MyDoom Seeks to Destroy Antivirus Firms

Khoo writes "Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee. In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies."

Ehh...

[DreddUK]

Isn't this like the virus companies threating to shoot themselves....? Oh, hang on, they don't really write all the virii... :)

Re:Ehh...

[macdaddy357]

I just hope they keep Monkeypoo from spreading far and wide! Here is the mail circulating about it

VIRUS WARNING:

Attention: Computer Labs Inc., makers of Virucide antivirus software have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject, "Congratulations.You have won!" it will then prompt you to click a link to collect your cash prize. It can also freely spread across networks.

Monkeypoo will read your address book, and mail a copy of itself to every address it finds, and it will look like you sent it. It will then invoke the secret self-destruct command held over from the original IBM PC's 8086 command set. This short line of code will cause the processor, ram, hard drive and any floppy drives to spin out of control and overheat until key components melt together, and will most likely cause a fire.

James Winklee, a former IBM programmer had this to say. "We developed the self-destruct code so government agencies such as the FBI and CIA could quickly and completely destroy compromised computer systems before an enemy could get their hands on classified information. When we saw how violently a PC executing the command burst into flames, we decided not to publish it's existence. It has been kept a secret successfully until now. If you get infected with the Monkeypoo Trojan worm, you may notice your computer going completely haywire. Physically unplug it from power as fast as you can, and send it in for repair. Only a professional can remove this one."

While Computer Labs Inc and other antivirus software makers are working on a solution, they haven't got one a home user could successfully run yet. "This is the worst kind of malicious code I have ever seen." said Marcus Polan of Computer labs Inc. Use extreme caution.

It is important that as many computer users as possible receive this warning, so send it out to as many people as you can. The entire Internet and every PC connected to it is at risk.

Scary stuff huh?

Re:Ehh...

[fluffybacon]

I hate those hoax warnings, but this one is important!!

Please send this to everyone on your e-mail list - both male and female!

If a man comes to your front door and says he is conducting a survey and asks you to show him your arse, do not show him your arse.

This is a scam; he only wants to see your arse.

I wish I'd gotten this yesterday. I feel so stupid and cheap.

Re:Ehh...

[Mr.+Bad+Example]

> It's real! My brother's friend's cousin's uncle's grandparents got it!

And hanging from the CD-ROM tray was...a hook!

Live Update

[UID1000000]

Maybe they can destory Live Update so that Symantec can finally create a copy that isn't a resource hog.... wait....

*sighs*

nevermind

virii calling each other out...

[Spydr]

Hey Netsky! Nice code, did your mommmy write it for you?!

Re:virii calling each other out...

[jrod2027]

Hey Netsky! Nice code, did your mommmy write it for you?!

Hey MyDoom! Yes she did, and she just pwned you!

think about it....

[millahtime]

Do you want to use the antivirus product of a company whose network goes down due to a virus?

Re:think about it....

[Tenebrious1]

Do you want to use the antivirus product of a company whose network goes down due to a virus?

Any company's computers, even the best AV writers, are vulnerable to 1st day infections. Any company could get slammed if an unknown virus is introduced directly into their networks. So what would matter to me is not that they were taken down, but how quickly they are able to get their systems back online. That's indicative of how quickly they can get updates online and out to the rest of us who may be suffering the same fate.

Destroy ??

[MHleads]

The only way to destroy Anti-virus firm is to stop writing viri. The more the viri, the more $$$ for AV companies.

Re:Destroy ??

They already stopped writing "viri" and "virii", because most people who aren't affecting some ridiculous air of pseudo-intelligence write viruses instead.

Anyway, true viruses are damn hard to find nowadays. Most AV programs protect against trojans and worms, not file-infecting viruses. Any AV company worth a damn has turned into a general security company (take note that symantec also owns bugtraq, for example). Long as people break into places, we're going to have locks....

Re:Just a bunch of horse crap...

[millahtime]

I have OS X and us users need to quit trash talking. To many of us don't use antivirus software. And, yes, despite it being an amazingly secure setup there are holes as in any system. So, lets not provoke the smart virus writers who can write one for OS X if they put enough time and effort in. Lets stay low key as long as possible

N3ws for n3rds, Stuff best left unheard ...

[Delirium+Tremens]

Maybe, just maybe, we should not give those guys any free publicity... Wouldn't this actually be a good news to skip and left untold?
We don't really want to boost the ego of those jacks, do we?

And hopefully, Taco won't repost the same story in a few days...
<sarcasm/>

TANGERINE ALERT!

[Badgerman]

I think it's time to panic. We know virus writers always tell the truth and would never engage in deception or hyperbole. Therefore this must be true.

I reccomend we immediately declare western civilization over to beat them to the punch.

There, got my sarcasm out for the day. Now to go to work and refuel it.

Re:Thanks, guys

[eclectro]

Unfortunate but true. Just as WMD was used as an excuse for Iraq, Viruses will justify a new draconian Patriot Act II that really will do nothing to stop virus writers but will do everything to control law abiding citizens.

Virus Facts

[Himring]

I'm not sure those bigger AV companies will be able to protect themselves. They are slow in responding to threats much less threats against themselves.

I put together this report for our project team recently. The sources are MCI, Verisign, et al (mostly, esecurityplanet.com article -- yes, google makes reports easy/fun).

Wait time for AV fix
(source: http://www.esecurityplanet.com/views/article.php/3 316511)
Below marks the average wait time from release of virus to each company providing definitions to find/clean

H:M Anti-Virus Program
06:51 Kaspersky
08:21 Bitdefender
08:45 Virusbuster
09:08 F-Secure
09:16 F-Prot
09:16 RAV
09:24 AntiVir
10:31 Quickheal
10:52 InoculateIT-CA
11:30 Ikarus
12:00 AVG
12:17 Avast
12:22 Sophos
12:31 Dr. Web
13:06 Trend Micro
13:10 Norman
13:59 Command
14:04 Panda
17:16 Esafe
24:12 A2
26:11 McAfee
27:10 Symantec
29:45 InoculateIT-VET

The averages vary from about 7 hours per virus to more than one full day (almost 30 hours). It's important to note two things about the figures in the table above:

Some of the programs were able to detect some of the viruses in the testing period heuristically -- without needing an update. Ikarus, Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus, whereas Norman and RAV were able to do it with Bagle.B. In those cases, the anti-virus program was assigned a response time of zero for that one virus. This reduced those vendors' average response times.

On the other hand, A2 had not posted a signature for the Bagle.B virus within three days, when the test period ended. This program, therefore, was assigned a response time of 35 hours in this instance. If this virus had not been considered in the statistics, A2's average response time would have been reduced to 15:26 rather than 24:12.

Hours to saturation/Dollar damage done by:

Klez 2.5 hours $9B
Sobig 10 hours $14B

2003 overall virus damage $89B

Average cost to patch and protect one workstation (includes AV, PM & FW): $234.

Global spam decreased in August 2004 due to hurricanes (FL is the largest producer of global spam).

Re:VIRUSES calling each other out...

"i thought we settled this a long time ago, the term varies depending on the number... viri for one, virii for two, viriii for three, viriv for four, virv for five, and so on..."

Re:Virii???

[nick-less]

I think you'll find the plural is 'viruses'

yeah sure, next time you gonna tell us that the plural of box is boxes and not boxen...

Why tell them?

[Gary+Destruction]

If the MyDoom writers want to mess up antivirus companies, why don't they just do it and be totally quiet about it? The only thing worse than an attack is one that you don't see coming. To top that off, they could have made a different virus to attack antivirus firms and make the antivirus firms think it was the netsky writers that did it. And then someone could make a movie about it and play it on TNT because they know drama.

Anti-Virus software is dangerous

[Secrity]

This is the very reason why depending upon anti-virus software is dangerous. Anti-virus software causes people to become less careful about computer security. Becoming less careful about computer security because you have anti-virus software is something like driving less carefully because you believe that airbags will keep you safe in the event of a car accident.

Without a doubt, I would

[thrill12]

I am just the average Joe, who is brainwashed by such renowned companies as Microsoft into believing that it is not the software companies that make the mistakes, but the people who make the things that cause the mistakes to trigger!

Re:Mild threat

[Patrik_AKA_RedX]

A DOS-attack isn't "quite mild" when your business depends on your internet connection (e.g. Amazone). Not to mention the bill for all that extra traffic.

English, motherfucka, do you speak it?

[syrinx]

One virus. Two or more viruses. No other plural is acceptable.

"Virii" is wrong.
"Viri" is wrong.
"Viriii" is wrong.
"Virodes" is wrong.
"Virusen" is wrong.
"Viruss" is wrong.
"Virus" as the plural is wrong unless you're speaking Latin, and even then it's not really a plural so much as a collective singular noun.
ANYTHING THAT IS NOT "VIRUSES" IS WRONG.

http://www.linuxmafia.com/~rick/faq/plural-of-vi ru s.html

I am fully in support of a keyboard that, whenever the letters "v" "i" "r" "i" "i" are typed sequentially, then administers a fatal electric shock to the typist.

Thoughts and musings on releasing malicious code

[gd23ka]

Thoughts and musings on how to release malicious code onto the internet while being physically present in a state hostile to the United States of America and targetting assets of that hostile state, causing a maximum of damage while making it nearly impossible to be traced or identified.

First of all, access to the internet has to be completely anonymous. Many people have used their personal internet access or the one at work. Malicious code _will_ be traced back to the orginating internet access by security agencies of states hostile against the United States of America.

Anonymous access to the internet is easily possible from:
a) unsecured wireless access points
b) internet cafes

Since many public and private places in states that are hostile to the United States are nowadays under 24h covert video surveillance, unsecured wireless access points are safest. The safest way to use an unsecured access point would be from a car travelling at the maximum speed possible for a notebook on board to find a path through an unsecured access point to the internet. The malicious code package however should not be released directly to the internet but onto the first vulnerable system after the AP that has access to the internet. When using the AP the physical MAC-address of the wireless adaptor must not be used for obvious reasons, the card should be programmed with a new MAC-address. After releasing the malicious code package the notebook should immediately securely erase all traces of the malicious code package, the delivery system and the secure eraser. The secure erasure of the mentioned components should also be triggerable by a single keypress. The notebook should be kept under sufficient power and in a state where secure erasure can be triggered at all times (disable screensaver, power low standby etc.). The secure erasure should also be triggered when the notebook is about to enter a state where the secure erasure can not be triggered and completed (low power, etc.). The notebook should not be hooked up to the car's battery nor should any antennas or fixtures be evident that reveal the notebook is being actively used in the car. The warmth of the notebook in operation is not explainable therefore appropiate navigational software and a GPS mouse should be present. It is important to avoid areas where the car could leave identifiable tire tracks. If possible avoid entering zones of known video surveillance or zones where searches by hostile forces can be expected. I know this sounds paranoid but shit happens.

The malicious code should be wrapped into an installer that hides the malicious code onto the first vulnerable target after the access point for a period of at least six days and release the malicious code to the internet preferably on the evening of the friday following the minimum six days.

All code, excluding the delivery system and secure erasure code, should hide on the system using state of the art techniques (filesystem filters, hooking registry access, manipulation of NT kernel data areas).

If the malicious code happens to be a worm, a very slow rate of infection is advised as well as a novel vulnerability being exploited. This is in the hope that the worm will over months penetrate into sensitive intranets without being discovered. As the clock of a given node can not be depended on for accurate time/date information the worm instance should not rely on it to measure time. Instead time should be measured by cpu cycles, poweron/poweroff cycles etc. Systems belonging to a state hostile to the United States of America can be recognized through characteristics discovered through prior intelligence.

All development and testing that takes place while located in a state hostile against the United States of America should be confined to one system. Backups must use state of the art encryption must be accounted for and be destroyed after being superseded. If you (unwisely) choose to keep the final version of the code after the attack, encrypt it with a xor of r