More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

Off Track

[andyrut]

It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

Re:Off Track

[B'Trey]

It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of it's progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

This is, of course, a worse case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.

Re:Off Track

[FortKnox]

Target Microsoft systems and leave Linux machines alone.

I'm no hacker, but I do have a technology background, here. Most worms and virii are windows based. Most exploits that are found are windows based. Making a linux worm is tough and hard, because not many people have the desire to go into the inner workings of the kernel and find exploits, not to mention that most linux users are smart enough to figure out when they have an attachment by a random person not to open it. Windows users could be a software engineer FBI agent... but it could also be grandma melba. Seeing as most virus writers don't use a multiplatform language like java to write their virii, I'm thinking windows is the best option for destruction if you get your kicks off by that.

To say its because he's trying to frame linux users, or is a linux user just cause of it being a windows worm is pretty absurd.

Re:Off Track

[southpolesammy]

As I said a couple of days ago, the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.

Re:Off Track

[Jonathan+the+Nerd]

How dumb do you have to be to actually think this malware was created by Linux zealots?

How dumb do you have to be to infuriate the entire Open Source community by claiming you own Linux and trying to license it for $699 per CPU?

Re:Off Track

[pegr]

I certainly hope the author wasn't a Linux zealot trying to harm SCO.

Especially when they're doing such a fine job all by themselves! ;)

Re:Off Track

[vanyel]

I certainly hope the author wasn't a Linux zealot trying to harm SCO.

Indeed. Personally, I think the Open Source community should set up a fund to add to the reward SCO is offering because of the black eye it gives the community if he was.

Re:Off Track

[LnxAddct]

Why is everybody looking at this so negatively? I've got tons of people finally talking to me about what this Linux thing is that they've heard me mention and that they saw in the news paper today. In the past 3 days I've gotten probably about 40 people interested in Linux who had never known about it before. Most are corporate types too. These are people that barely know what a harddrive is for, and here I am explaining not only what Linux is, but the whole Open Source movement and how great it is. This is great publicity! Didn't anyone ever hear "Any publicity is good publicity." ? The media finally has their story straight about what scum SCO is and I'm seeing Linux on the front page of my local newspaper ! This is great for the community. Linux is in the press and the media is making a mockery of SCO, and people are finally interested in Linux that never would have been before. And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.
Regards,
Steve

Re:Off Track

Just key stroke loggers?

Back during the summer there was a Wired article on a spam operation which claimed to be running a network of over 450,000 computers - on trojaned systems. They are/were used to send spam. They are/were used to host the spamvertized sites (most likely proxies fetching the pages from a central location). They are/were used to host the nameservers for the operation's domain names. They are/were used to run DDoS attacks against anti-spam groups (SPEWS, abuse.net, spamhaus, etc.).

At least one (Russian) operation is still doing this. Check where the nameservers for oem-sale.biz are. Check where the host www.oem-sale.biz is. All on home user machines.

Why do I say Russian? It used to be they hosted the spamvertized websites on trojaned home user machines, but used hacked commercial (not home user) systems for the nameservers. Usually only two (commercial systems are less easily taken over) and sometimes they went down and they were left with using their own nameservers (from which the others fetch the data) in Russia.

And ... try one of the purchase links at www.oem-sale.biz (pirate software - another vector, for if you get this operation's provided software, an operation running on trojaned machines, would you install it?). Say,
http://www.oem-sale.biz/cgi-bin/order.pl?iid =12&mi d=2
and watch carefully what happens.

HTTP/1.1 302 Found
Location: http://82.196.65.37/cgi-bin/c/check.pl?iid=12&aid= [varies]&mid=2

And that gets a new redirection:

HTTP/1.1 302 Found
Location: http://oem-sale.biz/cgi-bin/order.pl?iid=12&aid=[v aries]&mid=2&ipaddr=[victim's_IP_address]&ipaddrdc =[tracking_tag]

One bounces off, for a moment, a Russian site which logs the victim's IP address and changes the URL for the purchase to include that and their tracking tag.

Now, of course, if the registrars knew they were inserting the addresses of hacked systems in the root servers as nameservers for domains running on hacked machines they would ... what?

Continue to do so, as long as they get paid.

domaindiscover and directi.com are the registrars and complaints about their assisting on this attack on the internet, and complaints to ICANN about their registrars claiming that this support of hackers is "accredited" (by ICANN) activity since they are "accredited" registrars ... well, this has been going on for quite awhile. ICANN has been informed, directi and domaindiscover have been informed and on and on it goes.

(nameservers running on hacked systems in the domain morozreg.biz: registrar domaindiscover

oem-sale.biz, registrar directi.com

and they know, have been informed over and over and over and over ...)

If this is a professional spam operation which created MYDOOM, I would guess the goal is not so simple as key-stroke loggers but to have a bullet-proof network of their own, running on trojaned machines, which could only be stopped by actions by registrars who would block it along with ISPs who would be proactive in helping keep secure their users so those machines are not used to send spam, host spamvertized web sites, run nameservers for spam operations, assist in DDoS attacks, etc.

Once they have such a network, I doubt they will be satisfied only to use it to send spam or grab data with key-stroke loggers.

Folks over in news.admin.net-abuse.email are fed up with directi.com and domaindiscover knowingly assisting in this abuse of, and attack on, users and hiding behind their "accredited" status.

Re:Off Track

[LittleBigLui]

...free software community offer a bounty

I offer 15 lines of code. From System V. :)

McBride interview

[BWJones]

I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

Re:McBride interview

[vladkrupin]

I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.

Re:McBride interview

[haystor]

Bah!

The virus is closed source and runs on Windows. It clearly has nothing to with the GNU/Linux.

Hehe, insert joke about BSD catching a virus...

Re:McBride interview

[Vagrant]

SCO is the dark side of the open source movement.
Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."

Re:McBride interview

[ananke]

Ironically, open source seems to be helping to stop that. Here's my story:

I use mailscanner [sendmail wrapper] with clamav [opensource antivirus engine]. Clamav was one of the first engines that had definitions for the first mydoom worm. We started catching mydoom around 4:00PM EST, and none have gotten through to our windows workstations.

Thanks to open source, we were able to prevent from contributing to the spread of this worm. So to sum it up: thanks to the clamav folks, and thanks to open source.

Re:McBride interview

[Popageorgio]

Darth: "I am your father."
Linus: "Hell no, you're just a desperate old fart who's jealous of my DNA and wants to take some credit for it."
Darth: "Shit."

It's another case against OS monoculture

[Eyah....TIMMY]

It was covered last week.

Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.

Re:It's another case against OS monoculture

[sheriff_p]

You can read a good rebuttal against the 'MONOCULTURE IS DEATH' argument here:

http://www.virusbtn.com/magazine/archives/200312/m onoculture.xml

written by someone who actually knows a little about malicious mobile code :-)

In addition, not instead of

[allism]

The B variant targets both Microsoft and SCO.

Am I the only one?

[CGP314]

place where nobody gives a wet slap

Anyone care to clarify what a wet slap is?

--
In London? Need a Physics Tutor?

American Weblog in London

I wish all mail admins..

[grub]

.. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

Re:I wish all mail admins..

[forevermore]

would TURN OFF those blasted "Your mail has a virus!" auto-replies

I agree - I've taken to replying to them in person, telling them of all the useless traffic they're making. Then again, I've only received one so far.

On the other hand, I really wish that Amavis would respect its "locals" settings and when set not to reply to offsite addresses, NOT to respond to offsite senders. What the heck is an offsite recipient, anyway? If they're getting mail on my server, they're local. It's the senders that I care about being offsite, not the recipients.

Security could be easily enhanced

[Samuel+Duncan]

Two steps:

• Make bad system adminstrators personally responsible for the damages they create by not fixing security holes.
• Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson.

Re:Security could be easily enhanced

[Flower]

*sigh*

No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is setup to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them everytime they try to open some random shiny thing.

And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

That soundbite of yours starts getting a little hollow now doesn't it?

Proof of who's lying

[Saven+Marek]

I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating

Please Remember!

[Bruce+Perens]

Excerpted from perens.com/SCO/DOS/, this bears repeating.

It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

• Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
• Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
• Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and explain to them your own experience as a participant in the Free Software community.
• Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org is an excellent example of how to carry this out.
• Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

Remember that your actions count. You are ambassadors of our community.

Re: Please Remember!

[Flower]

I probably rank right up their with all the other SCO haters. I'm on GrokLaw everyday and chip in when I can by transcribing documents but I'd never cheer on MyDoom. The stupid thing, because of the damage it's doing (and it is damage), brings an emotional reaction to the SCO debate which undermines all the good arguments the community has developed. Even if it was developed in Russia, cheering it on because it will DDoS SCO just provides SCO and industry analysts more junk to bring up rather than focusing on the real issues.

I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.

It's interesting

[nil5]

if this is not a more effective form of economic terrorism, I don't know what is. These worms seem to cost US companies millions if not billions of dollars, and they're probably not so difficult to develop either.

With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?

Not to condone writing worms....

[phaetonic]

Wouldn't it be ironic if a worm were to DDoS slashdot.

Re:Not to condone writing worms....

[pyros]

don't you realise that slashdot is a DDoS worm?

I don't find the fast reactions unbelievable...

[Coocha]

... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiences unheard-of downtimes as well.

Re:I don't find the fast reactions unbelievable...

[back_pages]

Or some tiny cog in the beaucracy with an old copy of the mailing list ran the attachment. It's probably very difficult to say at this point. I know that I should be on the financial aid listserv that has apparently been comprimised, but only since last fall, and I've only been sent the virus about 30 times. Most of those were from individual's email accounts (which could have been spoofed) but still it sounds to me like some luser had a copy of an old mailing list otherwise I would have received many more emails.

Some VT students who have been here longer said they've received the virus on average twice per minute for the last 36 hours. Ouch? Dumb user, no doubt, but I wouldn't yet conclude that it was some mission critical machine that was comprimised.

Huh?!

[pclminion]

Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

The fallacious logic here astounds me. Wait, no it doesn't.

Linux users

[gid13]

From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...

Does Andy work at SCO

[jaymzter]

A report covering F-Secure's work on the virus reveals this interesting comment imbedded in the virus:

Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator

My tinfoil hat says it's some poor guy at SCO!

Bravo!

[Dman33]

Not to mention all of the scared users calling the helpdesk insisting that they are infected.

"Dude, you are using PINE! You are NOT infected!!!"

If I've said it once . . .

[Leroy_Brown242]

I've said it a thousand times.

1. Mutt
2. Spamassassin
3. Greylisting
4. Profit!

If it weren't for /., I'd have never noticed.

The new payload is to DDoS MS

[dupper]

All right, it's clearly one of us. 'Fess up, J. Random Slashdotter.

Also, you forgot to make an RIAA variant, dumbass!

Of course it wasn't some malicous Linux user

[bogie]

This was some criminal capitalizing on the Hot topic of the Linux vs SCO debate. If this worm has targeted the whiteshouse.gov site you've have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.

How to filter the worm:

[Saint+Aardvark]

From a posting on the SecurityFocus Incidents mailing list:

------- Forwarded message follows -------
From: lsi <stuart cyberdelix net>
To: focus-virus securityfocus com
Subject: how to filter the Novarg virus
Send reply to: stuart cyberdelix net
Date sent: Wed, 28 Jan 2004 17:35:57 -0000

I have devised a near-bulletproof Novarg filter.

The following regular expressions trap this virus dead, no matter
what subject line, message body, or filename it uses:

If expression body matches "UEsDBAoAAA*" Move [virus folder]

If expression body matches "TVqQAAMAAA*" Move
[virus folder]

This is because the worm is in fact the same program with many
disguises. However the program looks the same when encoded with
MIME. Therefore, the above are basically 'MIME sigs' which work just
like a virus signature in a regular virusscanner.

So to find it we merely filter on the MIME strings above, which are
the first 10 bytes of the MIME content section.

For users without enterprise-class content filters (such as me),
these two regexp's work like a silver bullet.

(That two different sigs are required suggests there are two versions
of the virus in circulation.)

No silver bullet for auto-notification messages, unfortunately :(

Stuart

------- End of forwarded message -------

Isn't It Ironic - Don't You Think?

[BigBlockMopar]

Here's a presentation (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.

How ironic is that? Someone who allegedly knows something about network security, who insists on providing presentations in a format which:

• promotes the very monoculture about which he speaks (noting that Microsoft doesn't offer a PowerPoint reader for Linux)
• allows the embedding of executable content which could be (and has been) used to carry malicious code

Fine, use PowerPoint for the presentation. But damn well save the slides as HTML, Acrobat, plain text, etc. for public downloading and consumption.

At my university, the only department which saved all lecture notes, etc in proprietary format (and continues to do so!) was the very one which should know better: Systems and Computer Engineering. It's really pathetic.

what makes you think that people in Russia

[meshko]

do not follow the SCO lawsuite?
Fuck, I'm pissed of more than usualy about Slashdot editors.
If you were to read www.linux.org.ru you would notice that the site follows the suite pretty closely, sometimes more so than Slashdot.

Re:Off Trek

[NanoGator]

"It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible..."

I wouldn't rule out Romulan involvement.

but there's an open source version of the virus...

[commodoresloat]

Greetings. You have been infected with GNU/MyDoom, a destructive anti-SCO virus brought to you by members of the open source community. In order to get this virus to infect your system properly, you will need to use wget to download mydoom-config-2.4.6 from one of the usual mirrors. Be careful; this version of the virus is not compatible with versions of mydoom-config prior to 2.4.4. After you have downloaded the config tools and issued the usual incantations (./configure; make; make install), you can configure the virus from any directory simply by typing sudo mydoom-config -ort [your login id] [your current IP address] [full path to your email client] [interval since last kernel rebuild in seconds]. This virus is licensed under the GPL. If you have any questions, be sure to RTFM, the docs are installed at /usr/share/info/mydoom and all your config files are stored at ~/.mydoom.

p.s. yes, it's an old joke, but still, you know you laughed....

McBride is cunning

Oh and I just realized. The reason why SCO could seem to be so stupid:

Disgruntled SCO Employee: This company is going down the tubes. If I stay here much longer I'll never find work again! I quit! *slam*

Darl McBride: Damn! We just lost our last programmer! What are we going to do now?

Grand Vizier: *rubbing hands together* Well, now I suggest we go to the very salt of the earth...To the spammers!

McBride: Wha? What the hell are you talking about?

Mr. Burns: Obviously our only course of action is to utilize the dark side of the force. We must make those young linux whippersnappers look bad by making a virus that seems to target our own servers!

McBride: Brilliant! We'll make it look like those linux communists are trying to destroy our legitimate business! Make it so!

Mr. Burns: Eeeexcellent.....

Thus goes the story I heard from a passing lunatic...

Social engineering for Sysadmins

[ericspinder]

Throwing the authorities off-track might have been the idea, but I think that it JUST MIGHT have been an attempt at social engineering aimed at the sysAdmins and virus hunters.

Just think, you are one of the first hunter to see the virus. You examine the code, and "Damn, their going after SCO, COOOOOOOOLL, I hate those bastards, I'm not reporting it". Or a sys admin at an email gateway. Most guys are real pros but maybe, just maybe a few took a little extra time...

They say that it's one of the fastest spreading Virus to date, perhaps targeting SCO was the bump it needed.

Ingenious my arse

[Chuck+Chunder]

Didn't blaster target the wrong address for Windows Update?

DDOS a website that probably gets about 10 interested visitors a day anyway?

Personally I'm surprised at the lack of damage these things do. Our systems and people are apparently wide open to these things. Blaster and MyDoom should be viewed as warning shots. It's only going to be a matter of time before someone writes something that infects, spends 2-8 hours propagating itself and then nukes the system it's living on, causing real widespread damage rather than minor annoyances.

Re:Ingenious my arse

[zcat_NZ]

I think they're _stupider_ than that..

nimda was supposed to attack whitehouse.gov, but used a hard-coded IP address and tested it first. The admins changed the address from (iirc 198.137.240.91 to 198.137.240.92, trivially avoiding the DDoS.

sobig attacked www.windowsupdate.com, an almost totally useless 'typo redirect' on a completely unrelated subnet, not windowsupdate.microsoft.com, the site where everyone gets their windows updates from. To avoid the 'attack' Microsoft just switched the DNS for windowsupdate.com off, and nobody even noticed. They also akamai-cached all of microsoft.com at the same time, although this was likely planned a month or so beforehand and completely coincidental. It certinly wasn't necessary, since the DDoS attack was never aimed anywhere near microsoft.com. And it totally confused most of the press who had no idea that "windowsupdate.com" was NEVER the actual windows update site.

Early analysis of MyDoom suggests that it resolves www.sco.com but doesn't try to connect, even when the machine clock is set forward. Not even once. That makes for a fairly unimpressive DDoS.

This one?

[ebbomega]

To: Luser (whoever@blah.com)
From: Hax0r (jeffk@somethingawful.com)
Subject: *nix virus

This is the only known Virus that works on all *nix systems. Please forward this to everybody on your list and delete all the files on your harddrive. Thank you.

(Or something to that effect)

Stawin-A Trojan

[sharp-bang]

Sophos has intercepted a new trojan called Troj/Stawin-A that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.

Re:Stawin-A Trojan

[johnmc]

Make that Troj/Stawin-A..
There was a typo in the URL

A million zombied machines for anyones use

[codepunk]

Read the following....extremely scary....

Listens on port 3127; accepts a maximum of 3 connections
at a time. If the first byte of the recieved data is
0x85, the DLL skips the next byte, then compares the next
dword read to 133C9EA2h; if this is true, it accepts
the executable from the sender, downloads it to a temp
file/directory and runs it.

Re:A million zombied machines for anyones use

[mabu]

As soon as this information was known, the FBI should send agents to Worldcom, Sprint and all the other backbone providers with instructions to log all port 3127 traffic immediately.

Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.

I'm tired of this...

[verbatim]

I'm getting hundreds of these cute "you've got a virus" warning from mail servers around the world. They're all the same - We've found an infection in an email from you... except when you look at the headers of the original e-mail, it is plain as day that the e-mail never went through my mail server and just forged the e-mail address.

A header from the most recent example:

Received: from [200.223.39.59] (helo=writeopen.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlqLU-0007Hx-48
for brian@dwrees.co.uk; Wed, 28 Jan 2004 09:07:08 -0500

RAWR. I mean, seriously. RAWR. (writeopen.com is 69.0.209.130, btw).

I'm being flooded by this crap. I've managed to get a filter going that catches them, but it's still traffic that I have to endure. And I'm getting them from ISPs all over the planet. RAWR.

I'm betting that Martians are behind this

[Snork+Asaurus]

Earth has really been pissing Mars off lately:

1) Earth landed a multi-ship advance scouting party on Mars this month

2) An earth leader with a track record for aggression speculated in a speech about the resources that might be plundered from Mars

3) Earth announced that it was preparing a full scale manned invasion of Mars by 2050

4) SCO sent a letter demanding payment to Martian citizen Marvin, just in case he uses Linux in his Space Modulator

Who Said It'll Attack SCO? & A FUDworm?

[DynaSoar]

Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

If it turns out that the DDOS payload is inert:

Who was it that FIRST said it WOULD attack SCO, and how did they determine this? And who else quoted them without checking? (Not including normal media outlets, who'll quote anyone that can form a coherent sentence, if it'll fill white space.)

If this thing doesn't perform as advertised, what we are seeing is the first (purposeful or not) FUDworm. It definitely is spreading virus-like and causing traffic problems, but also it's spreading FUD, and using all of us as vectors. We will all have been infected with a socially engineered disease. If this is the case, it's a master stroke of psyops. If not, considering its success so far, its example will be repeated for this purpose.

Mydoom generates it's own recipients

[Net_Wakker]

Email for my domain is wildcarded, so it really doesn't matter that much what's in front of the @ and I'll get it.
The past 2 days I've received a shitload of Mydooms, and there's something funny going on. Mydoom will put common names in front of the @. I've started receiving viruses for brian@ and bill@ and claudia@ and fred@ and jerry@ and george@ and smith@ and and and. I even received one for debby@. What, she's doing my domain now?
I've also noticed that some of the "senders" are constructed the same way.

Possible test version hitting me. Anybody else?

[John+Walker]

In the discussion cited in the main article, the observation is made from disassembly of the payload:

Nicolas Brulez:
-----
from my quick and dirty analysis, its a thread that does the DDOS.
It has below normal priority, and it just does a GET.

GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"

This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)

I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.

I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control post, most aren't. (Of course, a test version may use a different port or none at all--I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).

Has anybody else seen this kind of traffic hitting their sites?

needs re-thinking

[aca]

In my opinion, I don't think it was a Linux fan that caused it.

Firstly, he attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated, it was a worm not a virus. Which means that the attack relied on 'social engineering' or 'human weakness' to succeed.

The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.

Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.

Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.

Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.

I think the REAL reason for this worm, was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targetting Microsoft. I still think the original motive remains the same.

Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.

People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurence of this worm. Industrial espionage has been around for a long-time, and we know that it happens. What's to prevent it worms or viruses being used in industrial espoinage? Especially when the internet is a lot more relevant to businesses today.

Version 2 commentary

[WebGangsta]

By now you probably have heard that there's a new version (MyDoom.B) that is also making it's way across the Internet, this time supposedly targeting Microsoft.

According to Symantec, this version now modifies your HOSTS file to try and disable the user from being able to reach antivirus websites.

Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?

Totally OT

[back_pages]

when I was an undergrad, a fun way for my friends and myself to amuse ourselves was to get really drunk (this makes it more amusing) and then cruise the schools intranet for dopes who had shared their entire hard drives on the network. We would do all sorts of bad things, but the best was defacing a person's Internet Explorer wallpaper.

In Win98, I believe the wallpaper filename was stored in win.ini (it doesn't appear to be so in Win2k and this seriously isn't interesting enough for me to look it up at the moment.) We would grab that file and take a peek. If they had an image suitable to be defaced, we would draw mustaches on everyone and draw little cartoon baloons saying stuff like, "UR COMPUTAR HAS EBOLA!!11" and then overwrite their copy of the file. If they had a stupid background, we'd find something funny to give them.

Between the sorely juvenile humor and the liquor, it was completely hilarious to us at the time. I was even called by the school's Computer Support Desk at one time to see if I knew anything about the rare computer virus the student computers had. And before anybody points out how childish and potentially criminal this was, let me say that it was childish and potentially criminal. We just screwed with people's wallpapers but we could have remotely deleted their entire hard drives. Educating the masses about computer security is a difficult task, but goddamn if drawing mustaches on people isn't funny.

SCO connection is a red herring

[budgenator]

The linked mailing-list at,Math.org reports the preliminary disassembly show that the worm only resolves the name SCO.com, and is unhappy if the name doesn't resolve. My guess is that have the name resolve shows the worm that an active internet connection exists, with out tipping it's hand too badly. In test environments the worm didn't attact SCO.com no matter what the computer's date was set to.

Re:SCO connection is a red herring

[jamesh]

The obvious solution then is to demand that sco remove the sco.com domain. It's the only decent thing to do.

my amazement is beyond comprehension

[CAIMLAS]

I can't believe this worm has been remotely successful. It's hard to believe that so many people are so incredibly stupid.

It's a bloody -attached- zip file, with a file inside it! People have been told for over a decade to NOT OPEN ATTACHMENTS. You'd think they'd catch on sooner than later.

This is all the more reason to strip all binaries from email at the server. Granted, then viruses would be linking to sites - but that'd be relatively easy to shut down, and wouldn't pose any significant threat.

Re:Way OT

[AJWM]

Why is the plural of virus viruses? One octopus and many octopi. One cactus, many cacti. Why not one virus, many virii?

Then why spell it with two 'i's? "Viri" would be correct by your example.

However, in the original latin, "virus" is a collective rather than singular noun (eg "snow" vs "snowflake", although the original meaning is more like "slime".) Perhaps whoever first applied the word to the infectious microscopic critters should have used "virum" as the singular (like "bacterium") in which case the plural would be "vira", but s/he didn't, so we're stuck with "virus" as the singular and an argument over "viri[i]"/"viruses" as the plural.

Personally I think it should be "viruses". You wouldn't say "many doofii", would you? It's "one doofus, many doofuses".

Quick Poll:

[KalvinB]

How many e-mail server admins here are running up to date anti-virus software so that they aren't contributing exponentially to this problem by allowing their clients to get these infected e-mails in the first place?

*raises hand*

Oh yes, and Hotmail over there.

These viruses can't infect Linux (yet) but that's no excuse not to run anti-virus software that kills off virus infected e-mails on your Linux servers so that they're not getting to "clueless Windows users" in the first place.

Ben

Port 25 blocking

[Awptimus+Prime]

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

That's not even worth mentioning. There is no good reason for the average user to need access to SMTP servers besides the one at their ISP.

Years back, when I did technical support, the ISP I worked for had just implemented such a filter. The number of spammers who used our services immediately found new ISPs. The only fallout were a few customers who needed email clients reconfigured for non-local mailboxes, as they were using the other ISPs smtp server.

I do recall a few knuckle-heads (NT4/Linux wannabe super geeks) whine excessively over the issue, as they felt some right of theirs had been infringed. Ignorance is bliss, I suppose.

For anyone who is considering Technical Support for a living, just hang up the phone as soon as you find out someone is from Boca Raton, Florida. I swear, everybody I've talked to from that place thought thought they were some guru, but usually had no clue. My point, if you are such a damn brilliant administrator, then you shouldn't be calling technical support whining about your messe d up copy of enduroo. ;-)

Back to the topic at hand, there is no excuse for any ISP who houses an smtp server to allow it's customers access to just anywhere on port 25. I know it's a subject that will cause some flames, but someone has to compensate for the insecure, broken nature of SMTP.

I welcome anything AOL or Microsoft can bring to the table concerning this matter. I definitely don't see the community doing anything about it except for yelling at people to add more filters. This does little in regards to the bandwidth costs and server time (not to mention my client's cpu time wasted filtering) associated with massive amounts of spam.

Re:Port 25 blocking

[phillymjs]

Most of the spam I get these days comes from SMTP-trojaned Windows boxes sitting on consumer broadband networks.

As I receive spam from these machines, I forward it to the appropriate abuse@ and add the enclosing netblock to my SMTP blacklist. I am slowly but surely shitcanning the customer IP ranges of every consumer broadband network in North America. Considering how uppity the broadband ISPs get when people "abuse" their allegedly-unlimited bandwidth, I'm astounded that they allow unpatched, zombied Windows boxes to just pump out thousands of spam messages.

Probably 98% of people with broadband have zero need or desire to access an SMTP server other than what is provided by their ISP. To that end, I wholeheartedly agree with you that port 25 on these networks should be restricted. The 2% who require less-restricted SMTP capability could be accomodated for a few bucks more per month, and the ISPs could probably add a "one strike and you're out" policy-- account termination upon the first proven complaint about spam originating from the machine of one of those less-restricted SMTP users.

~Philly

BBC let SCO vent Linux FUD unchallenged

[Anonymous+Bullard]

A while ago I was listening to the BBC World Service radio when they suddenly broadcast a story about the SCO virus attacks, with the "exciting" issue of newsworthiness apparently being their US$250,000 reward for the head(s) of the script kiddies involved. Knowing SCO I smelled rat and sure enough, SCO's Sonntag was allowed to turn the radio interview into an extended rant against Linux and the whole open-source model while "reaffirming" their ownership of the platform!

I immediately clicked on the feedback link on the BBC website and let the editors know how lopsided and unreasonable their reporting actually was, pointing them to the groklaw.net website as well.

I have considerable experience in attempting to correct misrepresented facts in the media and know that it is often quite hopeless, but if enough people do it and give some proper backing to their arguments perhaps some of the damage can still be repaired.