Slashdot Mirror


User: mabu

mabu's activity in the archive.

Stories: 0
Comments: 1,959

Comments · 1,959

  1. Re:removed it from the DNS on SCO Offline · · Score: 1

    Too bad they aren't running FreeBSD ; )

  2. Quicktime is almost as bad on NPR's Car Talk Dumping RealMedia · · Score: 1

    Both Real and Quicktime do the same thing: install an auto-run user agent if you spawn their player. I use Startup Cop to disable it. I despise any application that insists on acting like a virus once it's run and that's exactly what these two programs do.

    Real installs a script called "TkBellExe", and Quicktime installs "QTTask.exe", neither of which need to be autorun upon bootup. This crap has to stop!

  3. official idiot count on SCO Offline · · Score: 1

    What would have been cool in this instance would be to direct www.sco.com to some network that could try to handle the traffic and perform an audit estimating how many computers are actually infected. Basically an "official idiot count" of people on the net who execute unknown file attachments.

    One assumes that every source of the worm propagating e-mail exposes the IP address of a compromised computer. I'm surprised someone hasn't written a script through the back door to either wipe out the virus or pop-up some, "Hey you're a moron" message. Obviously that wouldn't be any more legal than the worm itself, but it begs the question if "infections" on the Internet may eventually be treated like real-world outbreaks which force higher authorities to administer treatment.

  4. removed it from the DNS on SCO Offline · · Score: 1

    nslookup www.sco.com

    Searching for A record for www.sco.com at l.root-servers.net: Got referral to I.GTLD-SERVERS.NET. [took 95 ms]
    Searching for A record for www.sco.com at I.GTLD-SERVERS.NET.: Got referral to c7ns1.center7.com. [took 152 ms]
    Searching for A record for www.sco.com at c7ns1.center7.com.: Reports that no A records exist. [took 100 ms]

    Answer:
    No A records exist for www.sco.com. [Neg TTL=1800 seconds]

    Details:
    c7ns1.center7.com. (an authoritative nameserver for sco.com.) says that there are no A records for www.sco.com.
    The E-mail address in charge of the sco.com. zone is: hostmaster@caldera.com.

  5. WTF on Netcraft Jokes About SCO's Virus Fears · · Score: 1, Flamebait

    I submitted this story the other day and it was rejected -- what's with you people? One of your moderators has a real itchy trigger finger.

  6. Re:IP bandwidth economics AGAIN on Comcast Targets Internet "Abusers" · · Score: 1

    Where is this post? I contacted Comcast's security department and asked for such a list and they refused.

  7. confusion = more money on KISS · · Score: 1

    Here's a classic example of how the high-tech complexity translates into additional revenue for sleazy corporations:

    If you get a cell phone, after a while you may find that it isn't working as well as it used to. I ran into this problem with my Sprint phone. The phone seemed to be functioning fine, but it would have more trouble finding a signal and would drop calls more often. When I complained to Sprint customer service, they tried to sell me on a new, "better" phone.

    I noticed that a cell tower near my house was having maintenance done on it and a temporary tower was set up in its place. I asked if this might have anything to do with my problems, and it was only then, the rep suggested I update the "roam list" on the phone. This was a free, five-minute deal at the Sprint store and as soon as that was done, my phone worked better than ever! I've subsequently found out you can update your roam list on some service providers by pressing a simple *-key sequence on the phone.

    I suspect that tens of thousands of people have been hoodwinked into buying a new phone when they merely needed to update the phone's firmware or roam list for free.

  8. Re:MTV on The 101 Dumbest Moments in Business · · Score: 1

    Oops let me qualify that I don't think the MTV show used dry ice, not that regular ice was any less stupid IMO.

  9. MTV on The 101 Dumbest Moments in Business · · Score: 1

    In January, British radio station BRMB is fined 15,000 for holding a contest in which entrants are challenged to see who can sit on a block of ice the longest, with the winner getting free concert tickets. The station got the idea from a New Zealand website, but unlike the Kiwis, the Brits use dry ice, which, at -109 degrees Fahrenheit, is unkind to human flesh. Three participants are hospitalized.

    I saw an episode of MTV's "Real World/Road Rules challenge" where they had the contestants do the same thing.

    Speaking of dumbass moments, has anyone noticed that the "Real World" just gets worse and worse? They make a tv show now where they toss a bunch of (some underage) kids in a house and stock it with alcohol and watch them get sick and act stupid. It's almost criminal. But I guess that's the trend on TV now.

  10. Re:IP bandwidth economics AGAIN on Comcast Targets Internet "Abusers" · · Score: 1

    If you're serious about running any Internet-related business, you wouldn't be hanging off of Comcast's network. Thousands of systems have been fed up with them letting spammers run wild and they've added their IP space to their blacklists. You'd do yourself a favor to distance yourself from this organization.

  11. Comcast spammers on Comcast Targets Internet "Abusers" · · Score: 1

    Comcast is one of the largest sources of spam in the United States. When are they going to crack down on the spamming activity of their users? They are basically the last large ISP that hasn't put a cap on the proxy relaying crap that's been going on domestically which allows spammers to run wild in their vast IP space.

  12. logs show MyDoom activity on Anti-Virus Companies: Tenacious Spammers · · Score: 3, Interesting

    A sampling of the increased wasted bandwidth and resources my system has dealt with in the last week:

    24-hour period, number of bounces

    Jan 22, 794
    Jan 23, 843
    Jan 24, 872
    Jan 25, 936
    Jan 26, 5472
    Jan 27, 19426
    Jan 28, 20468

    I've had more of an increase in AV Company spam than I have in propagation of the worm!

  13. Re:Existing solutions on Anti-Virus Companies: Tenacious Spammers · · Score: 1

    I think this is a great idea. If you know of anyone who has compiled a list of relays that are using these idiotic AV bouncing messages, please post them so we can add them to our filters.

  14. Re:Who are you people? on Anti-Virus Companies: Tenacious Spammers · · Score: 3, Insightful

    The auto-response from AV software isn't spam, it's the server trying to warn you that an attachment you might have cared about didn't make it to the destination.

    In order for most of those filters to work, they have to be updated with new virus definitions. At the time they identify this new virus, they can also identify whether the header information is legitimate and worth responding to. In the case of anti-spam companies that ignore this information, they ARE spamming and contributing to the problem. There is no excuse.

    If you are an anti-virus company and you update your system to recognize MyDoom, you know that the from address is not accurate. So if you bounce e-mails to the source, you are incompetent, a spammer, or both.

  15. Too True on Anti-Virus Companies: Tenacious Spammers · · Score: 1

    Has ANYBODY ever seen a worm that propagated itself via e-mail and reliably used the proper "from" address? I know there are exceptions but 99.9% of the anti-virus spam is completely out of line. You have to assume either these companies are totally incompetent, or they're using this as an excuse to promote themselves and their services, which is basically spamming in any definition of the word.

  16. Re:easy way to stop this: don't accept port 25 DUL on More MyDoom Gloom · · Score: 1

    That would also stop all of my outgoing legitimate email.


    If you are running an SMTP relay from a recognized DUL IP block, you're already having thousands of systems block your mail. There are more than a dozen DUL RBLs out there that are compiling these IP blocks to restrict SMTP traffic.

  17. Re:easy way to stop this: don't accept port 25 DUL on More MyDoom Gloom · · Score: 1

    ...and put us one step closer to the corporate controlled, content-provider Internet and take us one step away from the way things were actually designed to work.

    Gotta love idealism. Cherish it while you can.

    We're already in a corporate-controlled world. Most of the major ISPs and corporations are rifling through people's mail. My ISP doesn't do any of that, which is why I am seeking a non-content-related solution: to protect people's privacy.

    I think it's better in the long run, and more in the spirit of the Internet, to regulate where mail is coming from, as opposed to what's in the message.

  18. Most resource-efficient way to deal with this on More MyDoom Gloom · · Score: 2, Insightful

    I recommend that other ISPs do what we're doing to deal with this. The problem with using content-based filtering is that it constantly needs updating and still costs you bandwidth and system resources.

    The propagation of this worm is not unlike the propagation of spam. The ISPs are doing a piss-poor job of regulating the smtp traffic of their non-business customers.

    My solution to this is very simple, and all I ask is that the large ISPs separate their DUL IP space from any legitimate mail relays they operate.

    For example, we're seeing a ton of spam originate from Videotron in Canada. An IPWHOIS shows that this is one of their major blocks:

    Le Groupe Videotron Ltee VL-2BL
    24.200.0.0 - 24.203.255.255

    The easy thing to do is put 4 lines in my /etc/mail/access file to block those 4 class Bs, and bingo... I've shut out more than 250,000 IPs from sending me spam or worms. I modify the error message to redirect inquiries to a web page with a form that legitimate users can use to whitelist their IP/relay.

    Using this method, I take the burden off my network. If you are selective about the IP blocks you ban, you can really whittle this down to almost no bouncing of legitimate mail.

    Many ISPs are using DUL RBLs to accomplish the same thing, but the problem is that this requires more resources and huge databases of every possible IP. If you know that an ISP has allocated a large amount of IP space to customers who shouldn't be operating their own SMTP relay, you can bypass this and just cut them off.

    Generally speaking, I employ this method primarily with Asian and Middle-Eastern IP blocks where I don't normally expect any mail traffic in the first place, so the collateral is minimal if any.

    Now if you have DSL or Cable and you've hung your own SMTP relay on your home network, yes, you might have some problems with this method, but it only takes a few seconds to request whitelist authorization and then it's done. Spammers aren't going through this trouble and if they do, I can track them when they try to make these requests.

    If more ISPs employed this technique, it would be very effective. I am convinced that many large ISPs, including AOL are already doing this in one form or another: being very picky about accepting certain types of traffic from certain IP blocks.

    The next evolution of RBLs will probably involve something like what I'm doing... which is the ultimate movement to a whitelist system where you deny the most heinous sources and make them request acceptance. It's a lot easier to maintain a small list of authorized SMTP relays among a very large blacklisted DUL IP space.
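
Added example, not part of the comment above or of the poster's own configuration: a Python sketch of the access-map approach comment 18 describes. It expands the Videotron range into octet-aligned `Connect:` keys, adds whitelisted relays, and models a most-specific-key-first lookup. The rejection text, the URL and the whitelisted address are constructed placeholders.

```python
import ipaddress

# Placeholder rejection text and URL (assumptions, not from the comment).
REJECT = "550 Dynamic range refused; request whitelisting at http://mail.example.net/whitelist"

def range_to_keys(first, last):
    """Turn an inclusive IPv4 range into octet-aligned access-map keys."""
    keys = []
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for net in ipaddress.summarize_address_range(start, end):
        # Access-map network keys end on octet boundaries, so round the
        # prefix length up to 8, 16, 24 or 32 and enumerate the pieces.
        plen = max(8, -(-net.prefixlen // 8) * 8)
        for sub in net.subnets(new_prefix=plen):
            keys.append(".".join(str(sub.network_address).split(".")[: plen // 8]))
    return keys

def build_table(ranges, whitelist):
    """Map each blocked prefix to REJECT and each approved relay to OK."""
    table = {}
    for first, last in ranges:
        for key in range_to_keys(first, last):
            table[key] = REJECT
    for ip in whitelist:
        table[str(ipaddress.ip_address(ip))] = "OK"
    return table

def render(table):
    """Access-file lines in tagged form: Connect:<key> <value>."""
    return [f"Connect:{key}\t{value}" for key, value in sorted(table.items())]

def decide(ip, table):
    """Model of the lookup: full address first, then shorter prefixes."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    for n in range(4, 0, -1):
        value = table.get(".".join(octets[:n]))
        if value is not None:
            return value
    return None  # no entry: the connection is not affected by this table

if __name__ == "__main__":
    # Range from the comment; the whitelisted relay is a constructed sample.
    table = build_table([("24.200.0.0", "24.203.255.255")], ["24.201.10.5"])
    print("\n".join(render(table)))
    for ip in ("24.201.10.5", "24.201.10.6", "192.0.2.1"):
        print(ip, "->", decide(ip, table))
```

The whitelisted relay is accepted only because its full-address key is tried before the two-octet block key, so a whitelist entry must be at least as specific as the block it punches through.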

  19. Re:Block port 25? on More MyDoom Gloom · · Score: 1

    I've seen many worms that aren't even that sophisticated. They don't even bother with the MX record, they just grab the IP for the hostname and assume there's an SMTP server there. More often than not, they're right.

  20. Re:Block port 25? on More MyDoom Gloom · · Score: 1

    Why block port 25? How much of that 25 traffic do they know is SPAM? If I were a spammer, I could just get a co-location somewhere in Asia (or just about anywhere else), ssh over, and do my dirty work from there.

    Feel free dude. I think that's a great idea. It would make my life so much easier:

    CONNECT:210 550 piss-off non-whitelisted network
    CONNECT:218 550 piss-off non-whitelisted network
    CONNECT:61 550 piss-off non-whitelisted network

    I can filter all your IPs with great ease and then choose which relays I want to allow. It's a lot easier than trying to block you from the IP mess in the United States.

  21. Re:A million zombied machines for anyones use on More MyDoom Gloom · · Score: 3, Insightful

    As soon as this information was known, the FBI should send agents to Worldcom, Sprint and all the other backbone providers with instructions to log all port 3127 traffic immediately.

    Unfortunately, I have a feeling somewhere, some authority is typing "virus writer's home address" into Google.

  22. Re:Clueless Newscaster. on More MyDoom Gloom · · Score: 2, Funny

    Wow, and you say this came from a FOX affiliate?

    Imagine that.

  23. Re:Why is this an issue? on More MyDoom Gloom · · Score: 2, Interesting

    Why is this so hard for other people to do that this virus is actually getting through to their clients?


    1. Nowadays your average computer user is a moron.

    I'm sure you and everyone else knows some hopeless PC user who uses Outlook, can't help but click on some attachment, believes everything they read online, or does not patch their Windows on a regular basis. All it takes is a few of these n00bs to make life miserable for others in one form or another.

    2. Filtering on the client side doesn't really address the larger problem of these scripts consuming *tremendous* amounts of bandwidth, network and system resources.

    If you're an end-user, you can't appreciate how much fun it is to manage a server that is getting hammered with this crap. Even if you block it out, you still have to deal with reduced performance and limited bandwidth available to all your users because of yet another unpatched MS hole or irresponsible ISP.

    And of course, whenever there's another announcement of a "virus" every person with a PC who can't get it to work right is convinced that the "virus" is the culprit.

  24. Re:Good for Optus! on More MyDoom Gloom · · Score: 1

    Hooray!

    If only the number one spamming, virus-propagating piece-of-shit ISP in the country: COMCAST would do the same, we likely wouldn't have this problem.

  25. Re:spammers? on More MyDoom Gloom · · Score: 1

    in order for worm/spammers to profit from spam, they have to put some link back to themselves in the spam, don't they? doesn't that make them a bit easier to track down than

    How many spammers have you tracked down lately?

    Spammers will use the same IP forwarding and misdirection techniques to install software on an infected machine. So far, none of the authorities seem to be able to catch any of them.