Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Internet Operating Systems Software Windows Science

MyDoom.C Making Its Way Across The Net 519

Iphtashu Fitz writes "eWeek is reporting that the latest variant of MyDoom is now making its way across the internet and may have been responsible for some disruptions to Microsofts website over the weekend. This new variant apparently doesn't spread via e-mail but instead scans for machines with an open TCP port 3127. This version appears to be a very stripped down version of its earlier cousins since it also doesn't leave a backdoor into infected machines nor does it have a shutoff date for when to stop attacking Microsoft." Reader billstewart adds links to reports at Australia's ABC News and carried by Reuters; Unloaded adds a link to CNET's coverage.
This discussion has been archived. No new comments can be posted.

MyDoom.C Making Its Way Across The Net

Comments Filter:
  • MyDoom (Score:5, Funny)

    by Paleomacus ( 666999 ) on Monday February 09, 2004 @11:30PM (#8234287)
    What a stupid name for a virus. The writer must be planning to get caught.
  • by Anonymous Coward
    My poor firewall logs, oh why does DoomJuice hate thee.
  • by k4_pacific ( 736911 ) <k4_pacific@yahoo . c om> on Monday February 09, 2004 @11:31PM (#8234298) Homepage Journal
    I would think that mydoom.c would be the source file, so it should be alot easier to reverse engineer.

    gcc mydoom.c -o mydoom ./mydoom
    • by Comatose51 ( 687974 ) on Monday February 09, 2004 @11:40PM (#8234367) Homepage
      The day when someone can pass the source code for a virus around and tell people how to compile and then run it in the email is the day I lose faith in humanity, which given what has transpired already isn't too far off. :-)
      • by KillerHamster ( 645942 ) on Tuesday February 10, 2004 @01:01AM (#8234806) Homepage
        It's often commented that the additional steps required to execute a file on Linux would likely prevent a Linux virus from taking off in the way Windows viruses often do. However, if Linux is ever widely adopted on the desktop, given the proven stupidity of the majority of computer users, I wouldn't be too surprised to see that happen.

        Subject: "Awesome Linux screensaver!"
        Body: "Check out this awesome screensaver! Follow the steps below to install it. If you can, it would be helpful to switch to your root account first."

        1. Save the attached file to your home directory.
        2. Open a command prompt window.
        3. Type: gunzip screensaver.tar.gz
        4. Type: tar xvf screensaver.tar
        5. Type: cd screensaver
        6. Type: make
        7. Type: ./install
        • Re:mydoom source (Score:4, Interesting)

          by glsunder ( 241984 ) on Tuesday February 10, 2004 @10:35AM (#8237709)
          Yes, that's true that it could include instructions on how to install the virus on linux, however, that requires that the victem can follow instructions. That wipes out the lower end of users who would have just clicked on it in windows. Plus, by making people pay more attention to what they're doing, there's a better chance that they'll think "hmm, this is fishy".

          Where you'll get into trouble, is you'll have assholes who write popular programs that require you to run as root, so every dumbass will be root. And users won't care at all. One example of software for windows like this is the sims -- it requires you run it as administrator. The sims is at the same time the most popular and most crappily written games of all time. That is scary.
    • by CrystalFalcon ( 233559 ) on Tuesday February 10, 2004 @02:02AM (#8235044) Homepage
      From Internet Storm Center [sans.org] (emphasis mine):

      A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the Mydoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDOS against www.microsoft.com.
  • by LostCluster ( 625375 ) * on Monday February 09, 2004 @11:32PM (#8234302)
    The original MyDoom proved that no matter how much we warn users not to run surprise executable attachments, they do any way. And also proved how many users aren't running any anti-virus at all.

    Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio. Those machines by definition do not have an anti-virus program that's been updated recently enough to capture the original MyDoom virus, so DoomJuice will be able to walk in through the backdoor at port 3127 with nobody gaurding that door.

    The author of MyDoom has basically created a network of zombies that he/she/it has full control of without the knowledge of any of the infected users. And now, this author has demonstrated the ability to send a patch-virus out with new updated instructions.

    Right now, this patch seems to not have much of a payload. But, we don't know if we've seen its full payload yet, and there's certainly the possible of DoomJuice2 coming out with a worse payload.

    To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
    • by Kris_J ( 10111 ) * on Monday February 09, 2004 @11:41PM (#8234377) Homepage Journal
      To put it lightly... these 50,000 to 75,000 zombies need to be pulled from the Internet stat.
      Fortunately this portscanning behaviour will show up on firewall logs much better than this email crap. Within no time, dshield.org and other similar log aggrigation services should have a nice accurate list of infected machines that they use to contact sysadmins of appropriate networks.
      • by LostCluster ( 625375 ) * on Monday February 09, 2004 @11:45PM (#8234402)
        contact sysadmins of appropriate networks

        Tech: Hello? Is this the system administrator of the house?
        Dad: Jimmy? It's a call for you.
        Tech: Hello, are you the system administrator of the hose?
        Jimmy: Yes, but my friends in school call me Jimmy.
        Tech: Okay, Jimmy. We've detected that your house has a computer that's infected by a virus.
        Jimmy: Comuputers can catch colds?
        Tech: ...
      • by csk_1975 ( 721546 ) on Tuesday February 10, 2004 @03:17AM (#8235371)
        I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?

        ISC [incidents.org] and dshield [dshield.org] are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater.
    • by simetra ( 155655 ) on Monday February 09, 2004 @11:44PM (#8234393) Homepage Journal
      This is the perfect opportunity for someone to fix American Idol, by getting all those zombie computers to dial and vote for their favorite singers!
    • by SuperBanana ( 662181 ) on Monday February 09, 2004 @11:57PM (#8234480)
      And also proved how many users aren't running any anti-virus at all.

      Actually, we have the antivirus companies mostly to blame for this one; they discovered it wasn't enough to sell people the software(and that coming up with new features to get upgrades was difficult), but they had to lock them into updates too; pure corporate greed. Instead, people either don't realize they're no longer getting updates, or they think the older definitions will work just fine. I tell people either to update their subscription, or to use a mailer other than Outlook if possible and run any of the various free virus scanning tools(McAfee and Trend for example both have free web-based scanners) on a regular basis or whenever the system starts doing weird stuff.

      Lastly- some vendors dragged their feet. McAfee took almost 2-3 days to release "regular" definitions which could either be downloaded to your proxy server and then deployed to all your clients...or downloaded by clients automatically. Until they did it, you had to download special "extra" definition files, put them in certain folders, etc. Ie, impossible for the end-user, and a pain in the ass for small businesses without the tools to deploy stuff like that easily automatically.

      Therefore, it's not a far stretch to assume that the 50,000 to 75,000 machines that are still infected by MyDoom.A or MyDoom.B will catch DoomJuice with a 100% infection ratio.

      Except for all the systems behind firewalls that got infected because they got the virus via email...

      Right now, this patch seems to not have much of a payload.

      Who said anything about it being a patch? Ok, so maybe it is- but "not much of a payload" doesn't mean much, since a compressed diff can be very small...

      By the way- off-topic rant, McAfee's corporate software sucks. You can run a mirror of their definitions, but you need Windows Server to do it(2k or 2003). You can deploy sitewide policies, but you need to build it into the installer and any further changes require an overblown management system that needs Windows Server AND MS SQL Server. it gets better- unlike NAV and others, you can't do email scanning on anything except Outlook(NAV has supported POP/IMAP scanning via proxy for years). And the best part? If you get a virus alert from the on-access scan, the user can't click any of the action buttons, because get this- and I swear, this was straight from the mouth of a McAfee rep- "they'll always click ignore to make it go away". "So why did you also disable the delete and quarantine buttons as well?!?" NAV and others let you restrict what option set the user gets(so they can delete, but not ignore...or do whatever). Last but not least, their support is mostly based out of india.

      • by gad_zuki! ( 70830 ) on Tuesday February 10, 2004 @01:36AM (#8234952)
        Exactly. Lots of computers running mydoom have a working anti-virus, its just that the owners won't pay for updates or they have no clue what an update is or why it would expire.

        Granted it costs money to update virus scanners, but that should be part of the one time purchasing fee. I guess you get what you pay for, the last few dells I've played with on the residential front came with McAfee that expired in TWO months.

        You can only blame the user for so much. They were sold lemons and they have to deal with lemons. If Dell et al cared about security they would cut a deal with the people from AVG or someone who can actually provide updates for free. Not to mention start ghosting their drives with service pack one and the patches for blaster. It would cost next to nothing to toss in a disk or CDROM with 'critical updates - install before putting computer on net' if moving up to a more current ghost image is too expensive.

        Persoanlly, I don't see why ISPs can't get in on this. Everytime I switch broadband providers they send a guy out to install crap on my PC. I usually stop them, but their install packages are simple ad-ware or PPPoE drivers. Why not toss in a n anti-virus for a huge discount, if not free, if the computer doesn't have a working one? Its good for the network and its good for the customer. Yes, it shouldn't be mandatory but for the average person it would be a great opportunity to get an up to date scanner. Heck, toss in a firewall while you're at it and make sure their windows update settings are correct. They could automate this when they put their ad-ware and change the name of IE to IE provided by Comcast crap.
        • Exactly. Lots of computers running mydoom have a working anti-virus, its just that the owners won't pay for updates or they have no clue what an update is or why it would expire.

          "Your car isn't working." "Yes it is, just the wheels are missing". Sorry, I don't consider an AV app working that only catches viruses older than a week, no matter why this is so.

  • Part of the story? (Score:2, Interesting)

    by Anonymous Coward
    instead scans for machines with an open TCP port 3127

    Uh, ok.. so what is on port 3127?

    We are not all so nerdly that we memorize port tables... (emphasis on ALL)

  • Hmm... (Score:4, Insightful)

    by Cyno01 ( 573917 ) <Cyno01@hotmail.com> on Monday February 09, 2004 @11:34PM (#8234321) Homepage
    Just from the description in the /. blurb this seems to have a very different purpose from A and B. This seems like a script kiddie just for the hell of it kind of thing more than a spam tool.
  • MSN messenger? (Score:5, Interesting)

    by Quixotic ( 505 ) on Monday February 09, 2004 @11:35PM (#8234323) Homepage
    Does anyone know if it is slamming the msn messenger service as well? I havn't been able to connect to it recently, and it seems to be a network wide outage, since other people are having problems as well [trillian.cc]....
  • by jakoz ( 696484 ) on Monday February 09, 2004 @11:35PM (#8234324)
    Apart from the fact that it uses the backdoor created by MyDoom to spread, it doesnt have enough in common with MyDoom to be a variant of it, which is probably why on the CNET link it only mentions the name Doomjuice.

    The MyDoom.C name used in links such as the ABC one is probably for good headlines
  • by GeckoFood ( 585211 ) <geckofoodNO@SPAMgmail.com> on Monday February 09, 2004 @11:36PM (#8234331) Journal
    About the time the first version of this virus set sail, I noticed a huge spike in the number of Backdoor/Subseven probes against my firewall (still ongoing). Is this little bastard responsible for that, or is this caused by another issue altogether?
  • by IllogicalStudent ( 561279 ) <jsmythe79@@@hotmail...com> on Monday February 09, 2004 @11:36PM (#8234334)

    MyDoom.C's effects seem to already be felt. My girlfriend's been complaining that she can't get onto MSN all night, and sure enough messenger.msn.com is completely unresponsive, as was Hotmail a few hours ago (though, it seems to be up now). I wish I could just convince her to use Jabber.

  • No shutoff date? (Score:5, Interesting)

    by ArsonPanda ( 647069 ) on Monday February 09, 2004 @11:37PM (#8234341)
    I never understood why viruses/worms/whatever bother to include shutoff dates. "hum, I really hate SCO, so I'm going to DDoS them, but only for a few days" Why?
    • Re:No shutoff date? (Score:5, Interesting)

      by VertigoAce ( 257771 ) on Monday February 09, 2004 @11:52PM (#8234449)
      I've seen speculation that some authors do it so their previous work won't clobber whatever their new project is. It might also be useful to get around certain automated anti-virus tactics. On a university network it isn't uncommon to disconnect a computer that seems to be infected with a particular virus (ie all addresses resolve to a page telling you that your computer is infected and pointing you in the right direction). So after a few days all of the infected computers suddenly act like normal ones, ready to be infected with the next variant.
  • no backdoor (Score:5, Informative)

    by stev_mccrev ( 712012 ) on Monday February 09, 2004 @11:37PM (#8234344) Homepage

    This version appears to be a very stripped down version of it's earlier cousins since it also doesn't leave a backdoor into infected machines

    It doesn't open a backdoor, as TCP port 3127 is the port that the MyDoom.A and .B backdoor opens.

    This isn't really a variant of the same virus as it only attacks machines already infected with MyDoom, rather than spreading via email.

  • by LostCluster ( 625375 ) * on Monday February 09, 2004 @11:39PM (#8234358)
    Are there any real applications that use port 3127, or can we safely block that port at our firewalls?
    • by nmoog ( 701216 ) on Monday February 09, 2004 @11:45PM (#8234397) Homepage Journal
      Yeah, port 3127 is used for DoS attacks on Microsoft. Its best to leave it open.
    • by rusty0101 ( 565565 ) on Monday February 09, 2004 @11:48PM (#8234418) Homepage Journal
      It should be safe to block. I did a 'grep 312 /etc/services' and came back with only one hit, 3128 for Squid proxy. That should be blocked at your firewall as well, as having it available to external users can open your mail server to become a spam server if you have them both on the same network. So you could probably block the range 3120-9 with out any negative impact.

      -Rusty
    • by grub ( 11606 ) <slashdot@grub.net> on Monday February 09, 2004 @11:51PM (#8234445) Homepage Journal

      Ideally a firewall is in a default deny state. That way you can open it up for things you know you need rather than missing something and having a hole into your LAN. If you followed that advice then you wouldn't need to worry about closing the port.
      • For a company/university/personal firewall, yes, it should usually be blocking any inbound traffic that's not understood. ISPs have a much different type of user base - they should be allowing the end-to-end Internet to work, staying open to any protocols that they don't have a very good reason to block. Temporarily blocking 3127 or 1434 or whatever is often necessary if there's a big outbreak, and there are some ISPs that restrict Port 25 because they're trying to prevent their users from spamming - but
    • by Brandybuck ( 704397 ) on Tuesday February 10, 2004 @12:27AM (#8234643) Homepage Journal
      Where do you people come from! Is it time for another application of the ClueStick(tm)!

      If you're not using a specific port, close it up. That includes 3127. And everything below 3127, and everything above 3127. Close them ALL off except the ones you are specifically using.

      Now I realize that this is extremely difficult to do in Windows, but do it anyway. Repeat, do it anyway. This is your responsibility as the owner of a node on the network. And don't think you're done just because you're secured the firewall. Secure all of your client systems as well. My company got hit hard by Blaster because someone walked into the lab with a laptop.
  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Monday February 09, 2004 @11:40PM (#8234368) Homepage Journal
    I'm sure we've learned enough by now to determine how this virus works to the point where we can create a worm of our own and disable it's DoS attacks. I for one believe enough is enough, and it would be ethically ok to go ahead and create such a worm. All we'd have to do is infect in the same way this new virus does, and run arbitrary code to destroy the virus. Thoughts?
    • You do know that this is what Nachi did and it turned out to be worse than Blaster that it was sent out to get rid of. Why don't you just let the virus propigate for 48 hours then clean the disk while you are at it.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday February 09, 2004 @11:43PM (#8234387)

    Aunt Bertha switches on her 2 GHz supercomputer, and hooks up to the Internet with a connection speed that would have rivaled an ISP in the early 1990's. She sees a pretty icon in her inbox, so she points and clicks, unleashing some spammer's [spamhaus.org] latest mass-mailing creation. By the time Bertha goes and gets a triscut, she has already spammed a million Internet neighbours.

    Anyone else see why the Internet is full of crap? And if you think it's as easy to control as "blocking port 25" ... ha ha. You wish! The worm only has to send mail via the ISP's outgoing mail server (remember... the one you reminded me "I should be using" [google.ca])

    So no, controlling this spam/virus menace isn't quite that easy. Whatever method you use to legitimately send mail, the worms will follow that same method.

  • by billstewart ( 78916 ) on Monday February 09, 2004 @11:45PM (#8234399) Journal
    Unlike MyDoom, which is exploiting Microsoft weaknesses, the interesting thing about Doomjuice and Deadhat (aka Vesser [f-secure.com]) is that they're scanning for the back doors left by MyDoom.A and MyDoom.B and using them to take over. The good news is that they're only attacking infected machines (and in a way that's easy to block), but the bad news is that parasites like these can add nasty payloads to viruses that were fast but not particularly nasty themselves. (That doesn't mean that these parasites have done that, but they can.) According to the article on F-Secure, Vesser / Deadhat turns off many kinds of anti-virus and firewall software, leaving the machine more vulnerable, and adding a backdoor of its own (but protecting it with crypto, which is the proper thing for an evil virus to do :-)
  • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Monday February 09, 2004 @11:49PM (#8234426)
    Anyone know if MyDoom's protocol for port 3127 is documented anywhere? If the virus writer can send it patches, then surely we can too :) We could have this mess cleaned up in a few days if we made the patch clean the machines. Not sure if cleaning people's machines without their permission is illegal, but itd sure make a lot of people grateful. If anyone does do it make sure to sign it as a gift from the opensource community so we look really good instead of the evil people that we've been made to be.
    Regards,
    Steve
  • by hkfczrqj ( 671146 ) on Monday February 09, 2004 @11:59PM (#8234497)
    Microsoft is dying [netcraft.com].
    • Microsoft deserves to take the blunt of this attack. Preventing this type of attack is not that difficult [slashdot.org]. Microsoft decided to close off all the open ports in SP2 after blaster and Nachi, maybe this will help motivate them to take steps to combat mail worms. If MS does not secure OE than AV companies can sell an alternate secure mail client.
  • That sad part is.. (Score:5, Insightful)

    by JPriest ( 547211 ) on Tuesday February 10, 2004 @12:07AM (#8234538) Homepage
    That it is just going right past AV programs just like A, B, and every other mass mailing worm before it. Give it a few days for people to update AV progies and maybe then it they will detect the virus. What a false sense of security.

    We can't give users restricted accounts becasue it stops them from doing things like installing valid software. But don't you think it is time we took steps to sandbox the email applications?

  • by Undefined Parameter ( 726857 ) <fuel4freedom@ya h o o .com> on Tuesday February 10, 2004 @12:13AM (#8234570)
    I own two Macs, so don't take this as a troll, please.

    Right now, Macs are feeling the effects of this virus, too; it's slowing down internet connections for ALL platforms thanks to the fact that it's indiscriminately flooding networks with "noise" in trying to find other machines with the MyDoom-opened port. To my knowledge, it doesn't stop searching, either.

    And a "counter-virus" would only make things worse. Sure, you eventually stop the original worm(s), but you also do more damage and risk opening up a can of worms in doing so. Not only is YOUR "counter-virus" going to add to the network congestion, but it may well become a problem itself if it's not written just right. In other words, the cure might be worse than the disease.

    For the short term, we need an education campaign. Teach the standard (and sub-standard) users of the world how to identify a virus, how to prevent getting infected, and why they should care. As the old saying goes, "you can give a man a fish, and feed him for a day, or you can teach a man to fish and feed him for a lifetime."

    ~UP
  • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Tuesday February 10, 2004 @12:15AM (#8234581) Homepage Journal

    Doomjuice distributes source code for MyDoom.A [f-secure.com]

    Making this one of the first high-profile open-source viruses?

    <zealot cause="BSD">The first being a license rather than a piece of software, namely the GNU General Public Virus.</zealot>

  • eternal return (Score:5, Interesting)

    by veg_all ( 22581 ) on Tuesday February 10, 2004 @12:18AM (#8234598)
    I was fascinated by the zombifying worms, spreading across the internet making unsuspecting hosts into proxy spam servers, but now I'm beginning to wonder if worm harvesters will have to be written and (by mutual agreement) released onto the net. I still get code red droping by all the time (it can have my default.ida, for all I care; I'm through with it), and new kiddies write them at such an increasing pace that one New York Times article about worms recently needed two slashdot articles by the time it was posted. Might they start (at some point in the future) to actually start to "clog" the internet? Hell, they already do; the network where I work was brought to a crawl more than once over the last year because of them (and the idiots who administer the network, but that's another rant). Anyway, when worms constitute more than 50% of the traffic more than 50% of the time, some regulatory body is going to propose spidering worm-eaters. It'll be like "core wars" all over again (everything comes full circle sooner or later).
  • Wonderful (Score:5, Funny)

    by ngyahloon ( 655557 ) on Tuesday February 10, 2004 @12:19AM (#8234606) Homepage
    A Microsoft spokesman said Monday that any performance problems on the company's site are likely related to countermeasures the company took to evade the MyDoom.B DDoS attack and not an attack from machines infected with the latest variant."

    So in other words, to prevent MyDoom from DDoSing Microsoft's website, Microsoft decides to DDoS themselves instead. What a wonderful world!
  • by bstadil ( 7110 ) on Tuesday February 10, 2004 @12:25AM (#8234636) Homepage
    The mind buggles. Today Gartner published a report [designtechnica.com]trying to tell the world that Microsoft's Security is improving.

    • I'm no Microsoft supporter but you can not blame them for this one. Someone had to install a program (virus) to become infected. The spread of this virus and its variants are a result of ignorant computer users who happen to be on the Windows platform.

      Blaster on the other hand was a result of a security flaw in Windows.
  • crap (Score:5, Funny)

    by MisterFancypants ( 615129 ) on Tuesday February 10, 2004 @12:31AM (#8234663)
    First Half Life 2, now the C source of Doom 3 is out in the wild... Damn, now we'll never see these games.
  • Maybe one day (Score:5, Insightful)

    by andih8u ( 639841 ) on Tuesday February 10, 2004 @12:53AM (#8234769)
    Cable and DSL companies will give out a nice little hardware firewall ala Linksys or Netgear along with their cable/dsl modems. Hell, Toshiba even makes a cable modem with a built in 4 port switch/firewall. Giving these users a broadband connection and no education on the dangers of the internet is like giving a Ferrari to someone who can't drive.

    I know the ISP isn't untimately responsible for their users actions, but they'd be doing themselves a big favor by eliminating most of that traffic. During the heyday of the Blaster virus I was getting a few port 53 requests per second from infected machines on Verizon's dsl...that's quite an additional load on their network.
  • by rspress ( 623984 ) on Tuesday February 10, 2004 @12:54AM (#8234773) Homepage
    How about MyWindows.xp?

    Actually Microsoft should be advertising the fact that it is the best OS on the planet for virus development and deployment. It would look good on the Windows vs Linux propaganda.

  • Port 3127 (Score:5, Informative)

    by retro128 ( 318602 ) on Tuesday February 10, 2004 @01:34AM (#8234948)
    What the submission missed, but is worth noting, is that port 3127 is one of the ports that MyDoom.A opens when it infects a machine. In other words, MyDoom.C is exploiting the hole that MyDoom.A opened.

    The writeup from Symantec is here. [symantec.com]
  • by codemachine ( 245871 ) on Tuesday February 10, 2004 @01:49AM (#8234996)
    Next thing you know, we'll see this on Windows Update:

    MyDoom.C - A critical update for the MyDoom virus is now available. This update fixes the flaw that prevented infected machines from launching DOS attacks at microsoft.com past the expiry date. Install this update if you need microsoft.com DOSing capabilities.
  • myDoom[a-z] (Score:4, Funny)

    by MrBallistic ( 88770 ) on Tuesday February 10, 2004 @02:31AM (#8235169) Homepage
    do we have to wait for myDoom.z to come out before we start on numbers? i'm still waiting for myDoom 3 to finally get released over here ;)

  • backscatter (Score:4, Interesting)

    by Tom ( 822 ) on Tuesday February 10, 2004 @04:13AM (#8235542) Homepage Journal
    Anyone got a good SpamAssassin or procmail rule to filter out the backscatter?

    I couldn't care less if it weren't for the flood of "you sent us an infected mail" spam that has been flooding my inbox for days because some stupid morons don't know that auto-notifications on virus scanners should be smashes, crucified, cooked in hot oil and quartered before being shot through the head with a shotgun because all the recent viruses fake the damn sender address.
    • Re:backscatter (Score:3, Informative)

      by hacker ( 14635 )
      :0 B
      * ^*Content-Disposition: attachment;
      * filename=".*\.(pif|scr|bat|cmd|com)"
      /var/spool/m ail/SPAM
      :0 B
      * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
      /var/spool/m ail/virus
  • by KC7GR ( 473279 ) on Tuesday February 10, 2004 @10:50AM (#8237913) Homepage Journal
    ...That the image of Einstein on the Slashdot header for this article isn't really an image of Einstein. Noooo, not at all. It's actually a composite representation of what SysAdmins worldwide look like after they get through battling Yet Another Worm, applying the Redmond Empire's Patch(es)-of-the-Month, reminding Clueless (L)users not to click on the pretty executable that came in their E-mail... well, you get the idea...

  • by mrex ( 25183 ) on Tuesday February 10, 2004 @11:46AM (#8238736)
    Isn't it obvious why MyDoom.C was released? The intricacy makes it fairly apparent that its either the original author or someone connected with it. Why would they release another variant of their own tool?

    After the release of MyDoom.A, there was more than a little speculation that the true hidden purpose of these e-mail worms was to spawn a network of zombied PCs to use for spamming. The 'A' version made it a little too obvious, even with the included red herrings of DoS attacks against SCO and MS. Uh oh. And now Mr. Spammer is getting a little antsy -- has the FBI made the same connection many in the infosec scene have? Uh oh. Time to cover your tracks.

    What better way to do that than to release another version of your virus that throws all the investigations off the trail, looking for some OSS Loving Blackhat who'd want to DoS SCO instead of the criminal head of a spam gang trying to enlarge his empire?

    And before anyone suggests I put on a tin foil hat...go gather some statistics. Specifically, make a chart of the release of e-mail worms, and another chart of the accuracy-rate of DNSBLs. You'll see, as I did, that as DNSBL accuracy reaches 100% (they contain all currently-zombied hosts), boom, out comes another e-mail worm. The release of MyDoom seems to have gone off poorly -- admins received warning and were prepared, not very many machines (relatively) were infected, and a lot of attention from the infosec community was directed at the source of the releases. I'm sure purely by coincidence, my DNSBL hit rate remains high, and spams by a certain well known individual who I believe to be responsible for this don't seem to be coming at nearly the volume one would expect from such a prolific scumbag.

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...