MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do anyway. And also proved how many users aren't running any anti-virus at all.
Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody guarding that door.
The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.
Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possibility of DoomJuice2 coming out with a worse payload.
To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
Just from the description in the /. blurb this seems to have a very different purpose from A and B. This seems like a script kiddie just for the hell of it kind of thing more than a spam tool.
"Sic Semper Tyrannosaurus Rex."
Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesn't have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.
The MyDoom.C name used in links such as the ABC one is probably for good headlines.
After that article a couple of days ago about the hackers, I was wondering how new potential "script kiddies" would react... would they go in search of viruses and start sending them out, inspired by the article? Oh well, it doesn't matter. Now, for a horrible joke! What did the dog call the cat who was an amateur hacker? A script kitty! (sigh)
I'm sure we've learned enough by now to determine how this virus works to the point where we can create a worm of our own and disable its DoS attacks. I for one believe enough is enough, and it would be ethically ok to go ahead and create such a worm. All we'd have to do is infect in the same way this new virus does, and run arbitrary code to destroy the virus. Thoughts?
...in bed
Aunt Bertha switches on her 2 GHz supercomputer, and hooks up to the Internet with a connection speed that would have rivaled an ISP in the early 1990s. She sees a pretty icon in her inbox, so she points and clicks, unleashing some spammer's latest mass-mailing creation. By the time Bertha goes and gets a Triscuit, she has already spammed a million Internet neighbours.
Anyone else see why the Internet is full of crap? And if you think it's as easy to control as "blocking port 25" ... ha ha. You wish! The worm only has to send mail via the ISP's outgoing mail server (remember... the one you reminded me "I should be using")
So no, controlling this spam/virus menace isn't quite that easy. Whatever method you use to legitimately send mail, the worms will follow that same method.
We can't give users restricted accounts because it stops them from doing things like installing valid software. But don't you think it is time we took steps to sandbox the email applications?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
With the increase in talk about online voting, I think we have a little more to be afraid of than "American Idol" getting fixed.
You should block all incoming ports you don't need. Only open ones for services you deliberately run, like a game server or ftp or whatever.
At home I have only ssh exposed to the world, and on a nonstandard port at that. From there I can ppp over ssh and do whatever I want. Fine for a home network at least.
Outgoing ports I only monitor logs from now and then, to make sure a virus/trojan didn't find its way on to my wife's, or one of the kids' boxes.
I don't need no instructions to know how to rock!!!!
Help fight continental drift.
Where do you people come from! Is it time for another application of the ClueStick(tm)!
If you're not using a specific port, close it up. That includes 3127. And everything below 3127, and everything above 3127. Close them ALL off except the ones you are specifically using.
Now I realize that this is extremely difficult to do in Windows, but do it anyway. Repeat, do it anyway. This is your responsibility as the owner of a node on the network. And don't think you're done just because you've secured the firewall. Secure all of your client systems as well. My company got hit hard by Blaster because someone walked into the lab with a laptop.
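A check a home admin can run to confirm that only the intended services are listening, in the spirit of the two comments above (ssh only, everything else closed, and nothing sitting on 3127). This is an added example in Python, not code from the thread; it reads the kernel's /proc/net/tcp table, so it is Linux-only and assumes a little-endian host. The sample table embedded below is constructed, the allowlist of port 2222 for ssh is an assumption, and loopback-only binds are treated as not exposed.

```python
"""Audit listening TCP sockets against an allowlist (Linux /proc/net/tcp)."""

TCP_LISTEN = "0A"  # socket state code the kernel prints for LISTEN

# Constructed sample of /proc/net/tcp (not captured from a real host):
#   row 0: sshd on 2222 bound to all interfaces
#   row 1: a database on 3306 bound to loopback only
#   row 2: an unexpected listener on 3127 bound to all interfaces
#   row 3: an established (non-listening) socket, which must be ignored
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0C37 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:08AE C0A80105:E1C4 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Convert the kernel's 'IIIIIIII:PPPP' hex form to (dotted_ip, port).

    The IP is printed in host byte order, so on a little-endian machine
    the bytes come out reversed (assumption: x86-style little-endian host).
    """
    hex_ip, hex_port = hex_addr.split(":")
    raw = bytes.fromhex(hex_ip)
    ip = ".".join(str(b) for b in reversed(raw))
    return ip, int(hex_port, 16)


def parse_listeners(text):
    """Return [(ip, port), ...] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        listeners.append(decode_addr(fields[1]))
    return listeners


def unexpected_listeners(listeners, allowed_ports):
    """Listeners reachable from outside whose port is not on the allowlist."""
    return [
        (ip, port)
        for ip, port in listeners
        if port not in allowed_ports and not ip.startswith("127.")
    ]


def audit(text, allowed_ports):
    """Parse a /proc/net/tcp dump and report what should not be listening."""
    return unexpected_listeners(parse_listeners(text), allowed_ports)


if __name__ == "__main__":
    ALLOWED = {2222}  # assumption: ssh moved to a nonstandard port, nothing else
    print("sample table:", audit(SAMPLE_PROC_NET_TCP, ALLOWED))
    try:
        with open("/proc/net/tcp") as f:
            print("this host:   ", audit(f.read(), ALLOWED))
    except OSError:
        print("no /proc/net/tcp here (not Linux?)")
```

On the sample table the audit reports only the 3127 listener: 2222 is allowed and 3306 is bound to loopback. Running it on a real box with an empty result is the quick confirmation that the "close everything you aren't using" advice has actually been applied; it does not cover IPv6 (/proc/net/tcp6) or UDP, which need the same treatment.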
Don't blame me, I didn't vote for either of them!
I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text.
Yes, but you can turn that off. Evolution did that. Turning it off was one of the first things I did.
Educating the "general user" about virii has come a good way, but some people still need some lessons. Sadly, I think the great majority of users that still spread these viruses are simply negligent (they know better but really don't care). Maybe I'm too techsupport-bitter.
I wanted to read it first, thus I did /etc/services | less /etc/services | grep 3127 :)
cat
cat
using up arrow and delete rather than back arrow, just a habit I'm in to. Plus, it's hard to think in the 100F+ heat
Cable and DSL companies will give out a nice little hardware firewall ala Linksys or Netgear along with their cable/dsl modems. Hell, Toshiba even makes a cable modem with a built in 4 port switch/firewall. Giving these users a broadband connection and no education on the dangers of the internet is like giving a Ferrari to someone who can't drive.
I know the ISP isn't ultimately responsible for their users' actions, but they'd be doing themselves a big favor by eliminating most of that traffic. During the heyday of the Blaster virus I was getting a few port 53 requests per second from infected machines on Verizon's dsl...that's quite an additional load on their network.
slashdot, news for crazed liberal socialist zealots
Haven't you denial-of-information-service people learned a damned thing? If port 25 is blocked, we'd just get SMTP-over-HTTP within 6 months.
I'm no Microsoft supporter but you cannot blame them for this one. Someone had to install a program (virus) to become infected. The spread of this virus and its variants is a result of ignorant computer users who happen to be on the Windows platform.
Blaster on the other hand was a result of a security flaw in Windows.
Anyone who writes this would probably be accused of writing the original virus. As an added bonus, if the writer is a U.S. citizen, the terrorist enhancement would apply, and this means he or she might accept a plea regardless of guilt.
You misspelled "dumbasses". (MyDoom doesn't exploit software weaknesses but idiot users who click on everything that looks like it could make funny noises when clicked.)
Free as in mason.
Microsoft deserves to take the brunt of this attack. Preventing this type of attack is not that difficult. Microsoft decided to close off all the open ports in SP2 after Blaster and Nachi; maybe this will help motivate them to take steps to combat mail worms. If MS does not secure OE then AV companies can sell an alternate secure mail client.
Or, since you've never used any anti-virus software, you're not aware that the machine has been infected by a virus... :-D
But yes, a little caution goes a long way, just don't expect it to save your back all the time. I've learned the hard way that every once in a while you're confronted with something you didn't know could be a problem and you're bitten.
Still, props for being so vigilant.
Karma? What's that again?
This sounds just like the firewall admin who said "We have never been hacked or even been tried to be hacked." This guy will almost absolutely surely have missed some attacks and does not watch his logfiles.
How can you say that you never had a virus when you never used an AV-scanner? Some viruses may not be noticeable when on your system.
[--- PGP key and more on http://www.root42.de ---]
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
You don't even need the file extension with Unix.
No, but you do need to have run chmod u+x on the file... By default files aren't executable. Scripts (executable text files) are run by the interpreter which is specified on the first line of the script. Binary files have a magic number, which is used to determine the appropriate way to load and run them.
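As an added illustration of the mechanism the reply above describes (this is not code from the thread), the Python below mimics the order of checks the kernel makes when asked to execute a file: the execute bit first, then a #! line naming an interpreter, then the ELF magic number. The execute-bit test is simplified to "any execute bit set" rather than the real uid/gid check, binfmt_misc handlers are ignored, and the files the demo creates are constructed in a temporary directory.

```python
"""How Unix decides whether and how to run a file: a simplified model of exec()."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF binary
SHEBANG = b"#!"         # first two bytes of an interpreter script


def classify(header: bytes, mode: int) -> str:
    """Return what exec() would do with a file, given its first bytes and mode.

    Simplification (assumption, not kernel-exact): any execute bit counts,
    whereas the kernel checks the bit that applies to the calling user.
    """
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "not-executable"  # exec() fails with EACCES; file extension is irrelevant
    if header.startswith(SHEBANG):
        # Everything after "#!" up to end of line is the interpreter (plus one optional arg).
        first_line = header.split(b"\n", 1)[0][len(SHEBANG):].strip()
        parts = first_line.split()
        if parts:
            return "script:" + parts[0].decode("ascii", errors="replace")
        return "unknown"
    if header.startswith(ELF_MAGIC):
        return "elf-binary"  # loaded natively based on the magic number
    return "unknown"  # exec() fails with ENOEXEC; a shell may then fall back to sh


def classify_path(path: str) -> str:
    """Read the file's mode and first 128 bytes, then classify it."""
    with open(path, "rb") as f:
        header = f.read(128)
    return classify(header, os.stat(path).st_mode)


def demo() -> dict:
    """Create constructed sample files in a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "hello.sh")
        with open(script, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        results["script before chmod"] = classify_path(script)  # default mode has no x bit
        os.chmod(script, 0o755)  # the chmod u+x step from the reply
        results["script after chmod u+x"] = classify_path(script)

        fake_elf = os.path.join(d, "prog")
        with open(fake_elf, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # constructed header only
        os.chmod(fake_elf, 0o755)
        results["elf header"] = classify_path(fake_elf)

        plain = os.path.join(d, "notes.txt")
        with open(plain, "wb") as f:
            f.write(b"just text\n")
        os.chmod(plain, 0o755)
        results["plain text with +x"] = classify_path(plain)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The point the demo makes is the one in the reply: the same #! script is refused before chmod and handed to /bin/sh after it, while a file's name plays no part in either decision.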
I am more amazed that neither SCO nor Microsoft started tailing their http logs, and firing a disinfector back at hits that match the fingerprint of the ddos thread spool. I know, I know... hackback is bad, but in this case...
Microsoft could get away with it, and call it part of their new Windows Update.
I actually wanted to do this on our campus when Blaster hit. The code was out there to exploit the RPC vulnerabilities. If you only patch systems which are actively trying to infect you (from your own subnet), it's not going to get out of hand. I called it "managed desktops". Maybe it's not as conventional as SMS or ZENWorks, but it would be effective. Besides, it's not hacking if you do it to your own systems.
I wanted to give a little pop-up for the users which gave them 2 choices:
Do you want to be managed by
() The University
() Hackers
Giving users a choice is just the right way to handle things. You can't just go around forcing your opinions on them.
Isn't it obvious why MyDoom.C was released? The intricacy makes it fairly apparent that it's either the original author or someone connected with it. Why would they release another variant of their own tool?
After the release of MyDoom.A, there was more than a little speculation that the true hidden purpose of these e-mail worms was to spawn a network of zombied PCs to use for spamming. The 'A' version made it a little too obvious, even with the included red herrings of DoS attacks against SCO and MS. Uh oh. And now Mr. Spammer is getting a little antsy -- has the FBI made the same connection many in the infosec scene have? Uh oh. Time to cover your tracks.
What better way to do that than to release another version of your virus that throws all the investigations off the trail, looking for some OSS Loving Blackhat who'd want to DoS SCO instead of the criminal head of a spam gang trying to enlarge his empire?
And before anyone suggests I put on a tin foil hat...go gather some statistics. Specifically, make a chart of the release of e-mail worms, and another chart of the accuracy-rate of DNSBLs. You'll see, as I did, that as DNSBL accuracy reaches 100% (they contain all currently-zombied hosts), boom, out comes another e-mail worm. The release of MyDoom seems to have gone off poorly -- admins received warning and were prepared, not very many machines (relatively) were infected, and a lot of attention from the infosec community was directed at the source of the releases. I'm sure purely by coincidence, my DNSBL hit rate remains high, and spams by a certain well known individual who I believe to be responsible for this don't seem to be coming at nearly the volume one would expect from such a prolific scumbag.