Slashdot Mirror


MyDoom Seeks to Destroy Antivirus Firms

Khoo writes "Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee. In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies."

1 of 284 comments (clear)

  1. Thoughts and musings on releasing malicious code by gd23ka · · Score: 5, Interesting

    Thoughts and musings on how to release malicious code onto the internet while being physically present in a state hostile to the United States of America and targetting assets of that hostile state, causing a maximum of damage while making it nearly impossible to be traced or identified.

    First of all, access to the internet has to be completely anonymous. Many people have used their personal internet access or the one at work. Malicious code _will_ be traced back to the orginating internet access by security agencies of states hostile against the United States of America.

    Anonymous access to the internet is easily possible from:
    a) unsecured wireless access points
    b) internet cafes

    Since many public and private places in states that are hostile to the United States are nowadays under 24h covert video surveillance, unsecured wireless access points are safest. The safest way to use an unsecured access point would be from a car travelling at the maximum speed possible for a notebook on board to find a path through an unsecured access point to the internet. The malicious code package however should not be released directly to the internet but onto the first vulnerable system after the AP that has access to the internet. When using the AP the physical MAC-address of the wireless adaptor must not be used for obvious reasons, the card should be programmed with a new MAC-address. After releasing the malicious code package the notebook should immediately securely erase all traces of the malicious code package, the delivery system and the secure eraser. The secure erasure of the mentioned components should also be triggerable by a single keypress. The notebook should be kept under sufficient power and in a state where secure erasure can be triggered at all times (disable screensaver, power low standby etc.). The secure erasure should also be triggered when the notebook is about to enter a state where the secure erasure can not be triggered and completed (low power, etc.). The notebook should not be hooked up to the car's battery nor should any antennas or fixtures be evident that reveal the notebook is being actively used in the car. The warmth of the notebook in operation is not explainable therefore appropiate navigational software and a GPS mouse should be present. It is important to avoid areas where the car could leave identifiable tire tracks. If possible avoid entering zones of known video surveillance or zones where searches by hostile forces can be expected. I know this sounds paranoid but shit happens.

    The malicious code should be wrapped into an installer that hides the malicious code onto the first vulnerable target after the access point for a period of at least six days and release the malicious code to the internet preferably on the evening of the friday following the minimum six days.

    All code, excluding the delivery system and secure erasure code, should hide on the system using state of the art techniques (filesystem filters, hooking registry access, manipulation of NT kernel data areas).

    If the malicious code happens to be a worm, a very slow rate of infection is advised as well as a novel vulnerability being exploited. This is in the hope that the worm will over months penetrate into sensitive intranets without being discovered. As the clock of a given node can not be depended on for accurate time/date information the worm instance should not rely on it to measure time. Instead time should be measured by cpu cycles, poweron/poweroff cycles etc. Systems belonging to a state hostile to the United States of America can be recognized through characteristics discovered through prior intelligence.

    All development and testing that takes place while located in a state hostile against the United States of America should be confined to one system. Backups must use state of the art encryption must be accounted for and be destroyed after being superseded. If you (unwisely) choose to keep the final version of the code after the attack, encrypt it with a xor of r