MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do anyway. It also proved how many users aren't running any anti-virus at all.
Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to catch the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody guarding that door.
The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.
Right now, this patch seems to not have much of a payload. But we don't know if we've seen its full payload yet, and there's certainly the possibility of DoomJuice2 coming out with a worse payload.
To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
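An added example, not from the thread, of the kind of check an admin could run on the log of a firewall that records dropped connections: a POSIX shell function that pulls out source addresses sweeping TCP 3127 across many destinations, which is the propagation pattern the summary describes (DoomJuice scanning for the MyDoom.A/B backdoor). The log lines are constructed for the demo in the iptables LOG target's format; the "FW-IN-3127:" and "FW-DROP:" prefixes are assumed --log-prefix values, not anything the worm emits.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): find hosts sweeping for the
# MyDoom backdoor on TCP 3127 in iptables LOG lines.
# The sample below is constructed; the log prefixes are assumed.

SAMPLE_LOG='Feb  9 10:01:02 gw kernel: FW-IN-3127: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=3127 SYN
Feb  9 10:01:02 gw kernel: FW-IN-3127: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP SPT=4002 DPT=3127 SYN
Feb  9 10:01:03 gw kernel: FW-IN-3127: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.12 PROTO=TCP SPT=4003 DPT=3127 SYN
Feb  9 10:01:03 gw kernel: FW-IN-3127: IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=5120 DPT=3127 SYN
Feb  9 10:01:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=3300 DPT=80 SYN
Feb  9 10:01:05 gw kernel: FW-IN-3127: IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.13 PROTO=TCP SPT=5121 DPT=3127 SYN'

# find_3127_scanners [THRESHOLD]   (reads log lines on stdin)
# Prints "COUNT SRC" for every source that tried DPT=3127 on at least
# THRESHOLD *distinct* destinations, busiest first. A single hit is
# just noise; many targets from one source is a sweep.
find_3127_scanners() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        {
            src = ""; dst = ""; dpt = ""
            # Pull SRC=, DST= and DPT= out of the key=value fields;
            # keying on the fields (not the log prefix) keeps it robust.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (src, dst) pair once, only for the backdoor port
            if (dpt == "3127" && src != "" && !seen[src, dst]++) n[src]++
        }
        END { for (s in n) if (n[s] >= t) print n[s], s }
    ' | sort -rn
}

# Real use, against a syslog that carries the kernel LOG lines:
#   grep 'DPT=3127' /var/log/kern.log | find_3127_scanners 5
printf '%s\n' "$SAMPLE_LOG" | find_3127_scanners 2
```

With the constructed sample and a threshold of 2, 10.0.0.5 (three targets) and 10.0.0.7 (two targets) are reported; 10.0.0.9 only touched port 80 and is ignored. Addresses that show up here are the "zombies" the post wants pulled off the net: either a MyDoom.A/B host that DoomJuice already reached, or DoomJuice itself looking for the next one.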
Just from the description in the /. blurb this seems to have a very different purpose from A and B. This seems like a script kiddie's just-for-the-hell-of-it kind of thing more than a spam tool.
"Sic Semper Tyrannosaurus Rex."
Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesn't have enough in common with MyDoom to be a variant of it, which is probably why the CNET link only mentions the name Doomjuice.
The MyDoom.C name used in links such as the ABC one is probably for good headlines.
Aunt Bertha switches on her 2 GHz supercomputer, and hooks up to the Internet with a connection speed that would have rivaled an ISP in the early 1990s. She sees a pretty icon in her inbox, so she points and clicks, unleashing some spammer's latest mass-mailing creation. By the time Bertha goes and gets a Triscuit, she has already spammed a million Internet neighbours.
Anyone else see why the Internet is full of crap? And if you think it's as easy to control as "blocking port 25" ... ha ha. You wish! The worm only has to send mail via the ISP's outgoing mail server (remember... the one you reminded me "I should be using")
So no, controlling this spam/virus menace isn't quite that easy. Whatever method you use to legitimately send mail, the worms will follow that same method.
We can't give users restricted accounts because it stops them from doing things like installing valid software. But don't you think it is time we took steps to sandbox the email applications?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
With the increase in talk about online voting, I think we have a little more to be afraid of than "American Idol" getting fixed.
You should block all incoming ports you don't need. Only open ones for services you deliberately run, like a game server or ftp or whatever.
At home I have only ssh exposed to the world, and on a nonstandard port at that. From there I can ppp over ssh and do whatever I want. Fine for a home network at least.
Outgoing ports I only monitor logs from now and then, to make sure a virus/trojan didn't find its way onto my wife's, or one of the kids' boxes.
I don't need no instructions to know how to rock!!!!
Help fight continental drift.
Where do you people come from! Is it time for another application of the ClueStick(tm)!
If you're not using a specific port, close it up. That includes 3127. And everything below 3127, and everything above 3127. Close them ALL off except the ones you are specifically using.
Now I realize that this is extremely difficult to do in Windows, but do it anyway. Repeat, do it anyway. This is your responsibility as the owner of a node on the network. And don't think you're done just because you've secured the firewall. Secure all of your client systems as well. My company got hit hard by Blaster because someone walked into the lab with a laptop.
Don't blame me, I didn't vote for either of them!
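The default-deny advice in the two posts above (only open ports for services you deliberately run, expose ssh on a non-standard port, keep an eye on outgoing traffic for a virus on a family machine, close 3127 and everything around it), as an added example that is not part of the thread: a small POSIX shell function that emits an iptables-restore ruleset for a Linux gateway. The SSH port 2222, the WAN interface eth0 and the log prefixes are assumptions for the demo. Inbound probes of 3127 are logged under their own tag, and outbound connection attempts to 3127 are logged too, because a clean host has no reason to make them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny IPv4 ruleset in
# iptables-restore format. Only sshd on a chosen non-standard port is
# reachable from the outside; everything else is logged and dropped.
# SSH port 2222, interface eth0 and the log prefixes are assumed values.

# gen_rules [SSH_PORT] [WAN_IF]  -> prints the ruleset on stdout
gen_rules() {
    ssh_port=${1:-2222}
    wan_if=${2:-eth0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to flows we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one service deliberately exposed: sshd on a non-standard port
-A INPUT -i $wan_if -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Tag probes for the MyDoom.A/B backdoor port so sweeps stand out in the log
-A INPUT -i $wan_if -p tcp --dport 3127 -m limit --limit 5/min -j LOG --log-prefix "FW-IN-3127: "
# Everything else inbound: rate-limited log, then dropped by the chain policy
-A INPUT -i $wan_if -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
# Outbound: a box of ours opening connections to 3127 is a box to look at
-A OUTPUT -o $wan_if -p tcp --dport 3127 -m conntrack --ctstate NEW -j LOG --log-prefix "FW-OUT-3127: "
COMMIT
EOF
}

# check_rules SSH_PORT WAN_IF -> 0 if the generated policy is sane
# (default-deny inbound, ssh reachable, 3127 never accepted). Runs
# without root, so it can gate the load below.
check_rules() {
    rules=$(gen_rules "$1" "$2")
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport $1 .*-j ACCEPT" || return 1
    # an ACCEPT for 3127 would be a bug: the backdoor port must stay closed
    printf '%s\n' "$rules" | grep -q -- "--dport 3127 .*-j ACCEPT" && return 1
    return 0
}

# Load (as root) only after the sanity check passes:
#   check_rules 2222 eth0 && gen_rules 2222 eth0 | iptables-restore
gen_rules 2222 eth0
```

The INPUT policy of DROP is what implements "close them ALL off"; the ssh rule is the only hole, and the 3127 rules add nothing to reachability, they only make the existing worm traffic visible in the kernel log so the "monitor logs now and then" step has something to look at. This protects the gateway and what sits behind it; as the second post says, the laptop that walks into the lab still needs its own host firewall.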
Cable and DSL companies will give out a nice little hardware firewall a la Linksys or Netgear along with their cable/DSL modems. Hell, Toshiba even makes a cable modem with a built-in 4-port switch/firewall. Giving these users a broadband connection and no education on the dangers of the internet is like giving a Ferrari to someone who can't drive.
I know the ISP isn't ultimately responsible for their users' actions, but they'd be doing themselves a big favor by eliminating most of that traffic. During the heyday of the Blaster virus I was getting a few port 53 requests per second from infected machines on Verizon's DSL... that's quite an additional load on their network.
slashdot, news for crazed liberal socialist zealots
I'm no Microsoft supporter but you cannot blame them for this one. Someone had to install a program (virus) to become infected. The spread of this virus and its variants is a result of ignorant computer users who happen to be on the Windows platform.
Blaster on the other hand was a result of a security flaw in Windows.
Microsoft deserves to take the brunt of this attack. Preventing this type of attack is not that difficult. Microsoft decided to close off all the open ports in SP2 after Blaster and Nachi; maybe this will help motivate them to take steps to combat mail worms. If MS does not secure OE then AV companies can sell an alternate secure mail client.
This sounds just like the firewall admin who said "We have never been hacked or even had anyone try to hack us." This guy will almost absolutely surely have missed some attacks and does not watch his logfiles.
How can you say that you never had a virus when you never used an AV scanner? Some viruses may not be noticeable when on your system.
[--- PGP key and more on http://www.root42.de ---]
You don't even need the file extension with Unix.
No, but you do need to have run chmod u+x on the file... By default files aren't executable. Scripts (executable text files) are run by the interpreter which is specified on the first line of the script. Binary files have a magic number, which is used to determine the appropriate way to load and run them.
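As an added illustration of the point in the comment above (not the poster's own code): a POSIX shell function creates a file named like a picture and shows the kernel refuse to run it until u+x is set, after which the same bytes run through their #! interpreter; a second function classifies a file by its leading bytes the way the loader does (shebang versus the ELF magic number, the latter being the Linux binary format, so on another Unix the shell binary will simply classify as "other"). The file name holiday.jpg and the temp directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): what actually decides whether a
# Unix file executes is the execute bit, then the shebang or the binary's
# magic number; the file name and extension play no part.

# classify_header FILE -> "script" | "elf" | "other", from the first bytes
classify_header() {
    hdr=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        2321*)    echo script ;;   # "#!" : run by the interpreter named after it
        7f454c46) echo elf ;;      # 0x7f 'E' 'L' 'F' : ELF binary (Linux)
        *)        echo other ;;
    esac
}

# demo_exec -> "STEP1 STEP2 KIND", e.g. "denied script-ran script"
demo_exec() {
    dir=$(mktemp -d) || return 1
    f="$dir/holiday.jpg"               # assumed name: a "picture" that is a script
    printf '#!/bin/sh\necho script-ran\n' > "$f"   # mode 0644 by default, no x bit

    # 1. No execute bit: exec fails with EACCES whatever the name or content
    if "$f" 2>/dev/null; then step1=ran; else step1=denied; fi

    # 2. chmod u+x: the identical bytes now execute via the #! line
    chmod u+x "$f"
    step2=$("$f" 2>/dev/null)

    # 3. The loader looks at the leading bytes, not at ".jpg"
    kind=$(classify_header "$f")

    rm -rf "$dir"
    printf '%s %s %s\n' "$step1" "$step2" "$kind"
}

demo_exec
classify_header "$(command -v sh)"
```

The contrast with the Windows-attachment case in the thread is step 1: a mailed file lands with no execute bit, so a double-click that "opens" it does not run it; the user (or the mail client) has to take the extra chmod step first.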