MyDoom Seeks to Destroy Antivirus Firms
Khoo writes "Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee.
In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies."
... if all of these viruses were something more then a rip-off of a rip-off of a rip-off of someone elses code.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Do you want to use the antivirus product of a company whose network goes down due to a virus?
Evolution or ID?
Really was just a matter of time before an assault. It's a war. Virii vs. the White ('blood cell') Knights. The worst disease in the world is AIDS, not because it kills directly, but because it inhibits immunity entirely. After your anti-virus software is nuked, the most basic of hacks could nail your pc.
I read somewhere that MyDoom was named because the virus when viewed in an ASCII viewer contains an amount of freetext that was meant to say 'mydomain' but instead it was mis-spelt in the virus to say 'mydoomain' - hence MyDoom.
So much for the traditional arguments made by virus writers that they're trying to force better security practices. Either that, or running anti-virus software isn't considered a security practice by virus writers.
I wish I still had the e-mails handy, but I once communicated with a reformed Mac virus writer in the mid-90's. (The Mac platform had a minor virus epidemic in the late-80's to early-90's before the Windows platform overshadowed it.)
His explanation at the time was that both the Mac and Windows APIs felt very "constrained" at the time, and he wanted to experiment with what parts of the OS functionality were usable in certain contexts. IIRC, he was one of the first to exploit an old "UI drawing resource" security flaw that was patched during the System 7 era.
Prior to the 'Net, most virus writers wrote the things out of curiosity or accident, since a computer's primary function is to simply copy and move numerical data. That's essential what a virus or worm is: a mere data replicator. Now that most PC are connected to a worldwide network, unvetted data copying is considered dangerous by many. This is partly why some in the business and media worlds regard P2P sharing and open source as part of the same "underground" as virus writing and software piracy. Most end users nowadays have completely forgotten that computers are simply Xerox copiers at a fundamental level.
Those who complain about affect & effect on
Thoughts and musings on how to release malicious code onto the internet while being physically present in a state hostile to the United States of America and targetting assets of that hostile state, causing a maximum of damage while making it nearly impossible to be traced or identified.
First of all, access to the internet has to be completely anonymous. Many people have used their personal internet access or the one at work. Malicious code _will_ be traced back to the orginating internet access by security agencies of states hostile against the United States of America.
Anonymous access to the internet is easily possible from:
a) unsecured wireless access points
b) internet cafes
Since many public and private places in states that are hostile to the United States are nowadays under 24h covert video surveillance, unsecured wireless access points are safest. The safest way to use an unsecured access point would be from a car travelling at the maximum speed possible for a notebook on board to find a path through an unsecured access point to the internet. The malicious code package however should not be released directly to the internet but onto the first vulnerable system after the AP that has access to the internet. When using the AP the physical MAC-address of the wireless adaptor must not be used for obvious reasons, the card should be programmed with a new MAC-address. After releasing the malicious code package the notebook should immediately securely erase all traces of the malicious code package, the delivery system and the secure eraser. The secure erasure of the mentioned components should also be triggerable by a single keypress. The notebook should be kept under sufficient power and in a state where secure erasure can be triggered at all times (disable screensaver, power low standby etc.). The secure erasure should also be triggered when the notebook is about to enter a state where the secure erasure can not be triggered and completed (low power, etc.). The notebook should not be hooked up to the car's battery nor should any antennas or fixtures be evident that reveal the notebook is being actively used in the car. The warmth of the notebook in operation is not explainable therefore appropiate navigational software and a GPS mouse should be present. It is important to avoid areas where the car could leave identifiable tire tracks. If possible avoid entering zones of known video surveillance or zones where searches by hostile forces can be expected. I know this sounds paranoid but shit happens.
The malicious code should be wrapped into an installer that hides the malicious code onto the first vulnerable target after the access point for a period of at least six days and release the malicious code to the internet preferably on the evening of the friday following the minimum six days.
All code, excluding the delivery system and secure erasure code, should hide on the system using state of the art techniques (filesystem filters, hooking registry access, manipulation of NT kernel data areas).
If the malicious code happens to be a worm, a very slow rate of infection is advised as well as a novel vulnerability being exploited. This is in the hope that the worm will over months penetrate into sensitive intranets without being discovered. As the clock of a given node can not be depended on for accurate time/date information the worm instance should not rely on it to measure time. Instead time should be measured by cpu cycles, poweron/poweroff cycles etc. Systems belonging to a state hostile to the United States of America can be recognized through characteristics discovered through prior intelligence.
All development and testing that takes place while located in a state hostile against the United States of America should be confined to one system. Backups must use state of the art encryption must be accounted for and be destroyed after being superseded. If you (unwisely) choose to keep the final version of the code after the attack, encrypt it with a xor of r