Slashdot Mirror


MyDoom Seeks to Destroy Antivirus Firms

Khoo writes "Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee. In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies."

60 of 284 comments

  1. Ehh... by DreddUK · · Score: 5, Funny

    Isn't this like the virus companies threatening to shoot themselves....? Oh, hang on, they don't really write all the virii... :)

    --
    "If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z is keep your mouth shut" - A Einstein.
    1. Re:Ehh... by macdaddy357 · · Score: 5, Funny
      I just hope they keep Monkeypoo from spreading far and wide! Here is the mail circulating about it

      VIRUS WARNING:

      Attention: Computer Labs Inc., makers of Virucide antivirus software have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject, "Congratulations. You have won!" It will then prompt you to click a link to collect your cash prize. It can also freely spread across networks.

      Monkeypoo will read your address book, and mail a copy of itself to every address it finds, and it will look like you sent it. It will then invoke the secret self-destruct command held over from the original IBM PC's 8086 command set. This short line of code will cause the processor, ram, hard drive and any floppy drives to spin out of control and overheat until key components melt together, and will most likely cause a fire.

      James Winklee, a former IBM programmer had this to say. "We developed the self-destruct code so government agencies such as the FBI and CIA could quickly and completely destroy compromised computer systems before an enemy could get their hands on classified information. When we saw how violently a PC executing the command burst into flames, we decided not to publish its existence. It has been kept a secret successfully until now. If you get infected with the Monkeypoo Trojan worm, you may notice your computer going completely haywire. Physically unplug it from power as fast as you can, and send it in for repair. Only a professional can remove this one."

      While Computer Labs Inc and other antivirus software makers are working on a solution, they haven't got one a home user could successfully run yet. "This is the worst kind of malicious code I have ever seen." said Marcus Polan of Computer labs Inc. Use extreme caution.

      It is important that as many computer users as possible receive this warning, so send it out to as many people as you can. The entire Internet and every PC connected to it is at risk.

      Scary stuff huh?

      --
      How ya like dat?
    2. Re:Ehh... by therealjason · · Score: 3, Funny

      It's real! My brother's friend's cousin's uncle's grandparents got it!

    3. Re:Ehh... by fluffybacon · · Score: 5, Funny

      I hate those hoax warnings, but this one is important!!

      Please send this to everyone on your e-mail list - both male and female!

      If a man comes to your front door and says he is conducting a survey and asks you to show him your arse, do not show him your arse.

      This is a scam; he only wants to see your arse.

      I wish I'd gotten this yesterday. I feel so stupid and cheap.

      --
      It's not big, but it's clever!
    4. Re:Ehh... by Mr.+Bad+Example · · Score: 4, Funny

      > It's real! My brother's friend's cousin's uncle's grandparents got it!

      And hanging from the CD-ROM tray was...a hook!

  2. Live Update by UID1000000 · · Score: 4, Insightful

    Maybe they can destroy Live Update so that Symantec can finally create a copy that isn't a resource hog.... wait....

    *sighs*

    nevermind

    --
    UID 1000000 is just around the corner.

    1. Re:Live Update by PygmySurfer · · Score: 2, Informative

      What does that have to do with LiveUpdate? LiveUpdate is the service for downloading new updates, it has nothing to do with the actual virus scan.

      Sounds to me like you're talking about Norton AutoProtect, not LiveUpdate.

  3. Maybe Id care... by TheRealMindChild · · Score: 3, Interesting

    ... if all of these viruses were something more than a rip-off of a rip-off of a rip-off of someone else's code.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Maybe Id care... by aussie_a · · Score: 2, Funny

      Open-Source at its best

  4. virii calling each other out... by Spydr · · Score: 5, Funny

    Hey Netsky! Nice code, did your mommy write it for you?!

    1. Re:virii calling each other out... by jrod2027 · · Score: 5, Funny

      Hey Netsky! Nice code, did your mommy write it for you?!

      Hey MyDoom! Yes she did, and she just pwned you!

  5. think about it.... by millahtime · · Score: 4, Interesting

    Do you want to use the antivirus product of a company whose network goes down due to a virus?

    1. Re:think about it.... by leonmergen · · Score: 2, Insightful
      Would you hire a security company whose office broke down after 500,000 people started throwing rocks at it?

      Yes, I would, it's nothing they could prevent.

      --
      - Leon Mergen
      http://www.solatis.com
    2. Re:think about it.... by Tenebrious1 · · Score: 4, Insightful

      Do you want to use the antivirus product of a company whose network goes down due to a virus?

      Any company's computers, even the best AV writers, are vulnerable to 1st day infections. Any company could get slammed if an unknown virus is introduced directly into their networks. So what would matter to me is not that they were taken down, but how quickly they are able to get their systems back online. That's indicative of how quickly they can get updates online and out to the rest of us who may be suffering the same fate.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
  6. Time... by zeropointentity · · Score: 3, Interesting

    Really was just a matter of time before an assault. It's a war. Virii vs. the White ('blood cell') Knights. The worst disease in the world is AIDS, not because it kills directly, but because it inhibits immunity entirely. After your anti-virus software is nuked, the most basic of hacks could nail your pc.

  7. Destroy ?? by MHleads · · Score: 5, Insightful

    The only way to destroy an anti-virus firm is to stop writing viri. The more the viri, the more $$$ for AV companies.

    1. Re:Destroy ?? by Anonymous Coward · · Score: 4, Insightful

      They already stopped writing "viri" and "virii", because most people who aren't affecting some ridiculous air of pseudo-intelligence write viruses instead.

      Anyway, true viruses are damn hard to find nowadays. Most AV programs protect against trojans and worms, not file-infecting viruses. Any AV company worth a damn has turned into a general security company (take note that symantec also owns bugtraq, for example). Long as people break into places, we're going to have locks....

  8. Re:Just a bunch of horse crap... by millahtime · · Score: 4, Insightful

    I have OS X and we users need to quit trash talking. Too many of us don't use antivirus software. And, yes, despite it being an amazingly secure setup there are holes as in any system. So, let's not provoke the smart virus writers who can write one for OS X if they put enough time and effort in. Let's stay low key as long as possible.

  9. N3ws for n3rds, Stuff best left unheard ... by Delirium+Tremens · · Score: 4, Insightful
    Maybe, just maybe, we should not give those guys any free publicity... Wouldn't this actually be good news to skip and leave untold?
    We don't really want to boost the ego of those jacks, do we?

    And hopefully, Taco won't repost the same story in a few days...
    <sarcasm/>

  10. With great power come great... by ID000001 · · Score: 2, Interesting

    I seriously doubt virus companies write their own viruses and release them into the wild. There are enough viruses already. They could hardly keep up. What I worry most about is not the attack toward the anti-virus company; all the anti-virus providers have to do is set up a temporary IP to dodge any Live Update DoS. Similar to what Microsoft has done in the past. However, what sort of signal is this sort of news giving to the rest of the coders? Making viruses makes you more powerful? I have heard somewhere that if you control 10,000 machines on the internet, you are unstoppable. That only leads me to wonder how many people out there actually control that amount of machines, and worse yet, what if they join together as an alliance and destroy anything in their path for immature reasons? Dalnet came to mind.. don't know anything else that has been heavily damaged by DoS. Can anyone else point out?

    1. Re:With great power come great... by LiquidCoooled · · Score: 3, Funny

      I bet a ninja could stop your alliance of unstoppable destructive machines.

      That's because Ninjas have Real Ultimate Power.

      Now, if a virus could somehow enact the power of 10,000 ninjas on the internet, then it would be unstoppable, they would all go and stab your webserver in the eye, and they wouldn't even flinch.

      [/tongue_in_cheek]

      Back in reality, I'm watching out for the lower level Router attacks, or an attack of some type on the DNS roots. Whilst we believe we have the infrastructure to cope, I believe it will be a much more serious problem than DoSing somebody's website. Only recently we had a scare, and the powers that be hushed up and covered up to give themselves some room.

      --
      liqbase :: faster than paper
    2. Re:With great power come great... by Dmala · · Score: 3, Funny

      We really need to get the guy who does the voice of Invader Zim to read your post...

  11. TANGERINE ALERT! by Badgerman · · Score: 4, Funny

    I think it's time to panic. We know virus writers always tell the truth and would never engage in deception or hyperbole. Therefore this must be true.

    I recommend we immediately declare western civilization over to beat them to the punch.

    There, got my sarcasm out for the day. Now to go to work and refuel it.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  12. Re:Thanks, guys by eclectro · · Score: 4, Insightful

    Unfortunate but true. Just as WMD was used as an excuse for Iraq, Viruses will justify a new draconian Patriot Act II that really will do nothing to stop virus writers but will do everything to control law abiding citizens.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  13. Re:Just a bunch of horse crap... by hamishmorgan · · Score: 3, Funny

    I considered modding you down to help keep your message "low key"...

  14. Virus Facts by Himring · · Score: 5, Informative

    I'm not sure those bigger AV companies will be able to protect themselves. They are slow in responding to threats much less threats against themselves.

    I put together this report for our project team recently. The sources are MCI, Verisign, et al (mostly, esecurityplanet.com article -- yes, google makes reports easy/fun).

    Wait time for AV fix
    (source: http://www.esecurityplanet.com/views/article.php/3316511)
    Below marks the average wait time from release of virus to each company providing definitions to find/clean

    H:M Anti-Virus Program
    06:51 Kaspersky
    08:21 Bitdefender
    08:45 Virusbuster
    09:08 F-Secure
    09:16 F-Prot
    09:16 RAV
    09:24 AntiVir
    10:31 Quickheal
    10:52 InoculateIT-CA
    11:30 Ikarus
    12:00 AVG
    12:17 Avast
    12:22 Sophos
    12:31 Dr. Web
    13:06 Trend Micro
    13:10 Norman
    13:59 Command
    14:04 Panda
    17:16 Esafe
    24:12 A2
    26:11 McAfee
    27:10 Symantec
    29:45 InoculateIT-VET

    The averages vary from about 7 hours per virus to more than one full day (almost 30 hours). It's important to note two things about the figures in the table above:

    Some of the programs were able to detect some of the viruses in the testing period heuristically -- without needing an update. Ikarus, Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus, whereas Norman and RAV were able to do it with Bagle.B. In those cases, the anti-virus program was assigned a response time of zero for that one virus. This reduced those vendors' average response times.

    On the other hand, A2 had not posted a signature for the Bagle.B virus within three days, when the test period ended. This program, therefore, was assigned a response time of 35 hours in this instance. If this virus had not been considered in the statistics, A2's average response time would have been reduced to 15:26 rather than 24:12.

    Hours to saturation/Dollar damage done by:

    Klez 2.5 hours $9B
    Sobig 10 hours $14B

    2003 overall virus damage $89B

    Average cost to patch and protect one workstation (includes AV, PM & FW): $234.

    Global spam decreased in August 2004 due to hurricanes (FL is the largest producer of global spam).

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  15. I'm surprised it took this long by bblazer · · Score: 2, Interesting

    Why hadn't this happened sooner (if it really does happen)? I know companies like Microsoft and SCO are understandable targets for these cretins, but wouldn't you think that their natural enemy would be the anti-viri firms? If this does come off, I am anxious to see what the reaction is.

    --
    My .bashrc can beat up your .bashrc!
    1. Re:I'm surprised it took this long by antifoidulus · · Score: 2, Interesting

      It's interesting that them writing more viruses to attempt to hurt their enemy actually helps their enemy, more viruses=more sales. Different for entities like MS, if I convert a person to Linux, that doesn't help MS......

  16. Re:VIRUSES calling each other out... by Anonymous Coward · · Score: 5, Funny

    "i thought we settled this a long time ago, the term varies depending on the number... viri for one, virii for two, viriii for three, viriv for four, virv for five, and so on..."

  17. Mydoom... by 2$+Crack+Whore · · Score: 3, Interesting

    I read somewhere that MyDoom was named because the virus when viewed in an ASCII viewer contains an amount of freetext that was meant to say 'mydomain' but instead it was mis-spelt in the virus to say 'mydoomain' - hence MyDoom.

  18. Mild threat by tmoore09 · · Score: 2, Insightful

    The threat of a DOS attack is quite mild compared to actually writing truly malicious code. Something along the lines of repartitioning the hard drive and reformatting the drives upon reboot. The viruses that we have seen have mainly served to slow or disconnect the victim from the network. I feel there could be worse scenarios than what we have seen thus far.

    1. Re:Mild threat by Patrik_AKA_RedX · · Score: 4, Insightful

      A DOS attack isn't "quite mild" when your business depends on your internet connection (e.g. Amazon). Not to mention the bill for all that extra traffic.

    2. Re:Mild threat by Daedala · · Score: 2, Interesting

      There are worse threats. Right now, virus writers seem to be distracted by the easy money from spam, botnets, etc. I'm not sure this is bad. I think I'd rather be cluttering the net with more spam than rewriting my hard drives. Fortunately, my system has been, if not hardened, at least pretty thoroughly gelled.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
  19. Re:Virii??? by nick-less · · Score: 4, Funny

    I think you'll find the plural is 'viruses'

    yeah sure, next time you gonna tell us that the plural of box is boxes and not boxen...

  20. Re:Just a bunch of horse crap... by chrish · · Score: 2

    How to install antivirus software on Mac OS X:

    fink install clamav

    Of course, then you'll have to add a cron job or something to run it periodically, or you can just run it by hand over things you've downloaded.

    --
    - chrish
  21. Why are all these Anti-Virus people using windows? by jellomizer · · Score: 2, Insightful

    Just so they can use their products to protect themselves from viruses. I would trust an Anti-Virus company more if they were running OpenBSD or some other secure OS. Yea sure they make anti-virus for windows but that is because they know that windows is insecure. Besides, if someone wants a virus to spread they just kill the updates for the anti-virus.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  22. I guess they didn't get the memo by crawdaddy · · Score: 3, Interesting

    So much for the traditional arguments made by virus writers that they're trying to force better security practices. Either that, or running anti-virus software isn't considered a security practice by virus writers.

  23. Diversion by aralin · · Score: 2, Informative
    Pardon me for being sarcastic and a little paranoid, but if I were an anti-virus company creating more work for myself and more dough for my shareholders by letting an occasional virus out, there would be no better diversion than aiming at destroying myself and taunting other virus writers so they write more and better the next time.

    Nah, ... maybe I am too paranoid, this time...

    --
    If programs would be read like poetry, most programmers would be Vogons.
  24. A kiddie scorned? by AndroidCat · · Score: 2, Funny
    Is this from the same virus line that had a "script kiddie looking for job" string in it? Maybe he's just pissed off because the Sasser/Netsky author got one and he didn't?

    He should include his full résumé, address and phone number in the next one.

    --
    One line blog. I hear that they're called Twitters now.
  25. Why tell them? by Gary+Destruction · · Score: 4, Funny

    If the MyDoom writers want to mess up antivirus companies, why don't they just do it and be totally quiet about it? The only thing worse than an attack is one that you don't see coming. To top that off, they could have made a different virus to attack antivirus firms and make the antivirus firms think it was the netsky writers that did it. And then someone could make a movie about it and play it on TNT because they know drama.

  26. Anti-Virus software is dangerous by Secrity · · Score: 5, Insightful

    This is the very reason why depending upon anti-virus software is dangerous. Anti-virus software causes people to become less careful about computer security. Becoming less careful about computer security because you have anti-virus software is something like driving less carefully because you believe that airbags will keep you safe in the event of a car accident.

    1. Re:Anti-Virus software is dangerous by rednip · · Score: 2, Insightful
      Becoming less careful about computer security because you have anti-virus software is something like driving less carefully because you believe that airbags will keep you safe in the event of a car accident.
      But air bags can save your life; I don't feel right riding in a car without a full set. While some people who use anti-virus may use their systems unwisely, I, however, suspect that most people who take the time to install, buy and update the license are more aware of the problem, not less. The real problem is people who don't care.

      The thing that worries me the most about anti-virus is automatic updates and timed system scans with unattended repairs. Just think: if the update server was compromised (yea, I know, *really* far-fetched), a black hat could change the definition to read "destroy all .exe files" and/or .jpg, etc. I have my calendar remind me once a month to do anti-virus and Spybot system scans, but I will not set them to automatic.

      --
      The force that blew the Big Bang continues to accelerate.
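    The update-tampering worry in the comment above has a standard mitigation: the client never applies a definition file that does not carry a valid signature from the vendor's offline key, so a compromised download server can at most withhold updates, never rewrite them. The Go program below is an added example written for this page, not code from any anti-virus product or from the commenter; the SignedUpdate wire format, the Client type and the rule that binds the version number into the signed message are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedUpdate is a hypothetical wire format for a definition update:
// the payload plus a detached Ed25519 signature made with the vendor's
// offline signing key. Constructed for this example.
type SignedUpdate struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("definition update rejected: signature does not verify under the pinned vendor key")
	ErrRollback     = errors.New("definition update rejected: version is not newer than the installed definitions")
	ErrBadKey       = errors.New("client misconfigured: pinned vendor key has the wrong length")
)

// signingMessage binds the version number to the payload, so a genuinely
// signed old update cannot be replayed under a newer version label.
func signingMessage(version uint64, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, payload...)
}

// SignUpdate is the vendor-side step. In practice it runs on an offline
// signing host, never on the internet-facing download server.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) SignedUpdate {
	return SignedUpdate{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingMessage(version, payload)),
	}
}

// Client is the scanner's update component: it pins the vendor public key
// at install time and remembers the newest version it has applied.
type Client struct {
	VendorKey ed25519.PublicKey
	Installed uint64
	Applied   [][]byte // payloads accepted so far (stands in for the definition store)
}

// Apply accepts the update only if the signature verifies and the version
// moves forward. On any failure the definition store is left untouched, so
// a tampered payload such as "delete all .exe files" never reaches the scanner.
func (c *Client) Apply(u SignedUpdate) error {
	if len(c.VendorKey) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	// ed25519.Verify returns false (rather than panicking) for a
	// wrong-length signature, so no separate length check is needed.
	if !ed25519.Verify(c.VendorKey, signingMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= c.Installed {
		return ErrRollback
	}
	c.Installed = u.Version
	c.Applied = append(c.Applied, u.Payload)
	return nil
}

func main() {
	// The vendor generates a keypair once; the public half ships inside the installer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	client := &Client{VendorKey: pub}

	good := SignUpdate(priv, 1, []byte("defs: worm-signatures v1 (constructed sample)"))
	fmt.Println("genuine update:", client.Apply(good))

	// A compromised download server can swap the payload but cannot re-sign it.
	tampered := good
	tampered.Payload = []byte("defs: delete all *.exe files (hostile, constructed)")
	fmt.Println("tampered payload:", client.Apply(tampered))

	// Replaying the genuine version-1 file after it is installed is refused too.
	fmt.Println("replayed update:", client.Apply(good))
	fmt.Printf("installed version %d, %d payload(s) applied\n", client.Installed, len(client.Applied))
}
```

    The point of using a public-key signature rather than a shared MAC is that the download server and every client hold no secret at all: compromising either of them yields nothing that lets an attacker mint a definition file. Binding the version into the signed bytes closes the second hole a signature alone leaves open, namely replaying an old, genuinely signed update to keep a client blind to newer threats.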
  27. Revamp IT infrastructure by wimbor · · Score: 2, Insightful

    Sometimes I wonder if it wouldn't be cheaper to just revamp the whole IT infrastructure.

    Let's say all companies in all countries, the governments and the IT suppliers join hands and pay into one large "IT fund" or donate research time and development for a joint new technology.

    At the same time governments all over the world pass legislation to increase the responsibility of IT vendors like e.g. Microsoft (faster bug fixes required by law, free bug fixes, longer free support, better and safer Windows code, ...) and up-to-date legislation to prosecute virus writers and so on.

    We use these measures to:

    1) Get rid of x86/WinTel and all its legacy technology and software (no more ISA, no more IRQ, no more Win/DOS compatibility, ....) and move to something decent (PowerPC? Heck, even MS goes to PowerPC for the future XBOX, so why not for PC's...)

    2) Get rid of Windows altogether and create a decent replacement for it without legacy and backwards compatibility

    3) All governments buy Apple machines and Mac OS X at huge discounts: already a huge step forward in security of our personal information and files.

    I think this would enhance competition, drive the economy forward, foster future new developments and maybe get rid of monopolies and get decent competition in the IT market... and be a lot cheaper than the combined cost of all anti-virus licenses, and hidden costs of lost productivity and fall-out of current attacks...

    I know... I know... I'm dreaming eh... Some forces would be against this... Damn....

  28. Without a doubt, I would by thrill12 · · Score: 4, Funny

    I am just the average Joe, who is brainwashed by such renowned companies as Microsoft into believing that it is not the software companies that make the mistakes, but the people who make the things that cause the mistakes to trigger!

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  29. Internet=insecure by j0kkk3l · · Score: 3, Insightful

    Don't ever mention again internet and secure in one sentence. It isn't secure and never will be. Just as commuting to work will never be secure. There are only different levels of security: if you go by car (Windows), bike (Amiga ;)), bus (Linux) or train (OS X).

  30. Has anyone thought about this.. by Anonymous Coward · · Score: 3, Insightful

    A virus that performs a Denial of Service attack against the "automatic update" servers used to keep the client av software up to date?

    You then have a virus that is attacking the 1 thing that can "defeat" it, thus the virus "wins" as it has effectively knocked out the source of the antidote (providing the virus is able to spread at a very fast rate for the initial 12 or so hours).

    There is quite a lot of research on the web regarding the speed at which viruses spread and the # of hosts infected in the first X hours, which makes for interesting reading.

    To do it properly the virus shouldn't have any hardcoded IP addresses or domain names but instead seek the server name(s) from the (registry|av-binary|wherever it is stored). Other viruses have failed in the past because l33t master coders were stupid enough to hard code a list of IP addresses.

    A fast spreading virus that could do as described IMO would be a truly "successful" ground breaking virus, and it would certainly be interesting to see how the AV companies react to that.

    (I'm NOT suggesting, nor encouraging it to be done, just looking at an idea from a problem solving / technical implementation POV).

    Jason

  31. Re:Writing viruses senseless by DLWormwood · · Score: 3, Interesting
    What is the point in writing these things in the first place? I might understand the virus writer having a self-esteem problem and writing viruses boosts his/her ego. Other reasons escape me. Any takers?

    I wish I still had the e-mails handy, but I once communicated with a reformed Mac virus writer in the mid-90's. (The Mac platform had a minor virus epidemic in the late-80's to early-90's before the Windows platform overshadowed it.)

    His explanation at the time was that both the Mac and Windows APIs felt very "constrained" at the time, and he wanted to experiment with what parts of the OS functionality were usable in certain contexts. IIRC, he was one of the first to exploit an old "UI drawing resource" security flaw that was patched during the System 7 era.

    Prior to the 'Net, most virus writers wrote the things out of curiosity or accident, since a computer's primary function is to simply copy and move numerical data. That's essentially what a virus or worm is: a mere data replicator. Now that most PCs are connected to a worldwide network, unvetted data copying is considered dangerous by many. This is partly why some in the business and media worlds regard P2P sharing and open source as part of the same "underground" as virus writing and software piracy. Most end users nowadays have completely forgotten that computers are simply Xerox copiers at a fundamental level.

    --
    Those who complain about affect & effect on /. should be disemvoweled
  32. English, motherfucka, do you speak it? by syrinx · · Score: 5, Informative

    One virus. Two or more viruses. No other plural is acceptable.

    "Virii" is wrong.
    "Viri" is wrong.
    "Viriii" is wrong.
    "Virodes" is wrong.
    "Virusen" is wrong.
    "Viruss" is wrong.
    "Virus" as the plural is wrong unless you're speaking Latin, and even then it's not really a plural so much as a collective singular noun.
    ANYTHING THAT IS NOT "VIRUSES" IS WRONG.

    http://www.linuxmafia.com/~rick/faq/plural-of-virus.html

    I am fully in support of a keyboard that, whenever the letters "v" "i" "r" "i" "i" are typed sequentially, then administers a fatal electric shock to the typist.

    --
    Quidquid latine dictum sit, altum sonatur.
    1. Re:English, motherfucka, do you speak it? by SlackGirl · · Score: 2, Funny

      Where's Bob the Angry Flower when you need him?

  33. So there! by Anonymous Coward · · Score: 2, Funny

    My Doom3 is better than your MyDoom! Nyeah!

  34. 1337, motherfucka, do you speak it? by germaniumdiode · · Score: 2, Funny

    Um, this isn't "Slashdot, news for english majors..."

  35. Re:all your base are belong to us by mistersooreams · · Score: 2, Insightful

    Let's not over-simplify things.

    For a start, not everyone that writes a virus is an idiot. Yes, there are hundreds of script kiddies re-using someone else's virus code, but somewhere down the line, there's a black hat who is coming up with some pretty smart code. Let's not group together all virus writers as idiots and thus underestimate the threat they pose, which is probably greater than ever.

    Secondly, they may have little command of the English language, but there's a fair chance they are not native English speakers. The majority of new viruses these days seem to be emanating from Russia, China, and South Korea (by no coincidence, the relatively unpoliced areas of the internet). Don't take their poor English syntax as a sign of stupidity!

    It seems we may be in grave danger of tarring all virus writers with the same brush. These guys may be black hats but they are not all stupid. Let's not leave ourselves vulnerable by assuming that they are.

  36. Viruses are boring... by DroopyStonx · · Score: 2, Interesting

    These viruses/worms don't do a damn thing.

    You know what would be a great virus/worm? One that totally fucks up the partitions on your hard drive forcing you to reformat and lose all your data.

    Now THAT would be a funny virus. Imagine that getting spread across corporate america... you think it cost a lot to take 3 minutes out of the day to update virus defs and do a scan? Wait till you need to take hours out to reformat and reinstall.

    These are what worms/viruses should be. Not this "Hacked by chinese" bullshit.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
    1. Re:Viruses are boring... by ppswede · · Score: 2, Insightful

      That is also the reason no such viruses infect computers on a large scale - just like parasites in nature. A parasite that kills its host and prevents it from spreading will in effect limit its own spreading of genes/offspring... Now, a virus that spreads epidemically like the recent ones have, and at a given point destroys boot sectors or partition tables, now that would be funny..

  37. Re:Just a bunch of horse crap... by diamondsw · · Score: 2, Informative

    Of course, the reason Linux and OS X are virus-free isn't obscurity, it's because they are fundamentally better-designed and more-secure systems. User permissions, lack of access to low-level ports, and few services running by default all contribute to a fundamentally more secure platform.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  38. What about Clam AV? by mortonda · · Score: 2, Interesting

    In my experience, it should be at the top of the list.

  39. We need at least one by bill_mcgonigle · · Score: 2, Interesting

    So, let's not provoke the smart virus writers who can write one for OS X if they put enough time and effort in. Let's stay low key as long as possible

    We need a good Mac OS X virus to get us out of the '0' column.

    As it is people can claim there simply isn't anybody interested in writing Mac OS X viruses. At least if we got one they'd have to admit it's just damn hard.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  40. Thoughts and musings on releasing malicious code by gd23ka · · Score: 5, Interesting

    Thoughts and musings on how to release malicious code onto the internet while being physically present in a state hostile to the United States of America and targeting assets of that hostile state, causing a maximum of damage while making it nearly impossible to be traced or identified.

    First of all, access to the internet has to be completely anonymous. Many people have used their personal internet access or the one at work. Malicious code _will_ be traced back to the originating internet access by security agencies of states hostile against the United States of America.

    Anonymous access to the internet is easily possible from:
    a) unsecured wireless access points
    b) internet cafes

    Since many public and private places in states that are hostile to the United States are nowadays under 24h covert video surveillance, unsecured wireless access points are safest. The safest way to use an unsecured access point would be from a car travelling at the maximum speed possible for a notebook on board to find a path through an unsecured access point to the internet. The malicious code package however should not be released directly to the internet but onto the first vulnerable system after the AP that has access to the internet. When using the AP the physical MAC-address of the wireless adaptor must not be used for obvious reasons, the card should be programmed with a new MAC-address. After releasing the malicious code package the notebook should immediately securely erase all traces of the malicious code package, the delivery system and the secure eraser. The secure erasure of the mentioned components should also be triggerable by a single keypress. The notebook should be kept under sufficient power and in a state where secure erasure can be triggered at all times (disable screensaver, power low standby etc.). The secure erasure should also be triggered when the notebook is about to enter a state where the secure erasure can not be triggered and completed (low power, etc.). The notebook should not be hooked up to the car's battery nor should any antennas or fixtures be evident that reveal the notebook is being actively used in the car. The warmth of the notebook in operation is not explainable therefore appropriate navigational software and a GPS mouse should be present. It is important to avoid areas where the car could leave identifiable tire tracks. If possible avoid entering zones of known video surveillance or zones where searches by hostile forces can be expected. I know this sounds paranoid but shit happens.

    The malicious code should be wrapped into an installer that hides the malicious code onto the first vulnerable target after the access point for a period of at least six days and release the malicious code to the internet preferably on the evening of the friday following the minimum six days.

    All code, excluding the delivery system and secure erasure code, should hide on the system using state of the art techniques (filesystem filters, hooking registry access, manipulation of NT kernel data areas).

    If the malicious code happens to be a worm, a very slow rate of infection is advised as well as a novel vulnerability being exploited. This is in the hope that the worm will over months penetrate into sensitive intranets without being discovered. As the clock of a given node can not be depended on for accurate time/date information the worm instance should not rely on it to measure time. Instead time should be measured by cpu cycles, poweron/poweroff cycles etc. Systems belonging to a state hostile to the United States of America can be recognized through characteristics discovered through prior intelligence.

    All development and testing that takes place while located in a state hostile against the United States of America should be confined to one system. Backups must use state-of-the-art encryption, must be accounted for and be destroyed after being superseded. If you (unwisely) choose to keep the final version of the code after the attack, encrypt it with a xor of r

  41. Maybe not too paranoid by tinkerton · · Score: 2, Interesting

    Maybe not too smart either.

    There are plenty of new viruses out there all the time. There is plenty of attention to the nastiness out there, which is good for the market. So some company would tweak their tool so it adds a tiny bit to the general insecure situation.

    They'd have to arrange for internal secrecy so few people get to know the issue.

    They're ready to take a hit when the next guy does a comparative batch test for viruses and declares their product unsafe.

    They can't leave a paper/email trail so you can find out about the bad intent. Or a trail in the sourcetree.

    They have to watch out extra for disgruntled ex-employees who want to get even.

    It would complicate jobs unnecessarily. And the shareholders would not agree. No good intentions implied.

    It could pay more to hype the existing security issues. If it's possible to add to the existing hype.

  42. Re:Thoughts and musings on releasing malicious cod by rewt66 · · Score: 2, Insightful
    I know this sounds paranoid but **** happens.

    Yeah, well, you are talking about regimes where the consequences of being discovered are a certain and painful death, I think being paranoid is probably pretty good advice...

    But XORing against a random byte stream is not very good advice, because it is much more difficult than you might expect to generate such a random byte stream. Hint: The random number generator that comes with your compiler is not good enough.