[ISN] Virus attack on Microsoft sites fizzles, expert says virus was badly written

From: InfoSec News (isn@private)
Date: Wed Feb 04 2004 - 01:54:42 PST


    http://www.canada.com/technology/story.html?id=6C29A5E1-9C5B-4EEC-BE98-0D3D5F0B434C
    
    STEVE MERTL   
    Canadian Press  
    February 03, 2004
    
    VANCOUVER (CP) - An assault on Microsoft Corp. web sites appears to
    have fizzled because hackers used a poorly written virus, a Canadian
    antivirus expert said Tuesday.
    
    The attack by the Mydoom.B virus was supposed to start flooding key
    Microsoft web sites with access requests starting Tuesday afternoon.  
    But instead of armies of so-called zombie personal computers
    unleashing the onslaught, the attacking force was relatively small.
    
    "It seems like the attack was poorly coded and a complete failure,"  
    said Jack Sebbag, Canadian general manager and vice-president of
    Network Associates Inc.
    
    "It had less than 4,000 or 5,000 PCs trying to attack the web site.  
    It's basically become an absolute non-issue for Microsoft."
    
    A variant of the virus known as Novarg.A crippled the web site of
    Utah-based SCO Group on Sunday when more than 100,000 personal
    computers taken over by the worm swamped it in what's called a
    distributed denial-of-service attack.
    
    Sebbag said that attack was continuing but appeared to be waning.
    
    "It's very tough to maintain the kind of assault that the worm is
    destined to accomplish," he said.
    
    "With each day that passes, with each hour that passes, more and more
    people are cleaning up the worm from their PCs by either not opening
    up the virus or finally updating their antivirus software."
    
    Microsoft had already taken countermeasures, including alerting users
    of its products and setting up alternate web sites where those
    infected with Mydoom.B could get help to clean their systems.
    
    No one from the Redmond, Wash., software giant was immediately
    available to comment but spokeswoman Amy Petty said in an e-mail that
    the company's web sites remained accessible.
    
    "While we are unable to discuss the specific remedies we took to
    prevent the DDOS attack, we did make it a priority to ensure that
    Microsoft web sites, such as Windows Update, remained fully available
    to our customers," said Petty.
    
    She also said a critical security update bulletin released for
    Microsoft's Internet Explorer program was not related to Mydoom.B.
    
    The update was aimed at closing another security loophole in Explorer,
    making it harder for hackers to steal web information such as user
    names and passwords.
    
    Novarg.A and Mydoom.B used a different, if not entirely new, approach
    to attacking web sites.
    
    Previous well-known denial-of-service attacks such as Code Red and
    Nimda ordered zombie computers to overwhelm a site's numeric Internet
    protocol or IP address. That could easily be changed while retaining
    the web site's name, such as Microsoft.com.
    
    Mydoom and Novarg went after the URL or uniform resource locator,
    which includes the name itself, forcing victims to rename their web
    sites to blunt the attack.
    
    SCO set up an alternate site and Microsoft also gave customers another
    site to access in case its main sites were compromised.
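    The article describes the two attacks in terms of how many infected
    machines joined in (under 5,000 against Microsoft, more than 100,000
    against SCO) and notes that the flood consisted of ordinary access
    requests to the site's name. A defender sizing such an attack from
    the web server's own access log wants to know how many distinct
    sources are hammering the site and how hard each one is pushing. The
    script below is an added example written for this page, not code from
    the article, from Network Associates or from Microsoft; the log lines
    it analyses are constructed, the ten-second window and the five-request
    threshold are assumed tuning values, and it expects Apache/nginx
    "combined" log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flood_sources(lines, window_seconds=10, threshold=5):
    """Map each client IP that sent more than `threshold` requests inside
    any fixed `window_seconds` window to its peak per-window request count.

    Hosts in a request flood show a sustained, near-constant rate; normal
    visitors rarely exceed a handful of hits in ten seconds.
    """
    per_ip_windows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot parse rather than crash mid-log
        ip, ts, _ = parsed
        bucket = int(ts.timestamp()) // window_seconds
        per_ip_windows[ip][bucket] += 1

    flagged = {}
    for ip, windows in per_ip_windows.items():
        peak = max(windows.values())
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def estimated_attackers(flagged):
    """Number of distinct flooding sources; a rough lower bound on the size
    of the attacking zombie population seen by this one server."""
    return len(flagged)


def make_sample_log():
    """Construct a small synthetic log (assumed data, not real traffic):
    three hosts sending 8 requests each inside one ten-second window,
    plus two ordinary visitors with one or two requests."""
    tmpl = ('{ip} - - [03/Feb/2004:13:00:{sec:02d} -0800] '
            '"GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"')
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        lines.extend(tmpl.format(ip=ip, sec=s) for s in range(8))
    lines.append(tmpl.format(ip="192.0.2.44", sec=3))
    lines.append(tmpl.format(ip="192.0.2.44", sec=40))  # a different window
    lines.append(tmpl.format(ip="192.0.2.99", sec=15))
    lines.append("garbage line that is not an access-log entry")
    return lines


if __name__ == "__main__":
    flagged = flood_sources(make_sample_log())
    for ip, peak in sorted(flagged.items()):
        print(f"{ip}: {peak} requests in one window")
    print("distinct flooding sources:", estimated_attackers(flagged))
```

    Against a real log the same two numbers are what the article's
    experts were quoting: the count of distinct sources tells you how
    large the zombie population is, and the peak per-window rate tells you
    whether a given source is a bot or a busy human. Because the flood is
    made of well-formed requests to the site's name, content filtering
    will not separate it from real traffic; per-source rate is the signal
    that survives.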
    
    "Think of it this way. If a burglar targets your home address it's
    unlikely you're going to move," said Michael Murphy, Canadian general
    manager of Symantec, which makes Norton antivirus software.
    
    "But if a crank caller continually calls your telephone number you can
    always get a new telephone number."
    
    Sebbag, whose firm produces McAfee antivirus programs, said SCO
    suffered little actual harm despite the heavy attack because it was
    not doing much business on Superbowl Sunday.
    
    "Had this happened to Microsoft on a weekday I'd imagine the cost
    would have been a lot more significant to that organization," he said.
    
    But while the worst appeared to be over, Sebbag said that doesn't mean
    the Internet won't face another, perhaps better-written variant.
    
    "There may be a Mydoom.C or Mydoom.D."
    
    Sebbag was also concerned the success of the SCO attack might
    encourage other "malicious code-writers" with a grudge to target
    organizations they don't like.
    
    It's believed SCO was hit because it's in a legal fight over aspects
    of Linux, a freely available operating system that some hope will
    challenge the dominance of Microsoft Windows.
    
    "Eight, nine, 10 years ago, these were 13-year-old kids who couldn't
    get a date who were writing these worms," said Sebbag.
    
    "These are guys who are 21, 22 years old now with access to better
    tools and a fully populated Internet, with reasons to hate
    organizations or ties with certain political affiliates who now have
    the power to launch these types of attacks."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    