MyDoom.C Making Its Way Across The Net
Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsoft's website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
What a stupid name for a virus. The writer must be planning to get caught.
My poor firewall logs, oh why does DoomJuice hate thee.
I would think that mydoom.c would be the source file, so it should be a lot easier to reverse engineer.
./mydoom
gcc mydoom.c -o mydoom
Unknown host pong.
The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do anyway. And also proved how many users aren't running any anti-virus at all.
Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody guarding that door.
The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.
Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possibility of DoomJuice2 coming out with a worse payload.
To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
Uh, ok.. so what is on port 3127?
We are not all so nerdly that we memorize port tables... (emphasis on ALL)
Anyone infected by email virii should have their internet access revoked for being too damn stupid. Stop opening every fucking attachment you get, morons!
Did you happen to notice the part where it said This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127?
Just from the description in the /. blurb this seems to have a very different purpose from A and B. This seems like a script kiddie just for the hell of it kind of thing more than a spam tool.
"Sic Semper Tyrannosaurus Rex."
Does anyone know if it is slamming the msn messenger service as well? I haven't been able to connect to it recently, and it seems to be a network wide outage, since other people are having problems as well....
--
Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesn't have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.
The MyDoom.C name used in links such as the ABC one is probably for good headlines.
About the time the first version of this virus set sail, I noticed a huge spike in the number of Backdoor/Subseven probes against my firewall (still ongoing). Is this little bastard responsible for that, or is this caused by another issue altogether?
Be excellent to each other. And... PARTY ON, DUDES!
MyDoom.C's effects seem to already be felt. My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.
But Maaa! Everyone else has a
I never understood why viruses/worms/whatever bother to include shutoff dates. "hum, I really hate SCO, so I'm going to DDoS them, but only for a few days" Why?
--I don't want the world, I just want your half.
This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines
It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.
This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.
Did you happen to notice the part where it said This new variant relies upon a backdoor left in place by the original email spread virus.
I'm not sure what to think about this: How many times can you tell people never to open attachments until you just give up and accept that a certain casualty rate is to be expected? (As a sidenote -- I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text. This makes users accustomed to opening attachments).
Are there any real applications that use port 3127, or can we safely block that port at our firewalls?
I'm sure we've learned enough by now to determine how this virus works to the point where we can create a worm of our own and disable its DoS attacks. I for one believe enough is enough, and it would be ethically ok to go ahead and create such a worm. All we'd have to do is infect in the same way this new virus does, and run arbitrary code to destroy the virus. Thoughts?
...in bed
Write a virus that scans for open 3127 TCP Ports, get into the machine and remove MyDoom from it.
This virus counter-virus wouldn't cause the same problem as the SoBig counter-virus (can't remember the name, sorry) because this time it would spot only actual infected computers instead of every computer with an open RPC port.
Iraq: war to save the U
Aunt Bertha switches on her 2 GHz supercomputer, and hooks up to the Internet with a connection speed that would have rivaled an ISP in the early 1990's. She sees a pretty icon in her inbox, so she points and clicks, unleashing some spammer's latest mass-mailing creation. By the time Bertha goes and gets a Triscuit, she has already spammed a million Internet neighbours.
Anyone else see why the Internet is full of crap? And if you think it's as easy to control as "blocking port 25" ... ha ha. You wish! The worm only has to send mail via the ISP's outgoing mail server (remember... the one you reminded me "I should be using")
So no, controlling this spam/virus menace isn't quite that easy. Whatever method you use to legitimately send mail, the worms will follow that same method.
This is the perfect opportunity for someone to fix American Idol, by getting all those zombie computers to dial and vote for their favorite singers!
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Anyone know if MyDoom's protocol for port 3127 is documented anywhere? If the virus writer can send it patches, then surely we can too :) We could have this mess cleaned up in a few days if we made the patch clean the machines. Not sure if cleaning people's machines without their permission is illegal, but it'd sure make a lot of people grateful. If anyone does do it make sure to sign it as a gift from the opensource community so we look really good instead of the evil people that we've been made to be.
Regards,
Steve
After MyDoom.c we can probably expect MyQuake.a, as well as a sequel MyQuake.b... and maybe even MyReturnToCastleWolfenstein.a Unfortunately MyDoom.3d will only run on the latest graphics cards and DirectX9 hardware... and will spend years in development. Andy better not be working at id
READY.
PRINT ""+-0
A similar situation occurred with Blaster and Welchia. As a network tech who had to deal with the mess, I must say that Welchia made matters much worse. It added to network traffic even more, thus slowing down an already congested network. Additionally, it makes diagnosing the virus harder. Instead of being able to see someone spamming port 135 and knowing it's Blaster, now you have to look for Blaster and Welchia.
While it's a somewhat noble idea, in the real world it is just another pain in the ass.
Awww, but it said "I Love You."
How could it be harmful if it says "I love you"?
Microsoft is dying.
I'm sure if the file you sent out was called "thisvirusisnamedJim.vbs", it would be called Jim.
Tell that to the author of Nimda, the first major worm to spread multiple ways. He clearly named his worm "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in a string in the binary, but the antivirus people called it "Nimda" anyway. Nimda 0.6 contained the string "Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda)" but it was still called Nimda.
This scales particularly well for this application, because the big source of infections was Outlook, which is used in corporate email environments, so corporate firewalls are the right boundary. There's probably some amount of Outlook Express infection, which is a problem for consumer-oriented ISPs, but it's mostly a corporate problem.
Also, running the thing as a sysadmin-controlled port scanner means that you can tailor the payload to pop up a dialog box saying "Hey, Stupid, You clicked on the MyDoom Virus and got yourself infected, call the Help Desk at 1-555-555-31337 to get your machine cleaned up"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
We can't give users restricted accounts because it stops them from doing things like installing valid software. But don't you think it is time we took steps to sandbox the email applications?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
For a company/university/personal firewall, yes, it should usually be blocking any inbound traffic that's not understood. ISPs have a much different type of user base - they should be allowing the end-to-end Internet to work, staying open to any protocols that they don't have a very good reason to block. Temporarily blocking 3127 or 1434 or whatever is often necessary if there's a big outbreak, and there are some ISPs that restrict Port 25 because they're trying to prevent their users from spamming - but as a home Linux user, I find that rude and wouldn't use such an ISP for normal activities.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I own two Macs, so don't take this as a troll, please.
Right now, Macs are feeling the effects of this virus, too; it's slowing down internet connections for ALL platforms thanks to the fact that it's indiscriminately flooding networks with "noise" in trying to find other machines with the MyDoom-opened port. To my knowledge, it doesn't stop searching, either.
And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so. Not only is YOUR "counter-virus" going to add to the network congestion, but it may well become a problem itself if it's not written just right. In other words, the cure might be worse than the disease.
For the short term, we need an education campaign. Teach the standard (and sub-standard) users of the world how to identify a virus, how to prevent getting infected, and why they should care. As the old saying goes, "you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."
~UP
Eat the Path.
Doomjuice distributes source code for MyDoom.A
Making this one of the first high-profile open-source viruses?
<zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>
No, Doomjuice is an open sores virus, as it utilizes an open sore (that is, port 3127) left by MyDoom.A to get in.
Will I retire or break 10K?
I was fascinated by the zombifying worms, spreading across the internet making unsuspecting hosts into proxy spam servers, but now I'm beginning to wonder if worm harvesters will have to be written and (by mutual agreement) released onto the net. I still get code red dropping by all the time (it can have my default.ida, for all I care; I'm through with it), and new kiddies write them at such an increasing pace that one New York Times article about worms recently needed two slashdot articles by the time it was posted. Might they start (at some point in the future) to actually start to "clog" the internet? Hell, they already do; the network where I work was brought to a crawl more than once over the last year because of them (and the idiots who administer the network, but that's another rant). Anyway, when worms constitute more than 50% of the traffic more than 50% of the time, some regulatory body is going to propose spidering worm-eaters. It'll be like "core wars" all over again (everything comes full circle sooner or later).
grammar-lesson free since 1999. (rescinded - 2005)
The MyDoom API is documented in RFC 3128. You can also look at the javadocs. It's all in there.
A Microsoft spokesman said Monday that any performance problems on the company's site are likely related to countermeasures the company took to evade the MyDoom.B DDoS attack and not an attack from machines infected with the latest variant."
So in other words, to prevent MyDoom from DDoSing Microsoft's website, Microsoft decides to DDoS themselves instead. What a wonderful world!
Carpe Diem: Seize The Day!
Help fight continental drift.
First Half Life 2, now the C source of Doom 3 is out in the wild... Damn, now we'll never see these games.
But it said "I love you!" !!! ;)
suteki!
I partly blame Netscape and other email proggies that send forwards or replies as attachments rather than as inline quoted text
Yes, but you can turn that off. Evolution did that. Turning it off was one of the first things I did.
Educating the "general user" about virii has come a good way, but some people still need some lessons. Sadly, I think the great majority of users that still spread these viruses are simply negligent (they know better but really don't care). Maybe I'm too techsupport-bitter.
Cthulhu loves you.
Cable and DSL companies will give out a nice little hardware firewall à la Linksys or Netgear along with their cable/dsl modems. Hell, Toshiba even makes a cable modem with a built in 4 port switch/firewall. Giving these users a broadband connection and no education on the dangers of the internet is like giving a Ferrari to someone who can't drive.
I know the ISP isn't ultimately responsible for their users' actions, but they'd be doing themselves a big favor by eliminating most of that traffic. During the heyday of the Blaster virus I was getting a few port 53 requests per second from infected machines on Verizon's dsl...that's quite an additional load on their network.
slashdot, news for crazed liberal socialist zealots
How about MyWindows.xp?
Actually Microsoft should be advertising the fact that it is the best OS on the planet for virus development and deployment. It would look good on the Windows vs Linux propaganda.
Haven't you denial-of-information-service people learned a damned thing? If port 25 is blocked, we'd just get SMTP-over-HTTP within 6 months.
I heard Romero has been working on the MyDaikatana.a worm for the past five years. Unfortunately, he released it into the wild and nobody noticed; it apparently couldn't spread.
Manipulate the moderator system! Mod someone as "overrated" today.
I'm no Microsoft supporter but you can not blame them for this one. Someone had to install a program (virus) to become infected. The spread of this virus and its variants are a result of ignorant computer users who happen to be on the Windows platform.
Blaster on the other hand was a result of a security flaw in Windows.
Hey guys, I just heard from a guy who got infected by the romero.a worm that MyDaikatana is supposed to make us its bitch in 2005. Although the romero.b, .c and .d variations claim the same thing for 2006, 2007 and 2008, respectively.
Mr. T pitied this fool on 27 July 1992.
You know when you feel like you have something really clever to say and want to say it really bad cuz you think it's so amazing?
Here it is!
Why don't I create a machine that will fix your car for you too, and mow your lawn, and take out your trash and solve that pesky virginity problem of yours?
Because that's why WOMEN were invented! They solve all of the world's problems! Go away from your computer, and find a woman who will download the new anti-virus definitions for you and solve the rest of your problems!
Now to all the women out there: YES, I am available, please send me your resume containing important skillsets outlined above.
(but seriously, I am going to die alone)
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.
The writeup from Symantec is here.
-R
Anyone who writes this would probably be accused of writing the original virus. As an added bonus, if the writer is a U.S. citizen, the terrorist enhancement would apply, and this means he or she might accept a plea regardless of guilt.
You misspelled "dumbasses". (MyDoom doesn't exploit software weaknesses but idiot users who click on everything that looks like it could make funny noises when clicked.)
Free as in mason.
Next thing you know, we'll see this on Windows Update:
MyDoom.C - A critical update for the MyDoom virus is now available. This update fixes the flaw that prevented infected machines from launching DOS attacks at microsoft.com past the expiry date. Install this update if you need microsoft.com DOSing capabilities.
Subject: Clickety-click!
Attachment:clickety.exe
Text:
Yeah, you know, the files you axed me for.
<SmallerFont>
By starting the attached file, you agree to: A) have remote administration software installed on your computer, B) allow that remote administration software to replicate to other computers as well, C) have a mail relay installed on your computer, D) have software that might conflict with the remote administration software (e.g. anti-virus software) disabled, E) you're not reading this anymore, are you? F) have updates to the remote administration software automatically installed, G) this text is so boring, H) even if those updates fundamentally alter the functionality of the software (e.g. DDOS the shit out of macrohard.com or dashslot.org) I) why not check out the nice file i sent you instead. J) you agree to never sue the author or distributor of this remote administration software for anything. K) no, really. the file is so nice - maybe it even makes funny sounds when you click it? L) neither anyone who uses your computer to send electronic mail, no matter what quantity or content.
</SmallerFont>
We all know, nobody reads those EULAs
Free as in mason.
MyDukeNukeMForever.A
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
From Internet Storm Center (emphasis mine):
A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the Mydoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDOS against www.microsoft.com.
do we have to wait for myDoom.z to come out before we start on numbers? i'm still waiting for myDoom 3 to finally get released over here ;)
People just need to understand that e-mail is not a file transfer mechanism. If they want they can put a URL in the e-mail pointing to their file but then you have some kind of accountability at least (and web browsers should not download executable files without a fuss too).
There is almost no reason why anybody would need to send anybody else executable code. And for the one rare instance where I have had to send an executable to a windows user (a demo of my software) I found it difficult as it is; the user had to be instructed how to save and then execute it.
Virus-writers don't get to name their viruses, the anti-virus companies do that.
Well you seem to be making one mistake....
The virus writers ARE the anti-virus companies!
I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?
ISC and dshield are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater.
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
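The sanity check the poster above is doing by eye (how many distinct source IPs hit port 3127 in each 10-minute window, and how many of them are new) can be scripted against firewall logs. This is an added example, not code from the thread or from ISC/DShield; the iptables-style log lines are constructed, using documentation address ranges, and the window size and port are assumptions matching the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): iptables-style kernel log lines.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
Feb  9 22:01:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4132 DPT=3127 SYN
Feb  9 22:03:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=1045 DPT=3127 SYN
Feb  9 22:04:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=4133 DPT=3127 SYN
Feb  9 22:05:55 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=80 SYN
Feb  9 22:11:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.13 PROTO=TCP SPT=3322 DPT=3127 SYN
Feb  9 22:14:27 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=4134 DPT=3127 SYN
Feb  9 22:18:51 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=1500 DPT=3127 SYN
Feb  9 22:23:16 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.15 PROTO=TCP SPT=1051 DPT=3127 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s.*?"
    r"SRC=(?P<src>[\d.]+)\s.*?DPT=(?P<dpt>\d+)"
)
MYDOOM_BACKDOOR_PORT = 3127   # port opened by MyDoom.A/.B, scanned by Doomjuice
WINDOW_SECONDS = 600          # the 10-minute buckets the poster reasons in

def parse_hits(log_text, port=MYDOOM_BACKDOOR_PORT, year=2004):
    """Return (timestamp, src) for each line whose destination port is `port`.
    Syslog lines carry no year, so the caller supplies it."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dpt")) != port:
            continue
        stamp = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S")
        hits.append((stamp, m.group("src")))
    return hits

def sources_per_window(hits, window=WINDOW_SECONDS):
    """Bucket hits into fixed windows; returns {window_start: set(src)} in order.
    Window offsets are taken from Jan 1 of the first hit's year, so bucket
    boundaries do not depend on the local timezone."""
    buckets = defaultdict(set)
    if not hits:
        return {}
    origin = datetime(hits[0][0].year, 1, 1)
    for stamp, src in hits:
        offset = int((stamp - origin).total_seconds())
        start = origin.timestamp() + offset - offset % window
        buckets[datetime.fromtimestamp(start)].add(src)
    return dict(sorted(buckets.items()))

def new_sources_per_window(buckets):
    """For each window give (start, distinct sources, sources never seen before).
    A steadily large 'new' column is the growth signal the poster describes."""
    seen, growth = set(), []
    for start, srcs in buckets.items():
        fresh = srcs - seen
        growth.append((start, len(srcs), len(fresh)))
        seen |= srcs
    return growth

if __name__ == "__main__":
    for start, total, fresh in new_sources_per_window(
            sources_per_window(parse_hits(SAMPLE_LOG))):
        print(f"{start:%H:%M}  sources={total}  new={fresh}")
```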
Anyone got a good SpamAssassin or procmail rule to filter out the backscatter?
I couldn't care less if it weren't for the flood of "you sent us an infected mail" spam that has been flooding my inbox for days because some stupid morons don't know that auto-notifications on virus scanners should be smashed, crucified, cooked in hot oil and quartered before being shot through the head with a shotgun because all the recent viruses fake the damn sender address.
Assorted stuff I do sometimes: Lemuria.org
Great timing on this post (for me). I just got done reading how Microsoft has implemented RPC over HTTP in Exchange Server 2003. What next? Redirect ports 137-139 and 445 over HTTP to allow file sharing through corporate firewalls? :(
...That the image of Einstein on the Slashdot header for this article isn't really an image of Einstein. Noooo, not at all. It's actually a composite representation of what SysAdmins worldwide look like after they get through battling Yet Another Worm, applying the Redmond Empire's Patch(es)-of-the-Month, reminding Clueless (L)users not to click on the pretty executable that came in their E-mail... well, you get the idea...
Bruce Lane, KC7GR,
Blue Feather Technologies
Isn't it obvious why MyDoom.C was released? The intricacy makes it fairly apparent that it's either the original author or someone connected with it. Why would they release another variant of their own tool?
After the release of MyDoom.A, there was more than a little speculation that the true hidden purpose of these e-mail worms was to spawn a network of zombied PCs to use for spamming. The 'A' version made it a little too obvious, even with the included red herrings of DoS attacks against SCO and MS. Uh oh. And now Mr. Spammer is getting a little antsy -- has the FBI made the same connection many in the infosec scene have? Uh oh. Time to cover your tracks.
What better way to do that than to release another version of your virus that throws all the investigations off the trail, looking for some OSS Loving Blackhat who'd want to DoS SCO instead of the criminal head of a spam gang trying to enlarge his empire?
And before anyone suggests I put on a tin foil hat...go gather some statistics. Specifically, make a chart of the release of e-mail worms, and another chart of the accuracy-rate of DNSBLs. You'll see, as I did, that as DNSBL accuracy reaches 100% (they contain all currently-zombied hosts), boom, out comes another e-mail worm. The release of MyDoom seems to have gone off poorly -- admins received warning and were prepared, not very many machines (relatively) were infected, and a lot of attention from the infosec community was directed at the source of the releases. I'm sure purely by coincidence, my DNSBL hit rate remains high, and spams by a certain well known individual who I believe to be responsible for this don't seem to be coming at nearly the volume one would expect from such a prolific scumbag.