Slashdot Mirror


Author signs MyDoom virus

Mikoca writes "Information Week carries the story of how its author signed it "andy" and left the message "I'm just doing my job, nothing personal, sorry." Thanks, Andy!"

28 of 629 comments

  1. well.. by gl4ss · · Score: 5, Interesting

    "If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it."

    maybe he just got an offer he couldn't refuse...

    i'm sure somebody will say that darl had himself made that offer :)

    --
    world was created 5 seconds before this post as it is.
    1. Re:well.. by MaxiCat_42 · · Score: 2, Interesting


      'it's always Sophos'

      Mainly because they are small enough to have people with names working for them and their software is pretty good.

    2. Re:well.. by mark-t · · Score: 3, Interesting
      That's bullshit.

      He can always say no.

      Of course, he might be risking getting fired for saying it.

      Personally, I'd rather be unemployed than be paid by someone with the ethics to deliberately release software like this.

      Of course, where I live, I'd be paid a reasonable sum for turning the guy in (presumably there would be _some_ sort of paper trail that could be used as evidence... and if there wasn't, what reason would there even be to *START* on the project?). And that would give me some money to live on while I searched for a different job.

      Hmm... now that I think about it, how would this go in an interview...? "Why did you quit your last job?" "My boss asked me to do something that was illegal." You know... I have no idea how the interviewer might respond to that... I could see it going either way.

  2. Andy... sure! by 192939495969798999 · · Score: 3, Interesting

    I imagine lots of people in eastern bloc countries name their children "Andy". Plus, Andy is just a first name, it's not like s/he listed their home address or an IP or something like that. Still, it is interesting that they said this was just "their job"... organized crime hacking, perhaps?

    --
    stuff |
    1. Re:Andy... sure! by glesga_kiss · · Score: 2, Interesting
      I was just saying that you need to watch many groups, including the FBI. They over-inflate risks etc in order to get budget. Every interest group does this, from environmentalists to industrialists.

      No big conspiracy...

  3. Is this evidence? by joel2600 · · Score: 2, Interesting

    Perhaps this is the evidence that finally brings to light that people working for software and/or hardware corporations are writing viruses because many average computer users will never be able to get rid of them forcing them or encouraging them to buy new machines.

    Maybe Andy really is just doing his job!

  4. True ? by Samuel+Duncan · · Score: 0, Interesting

    Just because some fool edited "Andy" in the MyDoom binary, it doesn't mean that the real author is really called "Andy" or something like that. In fact the virus originates in Russia, so it's very unlikely that the author is really called Andy, but rather "Wolja", "Olga", "Oleg" or "Katjusha".
    I rather suspect that this is a trick from Soviet officials to draw attention from the fact that this piece of internet terrorism comes from Russia and that their security is beyond repair.

    --
    Over 90 years and counting !
    1. Re:True ? by dabadab · · Score: 4, Interesting

      "I rather suspect that this is a trick from Soviet officials the draw attention from the fact that this piece of internet terrorism comes from Russia and that their security is beyond repair."

      Jesus, are you trolling or is it just stupidity?
      First, there are no "Soviet officials" as the Soviet Union ceased to exist more than a decade ago.
      Second, it does very little to draw attention from the USSR - you know, the guy's name could be Andrej.
      Third, what do you mean by "their security"? It's MS's security that seems to be beyond repair, as Windows + Outlook is their product, not Russia's.

      --
      Real life is overrated.
  5. Quoted message wrong by Anonymous Coward · · Score: 5, Interesting

    The correct message in the executable is:

    "Andy; I'm just doing my job, nothing personal, sorry."

    My^H^HThe Authors Name is not "Andy", he just says "Sorry" to him :)

  6. movie quote? by Anonymous Coward · · Score: 3, Interesting

    people on fark were saying that the signature is a quote from the movie Ocean's Eleven.

    Haven't watched it though, so I'm not sure, and imdb's pages about the original and the remake don't have any memorable quotes similar to the MyDoom sig.

  7. Its all fake by Ilgaz · · Score: 2, Interesting

    There is no such "sign" on the virus, I don't understand how such a mag falls for such rumors...

    Some people at .il figured what that virus is and what it isn't

    http://www.math.org.il/mydoom-facts.txt

    Sorry I cleaned my browser history and forgot the post which leads to the URL on a mailing list.

    BTW thank God that virus, which spreads somehow that easy, wasn't Hybris ( http://securityresponse.symantec.com/avcenter/venc/data/w95.hybris.gen.html )

  8. Don't blame Andy! by Proudrooster · · Score: 5, Interesting

    Don't blame Andy. Blame all the idiots that ran his program. Andy's program doesn't exploit a network buffer overflow but requires a user to consciously run the program. Andy's program exploits ignorance and carelessness.

    I am just glad that Andy's attachment wasn't named "format_my_c_drive.exe" ... I know people who received the attachment, couldn't open it, and forwarded it to others to see if they could open it. Absolutely Amazing. I would like to thank Andy for helping us give the user community a wake-up call. I think Andy should include a license agreement in with his next version so that there isn't so much fuss.

  9. Andy Warhol by Zeinfeld · · Score: 5, Interesting
    The message appears to me to be addressed to Andy. I suspect it is an oblique reference to Andy Warhol and his '15 minutes of fame' comment after the assassination attempt.

    There are several reasons to suspect MyDoom is written to order besides the note. The original launch appears to have been from machines broadcasting the virus payload. That is why the virus suddenly came out of nowhere. The author must have expected this since the timetable for the SCO attack was pretty short.

    I suspect we will eventually discover that the MyDoom.B virus is launched by the same gang.

    The way to catch these guys is to look at the worst types of criminal spam out there - the Paypal, Citibank etc. impersonations that are intended to perform identity theft. I'll bet that one of those gangs sent the message. They have the resources to pay for bespoke hacking.

    Alternatively break into one of the spam sender forums and look to see if someone is retailing a new batch of 'owned' machines.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
    1. Re:Andy Warhol by Anonymous Coward · · Score: 2, Interesting

      The message appears to me to be addressed to Andy.

      If there's a comma "Thanks, Andy" then it is addressed from Andy. No comma, "Thanks Andy" would be addressed to Andy.

      Of course no one can expect a virus writer to know proper punctuation, so there's no way to know for sure. (at least it isn't "thank's")

  10. Signed "Andy" ? by hsoom · · Score: 2, Interesting

    I can't get to the story at the moment but this was already reported here on the 29th with regards to F-Secure's work. In the linked story it says that the message is "Andy; I'm just doing my job, nothing personal, sorry". This looks to me like the author is addressing the message to Andy, not signing the message as Andy.

  11. Organized crime and cracking/spam/ID theft? by swb · · Score: 4, Interesting

    maybe he just got an offer he couldn't refuse...

    With all the stories about viruses (like MiMail) being backdoors for spammers, how likely is it that organized crime has gotten involved in the computer crime business? It fits their uh, business model, pretty well -- lots of opportunity for stealing credit card info, bank info, etc. And it's not like Tony Soprano has to learn Visual Basic, either -- there's plenty of people who would do this on their own and sell stolen info to the Mob.

    One of the things they could do is start a generic programming business and hire a dozen or so coders and have them start working on a fairly generic database system. Have a manager type get to know them and figure out which might have money problems, drug problems or some other vulnerability. Once you get them 'snared', you can get them to write a trojan app, phishing site, what have you -- the Mob maintains arm's length deniability and reaps the profits.

    It's been widely reported that organized crime has been deeply entrenched in Wall Street and the securities industry -- how different is the securities boilerroom from a trojan/programming boilerroom? Maybe I'm naive and they've been at this since day one, but it wouldn't surprise me if it wasn't another white collar angle for organized crime.

  12. That's not his name by arsinmsn · · Score: 2, Interesting

    That's his employer.
    Parse it: "Sorry, everyone else, it was just a job. Thanks, Andy, & I hope the check is in the mail."

    The next question parallels the Avon fellow's "Who is Sylvia? What is she?"

  13. Brilliant! by Mephie · · Score: 2, Interesting
    "Our interpretation is that he's apologizing to the general public," Jimmy Kuo, research fellow at anti-virus software maker Network Associates Technology Inc., said Friday. "Our guess is that someone is paying him to write this thing."

    Jesus, ya-fuckin-think? What was it? When he said "sorry" or "I'm just doing my job?"

  14. Re:Server Dead... heres the story by Paul+Jakma · · Score: 2, Interesting

    The MyDoom virus launched a denial-of-service attack early Sunday that crippled SCO Group's Web site with hundreds of thousands of requests, an SCO spokesman said.

    Strange then that sco.com is working fine, as are their DNS servers. All they've done is pull the A records for their various www hosts, and according to netcraft www.sco.com seemed ok too until they pulled the DNS record.

    Surely SCO aren't hyping this up? Would be very atypical of them..

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  15. Re:HEY! Doom's ancestry? by timjdot · · Score: 5, Interesting


    Tried to search for more info and came across the 1992 Doom2 virus: http://www.sophos.com/virusinfo/analyses/doom2.html

    I am curious about these viruses. Are they "evolving" from older viruses? Seems like some fun research to find algorithms to track this evolution and predict/detect the next one.

    Any links?

    --
    Expect Freedom.
  16. Re:sorry for what by drinkypoo · · Score: 3, Interesting

    Plenty of people have been infected with MyDoom after saving and subsequently running the executable. Nice try though.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. I should post this AC by NtroP · · Score: 5, Interesting
    But I won't.

    This virus spread faster than anything I've ever seen to date - we "discovered" the virus on our system after one of our "brilliant users" forwarded an email to me that had a "clean" .zip attachment they couldn't open (they thought). I use a RedHat box as my primary workstation, so I wasn't terribly nervous about a .zip, but I ran f-prot and clamav against the file anyway and it did indeed come back clean. I re-ran the definition updates and it still came back clean.

    So I unzipped it and ran strings on it. The first things I saw were sync.c and all the .DLL's at the end of the file and I figured that it was a new virus. We immediately put a kludged filter in place on our email and went looking around the 'Net for some sort of announcement of this new virus - which we found on f-secure's web site. It was about an hour later that we were able to get a signature update for our anti-virus software on our mail server and about 6 hours later before we were able to get updates for our enterprise anti-virus software (I won't mention the vendor).

    We "caught" over 400 infected messages before we even had a signature for it. That was scary. But what scared me most was the thought that this could have been a "real" worm. MyDoom isn't very creative and not that harmful - making me think it was written by/for spammers, myself. But a few of my coworkers got to talking. What would have happened if this had a more creative payload and it spread via network shares as well? What if, instead of opening back doors (which made it very easy to nmap our networks for infected machines even before we had a "detection" tool) it just looked for all .xls files and randomly changed numbers. What if it then looked for .doc files and randomly added garbage, deleted words, or some other crap? How long would it be before people started realizing this was larger than just a file or two getting corrupted? By then these files have been backed up and/or forwarded to others as well.

    I remember several years back now there was a virus that replaced all .jpg files with copies of itself. It about ruined a friend of mine who was trying to start a "web design" business and had thousands of images, many custom made for his clients, destroyed in an instant. It devastated him (he does good backups now).

    If someone decided to get serious and release a worm with a (dare I say) "terrorist" payload, they could literally bring my company to its knees in a matter of seconds.

    Now before you go off half-cocked and yell at me for "giving people ideas", take a deep breath. Almost everyone in my office was thinking along the same lines. We were discussing ways to mitigate an event like this in our own enterprise and how we could block any spread out of our networks.

    We came up with the obvious: have good backups, but then we started to think about how to stop the spread out of our networks and realized that up till that point anyone could have an SMTP "server"/virus set up and send mail out. We now block ALL incoming and outgoing SMTP except the ones to and from our mail servers. We also don't allow POP or IMAP in or out except to our mail servers. If people want to check other accounts they can RPOP from our server - at least it will go through our virus and spam filters first.

    If more ISP's/companies did this, the spread of MyDoom would have been slower. But how do you mitigate the effects of having a virus "corrupt" all your documents? Even if you catch it right away and restore from last night's backups (after checking ALL your computers for infection) you still lose an entire day's worth of work for many departments. That's a big setback.

    MyDoom infected department heads and department "techie" people first because their users came to them with an attachment that they "couldn't open". The "techie" people explained later that they had their virus s

    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
    1. Re:I should post this AC by Helvick · · Score: 2, Interesting
      A number of comments:

      Speaking as an admin in a seriously large Windoze shop I'm astounded that an alert Linux admin can think it's a smart idea to actually do normal day to day things while running in a user context that has elevated privileges. Browse the web, read your mail and plugging into hostile networks are not things you should do while holding the credentials to the castle.

      Strip all attachments. No one really needs them.

      The platform as such won't stop stupidity. Dumb user Beth will still try to run the thing and enough Beths, Bobs and Biffs will succeed, particularly if almost everyone runs the same OS regardless of what it is. In any case if she can't HotDawg Admin will do it for her. See above.

      That aside though there is a real need for discussion of your core points. This general type of discussion is common where I work too but not common enough in "security circles". I'm surprised that we have never seen anything genuinely nasty and can only attribute that to a lack of a widespread understanding of large scale corporate/institutional systems or possibly the fact that none of the people doing this can see any money in that type of attack (yet). In any case the network share vector has been done but it's extremely effective - especially when a windoze virus infects files shared out from a Samba share, and in particular when Admins are careless about what they do when using a privileged account. DOS'ing a target is one thing but a blind DOS based on something like Slammer's exponential UDP spread attack would be lethal within corporate networks as a secondary payload. Denial of Service attacks against accounts (particularly machine accounts in Windoze environments) culled from LDAP queries would be an awful mess to repair, particularly combined with the last item. Do you have account lockout policies? How many accounts won't lockout? Can your directory service handle massive lockout replication traffic?

      Modifying content would need to be subtle to be really damaging in an enterprise environment - a generalised DOS intended to cripple homogeneous firewalled off zones would be a nightmare.

      And despite all this - we still allow users to pretty much do as they please with "their" PC's. Oh well. I'm just waiting, wont be long now.
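The triage the post above describes by hand (unzip the attachment, run strings, notice the source-file name and the DLL names at the end of the file), together with the "Andy; I'm just doing my job..." string discussed in comments 5 and 10, as an added example written for this page and not taken from the thread or from any vendor's tooling. The zip and the payload inside it are constructed stand-ins that reproduce only those traits; they are not the MyDoom sample, and the list of executable extensions and the 16-byte header layout assumptions are this example's own.

```python
import io
import re
import zipfile

# Extensions Windows executes on double-click (assumed list for this example;
# the post does not say which extensions the worm used).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# Constructed stand-in for the attachment. NOT the MyDoom binary: it only
# mimics the traits the post mentions (MZ/PE header, a source-file name,
# an embedded sentence, DLL names near the end of the file).
_FAKE_PAYLOAD = (
    b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little")  # e_lfanew at 0x3c -> 0x40
    + b"PE\x00\x00" + b"\x00" * 20                        # PE signature + COFF stub
    + b"\x00" * 64
    + b"sync.c\x00"
    + b"Andy; I'm just doing my job, nothing personal, sorry.\x00"
    + b"\x00" * 32
    + b"KERNEL32.dll\x00WS2_32.dll\x00USER32.dll\x00"
)

_DLL_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
_SRC_RE = re.compile(r"\.(c|cpp|h|asm|pdb)$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Build an in-memory .zip holding the constructed payload under a
    double extension, a common naming trick for mail-borne executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.zip.exe", _FAKE_PAYLOAD)
    return buf.getvalue()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings`: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def has_double_extension(name: str) -> bool:
    """'document.zip.exe' -> True; 'report.exe' -> False."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in EXECUTABLE_EXTS


def triage_attachment(zip_bytes: bytes) -> list:
    """Unpack a zip in memory and report, per member, the indicators the
    post's author looked for: PE header, source-file names and DLL names
    among the strings, plus any free-text sentence embedded in the binary."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            strings = extract_strings(data)
            imports = [s for s in strings if _DLL_RE.match(s)]
            source_refs = [s for s in strings if _SRC_RE.search(s)]
            # Prose inside an executable is unusual; surface anything that
            # reads like a sentence (contains spaces, ends in punctuation).
            messages = [s for s in strings if " " in s and s.rstrip()[-1:] in ".!?"]
            pe = is_pe(data)
            dbl = has_double_extension(info.filename)
            verdict = "suspicious" if pe and (dbl or imports) else "review"
            report.append({
                "name": info.filename,
                "is_pe": pe,
                "double_extension": dbl,
                "imports": imports,
                "source_refs": source_refs,
                "messages": messages,
                "verdict": verdict,
            })
    return report


if __name__ == "__main__":
    for member in triage_attachment(build_sample_zip()):
        print(member)
```

The point of the check is that it needs no signature: a zip member that is a PE file, carries a double extension and lists networking DLLs is worth quarantining on structure alone, which is exactly the window the post describes between first sighting and the vendor's signature update.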

  18. Re:sorry for what by rar · · Score: 3, Interesting

    As many others have commented, the ability to click-and-run executables from the email clients is not the only reason for viruses/worms spreading. Even with only 'save to disk' functionality, people will still run these binaries.

    It is often said that what users fail to understand is that they should not run "untrusted binaries". But in my opinion this is the greatest shortcoming of all modern operating systems. I want my operating system to shield resources belonging to one binary from another. Much in the same way it shields the actions of one user on a multi-user unix system from affecting another user. Why can't the same basic ideas be used when I run 'nice-screen-saver.exe' to NOT allow it access to 'email-addresses.txt'?!

    Instead of having this functionality, I am told that the solution is to only run "trusted binaries"? But come on, it's not like I can personally audit all the code I run; and even if that would be possible it is easy to miss small bugs that eventually will run 'rm -rf' in my home directory. The point of this discussion is that NO binary should be ALLOWED to do 'rm -rf' in my home directory without me externally authorizing that operation. Exactly as I cannot read or delete user 'joe's files without his authorization.

  19. Hired by the Anti-virus vendors by DuckWing · · Score: 3, Interesting

    You know, the speed at which some of the AV software makers come out with "fixes" for these viruses before they make any headway still makes me think one of them (Symantec? McAfee?) hired the guy to do it so they can stay in business.

    Yeah, yeah, I know, Conspiracy Theory, but man does it ever smell bad.

    --
    -- DuckWing
  20. Re:Server Dead... heres the story by spitzak · · Score: 2, Interesting

    Isn't pulling the DNS records the correct thing to do? This stops the virus from sending any traffic and thus actually helps the network. I felt sure SCO wanted the virus to be damaging to everybody, but it does seem that some sysadmin at SCO decided to not be an asshole.

    Making just sco.com go to their home page would work perfectly. They could also make www.sco.com go to some big server that they pay that delivers a simple "click here" page, though I doubt they will do that because it will make most people think the site is up, when they want people to think it is down.

    I don't know what the article is talking about for Microsoft. The second virus is a dud and Microsoft's site is easily handling the traffic and works perfectly.

  21. Spammers still spreading it by tbase · · Score: 2, Interesting

    Most of the copies I'm getting now are to invalid addresses at my domain. Made up firstnames @mydomain.com. I originally thought that the virus was making these names up, but then today it dawned on me. A few weeks ago I started getting undeliverable messages to those same made-up addresses. Some spammer(s) is using my domain with random names as a from address in their spams. Now either there are a lot of people with infected machines who have copies of spam with those bogus from addresses that the virus is harvesting, or the same spammer(s) that is using my domain is mass mailing copies of the virus to keep it spreading. So many of these bogus addresses are out there now that all the common firstnames@mydomain.com are pretty much ruined.

    --

    666-607: 6th floor apartment of the beast
  22. Re:HEY! Doom's ancestry? by HiThere · · Score: 3, Interesting

    The evolution wouldn't need to happen within the same machine. Each copy of the virus could send out bunches of slightly altered versions. The ones that succeed could do the same, etc.

    The tricky part would be deciding what parts of the code might get a change, and how to make changes that wouldn't be immediately fatal. (See genetic programming.)

    Once the thing got started, it might do nearly anything. Say your original version sent out 50% exact copies and 50% with a single bit alteration in a random location. (This is to keep the thing small.) That has the potential to swamp any virus detection method, if enough changed variants are successfully propagating. But that is, of course, a big if.

    But do notice that this thing isn't of value to anyone except someone who just wants to disable the net. You can't immunize against it in any permanent way, because it will evolve away. And it changes rapidly (perhaps too rapidly, but the mutations should fix that).

    The problem is, most of the mutations will be highly defective. It's only the survivors that will cause problems. Well, that's what you expect from a system based on evolution.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
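The propagation scheme in the post above (half exact copies, half single-bit mutants), as an added simulation written for this page rather than anything posted in the thread. It spawns a generation from a constructed random "body" (random bytes, not malware) and counts how many mutants still match two kinds of signature: a whole-file SHA-256 hash and a 16-byte exact byte-sequence taken from a fixed offset. The body size, signature length and offset, generation size and seeds are this example's own assumptions.

```python
import hashlib
import random

SIG_OFFSET = 100   # where the byte-sequence signature is cut from the parent (assumed)
SIG_LEN = 16       # length of that signature in bytes (assumed)


def make_parent(size: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for a worm body: `size` seeded random bytes.
    Not real malware; the seed keeps the run reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def flip_random_bit(body: bytes, rng: random.Random) -> bytes:
    """The mutation operator from the post: one bit at a random position."""
    bit = rng.randrange(len(body) * 8)
    out = bytearray(body)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def spawn_generation(parent: bytes, count: int, rng: random.Random,
                     mutate_fraction: float = 0.5) -> list:
    """Emit `count` children: a `mutate_fraction` share are single-bit
    mutants, the rest exact copies, as the post proposes."""
    return [flip_random_bit(parent, rng) if rng.random() < mutate_fraction else parent
            for _ in range(count)]


def hash_signature(sample: bytes) -> str:
    """Whole-file signature: any change at all defeats it."""
    return hashlib.sha256(sample).hexdigest()


def substring_signature(sample: bytes) -> bytes:
    """Byte-sequence signature: only changes inside the window defeat it."""
    return sample[SIG_OFFSET:SIG_OFFSET + SIG_LEN]


def evasion_counts(parent: bytes, generation: list) -> dict:
    """Count how many mutated children slip past each signature type."""
    hsig = hash_signature(parent)
    ssig = substring_signature(parent)
    mutants = [c for c in generation if c != parent]
    return {
        "mutants": len(mutants),
        "evade_hash": sum(1 for c in mutants if hash_signature(c) != hsig),
        "evade_substring": sum(1 for c in mutants if ssig not in c),
    }


def expected_substring_evasion(parent_size: int) -> float:
    """Expected fraction of single-bit mutants that evade the byte-sequence
    signature: a flip lands inside the window with probability SIG_LEN/size."""
    return SIG_LEN / parent_size


def run_simulation(children: int = 2000, seed: int = 7) -> dict:
    """One generation of the post's scheme, with the evasion tally."""
    parent = make_parent()
    rng = random.Random(seed)
    generation = spawn_generation(parent, children, rng)
    result = evasion_counts(parent, generation)
    result["expected_substring_fraction"] = expected_substring_evasion(len(parent))
    return result


if __name__ == "__main__":
    print(run_simulation())
```

With the assumed sizes, every mutant evades the whole-file hash, while a single-bit flip evades the 16-byte sequence only when it lands inside that window (about 16/4096 of mutants), so the two "virus detection methods" the post lumps together fare very differently against this particular mutation operator; change the operator or the window size and the ratio moves with it.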