[ISN] MyDoom dies today

From: InfoSec News (isn@private)
Date: Thu Feb 12 2004 - 04:50:32 PST


    http://www.theregister.co.uk/content/56/35516.html
    
    By John Leyden
    Posted: 12/02/2004
    
    MyDoom-A is programmed to stop spreading today, marking the end of
    arguably the worst email-borne viral epidemic to date.
    
    MessageLabs, the email filtering firm, blocked the virus 43,979,281
    times in the two weeks since its first appearance in late January. At
    the height of the epidemic, one in 12 emails the firm scanned was
    viral.
    
    At the height of the Sobig-F pandemic last August, one in 17 emails
    scanned by MessageLabs was viral. MessageLabs blocked 33 million
    copies of Sobig-F in total, so MyDoom-A is also the worst virus in
    terms of sheer weight of numbers.
    
    MyDoom-A was programmed to launch a denial of service attack against
    www.sco.com from infected machines. This - along with its spread -
    will cease today (see below for caveat*).
    
    However, the back door component of the virus has no time limit; it is
    still running on pox-ridden PCs.
    
    Infected machines still need to be identified and decontaminated. This
    is doubly important because the recently released Doomjuice worm uses
    this back door access to direct infected machines to packet
    Microsoft's Web site.
    
    MyDoom-A infected anything between 400,000 and one million PCs,
    according to sundry estimates from AV firms. On Tuesday, Feb 10,
    67,000 IP addresses were actively scanning to and from port 3127, the
    back door left open by MyDoom-A, according to the SANS Institute's
    Internet Storm Center. This suggests many users have cleaned up their
    act.
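    The article notes that the MyDoom-A back door listens on TCP port 3127 and
    that Doomjuice scans for it; the script below is an added example (not part
    of the article or any vendor tool) that summarises port-3127 activity from
    iptables-style perimeter logs so an administrator can list internal hosts to
    check. The log lines, the 192.0.2.0/24 internal range and the field layout
    are constructed assumptions.

```python
import re
from collections import defaultdict

BACKDOOR_PORT = 3127          # TCP port opened by the MyDoom-A back door
INTERNAL_PREFIX = "192.0.2."  # assumed internal range (constructed, TEST-NET-1)

# Constructed iptables-style log lines; not real traffic.
SAMPLE_LOG = """\
Feb 10 09:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4410 DPT=3127
Feb 10 09:12:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4411 DPT=3127
Feb 10 09:12:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1030 DPT=3127
Feb 10 09:12:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1031 DPT=80
Feb 10 09:13:00 fw kernel: IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.40 PROTO=TCP SPT=1100 DPT=3127
Feb 10 09:13:01 fw kernel: IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.41 PROTO=TCP SPT=1101 DPT=3127
Feb 10 09:13:02 fw kernel: IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.42 PROTO=TCP SPT=1102 DPT=3127
Feb 10 09:13:05 fw kernel: IN= OUT=eth0 SRC=192.0.2.30 DST=198.51.100.50 PROTO=TCP SPT=1200 DPT=3127
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def parse_flows(log_text):
    """Yield (src, dst, dport) for each TCP record in the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])

def backdoor_report(log_text, min_targets=3):
    """Return (inbound_probes, probed_hosts, outbound_scanners) for port 3127:
    external source -> count of internal hosts probed; internal hosts that were
    probed; internal hosts that themselves hit >= min_targets externals on 3127."""
    inbound = defaultdict(set)   # external src -> internal hosts it probed
    outbound = defaultdict(set)  # internal src -> external hosts it connected to
    for src, dst, dport in parse_flows(log_text):
        if dport != BACKDOOR_PORT:
            continue
        if dst.startswith(INTERNAL_PREFIX) and not src.startswith(INTERNAL_PREFIX):
            inbound[src].add(dst)
        elif src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            outbound[src].add(dst)
    inbound_probes = {src: len(targets) for src, targets in inbound.items()}
    probed_hosts = sorted(set().union(*inbound.values())) if inbound else []
    # Many distinct outbound 3127 targets from one host is Doomjuice-style scanning.
    outbound_scanners = sorted(h for h, t in outbound.items() if len(t) >= min_targets)
    return inbound_probes, probed_hosts, outbound_scanners

if __name__ == "__main__":
    probes, hosts, scanners = backdoor_report(SAMPLE_LOG)
    print("probers:", probes, "check:", hosts, "scanning out:", scanners)
```

    Hosts in the probed list should be checked locally for a listener on 3127 and
    cleaned; hosts in the outbound-scanner list are the more urgent candidates.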
    
    Worst ever Windows worm - till the next one, anyway
    
    MyDoom-A has outstripped Love Bug, SirCam and even Sobig-F in
    prevalence, but its overall impact is smaller than that of Slammer and
    Blaster. In scanning for fresh victims, Blaster generated copious
    quantities of traffic that had a measurable effect on Internet
    performance.
    
    This is small comfort for the numerous users with prominent Net
    addresses, like us at The Reg. We were carpet bombed by the worm,
    whose email spoofing tactics created mass confusion and a tsunami of
    virus-related auto-responder spam.
    
    Some AV packages have configurable alert responses, but many AV systems
    will automatically send virus sender alerts to users who did not send
    the virus and are not infected. This causes more network traffic and
    wastes valuable time as users look to disinfect uninfected machines.
    That's to say nothing of the wider legal and business implications of
    falsely accusing someone (potentially a business partner) of spreading
    a virus.
    
    There are various theories about why MyDoom-A spread so rapidly. The
    multi-threaded nature of its spreading routines means that infected
    machines generated more crap. The worm was programmed to avoid sending
    itself to AV firms, Microsoft, government or the military – a tactic
    apparently designed to avoid the early detection of the worm. MyDoom
    used subtle social engineering tricks, for example impersonating
    standard email system messages, as a way of fooling unwary users into
    opening malicious attachments.
    
    Some AV firms say the virus simply “got lucky”.
    
    Forgive us if that doesn't make us feel any better - it’s only a
    matter of time before a similarly effective piece of malware is next
    released.
    
    The effects of the worm raise yet again questions about the
    effectiveness of traditional AV scanner software. What Sobig-F and now
    MyDoom-A have shown is that these technologies are powerless at
    restraining a prolific email worm.
    
    
    * The worm will stop packeting SCO and cease spreading from infected
      machines following the first system reboot after 02:28:57 GMT today.
      It will continue to spread from machines whose system clock is set
      incorrectly, so what we'll see is MyDoom-A tailing off to background
      noise levels rather than disappearing entirely.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    