MyDoom Redux: THE PROFIT MOTIVE
Latest worm has professional twist
AJC.com ^ | 1/28/04 | Bill Husted
A new computer worm called MyDoom is spreading in the United
States and abroad at a frightening rate. But that's not the really scary news.
What worries computer experts the most is the fact that
MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These
better-built worms also are used by criminals to turn a profit.
Experts say the creation of MyDoom was almost certainly
funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns
the machine into a remotely controlled robot programmed to send spam e-mail messages.
With hundreds of thousands of these zombie computers sending
spam, the chances of shutting down the flow are almost zero.
While the inner workings of the worm aren't a strong departure
from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead of sloppily
made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread faster
and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based anti-virus
firm.
"I don't think the worm is especially sophisticated, but
the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own
more and more computers that can do that."
"Yeah, it definitely has ties to spammers," said Neel Mehta,
a computer scientist with Atlanta-based Internet Security Systems.
Nor is there any question that MyDoom spread like wildfire.
Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for a time,
one of every nine e-mails was infected.
Atlanta-based EarthLink, which has more than 5 million Internet
customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time, e-mail
traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.
As if the news wasn't bad enough, there is a general suspicion
the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the worm can
monitor every keystroke made on every infected computer not protected by a firewall program. That provides access to everything
typed, including credit card numbers and passwords.
"I think there is a link to organized crime," Thompson said.
"I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account log-ins."
Mehta said while he had seen reports the worm contained
a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the
anti-hacker software would intercept and stop the remote prying.
MyDoom's professional touch can be seen in the way the e-mail
induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked pictures and
the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly. Even
worm-smart users could be fooled, said Mehta.
Once that attachment is opened, it hijacks e-mail addresses
stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected e-mail
could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message, many users
may be eager to open the attachment to see which message failed.
The text for some of those messages seems properly technical.
One says: "The message contains Unicode characters and has been sent as a binary attachment."
The professionalism of all that has Thompson worried. He
foresees a new generation of worm creators who are better educated and more skilled.
"Most worm writers grow up and get a girlfriend, a job and
then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."
As professionals take charge, the construction of the worms
themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms such as MyDoom
-- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of better quality."
He added, "It's not the first to have ties to professional
writers, but until about a year ago we didn't see worms that were tied to professionals."
While any fast-spreading worm causes congestion for computer
networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson said.
"Professional hackers are getting more into this," said
Mehta. "We are now seeing worms that are designed with a purpose."
Both Internet Security Systems and EarthLink believe the
peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.
CHATTER:
Skip to comments.
Latest
worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill
Husted
Posted on 01/29/2004 12:57:10
PM PST by honeygrl
A new computer worm called MyDoom is spreading in
the United States and abroad at a frightening rate. But that's not the really scary news.
What worries computer experts the most is the fact
that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster.
These better-built worms also are used by criminals to turn a profit.
Experts say the creation of MyDoom was almost certainly
funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns
the machine into a remotely controlled robot programmed to send spam e-mail messages.
With hundreds of thousands of these zombie computers
sending spam, the chances of shutting down the flow are almost zero.
While the inner workings of the worm aren't a strong
departure from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead
of sloppily made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread
faster and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based
anti-virus firm.
"I don't think the worm is especially sophisticated,
but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam,
to own more and more computers that can do that."
"Yeah, it definitely has ties to spammers," said
Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.
Nor is there any question that MyDoom spread like
wildfire. Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for
a time, one of every nine e-mails was infected.
Atlanta-based EarthLink, which has more than 5 million
Internet customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time,
e-mail traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.
As if the news wasn't bad enough, there is a general
suspicion the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the
worm can monitor every keystroke made on every infected computer not protected by a firewall program. That provides access
to everything typed, including credit card numbers and passwords.
"I think there is a link to organized crime," Thompson
said. "I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account
log-ins."
Mehta said while he had seen reports the worm contained
a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the
anti-hacker software would intercept and stop the remote prying.
MyDoom's professional touch can be seen in the way
the e-mail induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked
pictures and the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly.
Even worm-smart users could be fooled, said Mehta.
Once that attachment is opened, it hijacks e-mail
addresses stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected
e-mail could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message,
many users may be eager to open the attachment to see which message failed.
The text for some of those messages seems properly
technical. One says: "The message contains Unicode characters and has been sent as a binary attachment."
The professionalism of all that has Thompson worried.
He foresees a new generation of worm creators who are better educated and more skilled.
"Most worm writers grow up and get a girlfriend,
a job and then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."
As professionals take charge, the construction of
the worms themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms
such as MyDoom -- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of
better quality."
He added, "It's not the first to have ties to professional
writers, but until about a year ago we didn't see worms that were tied to professionals."
While any fast-spreading worm causes congestion for
computer networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson
said.
"Professional hackers are getting more into this,"
said Mehta. "We are now seeing worms that are designed with a purpose."
Both Internet Security Systems and EarthLink believe
the peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.
TOPICS: Business/Economy; Crime/Corruption; Extended News
KEYWORDS:
Navigation: use the links
below to view more comments.
first 1-50, 51-70 next last
So it seems that professional spammers,
not the "Linux Community" is responsible.
1 posted on 01/29/2004 12:57:13 PM PST by honeygrl
[ Post Reply | Private Reply | View Replies ]
To: Golden Eagle
Ready to apologize for blaming it on
the wrong people yet?
2 posted on 01/29/2004 12:58:05 PM PST by honeygrl
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
So if you build a better worm-trap, the
'net wil beat a path to your door.
3 posted on 01/29/2004 1:00:23 PM PST by theDentist (Boston: So much Liberty, you can buy a Politician already owned by someone else.)
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
The message cannot be represented
in 7-bit ASCII encoding and has been sent as a binary attachment.
4 posted on 01/29/2004 1:03:54 PM PST by leadpencil1
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
5 posted on 01/29/2004 1:04:09 PM PST by SGCOS
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
Can't we just follow the money? And those
profiteers who have their spam sent from infected computers would pretty clearly be the guilty ones, no? Couldn't someone
just buy something from one of these spammers and see how their credit card is billed?
It shouldn't be all that difficult
to track down those who profit from this worm....
FWIW, I own a couple of domain names, and have received over 600
spam/worms since yesterday. 600.
6 posted on 01/29/2004 1:10:10 PM PST by Theo
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
That's why we need to bring back the
draw-and-quarter method of punishment, specifically for email spammers. I firmly believe that a civilized society needs to
make an example out of people who would inflict an unmitigated evil upon others for their own personal benefits.
7 posted on 01/29/2004 1:11:49 PM PST by thoughtomator ("I will do whatever the Americans want because I saw what happened in Iraq, and I was afraid"-Qadafi)
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
Would the worm cause your email to download
slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total.
8 posted on 01/29/2004 1:12:31 PM PST by meanie monster
[ Post Reply | Private Reply | To 1 | View Replies ]
To: Theo
I own 1 domain name. As of yesterday
I had recieved the worm maybe 8-10 times. I haven't checked my mail yet today though. I'm kinda afraid to.. LOL I know I'm
just going to have to hit delete way too many times.
9 posted on 01/29/2004 1:14:07 PM PST by honeygrl
[ Post Reply | Private Reply | To 6 | View Replies ]
To: honeygrl
How to shut down spammers in one easy
step.
1] Fine the companies IN the ads, not the spammers.
It's as simple as that.
10 posted on 01/29/2004 1:17:52 PM PST by pcx99
[ Post Reply | Private Reply | To 1 | View Replies ]
To: thoughtomator
I always thought along the lines of chopping
off a few fingers. Leave one or two for scratching and nose picking.
Nah, never mind. Chop 'em all. Leave them a hook.
11 posted on 01/29/2004 1:22:16 PM PST by JoJo Gunn (Help control the Leftist population - have them spayed or neutered. ©)
[ Post Reply | Private Reply | To 7 | View Replies ]
To: honeygrl
Throwing a spammer in the works?
12 posted on 01/29/2004 1:23:28 PM PST by Doctor Stochastic (Vegetabilisch = chaotisch is der Charakter der Modernen. - Friedrich Schlegel)
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
So it seems that professional spammers,
not the "Linux Community" is responsible.
In all the descriptions of this virus I've found there's no mention of "organized crime" involvement.
13 posted on 01/29/2004 1:23:50 PM PST by mikegi
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
Ready to apologize for blaming it
on the wrong people yet?
I think a lot of people and businesses owe a BIG
apology, but I don't expect to see many forthcoming.
14 posted on 01/29/2004 1:26:02 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 2 | View Replies ]
To: honeygrl
Mehta said while he had seen reports
the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should
be safe because the anti-hacker software would intercept and stop the remote prying.
Gee, I can recall being flamed for saying this two
days ago.
15 posted on 01/29/2004 1:29:00 PM PST by js1138
[ Post Reply | Private Reply | To 1 | View Replies ]
To: honeygrl
I've gotten about 20 of these silly emails
already. I don't care - the worm doesn't run on my Mac., but it's annoying.
I blame the entire Microsoft OS-using community,
except the ones who say they're very, very, very sorry for using a crappy operating system that's full of security holes.
/Golden Eagle mode
16 posted on 01/29/2004 1:32:51 PM PST by Right Wing Professor
[ Post Reply | Private Reply | To 2 | View Replies ]
To: meanie monster
"Would the worm cause your email to download
slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total."
I
have no idea. Have you opened any attachments lately? The only way to get it is to open an attachment containing the worm
in an email. If you have opened suspicious attachments, you may want to update your virus program and run it to be sure you
don't have it or to get rid of it. Norton Antivirus offers a 15 days trial version on their website I think.
17 posted on 01/29/2004 1:33:58 PM PST by honeygrl
[ Post Reply | Private Reply | To 8 | View Replies ]
To: Right Wing
Professor
For some reason, I have yet to receive
this worm in an email. I don't think Norton blocks them, just alerts to the presence of the worm.
I feel kinda left out.
18 posted on 01/29/2004 1:36:36 PM PST by Dog Gone
[ Post Reply | Private Reply | To 16 | View Replies ]
To: honeygrl
Experts say the creation of MyDoom
was almost certainly funded by e-mail spammers.
What size "fund" does one need to get a worm created?
Probably a six-pack.
19 posted on 01/29/2004 1:42:52 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 1 | View Replies ]
To: Right Wing
Professor
I'm also a Mac-user, and feel no threat
from these things. Even though I'm a Mac-user, of course, I just don't open attachments or follow links unless I know what
it is and have requested it.
But over 600 of these worm/spams so far! Dang. In the past 30 minutes, I've receive 1
per minute. And I've got a pretty boring domain name....
20 posted on 01/29/2004 1:43:00 PM PST by Theo
[ Post Reply | Private Reply | To 16 | View Replies ]
To: Theo
But over 600 of these worm/spams so
far! Dang. In the past 30 minutes, I've receive 1 per minute.
I'm running a PC and I've only seen three since Monday.
Better run your Mac through a de-wormisizer.
21 posted on 01/29/2004 1:48:50 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 20 | View Replies ]
To: honeygrl
No, I haven't opened any attachments.
Can it sneak pass zone alarm? I just upgraded ZA last month.
22 posted on 01/29/2004 1:49:24 PM PST by meanie monster
[ Post Reply | Private Reply | To 17 | View Replies ]
To: Leroy S.
Mort
I haven't opened it up on my Mac, and
it's my understanding that this is a Windows worm.
Many of the "from" fields are from the domains of Christian ministries,
which makes me think that one or more of my clients (who has my email address in their outlook address book) has an infected
computer....
23 posted on 01/29/2004 1:56:45 PM PST by Theo
[ Post Reply | Private Reply | To 21 | View Replies ]
To: honeygrl
So it seems that professional spammers,
not the "Linux Community" is responsible.
I see nothing in this article that would indicate
anyone knows who created this or for what reason (other than the DOS attacks coded against MS and SCO).
"I don't think the worm is especially sophisticated,
but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam,
to own more and more computers that can do that."
"Yeah, it definitely has ties to spammers," said
Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.
Okay. What spam is being sent? Or is that just conjecture?
Article doesn't say. Worms and trojans have been hijacking computers to serve as slaves in DOS attacks for years - so much
for the "sophistication" of the plot.
24 posted on 01/29/2004 1:58:00 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 1 | View Replies ]
To: Right Wing
Professor
LOL
25 posted on 01/29/2004 2:02:59 PM PST by honeygrl
[ Post Reply | Private Reply | To 16 | View Replies ]
To: Dog Gone;
All
For some reason, I have yet to
receive this worm in an email. I don't think Norton blocks them, just alerts to the presence of the worm.
I feel kinda left out.
For some reason, I have yet to receive this
worm in an email.
Thank your lucky stars!!
The worm blocks access to popular Anti Virus Websites
like McAffee, Symantec, and Trend Micro.
I ran into a Trojan with such defensive features
last year...only a complete FDISK-DOS FORMAT type total software reinstall saved the day!
26 posted on 01/29/2004 2:04:29 PM PST by Lael (http://fourthturning.com)
[ Post Reply | Private Reply | To 18 | View Replies ]
To: meanie monster
"No, I haven't opened any attachments."
Then you should be just fine.
27 posted on 01/29/2004 2:05:00 PM PST by honeygrl
[ Post Reply | Private Reply | To 22 | View Replies ]
To: js1138
Mehta said while he had seen reports
the worm contained a keystroke logger, he could not confirm them.
A true security expert could confirm or deny the
existence of a keylogger.
28 posted on 01/29/2004 2:06:49 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 15 | View Replies ]
To: meanie monster
Would the worm cause your email to
download slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total.
The worm might be causing the slow download, but
the problem is probably not on your end. (Unless you've opened strange attachments in the last few days). It is more likely
that your ISP's mail servers are overloaded with all of the messages that the worms are sending out from infected computers.
29 posted on 01/29/2004 2:07:25 PM PST by RedWhiteBlue (<a href="http://www.michaelmoore.com" target="_blank">miserable failure)
[ Post Reply | Private Reply | To 8 | View Replies ]
To: Leroy S.
Mort
" Okay. What spam is being sent?"
So
far I've read something about it sending ads for buying Viagra online. http://www.f-secure.com/ (i think i got that right) has some details about what it did in a test environment.
They said it also has in it something along the lines of "sorry andy, nothing personal. I'm just doing my job." But that isn't
something that is displayed to anyone with it on their machine.. it's just in the program somewhere. If that link isn't right,
google "f-secure" to find the right URL.
30 posted on 01/29/2004 2:10:18 PM PST by honeygrl
[ Post Reply | Private Reply | To 24 | View Replies ]
To: honeygrl
I didn't see anything about Viagra spam
at the link you gave.
Simply doesnt make sense for it to be a spam vehicle:
1. It's scheduled to quit replicating on Feb 12th.
2. It has a payload which targets two major websites
with DDos attacks(SCO and Microsoft - depending on the variation). What possible advantage would that give it as a stealth
spam program?
31 posted on 01/29/2004 2:24:55 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 30 | View Replies ]
To: honeygrl
So far I've read something about it
sending ads for buying Viagra online.
I get about three of those a day anyway. And there
are hundreds of messages from 19 year old girls who want me to look at their web cams. Funny thing is, their pictures all
look exactly the same. And when I email them to warn them they should be very careful about letting strangers watch them at
home, my emails bounce.
32 posted on 01/29/2004 2:25:44 PM PST by Right Wing Professor
[ Post Reply | Private Reply | To 30 | View Replies ]
To: honeygrl
This is far from any proof of anything. There
are other reports out there such as these:
http://www.upi.com/view.cfm?StoryID=20040128-081558-7375r
CHICAGO, Jan. 28 (UPI) -- Internet-based hacker-activists -- known as hacktivists
-- seem to be behind the mass e-mailing this week of the MyDoom worm, which has commandeered consumers' computers around the
globe to serve as a staging area for another, more potent attack on their primary, commercial target next month.
Computer
experts told United Press International that MyDoom -- a self-replicating string of malicious computer code -- could turn
out to be the most widespread worm of all time, topping last summer's well-known attack by the SoBig virus.
As of
Tuesday, one of every nine e-mail messages being received by the average computer user was infected with the worm, according
to research by Central Command, an anti-virus software maker in Medina, Ohio.
So far, there does not seem to be much
consumers who use personal computers running Microsoft Corp. products can do to stop the worm -- once it has infected their
systems. Computer scientists are striving to complete a cure for it.
"This worm appears to be a form of hacktivism,"
Gary Morse, president of Razorpoint Security Technology, a computer consultancy in New York City, told UPI. "It is only infecting
machines that are running Windows as their operating system, not those that are running the Mac operating system or the Solaris
operating system." ...
"They have their own flavor of Unix," an operating system for technical computing projects,
Morse said. "They are embattled with IBM and Red Hat and Novell in a fight over intellectual property rights for the software.
This has set off discussions on Web boards around the world. And it appears that someone who does not like where SCO stands
has taken matters into their own hands."
This is all part of the global, ideological war online between the backers
of the free operating system Linux, a version of Unix, and the supporters of the industry standard, Microsoft Windows, Morse
said.
http://www.internetnews.com/dev-news/article.php/3304311
The W32.Novarg.A@mm (MyDoom) virus, which has emerged as an unlikely weapon in the ongoing 'Linux War' between
SCO and the open-source community, is set to launch the DDoS attack against SCO on Feb. 1 and has a trigger date to stop spreading
on Feb. 12.
Lindon, Utah-based SCO has drawn the ire of open-source advocates in recent months because of its litigation
against Linux vendors IBM , Red Hat (Quote, Chart) and Novell (Quote, Chart), claiming that some of its code was being used
in implementations of the Linux OS.
http://edition.cnn.com/2004/TECH/internet/01/27/mydoom.spread/
A sneaky e-mail worm continued to clog Internet traffic Tuesday, spreading faster
than previous Web bugs by appearing as an innocuous error message.
The worm -- dubbed "MyDoom," "Novarg" or "WORM_MIMAIL.R"
-- was copying itself at a fierce pace, so fast that some companies were having to shut down their mail servers to stop it.
And a new clue was emerging as to the source of the infection.
Virus experts suggested MyDoom's author was a fan of
the Linux open source community, because the bug, which targets computers running Microsoft Windows, launched a Denial of
Service Attack on SCO's site. Utah-based SCO Group, which says it owns the UNIX operating system, alleges some versions of
the Linux operating system use its proprietary code.
"The MyDoom worm takes the Linux Wars to a new intensity," said
Chris Belthoff, an analyst for anti-virus firm Sophos. "It appears that the author of MyDoom may have taken the war of words
from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."
Past
History would lend to that theory as well:
Embattled SCO Group's Web site hit with a 'denial of service' strike
http://www.sltrib.com/2003/Aug/08262003/business/86967.asp
Eric Raymond, president of the Open Source Initiative, called the attack
"rather sophisticated" and said he was convinced it had been launched "by an experienced Internet engineer."...
Raymond,
who published his findings on the Linux Today Web site, said the unidentified perpetrator had agreed to halt the attack, at
Raymond's request. SCO's Web site was operating again by Monday afternoon.
"I had been hoping, and actually expecting,
that the attacker would turn out to be some adolescent cracker with no real connection to the open-source community," Raymond
stated. But "I was told enough about his background and how he did it to be pretty sure he is one of us -- and I am ashamed
for all of us."
33 posted on 01/29/2004 2:26:30 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 30 | View Replies ]
To: honeygrl
Computer experts blame spammers
Has anyone been looking at the full headers of their
SPAM lately? At least half of it is coming from DSL and Cable Modem systems here in the U.S. Mostly from Comcast, RR, and
Adelphia. At some point these companies will have to stop their customers from SPAMing the world.
34 posted on 01/29/2004 2:30:20 PM PST by 69ConvertibleFirebird
[ Post Reply | Private Reply | To 1 | View Replies ]
To: pcx99
Fine the companies IN the ads, not
the spammers.
Sometimes I call the toll free phone numbers that
show up in the SPAM. I give the person sh_t for about 10 minutes. They tell me that they aren't sending SPAM. When they say
that they actually mean that they hired another company to send SPAM for them or that they were hired by the SPAM company
to take orders. Anyway, a half-truth to try and deflect criticism of themselves.
I did get a hold of a local addiction treatment center
that was SPAMing my company. They swear that the salesman from the SPAM company told them that the emails would be very well
directed. The SPAMmer lied to them. After my call SPAM from them stopped.
35 posted on 01/29/2004 2:35:47 PM PST by 69ConvertibleFirebird
[ Post Reply | Private Reply | To 10 | View Replies ]
To: Leroy S.
Mort
A true security expert could confirm
or deny the existence of a keylogger.
You can't trust this worm to be the same on any two
machines. Its fundamental structure is that of a trojan that listens on a TCP port for arbitrary code segments that it is
to execute.
For example, the supposed DDOS attack on Microsoft
was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to
update themselves with this, where "this" is whatever the guy wants to add.
Yesterday he added a DDOS attack on Microsoft. But
that's not supposed to occur until February 1. By then he could have changed the target two or three times, or deleted the
DDOS attack altogether and replaced it with a spam relay, or a thing that formats C:, or whatever he wants. Right now this
virus writer is just jerking these security guys around. "It's a DDOS attack! It'a a keystroke logger! It's a breath mint!"
You were right the first time: fundamentally, no
one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever
that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.
Based on comments I've seen elsewhere, the reason
they think it has to do with spammers is two-fold. First, it seems to be a professional package; the techniques used, the
way things are laid out, etc., point to a professional as opposed to a scipt kiddie or the "12-year-old genius" who writes
most of these things. Secondly, this is the New Thing among spammers. The last big worm turned out to be a collector of zombies
for use by spammers; here comes another one with similar capabilities and a built-in SMTP engine, and it appears to be a paid-for,
professionally written item. That suggests commercial, profit-making enterprise at work, as opposed to some crank who just
wants to be a vandal. They could be wrong about this of course, but they do work this problem every day and see a lot of this
stuff in the course of their work. It's "conjecture" but it's educated conjecture.
36 posted on 01/29/2004 2:43:27 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 28 | View Replies ]
To: rdb3
oh yeah.. ping :)
37 posted on 01/29/2004 2:49:15 PM PST by honeygrl
[ Post Reply | Private Reply | To 36 | View Replies ]
To: 69ConvertibleFirebird
"At least half of it is coming from
DSL and Cable Modem systems"
Most likely open relays rather than the actual owner
doing it. I get around 20 attempts a day on my mail server from people looking to see if they can relay from it.
38 posted on 01/29/2004 2:49:49 PM PST by Proud_texan
[ Post Reply | Private Reply | To 34 | View Replies ]
To: Proud_texan
What is an "open relay" and why would
someone let their system be used to send SPAM?
Here is an example of the from: field with full headers
on:
Received: from c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])
Is there any way of telling whether this IP originated
the e-mail or went through an open relay?
Either way, I forward the full message with headers
to the system that it came from, usually at abuse@_system_.com, or wherever, asking that their system stop sending SPAM. Maybe
they will terminate that IP's account. I get about 20 of these (from DSL and/or Cable Modem) per day.
39 posted on 01/29/2004 3:02:51 PM PST by 69ConvertibleFirebird
[ Post Reply | Private Reply | To 38 | View Replies ]
To: 69ConvertibleFirebird
An open relay is a mail server that allows
one to log on and send email from that server without proper credentials. They aren't as common as they were and as recently
as a couple of years ago it was pretty standard. Not unlike leaving your door unlocked in the 50s.
It's by no means comprehensive but http://www.ordb.org/
maintains a list of open relays. I don't find that IP address in their database but I do note that it's been tested for open
relay service recently, might be the owner get a dose of reality with all the spam complaints and took care of it.
Or it could be that the address was merely forged
and the IP address is totally bogus.
40 posted on 01/29/2004 3:12:19 PM PST by Proud_texan
[ Post Reply | Private Reply | To 39 | View Replies ]
To: 69ConvertibleFirebird
c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net
[24.1.157.18])
This is most likely a dial up, or DSL connection.
Send the complaint to abuse@comcast.net. My experience with this indicates that people frequently receive trial subscriptions
solely for the purpose of originating spam. Recently, a wireless spot in a hotel was used to originate spam.
Text based spam is bad enough, but when it includes
viruses and trojans, the problem is compounded. CNN suggested this current virus could cost over $250M.
Open Relays pose a problem, as do trial subscriptions,
and temporary email accounts. Even though fewer open relays exist in the US, the emergence in 3rd world countries will only
increase this problem.
The real challenge is that the existing email protocol
cannot authenticate who really sent the email. The advocates for updating the protocol are dwarfed by the advocates for keeping
the existing protocol due to the anticipated cost for making the change. Existing applications are based on the current protocol
and they would have to be changed.
The CAN-SPAM Act fails because it requires you to
identify who sent you the spam. When it comes from a 3rd world country, that will not happen. When the spammers spoof the
headers, again you cannot identify who sent the email.
41 posted on 01/29/2004 3:28:47 PM PST by rit
[ Post Reply | Private Reply | To 39 | View Replies ]
To: Nick Danger
For example, the supposed DDOS attack
on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and
tells them to update themselves with this, where "this" is whatever the guy wants to add.
It's my understanding that W32.Mydoom.B (the one
that includes DoS's against both SCO AND Microsoft)is a whole new variation of W32.NovargA (the original MyDoom SCO worm)and
is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested
in seeing it.
42 posted on 01/29/2004 3:32:02 PM PST by Leroy S. Mort
[ Post Reply | Private Reply | To 36 | View Replies ]
To: rit
I see a lot of spam from "spam zombie"
machines on dsl and broadband networks. They get infected with a backdoor trojan, and then the spammers will use them to send
mail from.
43 posted on 01/29/2004 3:37:06 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 41 | View Replies ]
To: Nick Danger
You were right the first time: fundamentally,
no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever
that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.
I see your finally starting to understand the dangers
of computer criminals? That's actually the first post ever I've seen you make where may be actually starting to realize that
policing of the internet is a forgone conclusion.
There are some really bad people out there on the
net, and they used to just pirate other's property, giving it away for free all over the world, but now they're launching
bombs out there. These "loosely knit groups of hackers from around the web" (kernel.org) have to be watched closely. I'm amazed
and hopeful you're starting to see the light. More likely, just a temporary flash.
44 posted on 01/29/2004 3:41:58 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 36 | View Replies ]
To: All
Most of these links are courtesy Martin Fierro:
Alternative browsers:
http://www.mozilla.org/
http://www.opera.com/
Free anti-viral protection:
http://www.grisoft.com/us/us_dwnl_free.php
Popup ad killers:
http://www.bayden.com/popper/
Close that friggin' Messenger in Windows XP:
http://grc.com/stm/ShootTheMessenger.htm
Spyware removers:
http://www.safer-networking.org/index.php?lang=en&page=download
http://www.lavasoftusa.com/
http://www.wilderssecurity.net/spywareblaster.html
Good for pre-screening & bouncing SPAM:
http://mailwasher.net/
Script Defender ( stop that nonsense from running unwelcome scripts ):
http://www.analogx.com/welcome.htm
Online virus scans:
http://housecall.antivirus.com/housecall/start_corp.asp
Trend Micro
http://www.rav.ro/scan/indexie.php
RAV
http://www.bitdefender.com/scan/license.php
Bit Defender
45 posted on 01/29/2004 3:48:31 PM PST by backhoe (--30--)
[ Post Reply | Private Reply | To 1 | View Replies ]
To: Leroy S.
Mort
is not, to my knowledge, "updating"
the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.
From the discussion of Novarg.B on Symantec Security Response (see #11):
The worm also contains functionality which allows
it to install itself on systems which may have been infected by W32.Novarg.A@mm. This is accomplished as follows:
- The worm creates two to six threads working in parallel.
- Each thread scans a randomly picked class-C sized networks,
from a.b.c.1 to a.b.c.254, except that it skips networks where a=16, 224, 127 or 128.
- Between each scanned network, a thread waits 128 ms.
- Each IP in the scanned class-C is contacted on port
3127, if the connection succeeds, the worm sends an update command along with a copy of itself to be executed on the remote
machine.
So basically this guy can send out a new worm at
any time to modify the behavior of the old worms. I think it's against the law in the United States to invade someone else's
computer, but perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes
itself.
46 posted on 01/29/2004 4:00:05 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 42 | View Replies ]
To: Golden Eagle
When you swim in the ocean, you enter
the food chain.
47 posted on 01/29/2004 4:00:58 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 44 | View Replies ]
To: backhoe
No Netscape? BTW, do you know if any
other browsers offer the 'full screen' mode with zero border like IE?
48 posted on 01/29/2004 4:03:45 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 45 | View Replies ]
To: Golden Eagle
In the Microsoft Outlook product's preview
mode, if an email contains an embedded executable mime type, does it trigger automatically? Or, does the user have to open
the attachment? Clarity is appreciated.
49 posted on 01/29/2004 4:11:33 PM PST by rit
[ Post Reply | Private Reply | To 48 | View Replies ]
To: tacticalogic
I see a lot of spam from "spam zombie"
machines on dsl and broadband networks.
It's insane how infected some of these broadband
ISP's are with this stuff, a virgin system gets popped within 10 mins on a lot of them. They're going to have to better authenticate,
and the more you'll pay the sounder your service will be. You can already join one of the major ISP's and get similar protetion
now, but some would rather ride these big waves anyway. So it will never end, some will just better isolate themselves from
it.
50 posted on 01/29/2004 4:17:09 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 43 | View Replies ]
Navigation: use the links
below to view more comments.
first 1-50, 51-70 next last
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent
the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption
for fair use of copyrighted works.
FreeRepublic.com
is powered by software copyright 2000-2003 Robinson-DeFehr Consulting, LLC.
Skip to comments.
Latest
worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill
Husted
Posted on 01/29/2004 12:57:10
PM PST by honeygrl
click here to read article
Navigation: use the links
below to view more comments.
first previous 1-50, 51-70 last
To: Golden Eagle
No Netscape? BTW, do you know if any
other browsers offer the 'full screen' mode with zero border like IE?
Oversight- I keep 7.1 on my machine and like it fine...
far as the other 2 go, I have used them in the past, but darned if I can recall offhand that border feature- I suspect you
can do it, but can't say for sure.
51 posted on 01/29/2004 4:18:20 PM PST by backhoe (--30--)
[ Post Reply | Private Reply | To 48 | View Replies ]
To: rit
My understanding is older versions of
Outlook can indeed have a 'preview pane' vulnerability where a received message can possibly autolaunch itself if it becomes
active in the preview pane, and I believe that was only related to Outlook Express, the free package included in Windows and
not the Outlook 9X, 2000, etc that comes packaged with Office, I believe it's preview pane may have always been safe although
that version is perhaps more vulnerable to HTML mail attacks.
However these would be much older, more like initial
implementations, that hopefully have long since been upgraded and would in fact be considered one of the more serious threats
that an intellegent updater like windowsupdate.com would immediately notice as severe issue.
Any modern version of
Outlook Express (normal Outlook not being affected) that came with any recent version of IE (5.1+) would probably not be susceptable.
As I said, at least that is my current understanding...
52 posted on 01/29/2004 4:24:22 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 49 | View Replies ]
To: Golden Eagle
It's insane how infected some of these
broadband ISP's are with this stuff, a virgin system gets popped within 10 mins on a lot of them. They're going to have to
better authenticate, and the more you'll pay the sounder your service will be. You can already join one of the major ISP's
and get similar protetion now, but some would rather ride these big waves anyway. So it will never end, some will just better
isolate themselves from it.
At the very least, the broadband and dsl providers
ought to be stopping smtp traffic from their clients, or at least making arrangements for an authorization process to enable
it. I stop the majority of spam from hitting my mail servers by using RDNS, and blocking all the address spaces assigned to
China. AOL is testing the new SPF (Sender Permitted From) DNS extention, and I'm waiting to see how that turns out.
53 posted on 01/29/2004 4:27:01 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 50 | View Replies ]
To: Nick Danger
perhaps a "white hat" in some other
country could send out an update that kills this thing, and then deletes itself.
Someone did write such a thing kill the blaster worm.
Unfortunately it was so agressive, it would overload networks just from the sheer volume of scanning it was doing.
54 posted on 01/29/2004 4:31:25 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 46 | View Replies ]
To: tacticalogic
At the very least, the broadband and
dsl providers ought to be stopping smtp traffic from their clients, or at least making arrangements for an authorization process
to enable it.
They don't want to turn anything off, unless they
turn it all off, then the customers all raise hell and threaten to drop. The ISP's seem to be at a break even point though,
no way to add staff or features like security without raising their rates, something nobody wants, but maybe inevitable.
55 posted on 01/29/2004 4:42:36 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 53 | View Replies ]
To: Golden Eagle
Thank you for the response. What about
embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?
56 posted on 01/29/2004 4:45:48 PM PST by rit
[ Post Reply | Private Reply | To 52 | View Replies ]
To: honeygrl
These "MyDoom" articles on FR have reminded
me to update my virus definitions every day for the past several days, and there's always something new. Usually, I update
about once a week.
57 posted on 01/29/2004 4:46:38 PM PST by wimpycat ("Black holes are where God divided by zero.")
[ Post Reply | Private Reply | To 1 | View Replies ]
To: tacticalogic
perhaps a "white hat" in some other
country could send out an update that kills this thing, and then deletes itself.
I think that may be welchia. I'm not in favor of
much vigilante justice, there's enough lose cannons out there as it is. And there's a tremendous amount of bluring of the
lines between the "black hats" and the "white hats" right now, including these 'security firms' that release newly found exploits
straight onto the open internet without first notifying the vendors and giving them a chance to build a patch first. But you
can't have a "mob rules" world out there, which it is turning into.
58 posted on 01/29/2004 4:50:34 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 54 | View Replies ]
To: rit
Thank you for the response. What about
embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?
All the same, as far as I know. The latest versions
of Outlook with very latest patches applied won't let you open any attachment without saving it first, or at least that is
my understanding. You could be hyperlinked, but that would typically require a corrupt host for you to connect.
Of course, A/V protection is a higher level of protection,
from the client to the server on to the perimeter if you control it. With that updating signatures constantly, only the immediate
impact of a virus not yet defined by your A/V vendor and pushed to your protection points can even get to your Outlook client.
Still happens, on rare occassion even with the best perimeter defense, but then you have the other protections I've mentioned
along with user education.
59 posted on 01/29/2004 5:01:02 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 56 | View Replies ]
To: wimpycat
These "MyDoom" articles on FR have
reminded me to update my virus definitions every day for the past several days, and there's always something new. Usually,
I update about once a week.
If you have any sort of permanent connection you
should update every day. Usually the mid morning to early afternoon signatures have been built to block whatever comes from
overseas that day. But you have to do this since even what may seem as extreme precaution may not be enough, as the virus
sometimes advance in front of the virus, although that actually did not seem to be the case with MyDoom, there are just a
lot of people who aren't upgrading fast enough that got caught and accidentally clicked those files. Bottom line, treat the
dangers of the internet with deserved respect, and you'll be fine.
60 posted on 01/29/2004 5:05:48 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 57 | View Replies ]
To: Golden Eagle
I did a virus check & didn't have
this worm....but did find 1 other worm & 1 virus....my bosses kids use my computer & I have not run a virus check
since around Thanksgiving. It was my fault for being lazy, but I never open any attachments unless the person sending has
told me it is on the way.
I ran Mcafee & found 2....Norton told me I had none. Whats up with that?
61 posted on 01/29/2004 5:13:54 PM PST by feinswinesuksass (Drawing on my fine command of language, I said nothing.)
[ Post Reply | Private Reply | To 50 | View Replies ]
To: Golden Eagle
That's the one. I'm on a dialup, and
when blaster hit, I got infected twice during the process of trying to d/l the update. After the second time I got fed up
with it and created a 0 byte file in my Windows directory, named it msblast.exe, and made it read only.
62 posted on 01/29/2004 5:20:50 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 58 | View Replies ]
To: Golden Eagle
Again, thank you for the detail. This
seems to diminish the perception that the MyDoom virus was spread mostly through the auto preview mode. It is more likely
99.9% falls back on the user who explicitly opened the attachment.
Given that CNN reported the anticipated cost of MyDoom
at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the possibility that
the reactionary A/V and filtering model is insufficent to solve the spam/virus problem.
63 posted on 01/29/2004 5:22:32 PM PST by rit
[ Post Reply | Private Reply | To 59 | View Replies ]
To: Golden Eagle
My computer automatically scans for viruses
every Friday night at 8:00. I do have a permanent connection, but my modem has a "pause" button that blocks all traffic. I
usually hit the pause button during the day while I'm at work, and before I go to bed at night.
Curiosly enough, I
do have automatic live update enabled, but I still manually run live update, and I still get new downloads. But I don't see
where it even allows me to set up a schedule to automatically download definitions.
64 posted on 01/29/2004 5:30:07 PM PST by wimpycat ("Black holes are where God divided by zero.")
[ Post Reply | Private Reply | To 60 | View Replies ]
To: feinswinesuksass
I ran Mcafee & found 2....Norton
told me I had none. Whats up with that?
Sorry to hear that, but just further proof the sneaky
bastards are getting better and better. Kids make it almost impossible to defend everything, too. ;-)
65 posted on 01/29/2004 5:56:44 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 61 | View Replies ]
To: rit
Given that CNN reported the anticipated
cost of MyDoom at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the
possibility that the reactionary A/V and filtering model is insufficent to solve the spam/virus problem.
Sorry but I think that's the wrong conclusion. First
there are always questions about the validity of these estimates, and the first ones have been from overseas sources. Second,
this attack while sophisticated was not that revolutionary, and those with adequate defenses, defenses that have been raised
recently due to other similar events, were therefore much better prepared to block it.
I think what the overall result is, even though hacker
sophistication remains high, overall protection of critical data secured by professionals is exceptional, and suffered little
damage testifying to the truths of security practice, but the mostly poorly prepared home users are receiving the brunt of
virii attacks now, and will likely in the future. Before it was both receiving damage, so we are making progress, mainly by
advances in technology and sophistication of operators. The current model is strong, by those who choose or can afford to
enforce it.
66 posted on 01/29/2004 6:06:16 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 63 | View Replies ]
To: Golden Eagle
Agreed that the CNN 250M is an estimate,
but even if the damage is half, it is still too expensive for where we should be. I am questioning if A/V is the yet to
be perfected solution, or, if something more is required.
67 posted on 01/29/2004 6:52:37 PM PST by rit
[ Post Reply | Private Reply | To 66 | View Replies ]
To: Lael; Dog
Gone
I haven't gotten it either and I have
six different email accounts. On all my boxes I run Nortons and Zone Alarm Pro for the firewall. One of my ISPs run a virus
scan on email, so I feel pretty safe.
68 posted on 01/29/2004 6:57:09 PM PST by Lawgvr1955 (Sic Semper Tyrannus)
[ Post Reply | Private Reply | To 26 | View Replies ]
To: rit
I am questioning if A/V is the yet
to be perfected solution, or, if something more is required.
With proper configuration, yes it's close but technology
doesn't "close the loop" to use a technical term and user interaction is most often the final weakest link in the process,
of which there is no ultimate protection with the currently configured landscape.
69 posted on 01/29/2004 7:38:06 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 67 | View Replies ]
To: Golden Eagle
Ready to 'fess up and write 100 times
"I AM VERY SORRY THAT I SPREAD SLANDERS"?
70 posted on 02/09/2004 8:08:56 AM PST by steve-b
[ Post Reply | Private Reply | To 1 | View Replies ]
Navigation: use the links
below to view more comments.
first previous 1-50, 51-70 last
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion
of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair
use of copyrighted works.
FreeRepublic.com
is powered by software copyright 2000-2003 Robinson-DeFehr Consulting, LLC.
