Slashdot Mirror


More MyDoom Gloom

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

18 of 730 comments

  1. Off Track by andyrut · · Score: 5, Insightful

    It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

    While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

    Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
    MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

    1. Re:Off Track by southpolesammy · · Score: 5, Insightful

      As I said a couple of days ago, the primary goal of this worm is not to DDoS SCO, it's to cause a big amount of traffic and noise in order to quietly install keystroke loggers in hopes of obtaining bank account numbers and passwords and be able to send that data back to some collector site without being seen due to the massive network jam.

      It's a classic misdirection tactic that criminals use all the time to slip past unnoticed. Get people to look somewhere else while you do your dirty work sight unseen.

      --
      Rule #1 -- Politics always trumps technology.
    2. Re:Off Track by Jonathan+the+Nerd · · Score: 5, Funny
      How dumb do you have to be to actually think this malware was created by Linux zealots?

      How dumb do you have to be to infuriate the entire Open Source community by claiming you own Linux and trying to license it for $699 per CPU?

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    3. Re:Off Track by pegr · · Score: 5, Funny

      I certainly hope the author wasn't a Linux zealot trying to harm SCO.

      Especially when they're doing such a fine job all by themselves! ;)

    4. Re:Off Track by LnxAddct · · Score: 5, Interesting

      Why is everybody looking at this so negatively? I've got tons of people finally talking to me about what this Linux thing is that they've heard me mention and that they saw in the newspaper today. In the past 3 days I've gotten probably about 40 people interested in Linux who had never known about it before. Most are corporate types too. These are people that barely know what a hard drive is for, and here I am explaining not only what Linux is, but the whole Open Source movement and how great it is. This is great publicity! Didn't anyone ever hear "Any publicity is good publicity"? The media finally has their story straight about what scum SCO is and I'm seeing Linux on the front page of my local newspaper! This is great for the community. Linux is in the press and the media is making a mockery of SCO, and people are finally interested in Linux that never would have been before. And when you are talking to them about Novarg/MyDoom, don't forget to mention that it doesn't affect Linux.
      Regards,
      Steve

  2. McBride interview by BWJones · · Score: 5, Insightful

    "I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

    Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

    --
    Visit Jonesblog and say hello.
    1. Re:McBride interview by haystor · · Score: 5, Funny

      Bah!

      The virus is closed source and runs on Windows. It clearly has nothing to do with GNU/Linux.

      Hehe, insert joke about BSD catching a virus...

      --
      t
  3. I wish all mail admins.. by grub · · Score: 5, Insightful

    .. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

    --
    Trolling is a art,
  4. Proof of who's lying by Saven+Marek · · Score: 5, Interesting

    "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code.

    So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating.

  5. Please Remember! by Bruce+Perens · · Score: 5, Insightful
    Excerpted from perens.com/SCO/DOS/, this bears repeating.

    It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

    Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

    • Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
    • Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
    • Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net and elsewhere, and explain to them your own experience as a participant in the Free Software community.
    • Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org is an excellent example of how to carry this out.
    • Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

    Remember that your actions count. You are ambassadors of our community.

  6. I don't find the fast reactions unbelievable... by Coocha · · Score: 5, Informative

    ... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple of routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiencing unheard-of downtimes as well.

    --
    May the threads progress competently.
  7. If I've said it once . . . by Leroy_Brown242 · · Score: 5, Informative

    I've said it a thousand times.

    1. Mutt
    2. Spamassassin
    3. Greylisting
    4. Profit!

    If it weren't for /., I'd have never noticed.
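Greylisting, the third item in the list above, is the one step that works against a worm's own mail engine rather than against message content: the MTA answers the first delivery attempt for an unseen (client IP, sender, recipient) triplet with a temporary SMTP failure, and accepts only a retry that arrives after a delay. A real mail server queues and retries; a fire-and-forget engine that forges a fresh sender for every message never comes back, so nothing it sends is accepted. The simulation below is an added example, not code from the comment or from any greylisting implementation; the timing constants, the address book and the assumption that the worm engine does not retry are all constructed for illustration.

```python
from dataclasses import dataclass, field

DEFER_SECONDS = 300        # minimum wait before a retry of a triplet is accepted
RETRY_WINDOW = 4 * 3600    # a deferred triplet is forgotten if not retried within this window


@dataclass
class Greylist:
    """Minimal greylisting policy keyed on the (client IP, sender, recipient) triplet."""
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    allowed: set = field(default_factory=set)     # triplets that have passed

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'accept', or 'defer' (the MTA would answer with a 451 temporary failure)."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.allowed:
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            # Never seen, or seen so long ago that the record expired: start over.
            self.pending[key] = now
            return "defer"
        if now - first >= DEFER_SECONDS:
            # A genuine retry after the minimum delay: remember and let it through.
            self.allowed.add(key)
            del self.pending[key]
            return "accept"
        return "defer"   # retried too quickly, keep deferring


def simulate():
    """Constructed scenario: one well-behaved MTA and one worm-style sender."""
    gl = Greylist()
    # Legitimate MTA: deferred on the first try, retries after ten minutes, accepted.
    first_try = gl.check("198.51.100.7", "alice@example.org", "bob@example.net", 0)
    retry = gl.check("198.51.100.7", "alice@example.org", "bob@example.net", 600)
    # Worm-style direct-to-MX engine (assumption: it never retries): every message
    # comes from a different host with a different forged sender, so every triplet
    # is new and every attempt is deferred; none is ever delivered.
    worm = [gl.check(f"203.0.113.{i}", f"user{i}@forged.example", "bob@example.net", 10 * i)
            for i in range(5)]
    return first_try, retry, worm


if __name__ == "__main__":
    first_try, retry, worm = simulate()
    print("legitimate MTA:", first_try, "then", retry)
    print("worm engine attempts:", worm)
```

Production greylisters also whitelist known-good relays and large providers that retry from a different IP than the one that first connected, which this toy version does not handle.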

  8. Stawin-A Trojan by sharp-bang · · Score: 5, Informative

    Sophos has intercepted a new trojan called Troj/Stawin-A that installs a keystroke logger, captures data related to financial institutions, and sends it back to a Russian e-mail address.

    --
    #!
    1. Re:Stawin-A Trojan by johnmc · · Score: 5, Informative

      Make that Troj/Stawin-A..
      There was a typo in the URL

      --
      -- johnmc.
  9. Possible test version hitting me. Anybody else? by John+Walker · · Score: 5, Interesting
    In the discussion cited in the main article, the observation is made from disassembly of the payload:

    Nicolas Brulez:
    -----
    from my quick and dirty analysis, it's a thread that does the DDOS.
    It has below normal priority, and it just does a GET.

    GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n
    -----

    This is very interesting, because my site has been under a broadly based but inexplicably benign apparent DDoS attack which is bombarding my site with precisely such requests (obviously www.fourmilab.ch, not www.sco.com) at a rate of just one hit from each IP every four minutes. (This rate is not absolutely consistent, and some seem to be running multiple copies of the requester, each hitting every four minutes.)

    I've been watching this and running analyses since it became obvious something was up and have posted an incident report page on my site which I'm updating as things develop. Bottom line, the apparent attack appears to have reached equilibrium with a total of 2894 different IP addresses hitting my site since the outbreak, with the hit rate following a diurnal pattern (there's a chart in the incident report) which peaks at around 20,000 hits per hour from on the order of 1000 different hosts at 20:00-21:00 UTC every day.

    I'd previously concluded this probably had nothing to do with MyDoom. Although a few of the hosts hitting me are listening on the MyDoom remote control port, most aren't. (Of course, a test version may use a different port or none at all--as I discuss in the document.) But the fact that the hits are precisely the same--a simple request to the home page--makes me wonder. All of these sites hitting me request only the "/" page (which at my site is just a <frameset> container, which any browser would follow up with hits on the content frames).

    Has anybody else seen this kind of traffic hitting their sites?
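The traffic pattern described in the comment above (bare "GET /" requests, one per source every few minutes, from thousands of hosts following a daily cycle) is something a web administrator can pull out of an ordinary access log without any special tooling. The script below is an added example and not the commenter's analysis or code: it parses constructed Common Log Format lines (not real traffic from www.fourmilab.ch), counts distinct sources and hits per hour, and flags sources that only ever fetch the home page at a near-constant interval. The 240-second period, the 15-second tolerance and the three-hit minimum are assumptions chosen to match the rate the comment reports.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in Apache Common Log Format; not real traffic from the
# site in the comment. 10.0.0.1 and 10.0.0.2 request only "/" roughly every
# 240 s, while 10.0.0.3 behaves like an ordinary browser session.
SAMPLE_LOG = """\
10.0.0.1 - - [29/Jan/2004:20:00:05 +0000] "GET / HTTP/1.1" 200 512
10.0.0.3 - - [29/Jan/2004:20:00:30 +0000] "GET / HTTP/1.1" 200 512
10.0.0.3 - - [29/Jan/2004:20:00:31 +0000] "GET /nav.html HTTP/1.1" 200 880
10.0.0.2 - - [29/Jan/2004:20:01:10 +0000] "GET / HTTP/1.1" 200 512
10.0.0.1 - - [29/Jan/2004:20:04:06 +0000] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [29/Jan/2004:20:05:09 +0000] "GET / HTTP/1.1" 200 512
10.0.0.1 - - [29/Jan/2004:20:08:04 +0000] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [29/Jan/2004:20:09:11 +0000] "GET / HTTP/1.1" 200 512
10.0.0.3 - - [29/Jan/2004:21:15:02 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# host ident user [timestamp] "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_log(text):
    """Return (ip, timestamp, method, path) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        records.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path))
    return records


def distinct_ips(records):
    """Number of different source addresses seen."""
    return len({r[0] for r in records})


def hourly_counts(records):
    """Hits per hour, keyed like '2004-01-29 20:00'; plotting these shows a diurnal pattern."""
    return Counter(r[1].strftime("%Y-%m-%d %H:00") for r in records)


def suspect_ips(records, path="/", period=240.0, tolerance=15.0, min_hits=3):
    """Sources that only ever fetch `path`, at least `min_hits` times, with a median
    gap between hits within `tolerance` seconds of `period`. Returns ip -> median gap."""
    by_ip = defaultdict(list)
    for ip, ts, _method, p in records:
        by_ip[ip].append((ts, p))
    found = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits or any(p != path for _, p in hits):
            continue   # too few hits, or a real session that fetched other pages
        times = sorted(ts for ts, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps)
        if abs(gap - period) <= tolerance:
            found[ip] = gap
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("distinct IPs:", distinct_ips(recs))
    for hour, n in sorted(hourly_counts(recs).items()):
        print(hour, n)
    for ip, gap in sorted(suspect_ips(recs).items()):
        print(f"{ip}: home page only, median gap {gap:.1f}s")
```

On a live server the same functions can be fed the real access log; the timing filter is what separates a bot that polls on a timer from a browser, which follows the home page with requests for its frames and images.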
  10. needs re-thinking by aca · · Score: 5, Interesting

    In my opinion, I don't think it was a Linux fan that caused it.

    Firstly, the attack was not technologically sophisticated, in that it required exploiting a weakness in the operating system. The style of the attack was conceptually sophisticated: it was a worm, not a virus, which means that the attack relied on 'social engineering' or 'human weakness' to succeed.

    The exploit however was quite creative. It was multi-faceted, even doing a DDOS on 'www.sco.com'.

    Personally, I suspect that the creator and the executor of this worm may be two different persons altogether. Most importantly, the one ultimately responsible for the worm's spread and impact on the internet is not a Linux fan.

    Linux users, ones that are capable enough to create such a worm, would more likely be above average intelligence. They would know very well, the consequences of DDOS'sing SCO's web-site, and that these consequences will most definitely be extremely detrimental to Linux. They would also know very well that a DDOS of SCO's web-site is almost a trivial thing to fix, and doesn't help in reducing SCO's position in any way.

    Other than making SCO spend some money to rectify the DDOS, and preventing some of SCO's limited customer base from accessing SCO's web-site, it doesn't do relatively much harm to SCO (as compared to finding a back-door or hole into SCO's internal network). There is no real motivation for a Linux fan to carry out a DDOS on SCO's web-site.

    I think the REAL reason for this worm was for a 'frame-up'. It coincides with the conceptually sophisticated thinking as evidenced in its style of attack. I think the real reason was to *help* SCO and Microsoft, because both of these entities have the most to gain from it. Even with the recent 'b' variant of the worm targeting Microsoft, I still think the original motive remains the same.

    Either that, or we're dealing with an extremely shallow and stupid 'Linux fan', which I very highly doubt.

    People reading this may start having this thought of 'oh, another conspiracy theory...', but I would ask readers to carefully think about the obvious and carefully consider the occurrence of this worm. Industrial espionage has been around for a long time, and we know that it happens. What's to prevent worms or viruses being used in industrial espionage? Especially when the internet is a lot more relevant to businesses today.

  11. Version 2 commentary by WebGangsta · · Score: 5, Interesting
    By now you probably have heard that there's a new version (MyDoom.B) that is also making its way across the Internet, this time supposedly targeting Microsoft.

    According to Symantec, this version now modifies your HOSTS file to try to stop the user from reaching antivirus websites.

    Among other entries in the HOSTS file are Doubleclick, FastClick, and some other advertising-related companies. Should I be concerned or happy that the virus may make surfing the web a little bit better by doing this?
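Because the HOSTS file is consulted before DNS, pointing a vendor's hostname at 127.0.0.1 or 0.0.0.0 silently breaks signature updates on that machine, and the same trick is what makes the advertising hosts the comment mentions disappear. Checking for it is simple: any hostname other than the standard localhost aliases that resolves to a loopback or unspecified address does not belong in a stock HOSTS file. The parser below is an added example, not code from Symantec or from the comment; the sample file is constructed (it is not the actual list of entries written by MyDoom.B), and the antivirus hostname in it is a placeholder under the reserved .test domain.

```python
import ipaddress

# Constructed sample modelled on what the comment describes; the real worm's
# entries are not reproduced here. Placeholder vendor name under .test.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0 www.example-antivirus.test   # constructed: blocks an update site
127.0.0.1 ad.doubleclick.net
127.0.0.1 www.fastclick.com
::1 localhost
192.0.2.10 intranet.corp.example   # legitimate static mapping, not flagged
"""

# Names that legitimately map to a loopback address on common platforms.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in a HOSTS file.
    Comments and blank lines are ignored; lines whose first field is not an
    IP address are skipped rather than raising."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def sinkholed_names(text):
    """Hostnames pointed at a loopback (127/8, ::1) or unspecified (0.0.0.0)
    address that are not standard localhost aliases: the signature of an
    HOSTS-based block of update or other sites. Returns (line, address, name)."""
    return [
        (lineno, str(addr), name)
        for lineno, addr, name in parse_hosts(text)
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK_NAMES
    ]


if __name__ == "__main__":
    for lineno, addr, name in sinkholed_names(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} (suspicious)")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix it is /etc/hosts. Every hit should be compared with what the administrator actually put there, since ad-blocking lists place entries of exactly the same shape.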

  12. Re:SCO connection is a red herring by jamesh · · Score: 5, Funny

    The obvious solution then is to demand that sco remove the sco.com domain. It's the only decent thing to do.