[ISN] MyDoom sparks talks of security's future

From: William Knowles (wk@private)
Date: Tue Feb 03 2004 - 03:50:27 PST


    http://news.com.com/2100-7349_3-5152165.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    February 2, 2004
    
    The virus, which has combined many old attack techniques into a
    successful package, was hardly blunted by antivirus programs during
    the first few hours of its exponential spread.
    
    That's a problem, said Shlomo Touboul, CEO of security software maker
    Finjan Software.
    
    "The MyDoom attack should never have propagated so far into the
    Internet," he said. "It is obvious that we need another layer (of
    software) to protect during the first hours of attack."
    
    Despite a deep understanding of how such viruses spread, security
    experts seem to be at a loss at how to stop them. Popular antivirus
    technology is generally ineffectual against many of the attacks until
    an update is downloaded by the user. Moreover, even though antivirus
    software is the most popular security technology in use--about 99
    percent of corporations use it, according to the Computer Security
    Institute--many home users still don't use the software.
    
    "Many people don't even have the software," said Bruce Schneier, chief
    technology officer for Counterpane Internet Security. "And for those
    that do, the first few hours of an epidemic is a race against time."
    
    MyDoom spread through e-mail a week ago, infecting a new computer
    every time an unwary user opened the attached file containing the
    program. As many as 2 million computers may have been infected. The
    original virus was programmed to attack The SCO Group's Web site last
    Sunday, while a variant is scheduled to target Microsoft on Tuesday.
    
    E-mail service provider MessageLabs has quarantined more than 17
    million e-mail messages in a week, said Alex Shipp, senior antivirus
    technologist for the company. From data captured early in the
    epidemic, MessageLabs says that for every Internet address with an
    infected PC behind it, eight e-mails are sent, on average, to one of
    the company's customers.
    
    However, even though companies are still seeing massive quantities of
    e-mail messages bearing the MyDoom virus, the spread has slowed,
    stressed Shipp.
    
    "I don't think that there are going to be many more people who are
    left to get infected," he said. "It has gotten most of the available
    pool of (unwary) people to open it."
    
    The rapid spread opens new questions about how users and companies
    should defend themselves against the next virus. New software may not
    be the solution, Counterpane's Schneier said. Instead, the balance
    between usability and security may have to be re-evaluated.
    
    "It's a fundamental question," he said. "Is the ability to execute
    attachments from Outlook a feature or a bug? I think it is a bug."
    
    Unless such threats are dealt with, many more computers connected to
    the Internet may be compromised. While MyDoom infects PCs and turns
    them into platforms from which to attack other PCs and to send spam,
    other attacks could be possible and even more devastating, said Paul
    Mockapetris, chairman and chief scientist for Internet technology firm
    Nominum.
    
    "People should anticipate that (the attacker) is going to point these
    hacked PCs at other sites--that's coming," he said. "What's going to
    be the security of all Web sites if those attacks get more prevalent?"
    
    Already, SCO is feeling the pain. The company's Web site is the
    primary denial-of-service target of PCs infected with the original
    version of the MyDoom virus. At 8:09 PST on Sunday morning, infected
    PCs were programmed to deluge the site with data.
    
    The attack, which effectively shuts down a site by flooding it with a
    deluge of information, is hard to stop, said Blake Stowell, a
    spokesman for SCO.
    
    "You have to try and think creatively about how to solve the problem,"
    he said. "Is it something that you have to throw money at it or to
    think creatively and come up with a technical solution?"
    
    After trying to keep its site up, SCO took its address out of the
    domain name system, the global yellow pages for the Internet. It's now
    referring people to a new Web site.
    
    The same thing could happen to Microsoft's main Web site, starting
    Tuesday. A second variant of the MyDoom virus, which hasn't spread
    as far as the original, will begin sending data to the software
    giant's site. Microsoft would not comment Monday on its defenses,
    except to say that the company had prepared for the attack.
    
    Other security experts believed Microsoft would fare better than SCO.
    
    "It just goes to show what possibilities exist out there," said
    Vincent Gullotto, vice president of antivirus research for security
    company Network Associates. "When this was supposed to happen to
    Microsoft last year, I think they dealt with it in a more effective
    manner."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    