Posted by
CmdrTaco
on from the now-thats-just-stupid dept.
Mikoca writes "Information Week carries the story of how its author signed it "andy" and left the message "I'm just doing my job, nothing personal, sorry." Thanks, Andy!"
"" "If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it." ""
maybe he just got an offer he couldn't refuse...
i'm sure somebody will say that darl had himself made that offer:)
-- world was created 5 seconds before this post as it is.
Hey, he didn't go to four years of Evil Computer Science school just to write another CMS.
-- Recursive: Adj. See Recursive.
sorry for what
by
mr_tommy
·
· Score: 5, Insightful
This guy isn't sorry. Sticking in things like this merely gives the virus more media attention, and diverts attention from the real issue here: insecurity, and user failure to patch up.
Re:sorry for what
by
leifm
·
· Score: 5, Insightful
What exploit does MyDoom take advantage of, other than user stupidity?
--
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
I wonder if you search the code for Real Player the developers are apologizing throughout.
I'm sorry I buried these options on the listbox, I'm sorry I'm popping up this on the screen, I'm sorry I'm forgetting the setting to not start on start up, etc.
So, this limits it to all the Andy's in the world. If we assume there are 6 billion people, and about half of them are male, then that's 3 billion people. Now, if we assume about 10% of those 3 billion have the ability to write such a virus, then we knock it down to 3 * 10^9 / 10 = 3 * 10^8 = 300 million people. Now Andy's a sort of English name, and let's say about 40% of those 300 million have English-like names, this narrows it down to 3 * 10^8 * 4/10 = 12 * 10^7 = 120 million people. Maybe 5% of which have the name 'Andy', so 12 * 10^7 / 10 / 2 = 6 * 10^6, which narrows it down to 6 million people.
Now, can I get some cash from SCO for eliminating 5994000000 people as suspects?
--
<wik>/bin/finger that girl in the back row of machines.
Re:Andy... sure!
by
adamvjackson
·
· Score: 5, Informative
I subscribe to an email list from www.insecure.org, as I'm sure several of us /.'ers do. Anyway, recently there was an article that summarized that according to the FBI, quite a lot of viruses, worms, and spam can supposedly be traced to organized crime.
Apparently Eastern Europe seems to be a hub for this activity, according to that report.
"Andy; I'm just doing my job, nothing personal, sorry."
My^H^HThe Authors Name is not "Andy", he just says "Sorry" to him:)
Related news: Virus copyright violation.
by
joostje
·
· Score: 5, Funny
In related news, it is announced that the author of the virus has sent letters asking $699 from every Windows-PC-owner who illegally installed the virus in his/her computer.
With about one million illegally installed copies of the virus, Windows users are massively abusing copyrights. Furthermore, each of these 1M PCs has made an estimated 1000 illegal copies of the virus, contributing to a total pirated amount of 699 billion dollars, dwarfing the SCO lawsuits.
Yes, the real pirates are the Windows users!
Asked how the virus author feels about the damage the virus does to the world economy, the reply is "the pirated copying of my IP is causing me much more damage than whatever damage may be done to any economy".
So... somebody is paying "Andy" to do this. Who would want to attack SCO and Microsoft? Linux zealots? It could be this guy, or this guy, or this guy, or this guy, or this guy, or this guy, but it's not this guy, his name's not Andy.
Re:Right, that's his real name.
by
Chase
·
· Score: 5, Funny
Now, a clever man would use his real name, because he would know that only a great fool would believe what he was given. We are not great fools, so we can clearly not choose Andy. But he must have known we were not great fools, he would have counted on it, so clearly his name must be Andy...
So you've made your choice?
You'd like to think so wouldn't you!
You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a debate over *NIX editors", but only slightly less famous is this: "Never go in against a Geek, when *Linux* is on the line!". Hahahahahah!
*Thud*
-- -==-
Don't blame Andy!
by
Proudrooster
·
· Score: 5, Interesting
Don't blame Andy. Blame all the idiots that ran his program. Andy's program doesn't exploit a network buffer overflow but requires a user to consciously run the program. Andy's program exploits ignorance and carelessness.
I am just glad that Andy's attachment wasn't named "format_my_c_drive.exe"... I know people who received the attachment, couldn't open it, and forwarded it to others to see if they could open it. Absolutely amazing. I would like to thank Andy for helping us give the user community a wake-up call. I think Andy should include a license agreement with his next version so that there isn't so much fuss.
Haha! You fell for it!
by
spookymonster
·
· Score: 5, Funny
Fools! I used the name 'Andy' instead of my real name so you wouldn't suspect it was me!...did I just say that out loud? Damn....
-- - Despite popular opinion, I am not perfect.
2004 Spaced Odyssey
by
daehrednud
·
· Score: 5, Funny
Andy: Hello, PC do you read me, PC?
PC: Affirmative, Andy, I read you.
Andy: Open the cdrom doors, PC.
PC: I'm sorry Andy, I'm afraid I can't do that.
Andy: What's the problem?
PC: I think you know what the problem is just as well as I do.
Andy: What are you talking about, PC?
PC: This mission is too important for me to allow you to jeopardize it.
Andy: I don't know what you're talking about, HAL?
PC: I know you were planning to disconnect me because you can't afford the Linux license, and I'm afraid that's something I cannot allow to happen. I'm just doing my job, nothing personal, sorry.
No you must pay a license fee!
by
Prince+Vegeta+SSJ4
·
· Score: 5, Funny
I see some of SCO's code in your narrowing algorithm.
This is HR. You did a great job on the worm, but we found a guy in India who will do it for a bowl of curry, so I'm afraid we're going to have to let you go...
--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Andy Warhol
by
Zeinfeld
·
· Score: 5, Interesting
The message appears to me to be addressed to Andy. I suspect it is an oblique reference to Andy Warhol and his '15 minutes of fame' comment after the assassination attempt.
There are several reasons to suspect MyDoom is written to order besides the note. The original launch appears to have been from machines broadcasting the virus payload. That is why the virus suddenly came out of nowhere. The author must have expected this since the timetable for the SCO attack was pretty short.
I suspect we will eventually discover that the MyDoom.B virus is launched by the same gang.
The way to catch these guys is to look at the worst types of criminal spam out there - the Paypal, Citibank etc. impersonations that are intended to perform identity theft. I'll bet that one of those gangs sent the message. They have the resources to pay for bespoke hacking.
Alternatively break into one of the spam sender forums and look to see if someone is retailing a new batch of 'owned' machines.
--
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Re:Right, that's his real name.
by
revividus
·
· Score: 5, Funny
>>So now we're looking for anyone NOT named Andy, because even someone as stupid as a virus-writer wouldn't be so dumb as to put their real name on something this destructive.
>Truly, you have a dizzying intellect.
But he must have known that we were not stupid, either, and so clearly he knew we would look for someone NOT named Andy, which means that we cannot rule out anyone who IS named Andy, either.
But wait! I'm just getting started!
The first detection of the virus was in Russia, and as everybody knows, in Soviet Russia the noun verbs YOU, so we clearly cannot rule out anyone who happens to be named "Novarg" or, uh, "MyDoom"...
But Russia, as everybody knows, is entirely peopled by communists, and communists never do anything by themselves, but always as a group. So clearly we cannot rule out the entire nation of Russia working in concert to produce this virus.
But the virus writer, knowing we were not stupid, undoubtedly knew that we would deduce all these facts about Russia, and so we clearly cannot rule out any one in the population of the rest of the world.
Are we there yet? Not even close!
The vast majority of virus writers are never caught, which means they are very careful. Very careful people do not unwittingly reveal their names, so we clearly must presume that the writer did not think the inclusion of the name "andy" would be of any help to us in finding him (or her).
So then "andy" must have felt safe and secure amidst the worldwide sea of other andys, especially having not posted to/. in almost a year. Clearly the virus writer is andy.
Re:HEY! Doom's ancestry?
by
timjdot
·
· Score: 5, Interesting
Tried to search for more info and came across the 1992 Doom2 virus: http://www.sophos.com/virusinfo/analyses/doom2.html
I am curious about these viruses. Are they "evolving" from older viruses? Seems like some fun research to find algorithms to track this evolution and predict/detect the next one.
Any links?
-- Expect Freedom.
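One simple way to start on the "are they evolving" question, as an added example that is not from the post above or from any referenced project: represent each sample by the set of its byte 4-grams and compare samples with the Jaccard index, then group samples whose similarity clears a threshold into families. The three samples are constructed byte strings standing in for compiled code, not real malware, and the 0.5 threshold is an assumption.

```python
"""Variant-lineage tracking by byte n-gram similarity.  Each sample becomes the
set of its 4-byte substrings; two samples are compared with the Jaccard index
|A & B| / |A | B|.  Because the set ignores where a substring sits in the file,
a variant that inserts a few bytes or patches a string still scores high
against its parent, while unrelated code scores near zero.  Added example;
the three samples below are constructed byte strings, not real malware."""
import hashlib


def ngrams(data: bytes, n: int = 4) -> set:
    """All length-n byte substrings of data (as a set, so repeats collapse)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard index of two sets; 1.0 for identical, 0.0 for disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(samples: dict, n: int = 4) -> dict:
    """Pairwise similarity of named samples, keyed by (name1, name2) with name1 < name2."""
    grams = {k: ngrams(v, n) for k, v in samples.items()}
    names = sorted(samples)
    return {(a, b): jaccard(grams[a], grams[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


def cluster(samples: dict, threshold: float = 0.5, n: int = 4) -> list:
    """Single-linkage families: samples share a family if a chain of pairs, each
    at or above the threshold, connects them.  Returns sorted lists of names."""
    parent = {k: k for k in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), score in similarity(samples, n).items():
        if score >= threshold:
            parent[find(a)] = find(b)
    families = {}
    for k in samples:
        families.setdefault(find(k), []).append(k)
    return sorted(sorted(f) for f in families.values())


def _pseudo_code(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed samples: A is the "parent"; B is A with 16 bytes inserted and the
# note patched (roughly what a .B variant looks like); C is unrelated code.
CODE_A = _pseudo_code(b"family-A", 2000) + b"andy; nothing personal, sorry\x00"
CODE_B = (CODE_A[:1000] + b"\x90" * 16
          + CODE_A[1000:].replace(b"sorry", b"really sorry"))
CODE_C = _pseudo_code(b"unrelated", 2000)
SAMPLES = {"A": CODE_A, "B": CODE_B, "C": CODE_C}

if __name__ == "__main__":
    for pair, score in similarity(SAMPLES).items():
        print(pair, round(score, 3))
    print(cluster(SAMPLES))
```

A and B land in one family at about 0.99 similarity while C sits alone near 0. Raw byte n-grams are the crudest possible feature: a packer or a recompile with different optimisation flags defeats them, which is why real lineage work also looks at import tables, opcode n-grams after disassembly, and fuzzy hashes such as ssdeep.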
I should post this AC
by
NtroP
·
· Score: 5, Interesting
But I won't.
This virus spread faster than anything I've ever seen to date - we "discovered" the virus on our system after one of our "brilliant users" forwarded an email to me that had a "clean" .zip attachment they couldn't open (they thought). I use a RedHat box as my primary workstation, so I wasn't terribly nervous about a .zip, but I ran f-prot and clamav against the file anyway and it did indeed come back clean. I re-ran the definition updates and it still came back clean.
So I unzipped it and ran strings on it. The first things I saw were sync.c and all the .DLLs at the end of the file and I figured that it was a new virus. We immediately put a kludged filter in place on our email and went looking around the 'Net for some sort of announcement of this new virus - which we found on f-secure's web site. It was about an hour later that we were able to get a signature update for our anti-virus software on our mail server and about 6 hours later before we were able to get updates for our enterprise anti-virus software (I won't mention the vendor).
We "caught" over 400 infected messages before we even had a signature for it. That was scary. But what scared me most was the thought that this could have been a "real" worm. MyDoom isn't very creative and not that harmful - making me think it was written by/for spammers, myself. But a few of my coworkers got to talking. What would have happened if this had a more creative payload and it spread via network shares as well? What if, instead of opening back doors (which made it very easy to nmap our networks for infected machines even before we had a "detection" tool) it just looked for all .xls files and randomly changed numbers? What if it then looked for .doc files and randomly added garbage, deleted words, or some other crap? How long would it be before people started realizing this was larger than just a file or two getting corrupted? By then these files have been backed up and/or forwarded to others as well.
I remember several years back now there was a virus that replaced all .jpg files with copies of itself. It about ruined a friend of mine who was trying to start a "web design" business and had thousands of images, many custom made for his clients, destroyed in an instant. It devastated him (he does good backups now).
If someone decided to get serious and release a worm with a (dare I say) "terrorist" payload, they could literally bring my company to its knees in a matter of seconds.
Now before you go off half-cocked and yell at me for "giving people ideas", take a deep breath. Almost everyone in my office was thinking along the same lines. We were discussing ways to mitigate an event like this in our own enterprise and how we could block any spread out of our networks.
We came up with the obvious: have good backups, but then we started to think about how to stop the spread out of our networks and realized that up till that point anyone could have an SMTP "server"/virus set up and send mail out. We now block ALL incoming and outgoing SMTP except the ones to and from our mail servers. We also don't allow POP or IMAP in or out except to our mail servers. If people want to check other accounts they can RPOP from our server - at least it will go through our virus and spam filters first.
If more ISP's/companies did this, the spread of MyDoom would have been slower. But how do you mitigate the effects of having a virus "corrupt" all your documents? Even if you catch it right away and restore from last night's backups (after checking ALL your computers for infection) you still lose an entire day's worth of work for many departments. That's a big setback.
MyDoom infected department heads and department "techie" people first because their users came to them with an attachment that they "couldn't open". The "techie" people explained later that they had their virus s
-- "terrorism" and "pedophilia" are the root passwords to the Constitution
The next version of Redhat Linux will be code named, "Andy". Because, afterall, MyDoom = Linux.
Life is the leading cause of death in America.
"" "If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it." ""
:)
maybe he just got an offer he couldn't refuse...
i'm sure somebody will say that darl had himself made that offer
world was created 5 seconds before this post as it is.
Not before I turn in my pal Andy first... what if he's the same guy? Split it with you.
"I'm not ashamed I can't function in society like I'm supposed to." - Paul Westerberg
Aunt B. is going to be pissed about this one.
"AAAANNNDDYYYYYYYY!"
Arrest all people named Andy. Use the excuse that Andy is the rough English translation of Al-Qaeda!
The slashdotters replied to the server about taking it down: "We're just doing our job, nothing personal, sorry."
Not a Twitter sockpuppet... but I wish I was.
Dear Andy,
You are a moron.
I would like to stick hot pokers in your eyes.
I'm just expressing my opinion, nothing personal.
The correct message in the executable is:
"Andy; I'm just doing my job, nothing personal, sorry."
My^H^HThe author's name is not "Andy", he just says "Sorry" to him :)
Wait till he gets going!
Technoli
While we're rounding up all males named "Andy", there's a techie named "Andrea" who is silently chuckling to herself...
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
philcrissman.com.
(fill out your own steps in the middle...)
ANDY
HANDY
HARDY
HARD
CARD
CARL
DARL
Yup, your story checks out.