Slashdot Mirror


More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."


  1. Off Track by andyrut · · Score: 5, Insightful

    It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

    While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

    Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
    MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

    1. Re:Off Track by B'Trey · · Score: 4, Insightful

      It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of its progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't at all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

      This is, of course, a worst-case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    2. Re:Off Track by FortKnox · · Score: 4, Insightful

      Target Microsoft systems and leave Linux machines alone.

      I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.

      To say it's because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    3. Re:Off Track by southpolesammy · · Score: 5, Insightful

      As I said a couple of days ago, the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

      It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.

      --
      Rule #1 -- Politics always trumps technology.
    4. Re:Off Track by Jonathan+the+Nerd · · Score: 5, Funny
      How dumb do you have to be to actually think this malware was created by Linux zealots?

      How dumb do you have to be to infuriate the entire Open Source community by claiming you own Linux and trying to license it for $699 per CPU?

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    5. Re:Off Track by Popageorgio · · Score: 2, Interesting
      After all, it doesn't target Mac users either, and the new anti-Microsoft.com DOS attack of MyDoom.B would fit the intentions of a Mac activist. But I haven't seen anyone accuse Mac users. All the evidence is circumstantial.

      Except-

      The SCO DOS attack (geez, the TLAs are bumping and grinding today) suggests the pro-Linux link. Does any other faction have a beef with Darl?

    6. Re:Off Track by Junks+Jerzey · · Score: 2, Insightful

      It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...

      Sadly, though, it shows the reputation that Linux zealots have made for themselves, not that it is any justification for this.

    7. Re:Off Track by The+Analog+Kid · · Score: 2, Funny

      Because I'm sure framing someone else is such an ingenious original idea. Now if someone made a virus that changed your background to a picture of the goatse.cx man, well that would truly be ingenious.

    8. Re:Off Track by pegr · · Score: 5, Funny

      I certainly hope the author wasn't a Linux zealot trying to harm SCO.

      Especially when they're doing such a fine job all by themselves! ;)

    9. Re:Off Track by insensitive+claude · · Score: 2, Insightful

      Malware author != script kiddie

    10. Re:Off Track by mindbooger · · Score: 2, Interesting

      Exactly! Have you noticed that the last 3 or 4 of these outbreaks (at least!) have installed backdoors or keystroke loggers and all anyone will talk about is the SPAM and DDOS aspects of them? Aargh!

      "There's an arsonist running loose, and he keeps stepping on people's flowers as he runs away. Oh, the poor flowers. Won't somebody think of the flowers....."

    11. Re:Off Track by vanyel · · Score: 4, Insightful
      I certainly hope the author wasn't a Linux zealot trying to harm SCO.

      Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

    12. Re:Off Track by bfg9000 · · Score: 2, Funny

      I'm still laughing at SCO's offer to pay a $250,000 reward to whoever can catch the MyDoom author. It's a bit like OJ offering $250,000 for the arrest of his wife's killer....

      --

      I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

    13. Re:Off Track by kkerwin · · Score: 2, Interesting

      But what the virus does do is shed light on the SCO v IBM controversy. Anyone heard anything about SCO on NBC? How about MyDoom? It's all over the place. While it certainly does little to aid our cause, and probably more to hinder it, it does make the general public aware of it. -- Kris

      --
      Kris Kerwin kkerwin@insi__REMOVE_ME__ghtbb.com
    14. Re:Off Track by LnxAddct · · Score: 5, Interesting

      Why is everybody looking at this so negatively? I've got tons of people finally talking to me about what this Linux thing is that they've heard me mention and that they saw in the newspaper today. In the past 3 days I've gotten probably about 40 people interested in Linux who had never known about it before. Most are corporate types too. These are people that barely know what a hard drive is for, and here I am explaining not only what Linux is, but the whole Open Source movement and how great it is. This is great publicity! Didn't anyone ever hear "Any publicity is good publicity"? The media finally has their story straight about what scum SCO is and I'm seeing Linux on the front page of my local newspaper! This is great for the community. Linux is in the press and the media is making a mockery of SCO, and people are finally interested in Linux that never would have been before. And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.
      Regards,
      Steve

    15. Re:Off Track by rgriff59 · · Score: 2, Insightful
      I'm not a Doctor, and I don't play one on TV, however, my wife is an RN and is working on an FNP. As such, she has lots of wonderfully definitive medical reference books. According to both Taber's Cyclopedic Medical Dictionary, 19th edition and The Merck Manual, 17th edition, it is absolutely and without doubt "viruses." If the medical community says so, that trumps Webster's and /.'ers.

      As far as being off track (not unlike this virus plural rot in a story about a worm) wouldn't it be funny to have someone claim SCO's $250,000 bounty for a worm that never would have caused them harm?

    16. Re:Off Track by Anonymous Coward · · Score: 4, Informative

      Just key stroke loggers?

      Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).

      At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.

      Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.

      And ... try one of the purchase links at www.oem-sale.biz (pirate software - another vector, for if you get this operation's provided software, an operation running on trojaned machines, would you install it?). Say,
      http://www.oem-sale.biz/cgi-bin/order.pl?iid=12&mid=2
      and watch carefully what happens.

      HTTP/1.1 302 Found
      Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid=[varies]&mid=2

      And that gets a new redirection:

      HTTP/1.1 302 Found
      Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[varies]&mid=2&ipaddr=[victim's_IP_address]&ipaddrdc=[tracking_tag]

      One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.

      Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would ... what?

      Continue to do so, as long as they get paid.

      domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars ... well, this has been going on for quite awhile. ICANN has been informed, directi and domaindiscover have been informed and on and on it goes.

      (nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover

      oem-sale.biz, registrar directi.com

      and they know, have been informed over and over and over and over ...)

      If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.

      Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.

      Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.
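
One way to examine a purchase link the way the post above suggests ("watch carefully what happens") is to follow the redirects by hand and record what each hop appends to the URL. The script below is an added example, not code from the original post; the hostnames, addresses, parameter names and responses are constructed to mirror the shop -> logger -> shop pattern described there, and a real check would fetch each hop itself with redirects disabled.

```python
"""Walk an HTTP redirect chain one hop at a time, without auto-following, and
report which query parameters each hop adds. Added example, not code from the
original post. The hostnames, addresses and parameter names below are
constructed to mirror the pattern described above (shop -> logger -> shop,
with the visitor's IP and a tracking tag appended on the way back)."""
import re
from urllib.parse import parse_qs, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the raw response a client would receive for each URL.
# In a real check you would fetch each hop yourself with redirects disabled,
# e.g. requests.get(url, allow_redirects=False), and read the Location header.
START_URL = "http://shop.example/cgi-bin/order.pl?iid=12&mid=2"
CONSTRUCTED_RESPONSES = {
    START_URL:
        "HTTP/1.1 302 Found\r\n"
        "Location: http://192.0.2.10/cgi-bin/c/check.pl?iid=12&aid=7731&mid=2\r\n\r\n",
    "http://192.0.2.10/cgi-bin/c/check.pl?iid=12&aid=7731&mid=2":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://shop.example/cgi-bin/order.pl?iid=12&aid=7731&mid=2"
        "&ipaddr=198.51.100.23&ipaddrdc=tag4711\r\n\r\n",
    "http://shop.example/cgi-bin/order.pl?iid=12&aid=7731&mid=2"
    "&ipaddr=198.51.100.23&ipaddrdc=tag4711":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>order form</html>",
}


def parse_status_and_location(raw_response):
    """Return (status_code, Location header or None) from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def query_params(url):
    """First value of every query parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def follow_manually(start_url, fetch, max_hops=10):
    """Follow redirects by hand. fetch(url) returns the raw response text.
    Each hop records its host, status and the query parameters that were not
    present on the previous hop's URL (the first hop is the baseline)."""
    hops = []
    url = start_url
    previous = query_params(start_url)
    for _ in range(max_hops):
        status, location = parse_status_and_location(fetch(url))
        params = query_params(url)
        hops.append({
            "url": url,
            "host": urlsplit(url).hostname,
            "status": status,
            "added": {k: v for k, v in params.items() if k not in previous},
        })
        if status not in REDIRECT_CODES or location is None:
            break
        previous = params
        url = location
    return hops


def hosts_visited(hops):
    return [hop["host"] for hop in hops]


def ip_bearing_params(hops):
    """Names of parameters added along the chain whose value is an IPv4
    literal, i.e. where the visitor's own address was written into the URL."""
    return sorted(k for hop in hops for k, v in hop["added"].items() if IPV4.match(v))


if __name__ == "__main__":
    chain = follow_manually(START_URL, CONSTRUCTED_RESPONSES.__getitem__)
    for hop in chain:
        print(hop["status"], hop["host"], "added:", hop["added"] or "-")
    print("parameters carrying an IP address:", ip_bearing_params(chain))
```

The hop that bounces through the second host is the one that adds the `ipaddr` and `ipaddrdc` parameters, which is exactly the logging step the post describes.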

    17. Re:Off Track by RML · · Score: 2, Interesting

      My mom is a molecular biologist who works on viruses for a living, and I've worked with molecular biologists before. Let me assure you that if you said "virii" in a scientific conference you would be laughed out of the room.

      In my opinion it might be acceptable to use "virii" for computer viruses. If we can pluralize "box" as "boxen", why not. But it's definitely not the standard plural of "virus".

      --
      Human/Ranger/Zangband
    18. Re:Off Track by magores · · Score: 2, Insightful

      I propose the theory that a Linux virus would actually succeed quite well.

      My reasons for thinking this are:

      1) For every 100 linux users, I suspect that ~40% of them are people that are currently "dabbling" in linux. These users are as new to linux as "Grandma Gertrude" is to Windows.

      2) Of the 100 linux users mentioned, I would guess that ~75% have never done more than glanced at the source code for any given program, much less the kernel. Give these users two pieces of code to run. They are just as likely to run the "bad code" as they are the "good code".

      3) I think most would agree that the linux kernel is "safer" than a Windows system. But what about all the programs that get installed on top of (over?) the linux kernel? Many reports are released daily about buffer overflows, etc that affect these programs. Taking the hypothetical 100 linux users I mention above, I would venture that at most 25% of these people apply the patches in a reasonably short time frame.

      4) Windows is targeted because it is common. The structure/implementation of Windows "probably" lends itself to the ease of compromising it. However, I venture the guess that a sufficiently motivated malware author (notice I didn't say hacker) could construct an exploit that would cripple many of the linux boxes owned by the people that I mention in 1, 2, and 3.

      All I'm really saying is: The Linux Community should make sure it doesn't say, "Bring it on!" Because, the bad guys WILL.

    19. Re:Off Track by LittleBigLui · · Score: 3, Funny
      ...free software community offer a bounty


      I offer 15 lines of code. From System V. :)
      --
      Free as in mason.
    20. Re:Off Track by tehcyder · · Score: 2, Funny
      Didn't anyone ever hear "Any publicity is good publicity." ?
      Brilliant! In other news:

      "Linux responsible for SARS virus"

      "Linus Torvalds is Antichrist, confirms Pope"

      "Open Source developers are sheltering Osama bin Laden, says Pentagon".

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. McBride interview by BWJones · · Score: 5, Insightful

    I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

    --
    Visit Jonesblog and say hello.
    1. Re:McBride interview by vladkrupin · · Score: 3, Insightful

      I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.

      --

      Jobs? Which jobs?
    2. Re:McBride interview by haystor · · Score: 5, Funny

      Bah!

      The virus is closed source and runs on Windows. It clearly has nothing to do with GNU/Linux.

      Hehe, insert joke about BSD catching a virus...

      --
      t
    3. Re:McBride interview by Vagrant · · Score: 3, Funny

      SCO is the dark side of the open source movement.
      Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."

    4. Re:McBride interview by ananke · · Score: 4, Informative

      Ironically, open source seems to be helping to stop that. Here's my story:

      I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.

      Thanks to open source, we were able to prevent from contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.

      --
      --- d'oh
    5. Re:McBride interview by Popageorgio · · Score: 3, Funny

      Darth: "I am your father."
      Linus: "Hell no, you're just a desperate old fart who's jealous of my DNA and wants to take some credit for it."
      Darth: "Shit."

    6. Re:McBride interview by muckdog · · Score: 2, Informative

      aahh does SCO Linux ring a bell, How about SCO as a founding member of United Linux. They were a part of the open source movement. They turned to the dark side just like Vader in a search for more Money ^H^H^H^H^H Power.

    7. Re:McBride interview by Flwyd · · Score: 2, Funny

      You may modify and redistribute this virus however often you like, so long as you include the source code. If you do not share the source code, you may not redistribute this virus.

      Sounds like a pretty sweet deal to me. No wonder Linux systems aren't hit very often; viruses violate the GPL.

      --
      Ceci n'est pas une signature.
  3. It's another case against OS monoculture by Eyah....TIMMY · · Score: 4, Informative

    It was covered last week.

    Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

    Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion: diversifying is necessary to combat worms.

    --

    It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
    1. Re:It's another case against OS monoculture by sheriff_p · · Score: 3, Interesting

      You can read a good rebuttal against the 'MONOCULTURE IS DEATH' argument here:

      http://www.virusbtn.com/magazine/archives/200312/monoculture.xml

      written by someone who actually knows a little about malicious mobile code :-)

      --
      Score:-1, Funny
  4. For profit? by spun · · Score: 2, Interesting

    You mean, a big bag of money showed up on some spammer's doorstep with a note promising much more if a DDoS against www.sco.com is included in the next release?

    Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  5. OK, Deadmonk!! by Anonymous Coward · · Score: 2, Funny

    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users.

    We'll get right on that!

    Sincerely,
    The Mass Media.

  6. In addition, not instead of by allism · · Score: 4, Informative

    The B variant targets both Microsoft and SCO.

  7. Am I the only one? by CGP314 · · Score: 4, Funny

    place where nobody gives a wet slap

    Anyone care to clarify what a wet slap is?

    --
    In London? Need a Physics Tutor?

    American Weblog in London

    1. Re:Am I the only one? by Conspiracy_Of_Doves · · Score: 2, Insightful

      Umm.. Dude. I'm as big a Douglas Adams fan as the next guy, but he didn't invent every figure of speech in the English language. Some expressions (such as wet slap) did, in fact, exist before he first used them.

    2. Re:Am I the only one? by Dutch_Cap · · Score: 2, Funny

      No, Douglas Adams did invent the expression "wet slap", it's reality that's got it all wrong.

  8. I wish all mail admins.. by grub · · Score: 5, Insightful


    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

    --
    Trolling is a art,
    1. Re:I wish all mail admins.. by Random+Guru+42 · · Score: 2, Informative

      Maybe the mail server authors are in league with the spammers! Ohtehnos!

      --
      Christopher S. 'coldacid' Charabaruk -- coldacid.net
    2. Re:I wish all mail admins.. by forevermore · · Score: 4, Interesting
      would TURN OFF those blasted "Your mail has a virus!" auto-replies

      I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.

      On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.

      --
      Do you really need reason for beer? Wingman Brewers
  9. Security could be easily enhanced by Samuel+Duncan · · Score: 3, Interesting
    Two steps:
    • Make bad system administrators personally responsible for the damages they create by not fixing security holes.
    • Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson.
    --
    Over 90 years and counting !
    1. Re:Security could be easily enhanced by Flower · · Score: 4, Insightful
      *sigh*

      No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

      MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is set up to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them every time they try to open some random shiny thing.

      And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

      That soundbite of yours starts getting a little hollow now doesn't it?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
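
The post above describes the attachment pattern a gateway can actually act on: a zip whose member carries a document-looking name, an executable extension such as .pif, and a DOS executable inside. The following is an added example, not code from the original post or any named product; the archives it inspects are built in memory from constructed bytes, and the extension lists are assumptions a real filter would tune to its own policy.

```python
"""Inspect a zip attachment the way a mail-gateway filter might, looking for
the pattern described above: a member with a document-looking name, an
executable extension (.pif, .scr, .exe, ...) and a DOS/Windows "MZ" header.
Added example, not code from the original post; the archives are built in
memory from constructed bytes and contain no real malware."""
import io
import zipfile

# Assumed policy lists; a production filter would maintain its own.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".txt", ".htm", ".html", ".pdf", ".rtf"}
MZ_MAGIC = b"MZ"


def build_constructed_zip(member_name, payload):
    """Create an in-memory zip holding one member (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def split_extensions(member_name):
    """'document.doc.pif' -> ('.pif', '.doc'); missing parts are ''."""
    base = member_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    second = "." + parts[-2] if len(parts) > 2 else ""
    return last, second


def suspicious_members(zip_bytes, max_members=50):
    """Return [(member_name, [reasons...])] for members worth quarantining.
    A non-zip blob is reported as a finding rather than raising, so the
    caller's policy can decide what to do with undecodable attachments."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", ["not a valid zip archive"])]
    with archive:
        for info in archive.infolist()[:max_members]:
            if info.is_dir():
                continue
            reasons = []
            last, second = split_extensions(info.filename)
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            if last in EXECUTABLE_EXTS and second in DOCUMENT_EXTS:
                reasons.append("document name with trailing executable extension")
            # The name can lie; the first two bytes of the content cannot.
            with archive.open(info) as fh:
                head = fh.read(len(MZ_MAGIC))
            if head == MZ_MAGIC:
                reasons.append("MZ header (DOS/Windows executable)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    sample = build_constructed_zip("document.doc.pif", MZ_MAGIC + b"\x00" * 64)
    for name, reasons in suspicious_members(sample):
        print(name, "->", "; ".join(reasons))
```

Checking the content header as well as the name is what catches a renamed executable that an extension list alone would pass.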
  10. Proof of who's lying by Saven+Marek · · Score: 5, Interesting

    "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

    So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating.

    1. Re:Proof of who's lying by LearnToSpell · · Score: 2, Interesting

      Netcraft's got an interesting idea - Journalists reporting on SCO and people interested in the www.sco.com site can now subscribe to receive alerts when the site is unavailable.

  11. Please Remember! by Bruce+Perens · · Score: 5, Insightful
    Excerpted from perens.com/SCO/DOS/, this bears repeating.

    It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

    Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

    • Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
    • Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
    • Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and explain to them your own experience as a participant in the Free Software community.
    • Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org is an excellent example of how to carry this out.
    • Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

    Remember that your actions count. You are ambassadors of our community.

    1. Re: Please Remember! by Flower · · Score: 3, Insightful
      I probably rank right up there with all the other SCO haters. I'm on GrokLaw every day and chip in when I can by transcribing documents but I'd never cheer on MyDoom. The stupid thing, because of the damage it's doing (and it is damage), brings an emotional reaction to the SCO debate which undermines all the good arguments the community has developed. Even if it was developed in Russia, cheering it on because it will DDoS SCO just provides SCO and industry analysts more junk to bring up rather than focusing on the real issues.

      I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  12. It's interesting by nil5 · · Score: 3, Interesting

    if this is not a more effective form of economic terrorism, I don't know what is. These worms seem to cost US companies millions if not billions of dollars, and they're probably not so difficult to develop either.

    With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?

  13. Not to condone writing worms.... by phaetonic · · Score: 3, Interesting

    Wouldn't it be ironic if a worm were to DDoS slashdot.

    1. Re:Not to condone writing worms.... by allism · · Score: 2, Insightful

      Don't give them ideas...although it WOULD be interesting to see what kind of load /. can handle...on Sept 11, it seemed like it was the only site up, so it can handle quite a bit, but I guess the question is - which is greater - /.'s load handling or the number of stupid Windows users?

      (Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)

    2. Re:Not to condone writing worms.... by pyros · · Score: 3, Funny

      don't you realise that slashdot is a DDoS worm?

  14. I don't find the fast reactions unbelievable... by Coocha · · Score: 5, Informative

    ... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiencing unheard-of downtimes as well.

    --
    May the threads progress competently.
    1. Re:I don't find the fast reactions unbelievable... by back_pages · · Score: 3, Interesting
      Or some tiny cog in the beaucracy with an old copy of the mailing list ran the attachment. It's probably very difficult to say at this point. I know that I should be on the financial aid listserv that has apparently been comprimised, but only since last fall, and I've only been sent the virus about 30 times. Most of those were from individual's email accounts (which could have been spoofed) but still it sounds to me like some luser had a copy of an old mailing list otherwise I would have received many more emails.

      Some VT students who have been here longer said they've received the virus on average twice per minute for the last 36 hours. Ouch? Dumb user, no doubt, but I wouldn't yet conclude that it was some mission critical machine that was compromised.

  15. Huh?! by pclminion · · Score: 4, Insightful
    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

    The fallacious logic here astounds me. Wait, no it doesn't.

  16. Linux users by gid13 · · Score: 3, Insightful

    From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...

  17. Does Andy work at SCO by jaymzter · · Score: 4, Interesting

    A report covering F-Secure's work on the virus reveals this interesting comment embedded in the virus:

    Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator

    My tinfoil hat says it's some poor guy at SCO!

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
    1. Re:Does Andy work at SCO by Anonymous Coward · · Score: 2, Interesting

      There was an Andrew Sharpe who worked for Caldera. Dunno if he's still with them.

    2. Re:Does Andy work at SCO by Zocalo · · Score: 2, Interesting
      A couple of thoughts leapt to mind about that. Firstly, the comment is in English, and the name is in English (Andre[i] would be the Russian equivalent) which kind of implies an English speaking author, despite the first capture being in Russia. Using compromised box(es) to initiate the spread of the worm would be a fairly obvious step to cover one's tracks.

      Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by parties unknown, and b) included a colleague's email in the spoof list, perhaps by mistake.

      So the question is, will Andy, whoever he is, get pissed off enough to turn his colleague in for the $250,000 reward posted by SCO and turn over a new leaf? /tinfoil Assuming he's not working for SCO of course. /tinfoil

      --
      UNIX? They're not even circumcised! Savages!
  18. Bravo! by Dman33 · · Score: 4, Funny

    Not to mention all of the scared users calling the helpdesk insisting that they are infected.

    "Dude, you are using PINE! You are NOT infected!!!"

  19. close by doug · · Score: 2

    SCO is the back side of the open source movement.

  20. If I've said it once . . . by Leroy_Brown242 · · Score: 5, Informative

    I've said it a thousand times.

    1. Mutt
    2. Spamassassin
    3. Greylisting
    4. Profit!

    If it weren't for /., I'd have never noticed.

  21. The new payload is to DDoS MS by dupper · · Score: 4, Funny
    All right, it's clearly one of us. 'Fess up, J. Random Slashdotter.

    Also, you forgot to make an RIAA variant, dumbass!

  22. We have you now... by RobinH · · Score: 2, Funny

    Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

    That sounds like terrorist speak to me. Thanks to recent legislation, anyone running Linux can now be 'detained' indefinitely without evidence. God bless Micro^H^H^H^H^H^H America.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  23. Of course it wasn't some malicious Linux user by bogie · · Score: 4, Insightful

    This was some criminal capitalizing on the hot topic of the Linux vs SCO debate. If this worm had targeted the whitehouse.gov site you'd have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.

    --
    If you wanna get rich, you know that payback is a bitch
  24. How to filter the worm: by Saint+Aardvark · · Score: 3, Informative
    From a posting on the SecurityFocus Incidents mailing list:

    ------- Forwarded message follows -------
    From: lsi <stuart cyberdelix net>
    To: focus-virus securityfocus com
    Subject: how to filter the Novarg virus
    Send reply to: stuart cyberdelix net
    Date sent: Wed, 28 Jan 2004 17:35:57 -0000

    I have devised a near-bulletproof Novarg filter.

    The following regular expressions trap this virus dead, no matter
    what subject line, message body, or filename it uses:

    If expression body matches "UEsDBAoAAA*" Move [virus folder]

    If expression body matches "TVqQAAMAAA*" Move
    [virus folder]

    This is because the worm is in fact the same program with many
    disguises. However the program looks the same when encoded with
    MIME. Therefore, the above are basically 'MIME sigs' which work just
    like a virus signature in a regular virusscanner.

    So to find it we merely filter on the MIME strings above, which are
    the first 10 bytes of the MIME content section.

    For users without enterprise-class content filters (such as me),
    these two regexp's work like a silver bullet.

    (That two different sigs are required suggests there are two versions
    of the virus in circulation.)

    No silver bullet for auto-notification messages, unfortunately :(

    Stuart

    ------- End of forwarded message -------
    1. Re:How to filter the worm: by TwinkieStix · · Score: 2, Informative

      In the last myDoom article I posted this, but it seems relevant in this thread too. Here is a procmail recipe that will work on any Linux mail server that uses procmail, including Postfix, Sendmail, etc. Just add it to your /etc/procmailrc file (may be a different folder, but this is pretty standard). It seems to have stopped all of the myDoom messages from coming in:

      :0 B
      * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
      /dev/null

    2. Re:How to filter the worm: by rabidcow · · Score: 2, Informative

      That's not really a good idea if you don't understand the format of Win32 executables and zip files.

      "TVqQAAMAAA" = 4D 5A 90 00 03 00 00 0x

      The first two bytes are "MZ", which will be the same on every dos and windows executable (except .com files). Matching against that part gains you nothing. You might as well just block by file extension.

      The rest are just bits of the header, which are hardly specific to this program. It would be better to check against part of the file that was actually code.

      "UEsDBAoAAA" = 50 4B 03 04 0A 00 00 0x

      Again, the first two bytes are a signature, in this case "PK", which identifies it as a zip file. The 03 04 is then a marker to tell it what sort of record follows, best case you're only matching against 3.5 bytes that are actually relevant.
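
An added example (not from the forwarded post or either reply) that makes rabidcow's point concrete: decode the two base64 prefixes, build a benign stored zip and a stock DOS/PE header from scratch, and show that both "MIME sigs" fire on them. It also shows the more robust form of the check, matching on the decoded attachment bytes rather than on the base64 text. The zip and MZ bytes, the mail addresses and the attachment are all constructed here for the demo; none of it is the worm.

```python
import base64
import struct
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# The two base64 prefixes from the forwarded post, mapped to what the
# decoded bytes actually are (the point of the follow-up reply).
MIME_SIGS = {
    "UEsDBAoAAA": "zip local file header (PK\\x03\\x04, version 1.0, flags 0)",
    "TVqQAAMAAA": "DOS/PE header (MZ, e_cblp=0x90, e_cp=3)",
}


def decode_prefix(sig: str) -> bytes:
    """Decode a base64 prefix whose length is not a multiple of 4 by padding it.
    Ten base64 characters carry 60 bits, so only 7 whole bytes come back."""
    return base64.b64decode(sig + "=" * (-len(sig) % 4))


def stored_zip(name: bytes, data: bytes) -> bytes:
    """A benign 'stored' zip local file header followed by its data, built
    here as constructed test input (not the worm). Layout: signature,
    version needed (1.0 = 0x000A), flags, method (0 = stored), time, date,
    crc32, compressed size, uncompressed size, name length, extra length."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack("<4s5H3I2H", b"PK\x03\x04", 10, 0, 0, 0, 0,
                         crc, len(data), len(data), len(name), 0)
    return header + name + data


def dos_mz_stub() -> bytes:
    """The first bytes of a typical MS-linked executable: 'MZ', e_cblp=0x90,
    e_cp=3, then zeroed header fields. Constructed; it is not a runnable PE."""
    return b"MZ" + struct.pack("<HH", 0x90, 3) + b"\x00" * 58


def match_sig(attachment: bytes):
    """Return (prefix, description) if the attachment's base64 form would
    trip one of the two 'MIME sigs', else None."""
    b64 = base64.b64encode(attachment).decode("ascii")
    for sig, what in MIME_SIGS.items():
        if b64.startswith(sig):
            return sig, what
    return None


def scan_message(raw: bytes):
    """Walk a MIME message and report every non-multipart part whose decoded
    bytes match. Checking decoded bytes rather than the base64 text means
    line wrapping and the transfer encoding no longer matter."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        hit = match_sig(part.get_payload(decode=True) or b"")
        if hit:
            hits.append((part.get_filename(), hit[1]))
    return hits


def build_message(filename: str, attachment: bytes) -> bytes:
    """Constructed sample mail with one base64 attachment (the example.*
    addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "you@example.net"
    m["Subject"] = "see attachment"
    m.set_content("readme attached")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for sig in MIME_SIGS:
        print(sig, "->", decode_prefix(sig).hex(" "))
    # Both signatures fire on files that have nothing to do with the worm.
    print(match_sig(stored_zip(b"readme.txt", b"hello")))
    print(match_sig(dos_mz_stub()))
    print(scan_message(build_message("readme.zip",
                                     stored_zip(b"readme.txt", b"hello"))))
```

The run shows why the two regexps are format signatures rather than virus signatures: any stored, unencrypted zip and any executable with the usual linker DOS stub match. The procmail recipe in the reply above is narrower because it extends the prefix well past the header, which is the right direction; matching on decoded bytes deeper in the file is better still.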

  25. Patch patch scratch and lose by djupedal · · Score: 2, Interesting

    OS X....works for me...all go to the trash.

    Oh what a relief it is :)

  26. Eventually, that might not help. by qortra · · Score: 2, Interesting

    Many worms nowadays are capable of traveling along multiple protocols and containing multiple payloads. Of course, worm writers generally don't bother because there are indeed far more copies of Windows out in the wild than anything else. However, if we began to see a more substantial plurality of OSes, I suspect multiple-architecture worms would become more commonplace; just pick your favorite exploit from each os, and make a separate payload for each. The worm might double or triple in size (depending on the number of architectures supported), but authors won't care.

    Furthermore, universal binaries like those associated with Java or .NET/Mono might eventually make it so worm writers don't even have to include multiple payloads; just multiple exploits.

    Maybe diversifying will help a little for a short while, but the real solution to this problem is to write better code.

  27. Isn't It Ironic - Don't You Think? by BigBlockMopar · · Score: 4, Insightful

    Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion: diversifying is necessary to combat worms.

    How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:

    • promotes the very monoculture about which he speaks (noting that Microsoft doesn't offer a PowerPoint reader for Linux)
    • allows the embedding of executable content which could be (and has been) used to carry malicious code

    Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.

    At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.

    --
    Fire and Meat. Yummy.
  28. what makes you think that people in Russia by meshko · · Score: 3, Insightful

    do not follow the SCO lawsuit?
    Fuck, I'm pissed off more than usual about Slashdot editors.
    If you were to read www.linux.org.ru you would notice that the site follows the suit pretty closely, sometimes more so than Slashdot.

    --
    I passed the Turing test.
  29. Re:Block port 25? by Sandman1971 · · Score: 2, Interesting

    No, most viruses run their own SMTP engines. The smarter ones do an MX lookup for the host domain (based on reverse DNS) and use that as the MTA. Smart ISPs, however, split inbound and outbound MTAs to block this.

    --
    It's better to burn out than to fade away
  30. Re:Off Trek by NanoGator · · Score: 4, Funny

    "It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible..."

    I wouldn't rule out Romulan involvement.

    --
    "Derp de derp."
  31. Clueless Newscaster. by cant_get_a_good_nick · · Score: 2, Funny

    A couple days ago, a local television station (Fox 32 Chicago) had a 20 second blurb on the worm. It said there was a new computer virus around. The picture? Apple iMac. At least it was the newer iMac, I'm surprised they didn't put an IIci on there.

    The blurb had no information on what to do. Didn't say it was an MS virus, didn't say to go to any website to see what you could do. Just announced "another virus". Waste of time.

    1. Re:Clueless Newscaster. by mabu · · Score: 2, Funny

      Wow, and you say this came from a FOX affiliate?

      Imagine that.

  32. Re:MyDoom victim by mabu · · Score: 2, Informative

    Your friend is a moron.

    The SCO DDOS is nothing compared to the fact that the worm opens up a back door which allows other people complete control over his computer.

  33. but there's an open source version of the virus... by commodoresloat · · Score: 4, Funny
    Greetings. You have been infected with GNU/MyDoom, a destructive anti-SCO virus brought to you by members of the open source community. In order to get this virus to infect your system properly, you will need to use wget to download mydoom-config-2.4.6 from one of the usual mirrors. Be careful; this version of the virus is not compatible with versions of mydoom-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./configure; make; make install), you can configure the virus from any directory simply by typing sudo mydoom-config -ort [your login id] [your current IP address] [full path to your email client] [interval since last kernel rebuild in seconds]. This virus is licensed under the GPL. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/mydoom and all your config files are stored at ~/.mydoom.

    p.s. yes, it's an old joke, but still, you know you laughed....

  34. Re:The ultimate call for group think. by Krow10 · · Score: 2, Insightful
    I personally like to see SCO denial of serviced to kingdom come.
    The problem with that is it doesn't hurt SCOX at all. Look at their business; look at the SEC filings with their financial numbers -- SCOX is not getting any revenue from their website, but they do get some sympathy every time some jackhole pulls a DoS on their pathetic site (of course, in the lab, tests show that MyDoom.a doesn't actually execute the DoS code.) Yeah, SCOX can kiss my arse as well, but so can the spammers who coded this and anyone else who puts SCOX in the news for something other than their impending bankruptcy and fraud investigation.

    Cheers,
    Craig

    --
    Corollary to Clarke's Third Law: Any technology distinguishable from magic is insufficiently advanced.
  35. McBride is cunning by Anonymous Coward · · Score: 4, Funny
    Oh and I just realized. The reason why SCO could seem to be so stupid:

    Disgruntled SCO Employee: This company is going down the tubes. If I stay here much longer I'll never find work again! I quit! *slam*

    Darl McBride: Damn! We just lost our last programmer! What are we going to do now?

    Grand Vizier: *rubbing hands together* Well, now I suggest we go to the very salt of the earth...To the spammers!

    McBride: Wha? What the hell are you talking about?

    Mr. Burns: Obviously our only course of action is to utilize the dark side of the force. We must make those young linux whippersnappers look bad by making a virus that seems to target our own servers!

    McBride: Brilliant! We'll make it look like those linux communists are trying to destroy our legitimate business! Make it so!

    Mr. Burns: Eeeexcellent.....

    Thus goes the story I heard from a passing lunatic...

  36. Re:I wish all mail admins.. -bah! by Havokmon · · Score: 2, Interesting
    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

    A nice guy on the FreeBSD Mail-Toaster list put out a good script..

    I now grab all the IP's out of infected emails, and put them in my etc/tcp.smtp file:

    123.123.17.50:allow,RBLSMTPD="-VIRUS SOURCE Please check your computer for infections"
    IP obfuscated to protect the guilty

    How about that? You only get your mail bounced, with a virus warning if your IP (sure dial-up _could_ be hit - but I'm a standalone email provider) sent a virus through my system in the last day.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  37. Social engineering for Sysadmins by ericspinder · · Score: 3, Insightful
    Throwing the authorities off-track might have been the idea, but I think that it JUST MIGHT have been an attempt at social engineering aimed at the sysAdmins and virus hunters.

    Just think, you are one of the first hunters to see the virus. You examine the code, and "Damn, they're going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...

    They say that it's one of the fastest-spreading viruses to date, perhaps targeting SCO was the bump it needed.

    --
    The grass is only greener, if you don't take care of your own lawn.
  38. Ingenious my arse by Chuck+Chunder · · Score: 4, Insightful

    Didn't blaster target the wrong address for Windows Update?

    DDOS a website that probably gets about 10 interested visitors a day anyway?

    Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Ingenious my arse by zcat_NZ · · Score: 2, Insightful

      and then nukes the system it's living on..

      Why does everyone seem to think this is the -worst- thing that could happen? Restore from backups, business as usual the next day. Sure, a lot of businesses would be fucked over, but anything really important is backed up.

      Now imagine a worm that spreads fast (flood-scan the local /16 plus a few random IP's outside that with tcp syn packets, infect anyone that syns) and then immediately goes dormant. Over the next month or so it quietly makes alterations to all the files it can access. Changes numbers in databases and spreadsheets, swaps words around in documents. By the time anyone starts to notice this thing has rendered all of the current data and at least a month of backups unusable.

      That's the worst virus I can think of.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:Ingenious my arse by zoney_ie · · Score: 2, Funny

      Shhhhhh...

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    3. Re:Ingenious my arse by zcat_NZ · · Score: 4, Informative

      I think they're _stupider_ than that..

      nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address (iirc from 198.137.240.91 to 198.137.240.92), trivially avoiding the DDoS.

      sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certainly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.

      Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.

      --
      455fe10422ca29c4933f95052b792ab2
  39. This one? by ebbomega · · Score: 3, Funny

    To: Luser (whoever@blah.com)
    From: Hax0r (jeffk@somethingawful.com)
    Subject: *nix virus

    This is the only known Virus that works on all *nix systems. Please forward this to everybody on your list and delete all the files on your harddrive. Thank you.

    (Or something to that effect)

    --
    Karma: Non-Heinous
  40. Re:Why is this an issue? by mabu · · Score: 2, Interesting

    Why is this so hard for other people to do that this virus is actually getting through to their clients?
    1. Nowadays your average computer user is a moron.

    I'm sure you and everyone else knows some hopeless PC user who uses Outlook, can't help but click on some attachment, believes everything they read online, or does not patch their Windows on a regular basis. All it takes is a few of these n00bs to make life miserable for others in one form or another.

    2. Filtering on the client side doesn't really address the larger problem of these scripts consuming *tremendous* amounts of bandwidth, network and system resources.

    If you're an end-user, you can't appreciate how much fun it is to manage a server that is getting hammered with this crap. Even if you block it out, you still have to deal with reduced performance and limited bandwidth available to all your users because of yet another unpatched MS hole or irresponsible ISP.

    And of course, whenever there's another announcement of a "virus" every person with a PC who can't get it to work right is convinced that the "virus" is the culprit.

  41. Stawin-A Trojan by sharp-bang · · Score: 5, Informative

    Sophos has intercepted a new trojan called Troj/Stawin-A that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.

    --
    #!
    1. Re:Stawin-A Trojan by johnmc · · Score: 5, Informative

      Make that Troj/Stawin-A..
      There was a typo in the URL

      --
      -- johnmc.
    2. Re:Stawin-A Trojan by Dwedit · · Score: 2, Funny

      Wow, typoing URLS on informative posts, then replying with the correction is an excellent way to effortlessly build your karma score. I've got to try that sometime.

  42. A million zombied machines for anyones use by codepunk · · Score: 4, Informative

    Read the following....extremely scary....

    Listens on port 3127; accepts a maximum of 3 connections
    at a time. If the first byte of the received data is
    0x85, the DLL skips the next byte, then compares the next
    dword read to 133C9EA2h; if this is true, it accepts
    the executable from the sender, downloads it to a temp
    file/directory and runs it.

    --
    Got Code?
    1. Re:A million zombied machines for anyones use by mabu · · Score: 3, Insightful

      As soon as this information was known, the FBI should send agents to Worldcom, Sprint and all the other backbone providers with instructions to log all port 3127 traffic immediately.

      Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.
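
As an added example (not from codepunk's quoted analysis or mabu's reply), here is the quoted handshake turned into a parser for captured port 3127 traffic, the detection side of "log all port 3127 traffic": it accepts a TCP payload, checks the 0x85 byte and the 133C9EA2h dword exactly as the description lays them out, and returns the body that the backdoor would write to disk and run. The one assumption not in the quoted text, marked in the code, is that the dword is compared natively on x86 and therefore travels little-endian; the flows and addresses are constructed for the demo.

```python
import struct

BACKDOOR_PORT = 3127
MAGIC_BYTE = 0x85
MAGIC_DWORD = 0x133C9EA2   # the value quoted in the post


def parse_backdoor_upload(payload: bytes):
    """Parse the handshake described above out of a captured TCP payload.

    Per the quoted description: byte 0 must be 0x85, byte 1 is skipped,
    bytes 2..5 are a dword compared with 133C9EA2h, and everything after
    that is the file the backdoor writes out and runs.
    Assumption made here: the dword is compared natively on x86, so on the
    wire it is little-endian (A2 9E 3C 13).
    Returns the uploaded body on a match, None otherwise.
    """
    if len(payload) < 6 or payload[0] != MAGIC_BYTE:
        return None
    (magic,) = struct.unpack_from("<I", payload, 2)
    if magic != MAGIC_DWORD:
        return None
    return payload[6:]


def is_probable_upload(payload: bytes) -> bool:
    """A matching handshake whose body starts like a Windows executable."""
    body = parse_backdoor_upload(payload)
    return body is not None and body[:2] == b"MZ"


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_bytes_from_client).
    Returns (src, dst) pairs that carry a real upload, so 'log all port 3127
    traffic' shrinks to the few events that matter: someone driving a zombie."""
    return [(src, dst) for src, dst, port, data in flows
            if port == BACKDOOR_PORT and is_probable_upload(data)]


# Constructed sample flows using RFC 5737 documentation addresses.
HANDSHAKE = b"\x85\x00" + b"\xa2\x9e\x3c\x13"      # 0x85, skipped byte, dword LE
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", 3127, HANDSHAKE + b"MZ\x90\x00" + b"\x00" * 20),
    ("192.0.2.11", "198.51.100.7", 3127, b"GET / HTTP/1.0\r\n\r\n"),      # scanner noise
    ("192.0.2.12", "198.51.100.8", 3127, HANDSHAKE + b"hello"),           # magic ok, no PE
    ("192.0.2.13", "198.51.100.9", 80,   HANDSHAKE + b"MZ"),              # wrong port
    ("192.0.2.14", "198.51.100.7", 3127, b"\x85\x00\x13\x3c\x9e\xa2MZ"),  # big-endian: no
]

if __name__ == "__main__":
    print(scan_flows(SAMPLE_FLOWS))   # [('192.0.2.10', '198.51.100.7')]
```

Feeding the same function the first client bytes of every port 3127 connection from a packet capture separates scanners probing the port from actual uploads; the latter are the events worth keeping, because each one records a controller address as well as a zombie.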

  43. I'm tired of this... by verbatim · · Score: 3, Insightful

    I'm getting hundreds of these cute "you've got a virus" warnings from mail servers around the world. They're all the same - We've found an infection in an email from you... except when you look at the headers of the original e-mail, it is plain as day that the e-mail never went through my mail server and just forged the e-mail address.

    A header from the most recent example:

    Received: from [200.223.39.59] (helo=writeopen.com)
    by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
    id 1AlqLU-0007Hx-48
    for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500
    RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).

    I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
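
An added example (not from verbatim's post or Havokmon's post 36 above) that does with Received headers what both of them describe: for a message that actually arrived here, pull out the client IP that handed it to our own MX (the address Havokmon feeds into tcp.smtp); for a "virus found in your mail" notice, read the quoted original's Received chain and flag it as backscatter when that chain never passed through one of our hosts. The host name, addresses and both sample messages are constructed for the demo, in the same Exim "from [ip] (helo=...) by host" shape as the header quoted above.

```python
import re

# Hosts that are legitimately ours. A message that never passed through one
# of them was not sent by us, whatever its From: line says. (Assumed name.)
OUR_MAILHOSTS = {"mail.example.net"}

# One Received: header including its folded continuation lines.
HEADER_RE = re.compile(r"^Received:(.*?)(?=^\S|\Z)", re.S | re.M)
# Client address in brackets, then the host that accepted the connection.
HOP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)", re.S)


def received_hops(text: str):
    """[(client_ip, receiving_host), ...] in header order, newest hop first."""
    hops = []
    for h in HEADER_RE.finditer(text):
        m = HOP_RE.search(h.group(1))
        if m:
            hops.append((m.group("ip"), m.group("by").lower()))
    return hops


def split_headers_body(raw: str):
    headers, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return headers, body


def origin_ip(raw: str):
    """The address that handed this message to the first of our own hosts:
    the value a tcp.smtp deny rule like Havokmon's would be keyed on."""
    headers, _ = split_headers_body(raw)
    for ip, by in received_hops(headers):
        if by in OUR_MAILHOSTS:
            return ip
    return None


def is_backscatter(raw: str) -> bool:
    """True when a 'we found a virus in your mail' notice quotes an original
    whose Received chain never touched our hosts: the sender was forged and
    the notice can be filed rather than acted on. Only plain-text quoting is
    handled; a base64-encoded message/rfc822 part would need decoding first."""
    _, body = split_headers_body(raw)
    hops = received_hops(body)
    return bool(hops) and not any(by in OUR_MAILHOSTS for _, by in hops)


# Constructed samples: RFC 5737 addresses and example.* domains.
VIRUS_MAIL = """\
Received: from [192.0.2.77] (helo=dialup-77.example.org)
\tby mail.example.net with esmtp (Exim 4.24)
\tid 1AbCdE-0001Xy-00
\tfor me@example.net; Wed, 28 Jan 2004 09:07:08 -0500
From: fred@example.com
To: me@example.net
Subject: hi

(attachment would follow)
"""

NOTICE = """\
Received: from [198.51.100.5] (helo=mx.notifier.example)
\tby mail.example.net with esmtp (Exim 4.24)
\tfor me@example.net; Wed, 28 Jan 2004 09:10:00 -0500
From: postmaster@notifier.example
To: me@example.net
Subject: Virus found in a message you sent

We found an infection in an email from you. Original headers:

Received: from [203.0.113.59] (helo=forged.example.org)
\tby mx.notifier.example with esmtp (Exim 4.24)
\tfor victim@notifier.example; Wed, 28 Jan 2004 09:07:08 -0500
From: me@example.net
Subject: test
"""

if __name__ == "__main__":
    print(origin_ip(VIRUS_MAIL))      # 192.0.2.77
    print(is_backscatter(NOTICE))     # True
```

The split matters: the outer headers are the ones our own server wrote and are trustworthy for the origin address, while the quoted chain inside the body was written by somebody else's server and is only good for the negative test (our host is absent from it). Notifiers that reply to the forged sender are exactly the auto-replies post 36 asks admins to turn off.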
  44. I'm betting that Martians are behind this by Snork+Asaurus · · Score: 4, Funny
    Earth has really been pissing Mars off lately:

    1) Earth landed a multi-ship advance scouting party on Mars this month

    2) An earth leader with a track record for aggression speculated in a speech about the resources that might be plundered from Mars

    3) Earth announced that it was preparing a full scale manned invasion of Mars by 2050

    4) SCO sent a letter demanding payment to Martian citizen Marvin, just in case he uses Linux in his Space Modulator

    --
    Sigs are bad for your health.
  45. Who Said It'll Attack SCO? & A FUDworm? by DynaSoar · · Score: 3, Insightful

    Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

    If it turns out that the DDOS payload is inert:

    Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)

    If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
    1. Re:Who Said It'll Attack SCO? & A FUDworm? by interiot · · Score: 2, Informative
      Okay, let's go over some of the facts:
      • The idea that the payload is inert comes from a single post on the internet by some random guy, and is now being quoted all over slashdot without anyone checking or verifying. It may turn out to be true, but either you should personally verify it, or at least wait for ONE other person to verify it before you start conspiracy theories.

      • Norton Antivirus believes the payload to be an active DDOS against www.sco.com. So does F-Secure. So does McAfee.

      • You can look at the worm yourself and verify that it contains references to www.sco.com. Combine this with the fact that the worm is fairly small and is UPX compressed, you can conclude that the worm author took up space with the reference for a reason, either to create conspiracy theories (which would be unprecedented for a worm/virus I believe) or it's actually to DDOS a website (happens all the time with worms/viruses).

      • The partial disassembly that people have posted so far indicates that the worm does use the www.sco.com address while creating a thread, opening a socket, and sending some data.
      So please, Please, PLEASE, would slashdot posters and moderators stop with the conspiracy theory stuff until someone posts a full disassembly on the internet, and lots of people verify that the analysis is correct. Until then, trying to come up with flamboyant conspiracy theories isn't going to do anything.
  46. Re:Block port 25? by cpghost · · Score: 2, Informative

    Operating a mail server carries special responsibilities with it. You have to make sure that you're not operating an open relay (even inadvertently), you must monitor your outgoing mail(logs), to make sure that your server is not being abused as a spam source, and you should react to problems such as mail-loops etc., e.g. by assuming the role of postmaster.

    While most of us /.-ers are technically savvy enough to do this, a whole lot of Windows-PC owners are not. Their machines are constantly being hijacked by viruses, and then they become spam zombies from hell. I can understand why ISPs are reluctant to keep port 25 open to such people. OTOH, I don't like this collective punishment meted out by some ISPs who don't discriminate between responsible and irresponsible users.

    It is quite common for ISPs to block port 25 for dial-up users, but they won't do so if they assign to you a static IP. In most cases, people with static IPs are more responsible (and technically savvy) than Joe Sixpack, and there's often no need to block them. Of course, in an ideal world, the ACLs on ISPs routers would be configured dynamically for every user who logs in. It is easy to implement a whitelist/blacklist of users and block only those who don't act responsibly, open everything for users who have a good history of fixing bugs or keeping a tight ship, and giving everyone else the benefit of the doubt.

    --
    cpghost at Cordula's Web.
  47. Mydoom generates its own recipients by Net_Wakker · · Score: 3, Interesting

    Email for my domain is wildcarded, so it really doesn't matter that much what's in front of the @ and I'll get it.
    The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
    I've also noticed that some of the "senders" are constructed the same way.

  48. Possible test version hitting me. Anybody else? by John+Walker · · Score: 5, Interesting
    In the discussion cited in the main article, the observation is made from disassembly of the payload:

    Nicolas Brulez:
    -----
    from my quick and dirty analysis, its a thread that does the DDOS.
    It has below normal priority, and it just does a GET.

    GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"

    This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)

    I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.

    I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control port, most aren't. (Of course, a test version may use a different port or none at all--I discuss this in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).

    Has anybody else seen this kind of traffic hitting their sites?
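
An added example, not part of John Walker's post or his incident report, of how one would pull that pattern out of an ordinary web server log: clients whose every request is a bare "GET /", who never follow up on the frames a browser would load, and whose hits recur at roughly a four-minute period. The log lines and addresses are constructed; the Apache combined format, the four-minute period and the inference that the quoted request (Host header only) logs with an empty User-Agent are assumptions of the demo, and the period and tolerance are parameters so they can be fitted to whatever the real log shows.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" log format, assumed for the demo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Yield (ip, timestamp, request line, user agent) for each parsable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
                   m.group("req"), m.group("ua"))


def suspect_hosts(lines, period=240.0, tolerance=30.0, min_hits=3):
    """Map IP -> median gap (seconds) for clients matching the pattern in the
    post: every request is a bare 'GET /' (assumed to log with User-Agent
    '-', since the quoted request carries only a Host header), the client
    never fetches anything else, and the hits recur about every `period`
    seconds. Any IP that also requests a frame, an image or anything with a
    User-Agent is treated as a browser and dropped."""
    bare_hits = defaultdict(list)
    browsers = set()
    for ip, ts, req, ua in parse_log(lines):
        if req.startswith("GET / ") and ua == "-":
            bare_hits[ip].append(ts)
        else:
            browsers.add(ip)          # did something a timer loop never does
    suspects = {}
    for ip, times in bare_hits.items():
        if ip in browsers or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            suspects[ip] = median(gaps)
    return suspects


# Constructed log lines (RFC 5737 addresses); the timer client is 192.0.2.10.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jan/2004:20:00:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
192.0.2.20 - - [28/Jan/2004:20:00:05 +0000] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.20 - - [28/Jan/2004:20:00:06 +0000] "GET /navigation.html HTTP/1.1" 200 3400 "http://www.example.org/" "Mozilla/5.0"
192.0.2.30 - - [28/Jan/2004:20:01:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
192.0.2.10 - - [28/Jan/2004:20:03:55 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
192.0.2.30 - - [28/Jan/2004:20:01:30 +0000] "GET /sitemap.html HTTP/1.1" 200 900 "-" "-"
192.0.2.10 - - [28/Jan/2004:20:07:55 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
192.0.2.10 - - [28/Jan/2004:20:12:05 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
""".splitlines()

if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_LOG))   # {'192.0.2.10': 240.0}
```

Run over a full day's log, the size of the returned dictionary is the "distinct hosts" number and its values show how tight the timer is; bucketing the hit timestamps by hour reproduces the diurnal chart the post mentions, which is the quickest way to tell a botnet of home machines from a crawler.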
  49. Re:but there's an open source version of the virus by IdleTime · · Score: 2, Funny

    You must be using one of those old and technologically outdated Linux distros as RedHat, SuSE or Debian.
    All I do is emerge sync && emerge mydoom and I'm good to go. Ebuild is currently in Portage, just sync your systems :) Oh yeah, forgot to mention, Gentoo baby. LOL

    --
    If you mod me down, I *will* introduce you to my sister!
  50. needs re-thinking by aca · · Score: 5, Interesting

    In my opinion, I don't think it was a Linux fan that caused it.

    Firstly, the attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.

    The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.

    Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.

    Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.

    Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.

    I think the REAL reason for this worm was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targeting Microsoft, I still think the original motive remains the same.

    Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.

    People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurrence of this worm. Industrial espionage has been around for a long time, and we know that it happens. What's to prevent worms or viruses being used in industrial espionage? Especially when the internet is a lot more relevant to businesses today.

  51. Version 2 commentary by WebGangsta · · Score: 5, Interesting
    By now you probably have heard that there's a new version (MyDoom.B) that is also making its way across the Internet, this time supposedly targeting Microsoft.

    According to Symantec, this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.

    Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
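A HOSTS file that has been edited to pin antivirus or advertising names to a loopback or null address is straightforward to audit. The following is an added example, not code from the original poster or from Symantec's write-up; the sample file is constructed and the hostnames are placeholders rather than the real vendors named above.

```python
"""Audit a HOSTS file for entries that sinkhole a hostname to a loopback
or unspecified address, which is the effect the comment above describes.
The sample file below is constructed; the names are placeholders."""
import ipaddress

# Names that legitimately map to loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}

# Constructed sample in the layout of %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   av-vendor.example www.av-vendor.example   # constructed entry
127.0.0.1   ad-network.example
192.0.2.10  intranet.example   # constructed, legitimate static mapping
::1         ip6-localhost
"""


def _is_sinkhole(ip_text):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines.

    One line may carry several hostnames; each is yielded separately."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text):
    """Return sinkholed (ip, hostname) pairs that are not standard localhost names."""
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if _is_sinkhole(ip) and name not in BENIGN_LOOPBACK_NAMES
    ]


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} is sinkholed to {ip}")
```

On a suspect machine, read the real hosts file into `suspicious_entries`; anything it returns beyond mappings you added yourself deserves a look, and the ad-network entries the poster is half happy about show up in the same list as the antivirus ones.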

  52. Watch MyDoom in Action! by pfifltrigg · · Score: 2, Informative

    If you would like to watch MyDoom's effect on www.sco.com as we near February 1, have a look at a little tool I cooked up.

  53. Most resource-efficient way to deal with this by mabu · · Score: 2, Insightful

    I recommend that other ISPs do what we're doing to deal with this. The problem with using content-based filtering is that it constantly needs updating and still costs you bandwidth and system resources.

    The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.

    My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.

    For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:

    Le Groupe Videotron Ltee VL-2BL
    24.200.0.0 - 24.203.255.255

    The easy thing to do is put 4 lines in my /etc/mail/access file to block those 4 class Bs, and bingo... I've shut out more than 250,000 IPs from sending me spam or worms. I modify the error message to redirect inquiries to a web page with a form that legitimate users can use to whitelist their IP/relay.

    Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.

    Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large number of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.

    Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.

    Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.

    If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.

    The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most heinous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
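The policy described above (reject whole consumer netblocks at connect time, let individual relays that fill in the form override the block) can be modelled in a few lines. This is an added example, not the poster's own configuration; it uses plain CIDR rules rather than sendmail's access-file syntax, and the second block, the whitelist entries and the form URL are constructed placeholders. The one real range is the 24.200.0.0 - 24.203.255.255 block quoted in the post, which is four /16s, i.e. a single /14.

```python
"""Evaluate a connecting SMTP client against a short deny list of netblocks
with a whitelist of individual relays that takes precedence, as described in
the comment above. CIDR rules only, not sendmail access-file syntax;
addresses other than the quoted whois range are constructed."""
import ipaddress

# (cidr, reason). 24.200.0.0/14 covers the four class Bs quoted in the post.
DENY_BLOCKS = [
    ("24.200.0.0/14", "consumer broadband block quoted in the comment"),
    ("198.51.100.0/24", "constructed example block"),
]

# Relays that requested an exception through the form (constructed).
WHITELIST = ["24.201.7.20", "198.51.100.0/26"]

WHITELIST_FORM = "https://mail.example/whitelist-request"  # placeholder URL


def build_policy(deny_blocks=DENY_BLOCKS, whitelist=WHITELIST):
    """Compile rules and order them longest prefix first, so a whitelisted
    host sitting inside a denied block is matched before the block."""
    rules = [(ipaddress.ip_network(c), "REJECT", why) for c, why in deny_blocks]
    rules += [(ipaddress.ip_network(c), "OK", "whitelisted") for c in whitelist]
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def check_sender(ip_text, rules):
    """Return (verdict, smtp_reply) for a connecting client address."""
    ip = ipaddress.ip_address(ip_text)
    for net, verdict, why in rules:
        if ip in net:
            if verdict == "REJECT":
                return ("REJECT",
                        f"550 Relay in blocked range ({why}); "
                        f"request whitelisting at {WHITELIST_FORM}")
            return "OK", f"250 accepted ({why})"
    return "OK", "250 accepted (no rule matched)"


if __name__ == "__main__":
    policy = build_policy()
    for client in ["24.202.9.9", "24.201.7.20", "198.51.100.5",
                   "198.51.100.200", "203.0.113.1"]:
        verdict, reply = check_sender(client, policy)
        print(f"{client:16} {verdict:7} {reply}")
```

The longest-prefix ordering is what keeps the whitelist small and the deny list coarse: you can reject a whole /14 with one entry and still let a single /32 through, which is the trade-off the post argues for over per-IP DUL lookups.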

  54. Totally OT by back_pages · · Score: 3, Funny
    when I was an undergrad, a fun way for my friends and myself to amuse ourselves was to get really drunk (this makes it more amusing) and then cruise the school's intranet for dopes who had shared their entire hard drives on the network. We would do all sorts of bad things, but the best was defacing a person's Internet Explorer wallpaper.

    In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.) We would grab that file and take a peek. If they had an image suitable to be defaced, we would draw mustaches on everyone and draw little cartoon balloons saying stuff like, "UR COMPUTAR HAS EBOLA!!11" and then overwrite their copy of the file. If they had a stupid background, we'd find something funny to give them.

    Between the sorely juvenile humor and the liquor, it was completely hilarious to us at the time. I was even called by the school's Computer Support Desk at one time to see if I knew anything about the rare computer virus the student computers had. And before anybody points out how childish and potentially criminal this was, let me say that it was childish and potentially criminal. We just screwed with people's wallpapers but we could have remotely deleted their entire hard drives. Educating the masses about computer security is a difficult task, but goddamn if drawing mustaches on people isn't funny.

  55. SCO connection is a red herring by budgenator · · Score: 4, Informative

    The linked mailing list at Math.org reports the preliminary disassembly shows that the worm only resolves the name SCO.com, and is unhappy if the name doesn't resolve. My guess is that having the name resolve shows the worm that an active internet connection exists, without tipping its hand too badly. In test environments the worm didn't attack SCO.com no matter what the computer's date was set to.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
    1. Re:SCO connection is a red herring by jamesh · · Score: 5, Funny

      The obvious solution then is to demand that sco remove the sco.com domain. It's the only decent thing to do.

  56. Let me guess.... by Kjella · · Score: 2, Informative

    Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    ...you were going for +1, Funny? I mean this is SCO, the company that never ever makes unfounded allegations, assumes there is evidence of a crime where there isn't, denies the facts when they go against their claims or otherwise does anything shady. Of course they'll apologize.

    That'll be the day the temperature in hell goes sub-zero - on the Kelvin scale.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  57. Wouldn't it be ironic... by Ingenium13 · · Score: 2, Interesting

    You know, with all the stunts SCO has pulled lately, wouldn't it be ironic if they created this worm themselves or were somehow responsible? According to the article it doesn't DDoS SCO, but even if it did, isn't this in a way what they want? They can now point the finger at the Open Source Movement. They can draw negative media attention toward Linux which may, in their minds, help their court case. If people come under the impression that Linux and Linux users are "bad" then they will be more likely to sympathize with SCO.

    This is of course an unlikely situation since if it was discovered SCO was behind the worm then it would all be over for the company. However, it is an interesting thought...

  58. my amazement is beyond comprehension by CAIMLAS · · Score: 4, Interesting

    I can't believe this worm has been remotely successful. It's hard to believe that so many people are so incredibly stupid.

    It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.

    This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  59. Common sense lacking in virus writers? by hazzey · · Score: 2, Insightful

    I have thought this same thing about all of the DDoS viruses that have been around lately. Why is the date that the DDoS is supposed to start always a week+ after the news media proclaims it a "massive infection"? It is almost like the writers just want publicity and not to actually do harm. It's not like I wish that they would get their acts together, but it just strikes me as odd.

  60. Re:Way OT by AJWM · · Score: 4, Informative

    Why is the plural of virus viruses? One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii?

    Then why spell it with two 'i's? "Viri" would be correct by your example.

    However, in the original Latin, "virus" is a collective rather than singular noun (e.g. "snow" vs "snowflake", although the original meaning is more like "slime".) Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium") in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.

    Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".

    --
    -- Alastair
  61. Quick Poll: by KalvinB · · Score: 4, Informative

    How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

    *raises hand*

    Oh yes, and Hotmail over there.

    These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.

    Ben

  62. Port 25 blocking by Awptimus+Prime · · Score: 3, Insightful

    decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

    That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.

    Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The spammers who used our services immediately found new ISPs. The only fallout was a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISP's SMTP server.

    I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.

    For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought they were some guru, but usually had no clue. My point: if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messed up copy of enduroo. ;-)

    Back to the topic at hand, there is no excuse for any ISP who houses an SMTP server to allow its customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.

    I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.

    1. Re:Port 25 blocking by phillymjs · · Score: 4, Insightful

      Most of the spam I get these days comes from SMTP-trojaned Windows boxes sitting on consumer broadband networks.

      As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.

      Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accommodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy-- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.

      ~Philly

    2. Re:Port 25 blocking by kirkjobsluder · · Score: 2, Insightful

      And for those that need Sendmail/qmail/Postfix/whatever, how hard is it, really, to configure the MTA to send mail through the ISP server?

  63. Re:the virus dies if www.sco.com dies by Sj0 · · Score: 2, Funny

    Since this virus is an act of cyber-terrorism, could it be said that he's supporting the terrorists? Can we finally bomb utah?

    --
    It's been a long time.
  64. BBC let SCO vent Linux FUD unchallenged by Anonymous+Bullard · · Score: 4, Interesting
    A while ago I was listening to the BBC World Service radio when they suddenly broadcast a story about the SCO virus attacks, with the "exciting" issue of newsworthiness apparently being their US$250,000 reward for the head(s) of the script kiddies involved. Knowing SCO I smelled a rat and sure enough, SCO's Sonntag was allowed to turn the radio interview into an extended rant against Linux and the whole open-source model while "reaffirming" their ownership of the platform!

    I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the groklaw.net website as well.

    I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.

    --

    Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

  65. Re:Why OT by Daengbo · · Score: 2, Interesting

    The plural for air is "airs." Of course, you have to be referring to different kinds of airs, just like any collective noun, e.g. fishes.

  66. Re:Way OT by SlightOverdose · · Score: 2, Insightful

    /me double checks what language he speaks

    "English"

    oh. Wow. English != Latin.

    Just because a word is wrong in Latin doesn't make it wrong in English. New words are made up every day and accepted into normal speech. Most of these words don't have Latin roots.

    More specifically, a word is only a phonetic way of transferring information. If a significant number of people use a word and know what it means, that word has correctly transferred this information, and therefore is correct regardless of whether some anal language nazi thinks so.

    I always have and always will say Virii. Most people I know say Virii. Therefore, Virii IS a valid word, even if it is only slang, like Boxen or scr1pt k1dd33.

    Thank you and goodnight.

  67. Anybody else notice by Overphiend · · Score: 2, Interesting

    SQL Slammer came out a day less than a year before this one.

  68. Re:take the high road by Bruce+Perens · · Score: 2, Funny

    What? You haven't been to groklaw to read the evidence? Perhaps you should do your homework.

  69. From Russia with Love by surfsalot · · Score: 2, Funny

    I'm sure we could find some poor russian in siberia who would gladly accept say... 5k USD to sell one of their family members into the luxury of a US jail system. Plus we'd get to milk SCO for 250k... I like this plan. We'd probably also have to pay off an official "investigator" to forge some data, but it seems worth while... probably still come out 200k up for our side...