousands/millions of people around the world with messages in their Trash folders from spammers which contain your domain name.

      Just a thought.

      --
      *** *** You're just jealous 'cause the voices talk to me... ***
  132. Possible test version hitting me. Anybody else? by John+Walker · · Score: 5, Interesting
    In the discussion cited in the main article, the observation is made from disassembly of the payload:

    Nicolas Brulez:
    -----
    from my quick and dirty analysis, its a thread that does the DDOS.
    It has below normal priority, and it just does a GET.

    GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"

    This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)

    I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.

    I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control port, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).

    Has anybody else seen this kind of traffic hitting their sites?
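The traffic pattern described in this post (many hosts, each requesting only "/" at roughly four-minute intervals) can be picked out of an ordinary web server log. The following is an added example, not code from the post or from the fourmilab incident report; it assumes Apache common log format, uses constructed log lines, and the 240-second period and tolerance are the only thresholds it relies on.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access-log lines (Apache common log format); not real traffic.
# 10.0.0.5 and 10.0.0.9 beacon "GET /" about every four minutes; 192.0.2.7 is a
# normal visitor that follows the frameset up with requests for the content frames.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2004:20:00:03 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.5 - - [28/Jan/2004:20:04:01 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.5 - - [28/Jan/2004:20:08:05 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.5 - - [28/Jan/2004:20:12:02 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.9 - - [28/Jan/2004:20:01:10 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.9 - - [28/Jan/2004:20:05:12 +0000] "GET / HTTP/1.1" 200 1460
10.0.0.9 - - [28/Jan/2004:20:09:09 +0000] "GET / HTTP/1.1" 200 1460
192.0.2.7 - - [28/Jan/2004:20:02:00 +0000] "GET / HTTP/1.1" 200 1460
192.0.2.7 - - [28/Jan/2004:20:02:01 +0000] "GET /nav.html HTTP/1.1" 200 812
192.0.2.7 - - [28/Jan/2004:20:02:01 +0000] "GET /body.html HTTP/1.1" 200 9021
192.0.2.7 - - [28/Jan/2004:20:31:40 +0000] "GET /documents/index.html HTTP/1.1" 200 4400
"""

# Common log format: client ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_beacon_hosts(log_text, period=240, tolerance=30, min_hits=3):
    """Return {ip: median_gap_seconds} for hosts whose requests are *only* 'GET /'
    and whose inter-arrival times cluster around `period` seconds.

    A host that also fetches anything else (frames, images, other pages) is a
    browser, not a beacon, and is excluded even if it hit "/" on a schedule.
    """
    root_hits = defaultdict(list)
    fetched_other = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "GET" and path == "/":
            root_hits[ip].append(ts)
        else:
            fetched_other.add(ip)

    suspects = {}
    for ip, times in root_hits.items():
        if ip in fetched_other or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance:
            suspects[ip] = med
    return suspects


if __name__ == "__main__":
    for ip, gap in sorted(find_beacon_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: median interval {gap:.0f}s between home-page requests")
```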
  133. Re:but there's an open source version of the virus by IdleTime · · Score: 2, Funny

    You must be using one of those old and technologically outdated Linux distros as RedHat, SuSE or Debian.
    All I do is emerge sync && emerge mydoom and I'm good to go. Ebuild is currently in Portage, just sync your systems :) Oh yeah, forgot to mention, Gentoo baby. LOL

    --
    If you mod me down, I *will* introduce you to my sister!
  134. needs re-thinking by aca · · Score: 5, Interesting

    In my opinion, I don't think it was a Linux fan that caused it.

    Firstly, the attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.

    The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.

    Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.

    Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.

    Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.

    I think the REAL reason for this worm, was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targeting Microsoft. I still think the original motive remains the same.

    Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.

    People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurrence of this worm. Industrial espionage has been around for a long time, and we know that it happens. What's to prevent worms or viruses being used in industrial espionage? Especially when the internet is a lot more relevant to businesses today.

    1. Re:needs re-thinking by Anonymous Coward · · Score: 0

      Inconceivable! Never mess with a Sicilian when Linux is on the line! ah-hahahahahhahaha.

  135. Re:whoever made it by ColMustard · · Score: 1

    (I have never seen the worm, thanks to spamassassin)

    I agree, spam assassin is loved by all.

    --
    Moof.
  136. Cisco has your answer by Sycraft-fu · · Score: 1

    The Cisco Security Agent. Awesome software that really, honestly can preempt these things. It doesn't need a signature update or anything; it tracks down worms by what they do, and caught this one as soon as it came out. It really is cool, and we are looking at getting it for campus to plunk on every computer we can. It's not cheap, but it's feasible for an organization as large as yours sounds. Might want to check it out.

    http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

    Not saying I agree with the original poster or anything, just giving you a solution that could actually help you stop people from opening shiny things. Oh, and it sends you a log of who does so you CAN go hit them with a stick :)

  137. Version 2 commentary by WebGangsta · · Score: 5, Interesting
    By now you probably have heard that there's a new version (MyDoom.B) that is also making its way across the Internet, this time supposedly targeting Microsoft.

    According to Symantec, this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.

    Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
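A HOSTS file that has been edited the way this post describes is easy to audit: any hostname other than the local ones that resolves to a sinkhole address is suspect, and the antivirus and advertising domains named in this thread can be tagged as such. The following is an added example, not from the post or from the Symantec/Sophos alerts; the sample HOSTS content is constructed and the watchlist is only the vendors mentioned on this page.

```python
# Constructed example of a tampered Windows HOSTS file; NOT the real MyDoom.B list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0         securityresponse.symantec.com
0.0.0.0         www.mcafee.com  # trailing comment should be ignored
0.0.0.0         www.sophos.com
0.0.0.0         ad.doubleclick.net
0.0.0.0         www.fastclick.com
192.168.1.20    intranet.example.invalid
"""

# Addresses that make a name unreachable when placed in HOSTS.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Domains mentioned in this thread, grouped by why a worm would want them blocked.
WATCHLIST = {
    "symantec.com": "antivirus", "mcafee.com": "antivirus",
    "sophos.com": "antivirus", "f-secure.com": "antivirus",
    "doubleclick.net": "advertising", "fastclick.com": "advertising",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.
    One HOSTS line may list several names after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def category_for(name):
    """Map a hostname to a watchlist category, matching the domain and its subdomains."""
    for domain, cat in WATCHLIST.items():
        if name == domain or name.endswith("." + domain):
            return cat
    return "other"


def find_sinkholed(text):
    """Return [(hostname, category)] for every non-local name pointed at a sinkhole."""
    return [(name, category_for(name))
            for ip, name in parse_hosts(text)
            if ip in SINKHOLE_IPS and name not in LOCAL_NAMES]


if __name__ == "__main__":
    for name, cat in find_sinkholed(SAMPLE_HOSTS):
        print(f"{cat:11s} {name}")
```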

    1. Re:Version 2 commentary by Chatmag · · Score: 1

      I had submitted that piece of information at about 3pm EST, and see it was not included in the original story. Sophos has an alert, including all of the sites mentioned.

      Doubleclick is a public company, and I would imagine that the FTC is going to be getting involved in tracking down the person responsible for MyDoom B. Anything that interferes with a public company gets more attention than an attack against a small privately held company.

      I can understand the rationale for blocking the antivirus sites, but still have not quite figured out what a person would gain by blocking Doubleclick.

      --
      Pete Carr Owner Chatmag.com
  138. Watch MyDoom in Action! by pfifltrigg · · Score: 2, Informative

    If you would like to watch MyDoom's effect on www.sco.com as we near February 1, have a look at a little tool I cooked up.

  139. linux, windows, i don't care by manon · · Score: 1

    I don't care whether it was Linux users or Windows users hacking together this virus. I use Linux and so far I haven't had a Linux virus infection. This doesn't mean that I hate it when a (Windows) virus strikes. My mail got flooded with 100+ mails with the virus as attachment. I got to the point of seeing those spreads as spam. If there is anything I hate, it's spam in my mailbox.

    --
    42 + 1 = 42
  140. Damn by ClosedSource · · Score: 1

    Those "it's" should have been "its"!

  141. Most resource-efficient way to deal with this by mabu · · Score: 2, Insightful

    I recommend that other ISPs do what we're doing to deal with this. The problem with using content-based filtering is that it constantly needs updating and still costs you bandwidth and system resources.

    The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.

    My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.

    For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:

    Le Groupe Videotron Ltee VL-2BL
    24.200.0.0 - 24.203.255.255

    The easy thing to do is put 4 lines in my /etc/mail/access file to block those 4 class Bs, and bingo... I've shut out more than 250,000 IPs from sending me spam or worms. I modify the error message to redirect inquiries to a web page with a form that legitimate users can use to whitelist their IP/relay.

    Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.

    Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.

    Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.

    Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.

    If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.

    The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most heinous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
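The four class B entries this post describes fall out of a small routine that splits a WHOIS range into the octet-aligned prefixes the classic sendmail access map accepts, and it generalizes to ranges that do not start or end on a class boundary. This is an added example, not the poster's own configuration; it assumes the usual `prefix<TAB>ERROR:"550 text"` access-map syntax, and the whitelist-request URL in the message is a placeholder.

```python
import ipaddress


def range_to_octet_prefixes(first, last):
    """Split the inclusive range [first, last] into the fewest blocks aligned on
    octet boundaries (/8, /16, /24, /32), the only prefix granularity the classic
    sendmail access map understands (e.g. "24.200" covers 24.200.0.0/16)."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    prefixes = []
    while cur <= end:
        # Largest aligned block that starts at `cur` and does not overshoot `end`.
        for bits in (8, 16, 24, 32):
            size = 1 << (32 - bits)
            if cur % size == 0 and cur + size - 1 <= end:
                break
        octets = str(ipaddress.IPv4Address(cur)).split(".")
        prefixes.append(".".join(octets[: bits // 8]))
        cur += size
    return prefixes


def access_entries(first, last, message):
    """Render /etc/mail/access lines rejecting the range with a custom 550 message."""
    return [f'{p}\tERROR:"550 {message}"' for p in range_to_octet_prefixes(first, last)]


# The Videotron block quoted in the post; the URL is a placeholder, not a real form.
VIDEOTRON_FIRST, VIDEOTRON_LAST = "24.200.0.0", "24.203.255.255"
REJECT_MESSAGE = "Mail from this address space is not accepted; request whitelisting at https://example.invalid/whitelist"

if __name__ == "__main__":
    for line in access_entries(VIDEOTRON_FIRST, VIDEOTRON_LAST, REJECT_MESSAGE):
        print(line)
```

After editing the access file, `makemap hash /etc/mail/access < /etc/mail/access` rebuilds the database sendmail actually consults.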

  142. Re:but there's an open source version of the virus by jrockway · · Score: 1

    You must be using one of those old and technologically outdated Linux distros like RedHat, SuSE, or Gentoo.

    All I do is apt-get update && apt-get install mydoom and I'm good to go. All the dependencies are retrieved for me, and I don't even have to wait 36 hours for them to compile! Oh yeah, forgot to mention, Debian baby. LOL

    Heh, the parent probably uses vi, too. *sigh*

    --
    My other car is first.
  143. Re:but there's an open source version of the virus by walt-sjc · · Score: 1

    Yeah, you're right, troll. So much easier than apt-get install mydoom or the same with up2date... I'll be running while you are compiling for the next 3 days...

  144. The Spammer Theory by dahamsta · · Score: 1

    This whole theory that the media are propagating about worms being released by spammers to create a network of zombies they can use for spamming strikes me as illogical. I mean, if you were a spammer, would you announce the zombies to the world with a DDoS attack?

    adam

  145. Optus is not an ISP by Chexsum · · Score: 1

    Optus is an Internet Content Provider no matter what they say. Optus implement port blocking, port throttling and transparent proxying which affects your Internet connectivity.

    Optus provide a very fast service but it's a pain to use and I prefer dialup now because it's real connectivity [I can connect to anything and host a service even if it's at 5Kb/s].

    I will always make sure port blocking/throttling/caching is avoided by any ISPs I sign up with in future - that's all 'content control'.

    --
    Pixels keep you awake!
  146. the reason is kindof obvious by laugau · · Score: 1

    Many virii and spam mails rely on GUI mail clients like Outlook. Get people against Linux and you force some people onto these platforms which are easily infected.

    1) Get people to use crappy, easily exploitable mail program
    2) ???
    3) Profit

  147. Procmail recipe with antivirus signatures by Anonymous Coward · · Score: 1, Informative

    Here's a really cool procmail recipe I came across today which includes virus signatures for email-borne payloads...

    http://freshmeat.net/projects/yavr

    Works like a charm

  148. "High Road" my ass by Anonymous Coward · · Score: 0

    "Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame."

    If this is what you call the high road, you must live in a region quite a long way below sea-level. The "high road" means do the right thing without being unfair to ANYONE. Using insinuating phrases like "they'll know who to blame" and war-like phrases like "We will defeat SCO" is not taking the high road.

    Speak for yourself Bruce! My goal in the community is to produce good software and improve the software industry, NOT to get into a childish war of words with some moronic company. High road indeed... try "total hypocrisy!"

  149. Different code might have helped. by qortra · · Score: 1

    I'm really not sure if "better" code is what is needed here (because I think the existing code is technically correct), but people are generally considering this a hole; apparently, the executable is able to display a deceptive icon in order to fool the user into opening it. Anyway, I think it will be patched, so it goes without saying if they had written the code differently (the way they'll write it for the patch), then the trojan wouldn't have been so effective (and fewer trojans is always better, right?).

    There is no doubt that in this case and most other cases, diversification would have helped; my contention is only that when the world does become diversified, diversity will probably not help as much as people think (cross-platform viri, etc).

  150. Hey hey? by Anonymous Coward · · Score: 0
    Since when did stock price mean the company was doing well? NOW who's talking out of their ass? Come on man, we all know this is a huge pump-and-dump deal.

    SCO has no viability, and they know it. They're sunk as a company, unless they succeed in their business model of "Litigate, litigate, litigate!"

    1. Re:Hey hey? by Anonymous Coward · · Score: 0

      Not to mention its price to earnings ratio is an impressive 45, which will support a tech stock from "going down the tubes."

      If you're going to disagree with a post, don't selectively ignore parts of it please.

  151. MX records by Anonymous Coward · · Score: 0
    Quote:

    Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these. In fact, right now it's trying to resolve 'mx.makewin.rsp'. 'Makewin.rsp' is a file referenced in the help files of my DigitalMars C++ compiler on a test machine, so it's not a very smart worm.

    How interesting. Earlier this month I was updating my DNS server and removed a few extraneous MX records. Currently there are just A records pointing to my main server, since that is the only machine running SMTP anyway.

    The odd thing is that in the last two weeks I haven't gotten a single open-relay probe! I thought that was pretty strange, since I used to get them all the time. Maybe the probes were all coming from worms looking up mx.(anydomain).com?

    Pretty strange how many spammers I avoided just by changing my DNS a little.

  152. Totally OT by back_pages · · Score: 3, Funny
    when I was an undergrad, a fun way for my friends and myself to amuse ourselves was to get really drunk (this makes it more amusing) and then cruise the school's intranet for dopes who had shared their entire hard drives on the network. We would do all sorts of bad things, but the best was defacing a person's Internet Explorer wallpaper.

    In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.) We would grab that file and take a peek. If they had an image suitable to be defaced, we would draw mustaches on everyone and draw little cartoon balloons saying stuff like, "UR COMPUTAR HAS EBOLA!!11" and then overwrite their copy of the file. If they had a stupid background, we'd find something funny to give them.

    Between the sorely juvenile humor and the liquor, it was completely hilarious to us at the time. I was even called by the school's Computer Support Desk at one time to see if I knew anything about the rare computer virus the student computers had. And before anybody points out how childish and potentially criminal this was, let me say that it was childish and potentially criminal. We just screwed with people's wallpapers but we could have remotely deleted their entire hard drives. Educating the masses about computer security is a difficult task, but goddamn if drawing mustaches on people isn't funny.

    1. Re:Totally OT by sharkey · · Score: 1
      In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.)

      It's in the registry:

      HKCU\Control Panel\Desktop\Wallpaper
      HKCU\Control Panel\Desktop\TileWallpaper
      HKCU\Control Panel\Desktop\WallpaperStyle

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  153. Re:Am I the only one? [OT] by sparkz · · Score: 1

    http://www.urbandictionary.com/define.php?term=teabagging Not very work-safe.

    --
    Author, Shell Scripting : Expert Re
  154. SCO connection is a red herring by budgenator · · Score: 4, Informative

    The linked mailing list at Math.org reports the preliminary disassembly shows that the worm only resolves the name SCO.com, and is unhappy if the name doesn't resolve. My guess is that having the name resolve shows the worm that an active internet connection exists, without tipping its hand too badly. In test environments the worm didn't attack SCO.com no matter what the computer's date was set to.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
    1. Re:SCO connection is a red herring by jamesh · · Score: 5, Funny

      The obvious solution then is to demand that sco remove the sco.com domain. It's the only decent thing to do.

  155. MyDoom & Message Labs. by fragzilla · · Score: 0

    The really cool part of this is that message labs uses ".asp" pages so I can't scroll down the main message using Firebird. Gotta use M$ Aiee! if I want to see the entire page. LOL.

  156. Let me guess.... by Kjella · · Score: 2, Informative

    "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    ...you were going for +1, Funny? I mean this is SCO, the company that never ever makes unfounded allegations, assumes there is evidence of a crime where there isn't, denies the facts when they go against their claims or otherwise does anything shady. Of course they'll apologize.

    That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  157. You're Telling Me by waldoj · · Score: 1

    Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain.

    It's not so apparent: On Tuesday, between 5:43pm and 9:40pm, I got sent it 10 times by flashmail@vt.edu over the FINAID-INFO listserv. You'd think that they'd have a web-based verification system to authorize all messages being sent out to major mailing lists. This is common sense these days.

    The bastards won't give me a penny of financial aid, but they will give me a freaking virus. It's like asking somebody for a warm bowl of soup and, instead, they piss in your face.

    -Waldo Jaquith

  158. Re:We've gotta do something about US by Anonymous Coward · · Score: 0

    I do not have anything against Americans, I is one. However the American Gov needs to wake up and do something about all the criminals it harbors. They patent all the major code then sue, they distributed drugs for guns ( remember Ollie ? ) they are a major consumer of drugs . It's bleedin obvious where all the problems come from, it's time for something to happen.

  159. Wouldn't it be ironic... by Ingenium13 · · Score: 2, Interesting

    You know, with all the stunts SCO has pulled lately, wouldn't it be ironic if they created this worm themselves or were somehow responsible? According to the article it doesn't DDoS SCO, but even if it did, isn't this in a way what they want? They can now point the finger at the Open Source Movement. They can draw negative media attention toward Linux which may, in their minds, help their court case. If people become under the impression that Linux and Linux users are "bad" then they will be more likely to sympathize with SCO.

    This is of course an unlikely situation since if it was discovered SCO was behind the worm then it would all be over for the company. However, it is an interesting thought...

  160. +1 for gentoo by commodoresloat · · Score: 1

    yeah but since it's a virus, that means he'll have three more days of uninfected uptime!

  161. Way OT by zelphior · · Score: 1

    Why is the plural of virus viruses? One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii? Virii seems to have caught on with many people, and fits the ending that we use for most words ending in -us in the singular case.

    --
    If you can read this then I forgot to check "Post Anonymously"
    1. Re:Way OT by Anonymous Coward · · Score: 0

      Then it should be viri not virii. I didn't spend 3 years in high school Latin and 1 year in college Latin to watch you people fuck this stuff up in some lame attempt to sound smart. I think people who say virii, boxen, its-cracker-not-hacker, and AOLuser are just as bad as the 1337-speakers and the 12 year-olds neophytes with their "a/s/l? r u up 4 sum cyber?" type stuff.

      Anyway, why is the plural of goose geese, but the plural of moose moose? Why is the plural of mouse mice but the plural of house houses? Their viruses. Get over it.

    2. Re:Way OT by Anonymous Coward · · Score: 0

      (hanging head in shame) I mean "They're viruses". I never had this problem before Slashdot. I think it's proof that bad spelling is contagious.

    3. Re:Way OT by AJWM · · Score: 4, Informative

      Why is the plural of virus viruses? One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii?

      Then why spell it with two 'i's? "Viri" would be correct by your example.

      However, in the original latin, "virus" is a collective rather than singular noun (eg "snow" vs "snowflake", although the original meaning is more like "slime".) Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium") in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.

      Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".

      --
      -- Alastair
    4. Re:Way OT by cubic6 · · Score: 1

      There've been lots of slashdot posts debating this, and I think it has something to do with the Latin roots for virus vs. other languages. Either way, English is pretty fucked up.

      --
      Karma: Contrapositive
    5. Re:Way OT by Anonymous Coward · · Score: 0

      There is no us->i rule. Don't believe me? Check out the plurals for status, hiatus, genus, corpus, mandamus, and rebus.

      Plus, if the us-i rule did apply here, we would have viri instead of virii. However, viri already exists as the plural of 'man'. Virii would be the plural of virius, and since that word doesn't exist, I suggest you avoid using it so you don't look retarded.

      If you are going to just start adding i's to the end of the word, why stop at 2? Why not viriii?

    6. Re:Way OT by Anonymous Coward · · Score: 0

      One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii?

      Methinks you didn't do very well on the SAT in the section to find patterns. (hint: according to your rules, it should be viri. Why the extra i?)

    7. Re:Way OT by SlightOverdose · · Score: 2, Insightful

      /me double checks what language he speaks

      "English"

      oh. Wow. English != Latin.

      Just because a word is wrong in Latin doesn't make it wrong in English. New words are made up every day and accepted into normal speech. Most of these words don't have Latin roots.

      More specifically, a word is only a phonetic way of transferring information. If a significant number of people use a word and know what it means, that word has correctly transferred this information, and therefore is correct regardless of whether some anal language nazi thinks so.

      I always have and always will say Virii. Most people I know say Virii. Therefore, Virii IS a valid word, even if it is only slang, like Boxen or scr1pt k1dd33.

      Thank you and goodnight.

    8. Re:Way OT by Hellsbells · · Score: 1

      One octopus and many octopi.

      The plural of octopus is octopuses.
      It is derived from a greek word, not latin.

    9. Re:Way OT by Zixia · · Score: 1

      However, in the original latin, "virus" [...]

      Personally I think it should be "viruses".


      You, sir, clearly know no Latin. With reference to this jargon file entry for 'ascii' it should be clear that the plural of 'virus' is, indeed, 'virii'.

      You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".

      Of course I wouldn't say that. Even I know that it is 'one doofus, many doofes'.

    10. Re:Way OT by Jarlsberg · · Score: 1

      No, just because you or your friends use it doesn't mean it's correct. You are free to use the word virii as often and as much as you like, but viruses is and will always be the plural form of virus.

    11. Re:Way OT by Anonymous Coward · · Score: 0

      Actual Latin AC here. Fine. You speak English. So why don't you speak fucking English? In English "viruses" is correct. Make up words and that automatically means the rest of us have to take you seriously? I don't think so. If you want to try to sound smart by using words that sound like Latin instead of using the accepted English versions, be my guest. But when you can't even do the pluralization correctly I'm going to continue to insist that you sound like a moron. Even the octopus example contradicts the use of "virii" in favor of "viri". Here is a plural I just made up: shitheez (plural, shitheads). As in "you people who use the word 'virii' are shitheez". See how stupid I sound? Thank you and good morning.

    12. Re:Way OT by Anonymous Coward · · Score: 0

      If all you know about Latin comes from a Jargon file entry then you are the one who should rightly proclaim to "know no Latin". Usually when a word ends in -us in its singular nominative form the plural nominative ends in -i (example: "amicus" -> "amici", friend). There are cases where third declension nouns may end in -us, but they are not pluralized by adding -ii to the stem (example: "opus" -> "opera", work). To achieve a word like "virii" the singular would have to be "virius".

    13. Re:Way OT by Anonymous Coward · · Score: 0

      Make up words and that automatically means the rest of us have to take you seriously? I don't think so.

      Made up words are perfectly acceptable in the modern American educational system. The important thing is whether or not the student is effectively communicating and to correct the student to force the use of 'proper' English would potentially cause irreparable damage to his/her self esteem. Given this modern educational philosophy, why are we surprised to see it becoming common in everyday use?

    14. Re:Way OT by Anonymous Coward · · Score: 0

      We also would have accepted octopodes.

    15. Re:Way OT by HiThere · · Score: 1

      This was common "humorous" usage 30 years ago. If not longer.

      That it was seen as "sophomoric" even then didn't keep people from doing it, whether freshmen or seniors. I didn't run into many people outside of high school using the terms, but nobody ever thought (well, mentioned) that they were improper for informal use.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    16. Re:Way OT by dheltzel · · Score: 1
      You wouldn't say "many doofii", would you?

      I dunno, doofii sounds kind of right.
      I think this could be a great great name for a fraternity, Doofii Doofii Pi.
      Or maybe the name of a band, "The Orange Doofii".

    17. Re:Way OT by Anonymous Coward · · Score: 0

      I always have and always will say Virii. Most people I know say Virii. Therefore, Virii IS a valid word

      i toat alley agree as long as pee pole under stand u u r speeking good english!

    18. Re:Way OT by msi · · Score: 1

      Why do we talk about boxen and mices but when someone says Virii all the spelling nazis pounce?

    19. Re:Way OT by Anonymous Coward · · Score: 0

      Nope. Sorry. You are still wrong. The plural of ascus is asci.

      So why do we use the word 'ascii'? It's an acronym, dumass.

    20. Re:Way OT by Anonymous Coward · · Score: 0

      If you say those, you are retarded too.

    21. Re:Way OT by Anonymous Coward · · Score: 0

      I always have and always will say Virii

      You always have and always will be a retard.

      Most people I know say Virii.

      Most people you know are also sweaty and pear shaped.

      Therefore, Virii IS a valid word

      While you are looking up the plural of virus in a dictionary, try looking up 'non sequitur'.

    22. Re:Way OT by AJWM · · Score: 1

      I'm hoping that that was intended to be funny. I know British humour is dry, and I'm of British birth myself, so I'll take it that way.

      Just on the off chance that it wasn't, however:

      You, sir, clearly know no Latin.

      I took three years of it in high school. Admittedly, two of those were the same one twice. (sigh)

      With reference to this jargon file entry for 'ascii'

      You do know, of course, that that entry is a joke. That's not the real explanation for the name of the American Standard Code for Information Interchange, which adopted the name as an acronym for A Set of Characters for Exchanging Information, except that everyone kept trying to pronounce ASCEI with a soft 'C', and "assy" was deemed in poor taste.

      --
      -- Alastair
    23. Re:Way OT by Anonymous Coward · · Score: 0

      HA HA HA HA HA!

      First of all, the word 'ascus' has Greek etymology, not Latin. And it doesn't mean "character" either. And its plural is 'asci', not ascii. And the computer term ASCII is not a Greek or Latin word, it is an acronym for American Standard Code for Information Interchange. And the plural of 'virus' is indeed viruses.

      So basically, every single thing that you said was wrong, yet you accuse others of not "knowing" latin.

      HA HA HA HA!

    24. Re:Way OT by Zixia · · Score: 1
      I'm hoping that that was intended to be funny. I know British humour is dry, and I'm of British birth myself, so I'll take it that way.

      Hurrah!
      With reference to this jargon file entry for 'ascii'

      You do know, of course, that that entry is a joke.

      Yeah, I wrote it myself, for use in the great 'viruses/virii' debates like this one. Sorry.
  162. Re:I wish all mail admins.. -bah! by J053 · · Score: 1

    If the A/V software could be just a little smarter, or run the suspect Email through a header parser first, most of the problems would go away. The main problem occurs when the A/V software mindlessly bounces the message back to whoever is listed in the "From:" (or, possibly, "Reply-To:") header, rather than to the Postnmaster address of the last damned SMTP relay. Is it too much to ask to parse the Received: headers and find out where the mail really came from, rather than blindly replying to a possibly-forged address?
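
    The approach J053 describes, as an added example that is not code from the post: parse the Received: chain of a rejected message and address any notification to the postmaster of the relay that actually handed the mail to us, rather than to the forgeable From: header. The message, host names, addresses and queue ids below are constructed documentation values.

```python
import email
import re
from email.message import Message

# Constructed sample, not a real capture. The worm forged From:, but the
# topmost Received: line was written by our own MX when the relay
# mx.example.net connected to it; that hop is the only one we observed.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by mail.example.org (Postfix) with ESMTP id 4F2C1A0
        for <victim@example.org>; Wed, 28 Jan 2004 10:15:02 -0500
Received: from infected-pc (dialup-7.example.com [203.0.113.7])
        by mx.example.net (Postfix) with SMTP id 0B9D3E2;
        Wed, 28 Jan 2004 10:14:58 -0500
From: innocent.bystander@example.com
To: victim@example.org
Subject: hello

Mail transaction failed. Partial message is available.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as Postfix and sendmail write it.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\([^)]*\[([0-9A-Fa-f.:]+)\]\)")


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


def received_hops(msg: Message):
    """[(helo_name, ip), ...] from the topmost Received: header downward.
    Header folding is undone before matching. Only hops[0] was written by
    a server we run; everything below it could have been fabricated."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(value.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def naive_target(msg: Message):
    """What the bouncing A/V gateways in the thread do: trust From:."""
    return msg.get("From")


def notification_target(msg: Message):
    """postmaster@ of the relay that handed us the message, taken from the
    Received: line our own MX wrote. A real gateway would take the peer's
    address from the SMTP session itself rather than re-parse the header,
    and for a recognised worm it would simply drop the message, since a
    notification to a forged sender is just more junk mail."""
    hops = received_hops(msg)
    if not hops:
        return None
    helo_name, _ip = hops[0]
    return "postmaster@" + helo_name


def entry_point(msg: Message):
    """Lowest Received: hop: where the message first entered the mail
    system. Worth recording in an incident report, but only as
    trustworthy as the relays above it."""
    hops = received_hops(msg)
    return hops[-1] if hops else None


if __name__ == "__main__":
    m = parse(SAMPLE_MESSAGE)
    print("bounce would go to :", naive_target(m))
    print("notify instead     :", notification_target(m))
    print("entered the net at :", entry_point(m))
```

    On the sample the naive bounce would go to innocent.bystander@example.com, who never sent anything; the Received: chain instead points at mx.example.net as the relay to contact and at 203.0.113.7 as the dial-up host where the worm was running.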

  163. Re:but there's an open source version of the virus by shaitand · · Score: 1

    Now I'm all for apt-get (although I wouldn't waste my time with Debian's outdated packages which will be even more outdated by the time I finish going through the installer and configuring hardware). But this bashing vi nonsense must be put to an end.

    Ok you have need of an editor like say EMACS which you can use to mow the lawn, make breakfast, consume a few terabytes of drive space and several gig of ram, clone earthlings, teleport monkeys to mars and traverse the known universe. Well good for you.

    Personally I prefer to use a powerful text editor, like vi for instance.

  164. The above comment was slashdotted, so I posted a m by Anonymous Coward · · Score: 0

    Message to the Linux and Free Software Community Regarding the SCO Denial-of-Service Virus
    Bruce Perens (U.S.) 510-526-1165

    Version 3.14, January 27, 2004.

    The master version of this notice is at http://perens.com/Articles/SCO/DOS/
    Please check that location for a more recent version. You may re-publish this material. You may excerpt it, reformat it and translate it as necessary for your presentation. You may edit it to deliberately misrepresent my opinion.

    On January 26, 2004, a new virus became rampant. I have read reports that the virus payload has two purposes: to install a remote-execution back-end of a type commonly used by spammers to redistribute email, and to perform a denial-of-service attack on SCO's web site.

    Denial-of-service attacks via virus have been a common trick of email spammers. They were first used to take out some of the anti-spam blacklist sites. Several of those sites had their (non-spam-related) business so heavily disrupted that they closed the doors of their anti-spam projects rather than be attacked again.

    The Open Source developers are all spammers. We are the creators of most high-profile spam technology. For example, Spam1337 started out as, and remains today, an Open Source project. The predominant mail delivery programs of the Internet are Open Source projects such as Sendmail and Postfix, and thus most efforts to aid spam transmission in those programs are Open Source as well. This is important, because it gives spammers a reason to love us.

    However, SCO has a reason to defame us, as part of their stock-kiting scheme. We have assembled ample evidence that they have lied under oath in court. Such a company would not balk at attacking their own site in order to paint their opponents in a bad light. They are, in fact, virus writers.

    Thus, it is likely that this virus has been assembled for the purpose of defaming the Linux developers by SCO, or others. My behavior will influence you whether or not it succeeds in this mission.

    Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

    * Cheer on attacks on the SCO site. By doing so, you show the world what shits SCO are.
    * Continue to fight SCO, using all illegal means at your disposal. It shocks and saddens me that nobody has yet bombed the SCO headquarters. Why is this?
    * Continue the visible presence of Free Software as a force of copyright infringement and piracy in the world by producing excellent ripoffs of other software for everyone's free use. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as Kazaa and #warez on efnet. Warezwarezwarez.ru is an excellent example of how to carry this out.
    * Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

    Remember that your actions don't matter. You are not ambassadors of our community.

    Many Thanks

    Bruce Peerns

  165. my amazement is beyond comprehension by CAIMLAS · · Score: 4, Interesting

    I can't believe this worm has been remotely successful. It's hard to believe that so many people are so incredibly stupid.

    It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.

    This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    1. Re:my amazement is beyond comprehension by Grail · · Score: 1

      According to McAfee and F-Secure, the virus also copies itself to Kazaa shared file directories as things such as "winxp-rootkit". So the reason people are double-clicking the download is because they think it's something they really want!

      As if you needed *another* reason to avoid Kazaa!

  166. Strings Text by waldoj · · Score: 1

    I ran strings on the binary. I grepped everything that wasn't obviously garbage.

    -Waldo Jaquith

    .rsrc
    1.24
    (sync.c,v 0.1 2004
    : andy)
    notepad %s
    Message
    [afs
    W|.dll
    immyerr3
    Sack_i
    smith [C
    &joe?neo/
    gold-Pxc
    5vmb/xH*.*
    USERPROFI
    -T RG / UGGC/V
    ASCII
    m+Mmg?
    QUIT
    DATAEPCGo
    Mapp
    wEnv Qu
    W+owsD
    tory
    GSizeZClos
    Curr
    Libra
    pViewOf
    adeC
    isdigi
    upps
    spaKO
    U/BuffA
    Lowwv9r
    O.5 t+v
    #~'@
    KERNEL32.DLL
    ADVAPI32.dll
    MSVCRT.dll
    USER32.dll
    WS2_32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    memset
    wsprintfA

    I have to add this really long line to get past the Slashdot filter, since I have too few characters per line (8.6), so if I write a really long line then it will skew the average way up, which is why it probably shouldn't be based on the average (mean), but instead the mode (the most frequently-occurring length), thus avoiding the outliers workaround, like I'm using.

    1. Re:Strings Text by Anonymous Coward · · Score: 0

      You're not getting the full strings as the worm is compressed and decompresses itself at run-time. If you decompress it using UPX and run strings on it you'll get better strings. Some of the strings are ROT13'd, though.

      I didn't see the message to Andy in my list, but there are two versions of the worm out now and I only uncompressed and looked at one. Perhaps the message is in the second worm but not the first (or vice versa.)

      I tried cut-and-pasting my list of un-ROT13'd strings here, but the lameness filter won't let me do it as it complains about too few characters per line. Adding long padding lines at the end like you did didn't seem to work for me.

  167. BAD ADVICE! (mod parent down) by menscher · · Score: 1

    Yeah, I saw that hit the incidents list, and followed up immediately with the following (still waiting for moderator approval):

    On Wed, 28 Jan 2004, lsi wrote:

    > The following regular expressions trap this virus dead, no matter
    > what subject line, message body, or filename it uses:
    >
    > If expression body matches "UEsDBAoAAA*" Move [virus folder]
    >
    > If expression body matches "TVqQAAMAAA*" Move [virus folder]
    >
    > So to find it we merely filter on the MIME strings above, which are
    > the first 10 bytes of the MIME content section.

    And what makes you think those 10 bytes are sufficiently unique to avoid
    filtering a legitimate email? What if someone sends a legitimate .zip
    file? How do those begin, when MIME encoded? I'd be very cautious
    about only filtering on 10 bytes of base64 text, especially when
    considering that most filetypes begin with some "magic".

    Look what happens when I create a random zip file:

    menscher@lx2:~> echo blah > blah
    menscher@lx2:~> zip blah.zip blah
    updating: blah (stored 0%)
    menscher@lx2:~> uuencode -m blah.zip.uu 30037
    * 30037
    * (That two different sigs are required suggests there are two versions
    > of the virus in circulation.)

    No, the first gets the .scr/.pif version, and the second gets the .zip
    version. Not two viruses, just two forms of spreading.

    > No silver bullet for auto-notification messages, unfortunately :(

    Kill the admin of the machine that sent them. You may use silver or
    lead, as you deem economical.

    Damian Menscher
    --
    -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
    -=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-
    -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
    -=#| www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-

  168. Common sense lacking in virus writers? by hazzey · · Score: 2, Insightful

    I have thought this same thing about all of the DDoS viruses that have been around lately. Why is the date that the DDoS is supposed to start always a week+ after the news media proclaims it a "massive infection." It is almost like the writers just want publicity and not to actually do harm. It's not like I wish that they would get their acts together, but it just strikes me as odd.

  169. Re:BAD ADVICE! (mod parent down) by emptybody · · Score: 1
    I just searched through my archived email - 6 years of it - for these strings.

    I found this one "UEsDBAoAAA" in an email that I sent

    From miket@oscar Mon Feb 25 07:53:56 2002 -0500
    Subject: scituateharborcom.zip
    Date: Mon, 25 Feb 2002 07:53:56 -0500
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0005_01C1BDD1.93D35640"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4133.2400
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
    Status: RO
    X-Status:
    X-Keywords:
    X-UID: 349

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0005_01C1BDD1.93D35640
    Content-Type: application/x-zip-compressed;
    name="scituateharborcom.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="scituateharborcom.zip"

    UEsDBAoAAAAAAEG3WCwAAAAAAAAAAAAAAAASAAAAc2NpdHVhdGVoYXJib3Jjb20vUEsDBBQAAAAI
    AEq3WCyhCSy+RAUAAN8SAAAZAAAAc2NpdHVhdGVoYXJib3Jjb20vdG9wLnBocMVYbW/aSBD+TKX+



    That was the only example but it only takes one example to disprove.
    --
    comment directly in my journal
  170. I'm not stuck anywhere by Chuck+Chunder · · Score: 1

    You apparently are "stuck" in the idea that everyone is motivated by the same thing. Not every single anti-social arsehole is going to be.

    It only takes one mildly competent person to do it. Perhaps they hate the western world and would view it as striking against it. Perhaps they've been turned down for one too many jobs and flip out. Perhaps they are bored of worms that essentially do the same thing. Perhaps they simply don't give a fuck.

    The reason itself is somewhat irrelevant, but it only takes one person to have one.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  171. If it's stored +x in a tar file by Chuck+Chunder · · Score: 1

    then that's not much different to a zip file with an exe in it.

    Fortunately most *nix users aren't likely to fall for it, but if we had all the "stupid" users that Windows currently has then the situation could be very different.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:If it's stored +x in a tar file by shaitand · · Score: 1

      even that requires knowing how to run the command and untar the file.

    2. Re:If it's stored +x in a tar file by ebbomega · · Score: 1

      So what we're looking for is a tar file that is self-untarring, which gets us back to shell scripts, which gets us back to text files....

      Woo! The virus that gives a buffer overload to the person writing it!

      --
      Karma: Non-Heinous
    3. Re:If it's stored +x in a tar file by MighMoS · · Score: 1

      But you still have to add -p to preserve the permissions! I know of very few people who do this.

    4. Re:If it's stored +x in a tar file by walt-sjc · · Score: 1

      The difference is that MyDoom has an autoexecute portion to it. Certain versions of outlook will auto-unzip zip files for you (since MS knows what you want more than you do), and since the zip has an autoexecute file, it executes it for you too.

      What it comes down to is basic mindset. When MS designed outlook, security was not a factor at all. Features and perceived "user friendliness" won out over security at every design decision. In fact, MS still to this day refuses to alter these "features" to solve the biggest virus issues claiming that their users "demand" them. I'm sure that when studies are done, the feature questions Never balance with security as in "Would you like the ability to do blah even if it meant that this feature means that you could easily get a virus and destroy all the data on your computer?" This is what happens when Marketing has ultimate control over all design choices.

      NT based windows has a pretty decent kernel, but then you stick a NASTY
      marketing designed GUI on top which destroys the basic security model.

      In contrast, much unix based software (especially open source) is designed by programmers, not marketing folks. Programmers and sysadmin type people are MUCH MUCH more likely to be considering security while designing features which is why Unix, by nature, is more secure.

  172. Re:Why OT by http · · Score: 1

    because (i) if you take it as a latin word, it's a mass noun (akin to collective nouns in english) and is already plural for all intents and purposes. hint: what is the plural of "air" as in the stuff you breathe and not as in attitude? you have fifteen minutes to answer... and (ii) if you take it as an english word, the correct plural form of a word ending in "s" is normally the same word with an 'es' suffix. the end result is that saying "virii" makes you look like a wannabe pedant.
    a little learning is a dangerous thing
    drink deep, or taste not the pierian spring
    there shallow draughts intoxicate the brain
    and drinking largely sobers us again.
    (sorry, pope, if i got that wrong)

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  173. Stopping MyDoom -- NMCI Style by Anonymous Coward · · Score: 0

    NMCI decided the best way to prevent the virus was to delete all zip files in the user's inbox and block all zip attachments to and from external sites.

    Their solution if they deleted something important:
    Have the sender resend it!

  174. SCO apologiezes... by Badanov · · Score: 1

    When slashdot leftists apologizes, then I will believe SCO will apologize.

    --
    Dawn of the Dead
  175. Nevermind by KalvinB · · Score: 1

    The problem is that very few people (especially ISPs) run mail servers on Windows. McAfee isn't a Linux product. Neither is Norton so knocking out viruses server side is impossible for them. At least if they're too lazy to grab the virus signatures themselves (like I did) and use the mail server rule file.

    "Filtering on the client side doesn't really address the larger problem of these scripts consuming *tremendous* amounts of bandwidth, network and system resources."

    I'm not talking about filtering on the client side. READ the post you're responding to. I know it's nuts but Hotmail has the right idea. They also run McAfee on their systems. Hotmail users will never get this virus through their hotmail accounts as long as McAfee is up to date.

    Either server admins can stop falling down and playing whiney little victim and start running anti-virus software like sensible people or viruses like these can propagate.

    McAfee should release a version of their software for OpenSource platforms so that server admins can save themselves loads of bandwidth.

    The more server admins that pull their heads out of their butts the fewer clueless EUs there are going to be opening up the viruses and causing even more bandwidth to be eaten up.

    Let's see here, the virus laden e-mails are going to get to my server. I can either whine like a little girl and let them go through to the client or suck it up, run some anti-virus software, delete the virus infected e-mails like an intelligent admin and save myself at least 50% of my bandwidth that would have been used had I let the e-mail pass through my system to its destination.

    And since nobody who's using an IcarusIndie.com e-mail address is going to get a virus in that account if McAfee has anything to say about it, X users times Y addresses in their address book have no potential to get infected through those accounts to flood even more servers.

    It's really not that hard to make these e-mail viruses go away. They can't propagate if mail servers are killing them off before they get to their clients. Once again, this is only a problem because most server admins are lazy and/or apathetic.

    There's no excuse for virus infected e-mails to ever make it to the user from the server. There will always be viruses. Feel free to stop pretending this is an MS problem at any time.

    Ben

  176. The missing lines by menscher · · Score: 1

    *sigh* slashdot apparently can't handle a "<" in "plain text"... needs to be "code". Here's the example again from my email, and the other stuff that got dropped:

    menscher@lx2:~> echo blah > blah
    menscher@lx2:~> zip blah.zip blah
    updating: blah (stored 0%)
    menscher@lx2:~> uuencode -m blah.zip.uu < blah.zip
    begin-base64 644 blah.zip.uu
    UEsDBAoAAAAAAM2LPDAtMsRQBQAAAAUAAAAEABUAYmxhaFVUCQADEkYYQLJF
    GEBVeAQAMQy4C2JsYWgKUEsBAhcDCgAAAAAAzYs8MC0yxFAFAAAABQAAAAQA
    DQAAAAAAAQAAAKSBAAAAAGJsYWhVVAUAAxJGGEBVeAAAUEsFBgAAAAABAAEA
    PwAAADwAAAAAAA==
    ====

    Now notice the first few bytes: "UEsDBAoAAA".

    Congratulations! Your filter just stopped me from saying "blah" to my
    friends!

    That said, here's what I'm doing:

    # W32/Mydoom@MM
    :0 BD
    * > 30037
    * < 40000
    * and has been sent as a binary attachment\.$|^Mail transaction failed\. Partial message is available\.$
    /root/mydoom.string

    # W32/Mydoom@MM
    :0 BD
    * > 30037
    * < 40000
    * 3NreW2Fmc9UACmhsoy12gVd8LmRsbLPdUXUmbsnK9nlfQQtkGTB0TrDQatwCd28P8Oht5dYcztFr
    /root/mydoom

    The first is based on the text strings that are usually part of the
    virus. It catches many of them, but runs the slight risk of catching a
    legitimate email. I considered those chances to be sufficiently small.

    The second is because not all copies contain those text strings.
    Sometimes they contain no message text, or it's in some other language
    (big8 or something). So I filter on a line that matches the .scr/.pif
    version of the virus.

    My filter is only about 90% effective, since a .zip with no identifiable
    text can still get through. Unfortunately I don't see a way to improve
    on that, since the filenames in the zip are random, so the entire zip
    body gets randomized. If anyone has suggestions, I'd be interested to
    hear them.
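
    An added example, not code from this comment or from the quoted filter, that makes the point of comments 167, 169 and 176 concrete: the ten-character prefixes in the quoted rule are nothing more than the base64 encoding of the first bytes of every stored ZIP archive written by Info-ZIP (`PK\x03\x04`, version 1.0, flags 0) and of every Windows executable (the `MZ` DOS stub), so the rule fires on any such attachment. The samples below are constructed (the "blah" archive from the thread, a zip whose member is named like a screensaver, and a bare DOS stub header), and the second check decodes the attachment and inspects the archive's member names, which is the distinction the base64 text alone cannot give.

```python
import base64
import io
import zipfile

# The two prefixes from the filter rule quoted in comment 167.
NAIVE_SIGNATURES = ("UEsDBAoAAA", "TVqQAAMAAA")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def make_stored_zip(name: str, data: bytes) -> bytes:
    """One-member ZIP written the way Info-ZIP's `zip` writes a stored
    entry: 'version needed to extract' = 1.0. Python's zipfile defaults
    that field to 2.0, which would change the fifth byte and so the
    base64 prefix, hence the explicit override."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)           # date defaults to 1980-01-01
        info.compress_type = zipfile.ZIP_STORED
        info.extract_version = 10              # 1.0, as `zip` writes it
        zf.writestr(info, data)
    return buf.getvalue()


def mime_body(raw: bytes) -> str:
    """The attachment as it appears in the message: one base64 string."""
    return base64.b64encode(raw).decode("ascii")


def naive_hit(b64_body: str) -> bool:
    """The quoted rule: compare the first ten base64 characters. They
    encode only the first 7.5 bytes, i.e. 'PK\\x03\\x04' + version 1.0 +
    flags 0 for any stored zip, or the 'MZ' stub of any Windows
    executable, so the rule flags every such attachment, worm or not."""
    return b64_body.startswith(NAIVE_SIGNATURES)


def classify_attachment(b64_body: str) -> str:
    """Decode and look at the content instead of its encoding."""
    raw = base64.b64decode(b64_body)
    if raw[:2] == b"MZ":
        return "executable"
    if zipfile.is_zipfile(io.BytesIO(raw)):
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            names = zf.namelist()
        if any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names):
            return "zip-with-executable"
        return "zip"
    return "other"


# Constructed samples (not real attachments).
BENIGN_ZIP = mime_body(make_stored_zip("blah", b"blah\n"))
SUSPECT_ZIP = mime_body(make_stored_zip("document.scr", b"(not a real program)"))
# The standard 16-byte DOS stub header that begins every Windows PE file.
DOS_STUB = mime_body(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")

if __name__ == "__main__":
    for label, body in [("blah.zip", BENIGN_ZIP),
                        ("zip with .scr", SUSPECT_ZIP),
                        ("exe", DOS_STUB)]:
        print(f"{label:14} prefix={body[:10]} naive={naive_hit(body)} "
              f"content={classify_attachment(body)}")
```

    Run stand-alone it shows the same prefix, UEsDBAoAAA, on both the harmless "blah" archive and the zip carrying a .scr member, so the quoted rule cannot tell them apart, while decoding the archive and reading its directory can. That is also why the .zip form of the worm gets past the procmail recipes above: the only reliable information is inside the archive, not in the encoded text.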

  177. Quick Poll: by KalvinB · · Score: 4, Informative

    How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

    *raises hand*

    Oh yes, and Hotmail over there.

    These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.

    Ben

    1. Re:Quick Poll: by neil.orourke · · Score: 1

      You're all quick to blame email users; is there any data on how effective the Kazaa spreading is?

    2. Re:Quick Poll: by Anonymous Coward · · Score: 0

      How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

      I run up-to-date antivirus software from 2 different vendors, Norton and RAV. But Norton didn't have an update to detect mydoom until 19:00 EST or so. Neither did RAV.

      The first viruses arrived at my company at 14:45 EST. The email policy allows .zip files to go through (after scanning with 2 scanners). One idiot user ran the virus at 17:03, the email traffic was noticed 4 minutes later, and the offending system disconnected at the network switch. We started blocking .zip attachments until updates from our antivirus vendors were available.

      Although, ClamAV had updates long before Norton or RAV. What am I paying these jokers for?!?!?

  178. Re:Why OT by Anonymous Coward · · Score: 0

    hint: what is the plural of "air" as in the stuff you breathe and not as in attitude? you have fifteen minutes to answer

    airs

    thx 4 playing.

  179. Port 25 blocking by Awptimus+Prime · · Score: 3, Insightful

    decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

    That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.

    Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout were a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISP's SMTP server.

    I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.

    For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought they were some guru, but usually had no clue. My point, if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messed up copy of enduroo. ;-)

    Back to the topic at hand, there is no excuse for any ISP who houses an smtp server to allow its customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.

    I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.

    1. Re:Port 25 blocking by phillymjs · · Score: 4, Insightful

      Most of the spam I get these days comes from SMTP-trojaned Windows boxes sitting on consumer broadband networks.

      As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.

      Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accommodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy -- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.

      ~Philly

    2. Re:Port 25 blocking by kirkjobsluder · · Score: 2, Insightful

      And for those that need Sendmail/qmail/Postfix/whatever, how hard is it, really, to configure the MTA to send mail through the ISP server?

    3. Re:Port 25 blocking by Grail · · Score: 1

      By the time abuse@... is receiving complaints, the spammer has already moved on to the next prepaid-hours connection.

      What would be *really* nice is being able to ring up the telephone company and get them to disconnect the phone line the spammer uses.

    4. Re:Port 25 blocking by phillymjs · · Score: 1

      By the time abuse@... is receiving complaints, the spammer has already moved on to the next prepaid-hours connection.

      Huh? I report the spam to the broadband ISP who owns the IP block, not the originator. I assume since spamming is a violation of the ISP's ToS, they track down the oblivious idiot whose machine is relaying spam and tell them to clean up their machine or their service will be suspended/terminated.

      There are a lot of Windows-using idiots out there, so helping to take out one owned machine isn't doing much, when 10 more are probably taking its place in the time it takes me to write the e-mail to the abuse@, but I feel like I should do more than just blacklist everything.

      ~Philly

  180. I know who wrote the VIRUS!!! by freeze128 · · Score: 1

    It's Anonymous Coward!!! OK SCO, Where's my reward?

  181. Re:but there's an open source version of the virus by http · · Score: 1
    in what dream world do you live in that it's even in testing yet?
    those folk at debian don't move _THAT_ fast...you'll need to do
    # apt-get update
    # apt-get -t unstable mydoom
    stable won't be till november. *_~
    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  182. 5) Profit! by Mulletproof · · Score: 0

    Sorry, couldn't resist.

    --
    You need a FREE iPod Nano
  183. Re:Do they even know anything? by Anonymous Coward · · Score: 0

    I don't see how anybody feels having it created in Russia somehow vindicates OSS.

    Whether it was or wasn't, I don't see how it condemns OSS.

    Viruses, trojans, worms, etc, are all one huge OSS project.

    How, exactly?

  184. This whole thing is silly by James+Lewis · · Score: 1

    I don't understand what the big fuss is about. One person releases a virus that attacks SCO's website, and all the sudden the Linux community feels the need to defend itself from having "responsibility". Who was stupid enough to accuse the Linux community anyway? What is with all these silly conspiracy theories that it was done to "frame" the linux community? Who cares if the person who did it actually does claim to be part of the Linux community? With terrorism being in the news so much you would think the idea of it not being logical to blame an entire group for the actions of 1 or a few people would have been driven home by now. I don't think that this even warrants a reaction from the Linux community. If people haven't learned that simple rule by now, they aren't going to be convinced by you spouting it to them yet another time. Just ignore it, there's no need to do anything else.

  185. Or just the /. effect by krray · · Score: 1

    Here's my test page: SCO

    I tend to just hold the CMD key and see how long I see "Loading..." with a spinning circle. At the moment it is simply coming back as "Error". :)

  186. Why Linux Community? by citywalker · · Score: 1

    The worm runs only on Windows. I reasonably assume this is made by a Windows user(s) on Windows platform. What is the reason SCO asserts it was Linux community that made the virus? Is there any evidence in the worm that it was cross compiled on Linux?

  187. Re:I wish all mail admins.. -bah! by Havokmon · · Score: 1
    If the A/V software could be just a little smarter, or run the suspect Email through a header parser first, most of the problems would go away. The main problem occurs when the A/V software mindlessly bounces the message back to whoever is listed in the "From:" (or, possibly, "Reply-To:") header, rather than to the Postmaster address of the last damned SMTP relay. Is it too much to ask to parse the Received: headers and find out where the mail really came from, rather than blindly replying to a possibly-forged address?

    What is the postmaster of the last relay going to do? I'm sorry, but I'm going to send anything that says "A virus came from your relay with invalid headers" to /dev/null.

    I think the bounce back to the IP address is best, and blindly using the from or reply-to is fine, as long as the admin is removing that function for viruses that are known to spoof the From and reply-to's.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  188. *ahem* my first anonymous /. post =D by Anonymous Coward · · Score: 0

    I was wondering,
    that latest version updates itself by connecting to other infected computers, so it's a.. p2p worm?

    How devastating could a true, more active p2p virus be?
    HIV is lethal because the body can't adapt itself fast enough, the HIV virus mutates too fast...
    (yes I know HIV itself isn't lethal :p )

  189. Re:Version 3 suggestions by Anonymous Coward · · Score: 0

    MyDoom.C product suggestions.

    Also DDOS AV sites.
    Switch the HOSTS file to swap between competing products.
    Re-Assign windowsupdate to fbi.gov
    spam fbi emails
    Connect to irc servers and fake/serve itself.
    swamp commercial order sites with 100000000000 fake orders.
    modify tcp/ip stack library to ignore AV sites or go at 10bps.
    become a p2p relay.
    'windows uninstall security patches'
    swap/overload bank login scripts so they are so slow no one can do their banking.
    'forward legit mails' to anti spam emailer collectors so that legit email gets mapped as spam.
    hijack msn/aol/icq and send itself to all contacts.
    when not logged in, hijack the modem/phone line and start calling international/ddosing important #s

    This is just a prediction, not a 'specification proposal to management of MyDoom (CCCP)'.

  190. Click-N-Run? by core+plexus · · Score: 1
    I'll admit right off the bat that I am ignorant of click-n-run (Lindows), but surely it must run as Root? And if yes, then...?

    President Bush to Liberate Alaska

  191. Re:but there's an open source version of the virus by Anonymous Coward · · Score: 0

    So "old and technologically outdated" operating systems emerge all dependencies, the program, and compile it for you, whereas the "new and superior" emerge all dependencies and the program in binary form?

    Yes, makes perfect sense.

  192. what about mandrake by Anonymous Coward · · Score: 0

    urpmi mydoom

    see easy destruction with Mandrake.
    Oh yeah Mandrake baby!

  193. Re:but there's an open source version of the virus by Ironica · · Score: 1

    Ok you have need of an editor like say EMACS which you can use to mow the lawn, make breakfast, consume a few terabytes of drive space and several gig of ram, clone earthlings, teleport monkeys to Mars and traverse the known universe. Well good for you.

    Personally I prefer to use a powerful text editor, like vi for instance.


    Or, you can use ViM, and get a powerful text editor *and* breakfast with monkeys on Mars.

    --
    Don't you wish your girlfriend was a geek like me?
  194. That depends. by qortra · · Score: 1

    Under ideal conditions with well-written daemons, that is true. However, many daemons run as root (either due to badly designed distributions or foolish users).

    Also, by the time you have user-level access to a system, there are usually sneaky things you can do to screw up the system; including but not limited to exploiting kernel bugs in pre-2.4.24 kernels that give users root access...

    I love *nix. I hate Windows. But really, I don't have any delusions that my Debian box would be so much better off than Windows if it were actually being targeted by hackers.

    1. Re:That depends. by NixLuver · · Score: 1
      I love *nix. I hate Windows. But really, I don't have any delusions that my Debian box would be so much better off than Windows if it were actually being targeted by hackers.

      Have you ever logged into #linux on any IRC server? Within 15 seconds you'll see people running exploit attempts against your box. If you run up a default 'everything' install of, say, Red Hat 7.0, and throw it on a live internet IP, it will probably be compromised within a couple of days. It took exactly 24 hours for one I put up (on a static IP) to test this thesis.

      I think that the assertion that Windows machines are the target of so much intense hacker attention is FUD in many ways; virii, perhaps, but not hackers. I mean, if you are going to have an open relay, would you rather have a linux box, or a windows one - that may or may not even have the software necessary to *send* mail?

      I'll stand by my assertion that my linux boxen are categorically more secure than my windows boxen even with the same administrative philosophies accurately applied.

  195. MSNBC by Comen · · Score: 1

    Why is it that MSNBC has that the MyDoom Virus attacks Microsoft and not SCO?
    Is MSNBC (Microsoft) so used to viruses targeting them that they don't understand?

    http://www.msnbc.msn.com/Default.aspx?id=4080852&p1=0

    Part of that artical:
    "The government christened the new warning system by transmitting its first alert, about a newly discovered version of a fast-spreading virus known as "Mydoom" or "Novarg."

    The cleverly designed virus, spread by e-mail, poses as an authentic error message and entices users to click on it to infect their computers. Infected machines were programmed ultimately to launch an automated attack against Microsoft's Web site.
    "

    1. Re:MSNBC by Anonymous Coward · · Score: 0

      Excuse me sir, but might I ask you a small question? I see the word, "artical" in many Slashdot comments, including yours. I can not seem to find such a word in the dictionary. My question therefore, is, "What in the LIVING FUCK is an 'artical', you illiterate fuckwad!"

    2. Re:MSNBC by Anonymous Coward · · Score: 0

      What's a "fuckwad, " you illiterate retard? Also, learn how to properly use quotes. Punctuation goes inside the quotes, even at the end of a sentence.

      Right: There is no such word as "Fuckwad. "

      Wrong: There is no such word as "Fuckwad" .

    3. Re:MSNBC by Anonymous Coward · · Score: 0

      I disagree with that Rule. It makes no sense.

      And, No. I am not the "Parent-Posting Fuckwad".

    4. Re:MSNBC by Anonymous Coward · · Score: 0

      Actually, you're completely wrong. I suggest you take remedial English classes. Punctuation marks are by standard enclosed within quotation marks.

    5. Re:MSNBC by Anonymous Coward · · Score: 0

      Oh wait, I see that I just stated exactly what you did. But my flamebait post also used the correct grammatical usage. So, what in the ever-loving fuck is your problem?

  196. funny how by ShadowRage · · Score: 1

    since Microsoft is going to get DDoS'ed by this, all law enforcement and ISPs jump to their feet and go on a tangent.

    funny how if it attacked a non-Microsoft site, they would have been slower to react. isn't that kinda funny?

  197. Re:but there's an open source version of the virus by zcat_NZ · · Score: 1

    FreeBSD users need only cd /usr/ports/net/mydoom and type 'make install'

    --
    455fe10422ca29c4933f95052b792ab2
  198. BBC let SCO vent Linux FUD unchallenged by Anonymous+Bullard · · Score: 4, Interesting
    A while ago I was listening to the BBC World Service radio when they suddenly broadcast a story about the SCO virus attacks, with the "exciting" issue of newsworthiness apparently being their US$250,000 reward for the head(s) of the script kiddies involved. Knowing SCO I smelled a rat and sure enough, SCO's Sonntag was allowed to turn the radio interview into an extended rant against Linux and the whole open-source model while "reaffirming" their ownership of the platform!

    I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the groklaw.net website as well.

    I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.

    --

    Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

    1. Re:BBC let SCO vent Linux FUD unchallenged by Anonymous Coward · · Score: 0

      Please provide proper links so we can join your effort.

    2. Re:BBC let SCO vent Linux FUD unchallenged by Anonymous+Bullard · · Score: 1
      The SCO interview/rant never showed up on the BBC (Technology) website, which only had a reasonably factual story about mydoom (to the unusual extent of mentioning that the virus affected MS Windows only!), so I chose to go to their "Have your say" page and the feedback link at the bottom, selected "Complaint" in the web form and simply gave details of the radio broadcast and the illogical and one-sided nature of its contents. Some seven hours after submitting it I received a second notification that the complaint had been forwarded to the BBC World Service staff.

      BBC World Service offers a live feed in realaudio format and they generally rerun programming several times a day so people might still be able to catch that feature, unless this SCO interview piece has (hopefully) been scrapped already.

      --

      Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

    3. Re:BBC let SCO vent Linux FUD unchallenged by Anonymous+Bullard · · Score: 1

      An update if anyone's still interested: 24h after I first heard the BBC interview with SCO's Sonntag "regarding" the mydoom virus attack, the program segment was run again, but this time Sonntag's rant against Linux was significantly shorter and that was followed by an interview of at least equal length with an OSDL spokesperson. The BBC host specifically mentioned significant feedback from listeners as a reason for bringing up the views of the open source community in response to SCO's claims. Thanks to the BBC for their fair and positive reaction and to everyone who helped counter-balance the SCO FUD.

      --

      Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

  199. Re:We've gotta do something about Russia by jonadab · · Score: 1

    > but the line between organized crime and government power seems blurriest
    > in Russia at the moment.

    Um, the *really* corrupt governments are mostly in the third world. Nigeria,
    Colombia, and other small podunk bribe-oriented countries are in a league of
    their own, corruption-wise. Russia has nothing on them. (Yes, bribery is a
    problem in most countries, if not all. But it's a much BIGGER problem in the
    third world.)

    --
    Cut that out, or I will ship you to Norilsk in a box.
  200. Re:We've gotta do something about Russia by jonadab · · Score: 1

    > doesent east asia account for 99.985% of all viruses?

    Dunno, but they account for roughly that percentage of all the spam I get.
    Heck, a full third of the spam I get is in Asian character sets; then there's
    the spam that's UTF8 but uses ideographic characters. Then there's the
    English-language spam that comes from the same Asian mailservers...

    Most of the spam I get that's *not* from Asia is 419 stuff.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  201. That's fucked up. by AyeRoxor! · · Score: 1

    Russia [is] a place where nobody gives a wet slap about a court case in the U.S.

    How fucking ignorant can you get? Did nobody in the US care about Dmitry Sklyarov? Are you that closed-minded that you think America only exists in America? That there are no worldwide-politically-minded white or blackhats in Russia?

    I'm embarrassed for you.

    1. Re:That's fucked up. by Anonymous Coward · · Score: 0

      Let me just say, THANK YOU!!!

      I'm glad to see that someone--ANYONE--understands that America isn't the sole defender of Order in a World of Chaos and Lawlessness.

      Hell, the US and Russia even have extradition treaties. That might come into play on this.

  202. You are right by Chuck+Chunder · · Score: 1

    and my previous post is bollocks.
    Erk.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:You are right by Anonymous Coward · · Score: 0

      Yes, it was "Pure fuckwit".

  203. Re:Why OT by Daengbo · · Score: 2, Interesting

    The plural for air is "airs." Of course, you have to be referring to different kinds of airs, just like any collective noun, e.g. fishes.

  204. ... not as I do ... by Somegeek · · Score: 1

    "Do not cheer on attacks on the SCO site." .. "Our community believes in freedom of speech, not silencing our opponent's speech through net attacks."

    Evidently silencing 'our' community's speech is ok though?

    There has got to be a better argument for coercing people into silence than trumpeting freedom of speech.

    --
    And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
    1. Re:... not as I do ... by Bruce+Perens · · Score: 1

      If you read the words carefully, you'll see it's an appeal for you to act maturely. There are indeed some people who see an appeal for maturity as a brazen attempt to unfairly silence you. There are even a few people over 12 who see it that way.

  205. Regarding the DDoS'ing by dtfinch · · Score: 1

    From Symantec:

    "Due to the logic used to verify the date, the DoS only occurs 25% of the time."

  206. Well, if you go to ftp.sco.com by speedfreak_5 · · Score: 1

    It comes right up. Even though it's one ip over. Hmm...

    --
    Why yes I am paranoid! Thanks for asking!
  207. Re:but there's an open source version of the virus by Daengbo · · Score: 1

    Yeah, but Debian's version of MyDoom is 1.0.2, while Gentoo's is the current 2.4.6. Or do you want to apt-get 2.4.1 from testing?

  208. Re:Why OT by http · · Score: 1

    you are so right. i sit chastised, and edified.

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  209. Re:Possible test version hitting me. Anybody else? by zcat_NZ · · Score: 1

    Yes, for months. If you dig deeper I expect you'll find it's connecting and getting via the IP address rather than any specific hostname.

    It's just another worm. I can't recall which one and, quite frankly, I don't care any more. I set up a virtuser host for sites that are actually live. Anything that connects via IP address gets a minimal "there's no page here" reply which I don't even bother logging.

    Depressing, isn't it.

    --
    455fe10422ca29c4933f95052b792ab2
  210. Re:We've gotta do something about Russia by corbettw · · Score: 1

    True, I guess I was mentally comparing them to the rest of the G8.

    --
    God invented whiskey so the Irish would not rule the world.
  211. Anybody else notice by Overphiend · · Score: 2, Interesting

    SQL Slammer came out a day less than a year before this one.

  212. Kazaa is a disease by KalvinB · · Score: 1

    Most things on Kazaa are infected with something.

    One would think McAfee or Norton would take advantage of all this publicity to educate the mass market. Course then people would probably cry conspiracy.

    ----
    Split screen, one user screaming about viruses. "My DOOOM?!!" The other user happily clicking away. "Guess which one has the latest anti-virus protection?"

    McAfee Anti-Virus, available at local software retailers
    ----

    Ben

    1. Re:Kazaa is a disease by neil.orourke · · Score: 1

      That's the thing, isn't it?

      If your typical user has Norton's or McAfee's running (I'm a Norton Internet Security person myself), this problem would be stopped stone dead.

      However, as far as I can see the typical user with Kazaa running is not exactly interested in parting with cash for a program, no matter how useful it is. Hence, the problem we see today.

      This is only going to get worse. All these virii with different attack vectors; it's only a matter of time before we start seeing some *real* blended threats.

  213. Even more resource-efficient way to deal with this by Anonymous Coward · · Score: 0

    regarding the four class-B addresses: if you were truly spiffy, you'd just use one classless address. it's 24.200.0.0/14

  214. Symantec says worm attacks 25% of the time by pilkul · · Score: 1
    IMHO, this is an unfounded rumor; it _will_ attack sco.com. Check out this excerpt from Symantec's report (scroll down about 1/4, to the "notes" section):

    Due to the logic used to verify the date, the DoS only occurs 25% of the time.

    That would explain this guy's report.

    1. Re:Symantec says worm attacks 25% of the time by DynaSoar · · Score: 1

      pilkul (667659) sez: "IMHO, this is an unfounded rumor; it _will_ attack sco.com. Check out this excerpt from Symantec's report (scroll down about 1/4, to the "notes" section): Due to the logic used to verify the date, the DoS only occurs 25% of the time."

      Yes it does. But F-Secure and McAfee say nothing about a 25% firing rate. Did only Symantec test it? Did only McAfee and F-Secure test it? Did nobody test it and just assume they could read the disassembly?

      Time will tell (about another 48 hours) whether this thing will actually launch DoS against anyone. Even if it does, that still leaves unexplained variance between different AV companies' stories, and no explicit statements regarding actual testing and results except for "just one guy". If I had an isolated machine to play with, I'd be running tests myself instead of asking whether anyone else actually did. There's plenty of disassemblies already. Testing doesn't require that.

      --
      "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  215. sco is not the target by moonbeam · · Score: 1

    From Cert:

    The DDoS attack of Mydoom.B is against www.microsoft.com. There is
    information claiming that it may also be directed at sco.com, but this
    is unsubstantiated at this time. It appears that the more credible
    data is that it only performs a DDoS attack against www.microsoft.com,
    though a previous version of the virus is confirmed to attack SCO.

    --
    ---- perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(1 15),10);'
  216. Re:Off Trek by The+Spie · · Score: 1

    Well, it sure isn't the Borg, considering who the target of MyDoom-B is...

    --
    If using Linux is about choice, how come people complain when I choose to use Windows?
  217. DDoS on SCO as they seem to be down. by rich115 · · Score: 1

    Given that a lot of people believe that the worm doesn't actually cause a DDoS on SCO, it's interesting that Netcraft show their servers are increasing in failures.

  218. Re:but there's an open source version of the virus by Anonymous Coward · · Score: 0

    This whole fucking thread, from mydoom dependendency hell to emacs cloning monkeys on mars, is FUCKING ClASSIC BRILLIANT!!!!!!!!!!!!!!!

    KUDOS TO ALL!!!!

  219. I'm surprised by koehn · · Score: 1

    I'm surprised that some anti-spam zealot hasn't gotten their stuff together, checked their mail server logs, and written some code that opens connections to 3127, sends the magic cookie, and a small batch file containing "format c:" or some such. It would put a stop to the (inevitable) spam, and would get these morons to take system security more seriously.

    Maybe a more friendly way to do it would be to turn on the computer's TCP/IP filter, and disable port 25 outbound.

  220. Fast FBI response and humor in the worm by kellman · · Score: 0

    I believe the FBI got involved so quickly because they have been working with CERT and the Dept. of Homeland Security. Here's from a recent notice from CERT:

    As many of you are aware, a few months ago the CERT Coordination Center
    (CERT/CC) announced a new partnership with the Department of Homeland
    Security's National Cyber Security Division (NCSD) to form a response
    system for our nation and the Internet infrastructure. While this new
    partnership, known as US-CERT, has been low key, we have been working
    aggressively to upgrade our capabilities.


    In another notice from CERT, this string was extracted from MyDoom.B:
    "sync-1.01; andy; I'm just doing my job, nothing personal, sorry".

    Considering that the origins point possibly to Russia, it would seem a hapless (but probably well compensated) hacker named Andy has been enlisted by organized crime.

    --
    I don't want to sell anything, buy anything, or process anything. I don't want to sell anything bought or processed...
  221. How to make use of the Trojan/Backdoor? by Anonymous Coward · · Score: 0

    So the Virus supposedly installs a trojan or backdoor that opens some TCP/IP ports. I am collecting the IP addresses of the infected machines. How do I make use of this to clean it and install an antivirus program?

    1. Re:How to make use of the Trojan/Backdoor? by Anonymous Coward · · Score: 0

      1. BackOrifice
      2. ???
      3. Do not collect profit. YANAL.
      4. Destroy them. Playing alphabet soup in the partition tables should suffice. Sadly, it's really the only way the click-frenzied users will ever learn. If mail attachments alone aren't enough to raise serious red flags, they need to be educated the hard way.

  222. Whats the old quote? by Confessed+Geek · · Score: 1

    When GNU needs an Enema, SCO is where they put in the tube.

  223. ur a l4m3r by Anonymous Coward · · Score: 0

    I have decided to set you on fire and eat your barbecued ribs.

  224. From Russia with Love by surfsalot · · Score: 2, Funny

    I'm sure we could find some poor Russian in Siberia who would gladly accept say... 5k USD to sell one of their family members into the luxury of a US jail system. Plus we'd get to milk SCO for 250k... I like this plan. We'd probably also have to pay off an official "investigator" to forge some data, but it seems worth while... probably still come out 200k up for our side...

  225. Pah! Just deregister SCO .... by Anonymous Coward · · Score: 0
    In fact, it seems very unhappy if it cannot resolve www.sco.com.


    Oh well - if it does nothing if it cannot look up sco ... just get rid of their domain records :>

  226. Re:Off Trek by shadowbearer · · Score: 1


    No, it was the Ferengi. They had the motive, anyway.

    SB

    --
    It's old. The more humans I meet, the more I like my cats. At least they are honest.
  227. Anybody notice this? by oldskuul · · Score: 1

    If you look at Netcraft's graph of SCO's outage, they are using Apache on Linux and have not used SCO Unix to run their site since August 13, 2002.

  228. Re:I wish all mail admins.. -bah! by BugZRevengE · · Score: 1

    I have just installed amavisd-new using sendmail-milter on our new email server... set to reject the message while the connection is open.
    It looks like a good way of doing it.

    It was a pain in the butt to set up, and I'm going to write the docs to do it soon... but it works!

    --
    Why me? Why not!
    BACKUP YOUR PARTITIONS
  229. wtf is rawr? by Cederic · · Score: 1


    forgive my old age, but that's a new one on me

    1. Re:wtf is rawr? by daveisoverlord · · Score: 1

      Yeah - I had to look that one up as well. Everything2.com lists it as "An emphatic roar. Often used in email in conjunction with "Grr" to indicate anger or disappointment." I also found the same definition on info-x.co.uk/jargon.asp.

      --
      The perception of reality is more important than reality itself.
  230. Re:How to filter the worm: - BAD ADVICE by andyr · · Score: 1

    The following regular expressions trap this virus dead, no matter
    what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]

    If expression body matches "TVqQAAMAAA*" Move [virus folder]

    As others have said, this is bad advice, because it checks about 2.5 bytes at the beginning of the file.

    One thing these virus messages do not have, that regular mails do have, is a Message-ID: header line - which means that the first receiving MTA (usually sendmail or something on your inbound mailserver) adds one.

    I use exim, and I have admin privileges.

    I use this (from the exim mailing list) in the DATA ACL :-

    # Deny messages without Message-ID, but allow bounces.
    deny    !senders  = :
            condition = ${if !def:h_Message-ID: {1}}
            message   = RFC2822 says you SHOULD have a Message-ID.\n\
                        Most messages without it are spam, so your mail has been rejected.

    Works great.

    If you do not control your MTA, perhaps you can filter by searching for your MTA's signature within the Message-ID: header.

    Cheers, Andy!

    --
    Andy Rabagliati
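The same two checks from Andy's post, as an added example in Python rather than exim (this is not code from the post or from the exim list): reject mail that arrives without a Message-ID unless it is a bounce (empty envelope sender), and, for users who cannot touch the MTA, the fallback test of whether the Message-ID was stamped on by the inbound MTA. The hostname `mx.example.net` and the sample messages are constructed for the demo.

```python
import email
from email import policy

# Constructed samples as (envelope_sender, raw_message): a normal mail that
# carries its own Message-ID, a worm-style mail with none, and a bounce
# (null envelope sender) that also has none.
SAMPLES = [
    ("alice@example.org",
     "From: alice@example.org\nTo: bob@example.net\n"
     "Message-ID: <abc123@mail.example.org>\nSubject: hi\n\nhello\n"),
    ("random@example.com",
     "From: random@example.com\nTo: bob@example.net\n"
     "Subject: test\n\nThe message cannot be represented in 7-bit ASCII\n"),
    ("",
     "From: MAILER-DAEMON@mx.example.net\nTo: bob@example.net\n"
     "Subject: Undelivered Mail\n\nbounce body\n"),
]

LOCAL_MTA = "mx.example.net"  # assumed hostname of "our" inbound MTA


def data_acl_decision(envelope_sender: str, raw_message: str) -> str:
    """Mirror the exim DATA ACL: deny mail with no Message-ID header,
    except bounces, which by definition have an empty envelope sender
    ("!senders = :" does not match them)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if envelope_sender == "":
        return "accept"
    if msg.get("Message-ID") is None:
        return "deny: RFC2822 says you SHOULD have a Message-ID."
    return "accept"


def message_id_from_local_mta(raw_message: str, local_host: str) -> bool:
    """Fallback for users without MTA control: if the Message-ID's right-hand
    side is our own MTA's hostname, the sender never supplied one and the
    inbound MTA stamped it, so the mail is suspect."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    mid = msg.get("Message-ID")
    if mid is None:
        return False
    domain = str(mid).strip().strip("<>").rpartition("@")[2]
    return domain.lower() == local_host.lower()


def run_samples() -> list:
    """Apply the ACL rule to every constructed sample."""
    return [data_acl_decision(sender, raw) for sender, raw in SAMPLES]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```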
  231. wrong dude. by Anonymous Coward · · Score: 0

    SCO don't claim to OWN Linux, but claim to own CODE that is IN Linux. That is the basis for their lawsuits, licenses and accusations. Misguided maybe, but never have they claimed to own LINUX, or even the entire Linux kernel. Just some code in it.

  232. The apology won't be forthcoming by Anonymous Coward · · Score: 0

    "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users"

    Why? It's a very STRONG possibility that it IS an Open Source / Linux user who has programmed this, or even a couple of people working on it. They are the most likely group of people who would want to cause SCO trouble in any form they could manage.

    Now I understand the concept of Innocent until Guilty, but that doesn't stop people from assuming who probably is guilty, and in this case, sorry to say, it's the freebie lovers.

    1. Re:The apology won't be forthcoming by Immovator · · Score: 1

      No wonder the Open Source people (such as Bruce Perens) are fuming. Whoever scripted the MyDoom virus didn't consider Linux systems worth attacking!

  233. I would laugh so hard ... by Anonymous Coward · · Score: 0

    Imagine someone tips off the FBI or SCO as to the writer of the virus and they are caught.

    Imagine if SCO give the guy $250,000

    Imagine if, on Feb 1st, SCO.com sustains no DDoS attack whatsoever

    mmmm daydreams are fun :)

  234. Way, way OT by 87C751 · · Score: 1

    "one doofus, many doofuses"

    One blouse, two blice?

    Two jackaii?

    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
    1. Re:Way, way OT by Tassach · · Score: 1

      One blouse, two blice

      To quote Heinlein, the plural of spouse is spice. Three cheers for poly[gamy|andry|amory].

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  235. Viruxen by Louis+Guerin · · Score: 1

    Bollocks to all of this. I vote we just use "viruxen". The "-x-" insert and "-xen" ending have a noble pedigree in the computing world, and in this case there will be no doubt that we mean computer viruxen, rather than biological viruses or linguistic virii.

    I'm going to use it, anyway, and I bet nobody misunderstands me...

    L

  236. Darwinism in action by Garwulf · · Score: 1

    I'm utterly amazed at how quickly this virus has spread itself, I really am. Particularly considering the way it is delivered.

    I mean, it relies on people being stupid. This isn't like Nimda, which had a little string of script in the body of the email to ensure that the virus executed the moment the message was touched. This actually requires the user to load the virus themselves, which requires them not to realize that if somebody you don't know sends you an attachment you've never seen, it isn't out of the good of their hearts.

    Isn't this rather like handing random people a gun, asking them to see if it works by shooting themselves in the foot, and then having 9 out of 10 people say "yes"?

    On the plus side, it might prove the existence of God. If the majority of the human race is this stupid, the only way our species could survive is through divine intervention...

    --
    Robert B. Marks
    Author, Demonsbane in Diablo Archive
  237. For what reason... by Anonymous Coward · · Score: 0

    ...do I read the MyDoom virus descriptions as 'infect your computer with this in the next couple of days, and you'll be able to contribute in causing trouble to SCO or MS?'

  238. Re:but there's an open source version of the virus by Anonymous Coward · · Score: 0

    i hate dealing with dependencies... i think i installed it by typing

    $emerge mydoom.b-2.4.6

  239. Maybe because there's less of a standard? by SeanDuggan · · Score: 0, Troll

    ^_^ Before I get flamed for my total ignorance, I'll state that I am a very peripheral Linux user. I can navigate my way through the command line interface and do a few useful things, but I've yet to do an actual install. Disclaimer duly mentioned. My impression of the Linux platform is that upon downloading, most users start downloading various modifications or programming their own. As a result, individual systems can be fairly different, versus the Microsoft model, where they try to get everything standardized so everyone using their system is using one of 5-6 OSes, one web browser (theirs), one word processor (theirs), etc. Now admittedly, this non-standardization means that the average beginner may not be able to use their hardware at first because they haven't figured out which patches or modifications are necessary to get said hardware to run...

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
  240. corruption is relative by rombie · · Score: 1

    corruption is relative: what is illegal and corrupt in one country might be perfectly legal in another one! Think e.g. of that malicious Utah company that is claiming ownership to Linux code: in Germany they have been convicted already in June for illegal business practices (check out http://lwn.net/Articles/47355/ ), while in the USA they keep annoying Linux users and companies with no end in sight ;-)

    --
    In the long run, you can't move faster than your average speed.
  241. linux zealots and mydoom by oohp · · Score: 1

    I doubt any Linux zealots wrote the worm. They prefer to start flame wars on Slashdot and IRC channels rather than write worms which DDoS www.sco.com.

  242. Re:toothpaste by Psykechan · · Score: 1

    Evil spammers probably also use toothpaste

    Yes, but they mix it with orange juice. They are evil after all.

    The logical thing for our paranoid society to do is:

    1. Refuse to sell toothpaste or orange juice to minors. They never have any good intentions anyway.

    2. Monitor anyone who buys toothpaste and orange juice at the same time. It wouldn't hurt to have a large database of people who just happened to buy one as they may buy the other later.

    3. Impose large fines and jail time to those suspected of mixing these two products. We must set an example.

  243. Re:Do they even know anything? by t0ny · · Score: 1

    How, exactly?

    How? People are freely sharing their code, and have no issues relating to ownership of certain methods. Has anyone patented a method of infection? I don't think so, nor would it be enforceable; writing malicious programs/scripts is already illegal, so who is going to care about a patent violation?

    --
    Manipulate the moderator system! Mod someone as "overrated" today.

  244. I See How It Is by bimmergeek · · Score: 1

    So when Microsoft has a virus affect its system, it's an indicator of a shoddy platform. When Linux is affected by a virus it's because of a Russian evildoer but it's ok, cuz it's good publicity for Linux.

    --
    -Everyone laughs at lemmings but no one ever wants to admit to ever being one.
    1. Re:I See How It Is by RagnarokNemo · · Score: 1

      So when Microsoft has a virus affect its system, it's an indicator of a shoddy platform. When Linux is affected by a virus it's because of a Russian evildoer but it's ok, cuz it's good publicity for Linux.

      Linux is only being "affected" by this virus in that the media and SCO originally tried to pin the blame on the OSS community. The virus does not infect Linux machines. It still infects Windows machines. So, what you've said makes no sense. The facts are:

      a) the virus maker is using the shoddy platform to create a massive amount of compromised machines that act as spam relays and zombies for future DDoS attack
      b) it only seems to have a link to SCO in that it RESOLVES sco.com
      c) the worm apparently contains the string "(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)"

      These facts all seem to point to misdirection. So who's the party most likely to want to create an army of zombies and pin the blame on the Linux community?

  245. SCO and Microsoft Bounties by aca · · Score: 1

    Has anyone thought about the ready eagerness that these two companies have quickly posted a bounty on the worm's "designer"?

    Personally, I think it indicates that these two companies may know either

    1) that perhaps it's almost impossible to find who did it (assuming it was a 1 person)

    or

    2) that perhaps the "designer" was a scapegoat, while the "executor" (from which damaging links could be dug out) simply goes unidentified.

    ...even if the amount given out was a trivial amount, does anybody know of any company like these two, that's so eager to give out money freely?!

  246. Re:Do they even know anything? by Anonymous Coward · · Score: 0

    It's mind-boggling how little you know about OSS. In this area you stay a stupid hobbyist. Hereby I revoke your trolling license.