WebCrime

THE PROFIT MOTIVE: MyDoom Redux:

MyDoom Redux: THE PROFIT MOTIVE

Latest worm has professional twist
AJC.com | 1/28/04 | Bill Husted

 

A new computer worm called MyDoom is spreading in the United States and abroad at a frightening rate. But that's not the really scary news.

What worries computer experts the most is the fact that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These better-built worms also are used by criminals to turn a profit.

Experts say the creation of MyDoom was almost certainly funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns the machine into a remotely controlled robot programmed to send spam e-mail messages.

With hundreds of thousands of these zombie computers sending spam, the chances of shutting down the flow are almost zero.

While the inner workings of the worm aren't a strong departure from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead of sloppily made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread faster and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based anti-virus firm.

"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."

"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.

Nor is there any question that MyDoom spread like wildfire. Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for a time, one of every nine e-mails was infected.

Atlanta-based EarthLink, which has more than 5 million Internet customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time, e-mail traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.

As if the news wasn't bad enough, there is a general suspicion the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the worm can monitor every keystroke made on every infected computer not protected by a firewall program. That provides access to everything typed, including credit card numbers and passwords.

"I think there is a link to organized crime," Thompson said. "I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account log-ins."

Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the anti-hacker software would intercept and stop the remote prying.

MyDoom's professional touch can be seen in the way the e-mail induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked pictures and the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly. Even worm-smart users could be fooled, said Mehta.

Once that attachment is opened, it hijacks e-mail addresses stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected e-mail could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message, many users may be eager to open the attachment to see which message failed.

The text for some of those messages seems properly technical. One says: "The message contains Unicode characters and has been sent as a binary attachment."

The professionalism of all that has Thompson worried. He foresees a new generation of worm creators who are better educated and more skilled.

"Most worm writers grow up and get a girlfriend, a job and then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."

As professionals take charge, the construction of the worms themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms such as MyDoom -- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of better quality."

He added, "It's not the first to have ties to professional writers, but until about a year ago we didn't see worms that were tied to professionals."

While any fast-spreading worm causes congestion for computer networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson said.

"Professional hackers are getting more into this," said Mehta. "We are now seeing worms that are designed with a purpose."

Both Internet Security Systems and EarthLink believe the peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.
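The lure the article describes (a bounce-style notice that is actually an executable attachment, sent under a harvested address so it appears to come from a friend) is caught most reliably at a mail gateway by checking for the combination rather than for any one string. The Python below is an added example written for this page, not code from the article or from any vendor it quotes; the two sample messages, the bounce phrases and the executable-extension list are constructed assumptions.

```python
import email
from email import policy

# Constructed sample modelled on the lure the article describes: the body reads
# like a mail-system error report, but the "report" is an executable attachment
# and the sender is an ordinary user address rather than the mail system.
SAMPLE_LURE = b"""\
From: "A Friend" <friend@example.org>
To: bob@example.net
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"

<constructed placeholder, no real payload>
--b1--
"""

# Constructed legitimate bounce for comparison: text only, sent by the mail system.
SAMPLE_BOUNCE = b"""\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: bob@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The message could not be delivered: user unknown.
"""

# Assumption: phrases that a delivery-failure notice (real or imitated) tends to use.
BOUNCE_PHRASES = (
    "has been sent as a binary attachment",
    "could not be delivered",
    "undelivered mail",
    "delivery failure",
    "mail delivery system",
)
# Assumption: common Windows executable extensions, not a list taken from the article.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".cmd", ".bat", ".com")


def executable_attachments(msg):
    """Names of attachments whose extension marks them as executable."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(fname)
    return names


def looks_like_bounce(msg):
    """True if the subject or plain-text body reads like a delivery report."""
    text = (msg.get("Subject") or "") + " "
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += body.get_content()
    text = text.lower()
    return any(phrase in text for phrase in BOUNCE_PHRASES)


def classify(raw):
    """Return (verdict, reasons) for a raw RFC 822 message as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    bounce = looks_like_bounce(msg)
    execs = executable_attachments(msg)
    sender = (msg.get("From") or "").lower()
    from_mailer = "mailer-daemon" in sender or "postmaster" in sender
    if bounce and execs:
        reasons.append(f"bounce-style text with executable attachment {execs}")
    if bounce and not from_mailer:
        reasons.append("bounce-style text but sender is not a mail-system address")
    if bounce and execs:
        verdict = "quarantine"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, reasons


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("bounce", SAMPLE_BOUNCE)):
        print(label, classify(raw))
```

A real bounce is text-only and comes from the mail system, so it passes; the lure trips both checks because the "failed message" it offers is an executable and the sender is a harvested user address. Neither check alone is enough: legitimate bounces do contain the binary-attachment wording, and plenty of harmless mail carries attachments.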

CHATTER:

Free Republic

Latest worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill Husted

Posted on 01/29/2004 12:57:10 PM PST by honeygrl



So it seems that professional spammers, not the "Linux Community" is responsible.

1 posted on 01/29/2004 12:57:13 PM PST by honeygrl



To: Golden Eagle

Ready to apologize for blaming it on the wrong people yet?

2 posted on 01/29/2004 12:58:05 PM PST by honeygrl



To: honeygrl

So if you build a better worm-trap, the 'net will beat a path to your door.

3 posted on 01/29/2004 1:00:23 PM PST by theDentist (Boston: So much Liberty, you can buy a Politician already owned by someone else.)



To: honeygrl

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

4 posted on 01/29/2004 1:03:54 PM PST by leadpencil1



To: honeygrl


5 posted on 01/29/2004 1:04:09 PM PST by SGCOS



To: honeygrl

Can't we just follow the money? And those profiteers who have their spam sent from infected computers would pretty clearly be the guilty ones, no? Couldn't someone just buy something from one of these spammers and see how their credit card is billed?

It shouldn't be all that difficult to track down those who profit from this worm....

FWIW, I own a couple of domain names, and have received over 600 spam/worms since yesterday. 600.

6 posted on 01/29/2004 1:10:10 PM PST by Theo



To: honeygrl

That's why we need to bring back the draw-and-quarter method of punishment, specifically for email spammers. I firmly believe that a civilized society needs to make an example out of people who would inflict an unmitigated evil upon others for their own personal benefits.

7 posted on 01/29/2004 1:11:49 PM PST by thoughtomator ("I will do whatever the Americans want because I saw what happened in Iraq, and I was afraid"-Qadafi)



To: honeygrl

Would the worm cause your email to download slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total.

8 posted on 01/29/2004 1:12:31 PM PST by meanie monster



To: Theo

I own 1 domain name. As of yesterday I had received the worm maybe 8-10 times. I haven't checked my mail yet today though. I'm kinda afraid to.. LOL I know I'm just going to have to hit delete way too many times.

9 posted on 01/29/2004 1:14:07 PM PST by honeygrl



To: honeygrl

How to shut down spammers in one easy step.

1] Fine the companies IN the ads, not the spammers.

It's as simple as that.

10 posted on 01/29/2004 1:17:52 PM PST by pcx99



To: thoughtomator

I always thought along the lines of chopping off a few fingers. Leave one or two for scratching and nose picking.

Nah, never mind. Chop 'em all. Leave them a hook.

11 posted on 01/29/2004 1:22:16 PM PST by JoJo Gunn (Help control the Leftist population - have them spayed or neutered. )



To: honeygrl

Throwing a spammer in the works?

12 posted on 01/29/2004 1:23:28 PM PST by Doctor Stochastic (Vegetabilisch = chaotisch is der Charakter der Modernen. - Friedrich Schlegel)



To: honeygrl

So it seems that professional spammers, not the "Linux Community" is responsible.

In all the descriptions of this virus I've found there's no mention of "organized crime" involvement.

13 posted on 01/29/2004 1:23:50 PM PST by mikegi



To: honeygrl

Ready to apologize for blaming it on the wrong people yet?

I think a lot of people and businesses owe a BIG apology, but I don't expect to see many forthcoming.

14 posted on 01/29/2004 1:26:02 PM PST by antiRepublicrat



To: honeygrl

Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the anti-hacker software would intercept and stop the remote prying.

Gee, I can recall being flamed for saying this two days ago.

15 posted on 01/29/2004 1:29:00 PM PST by js1138



To: honeygrl

I've gotten about 20 of these silly emails already. I don't care - the worm doesn't run on my Mac., but it's annoying.

I blame the entire Microsoft OS-using community, except the ones who say they're very, very, very sorry for using a crappy operating system that's full of security holes.

/Golden Eagle mode

16 posted on 01/29/2004 1:32:51 PM PST by Right Wing Professor



To: meanie monster

"Would the worm cause your email to download slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total."

I have no idea. Have you opened any attachments lately? The only way to get it is to open an attachment containing the worm in an email. If you have opened suspicious attachments, you may want to update your virus program and run it to be sure you don't have it or to get rid of it. Norton Antivirus offers a 15-day trial version on their website, I think.

17 posted on 01/29/2004 1:33:58 PM PST by honeygrl



To: Right Wing Professor

For some reason, I have yet to receive this worm in an email. I don't think Norton blocks them, just alerts to the presence of the worm.

I feel kinda left out.

18 posted on 01/29/2004 1:36:36 PM PST by Dog Gone



To: honeygrl

Experts say the creation of MyDoom was almost certainly funded by e-mail spammers.

What size "fund" does one need to get a worm created? Probably a six-pack.

19 posted on 01/29/2004 1:42:52 PM PST by Leroy S. Mort



To: Right Wing Professor

I'm also a Mac-user, and feel no threat from these things. Even though I'm a Mac-user, of course, I just don't open attachments or follow links unless I know what it is and have requested it.

But over 600 of these worm/spams so far! Dang. In the past 30 minutes, I've received 1 per minute. And I've got a pretty boring domain name....

20 posted on 01/29/2004 1:43:00 PM PST by Theo



To: Theo

But over 600 of these worm/spams so far! Dang. In the past 30 minutes, I've received 1 per minute.

I'm running a PC and I've only seen three since Monday. Better run your Mac through a de-wormisizer.

21 posted on 01/29/2004 1:48:50 PM PST by Leroy S. Mort



To: honeygrl

No, I haven't opened any attachments. Can it sneak past Zone Alarm? I just upgraded ZA last month.

22 posted on 01/29/2004 1:49:24 PM PST by meanie monster



To: Leroy S. Mort

I haven't opened it up on my Mac, and it's my understanding that this is a Windows worm.

Many of the "from" fields are from the domains of Christian ministries, which makes me think that one or more of my clients (who has my email address in their outlook address book) has an infected computer....

23 posted on 01/29/2004 1:56:45 PM PST by Theo



To: honeygrl

So it seems that professional spammers, not the "Linux Community" is responsible.

I see nothing in this article that would indicate anyone knows who created this or for what reason (other than the DOS attacks coded against MS and SCO).

"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."

"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.

Okay. What spam is being sent? Or is that just conjecture? Article doesn't say. Worms and trojans have been hijacking computers to serve as slaves in DOS attacks for years - so much for the "sophistication" of the plot.

24 posted on 01/29/2004 1:58:00 PM PST by Leroy S. Mort



To: Right Wing Professor

LOL

25 posted on 01/29/2004 2:02:59 PM PST by honeygrl



To: Dog Gone; All

For some reason, I have yet to receive this worm in an email. I don't think Norton blocks them, just alerts to the presence of the worm.

I feel kinda left out.

For some reason, I have yet to receive this worm in an email.

Thank your lucky stars!!

The worm blocks access to popular Anti Virus Websites like McAfee, Symantec, and Trend Micro.

I ran into a Trojan with such defensive features last year...only a complete FDISK-DOS FORMAT type total software reinstall saved the day!

26 posted on 01/29/2004 2:04:29 PM PST by Lael (http://fourthturning.com)



To: meanie monster

"No, I haven't opened any attachments."

Then you should be just fine.

27 posted on 01/29/2004 2:05:00 PM PST by honeygrl



To: js1138

Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them.

A true security expert could confirm or deny the existence of a keylogger.

28 posted on 01/29/2004 2:06:49 PM PST by Leroy S. Mort



To: meanie monster

Would the worm cause your email to download slow? I checked my mail earlier and it took forever to download. They were only text messages too, and only 4 total.

The worm might be causing the slow download, but the problem is probably not on your end. (Unless you've opened strange attachments in the last few days). It is more likely that your ISP's mail servers are overloaded with all of the messages that the worms are sending out from infected computers.

29 posted on 01/29/2004 2:07:25 PM PST by RedWhiteBlue (miserable failure)



To: Leroy S. Mort

" Okay. What spam is being sent?"

So far I've read something about it sending ads for buying Viagra online.
http://www.f-secure.com/ (i think i got that right) has some details about what it did in a test environment. They said it also has in it something along the lines of "sorry andy, nothing personal. I'm just doing my job." But that isn't something that is displayed to anyone with it on their machine.. it's just in the program somewhere. If that link isn't right, google "f-secure" to find the right URL.

30 posted on 01/29/2004 2:10:18 PM PST by honeygrl



To: honeygrl

I didn't see anything about Viagra spam at the link you gave.

Simply doesn't make sense for it to be a spam vehicle:

1. It's scheduled to quit replicating on Feb 12th.

2. It has a payload which targets two major websites with DDoS attacks (SCO and Microsoft - depending on the variation). What possible advantage would that give it as a stealth spam program?

31 posted on 01/29/2004 2:24:55 PM PST by Leroy S. Mort



To: honeygrl

So far I've read something about it sending ads for buying Viagra online.

I get about three of those a day anyway. And there are hundreds of messages from 19 year old girls who want me to look at their web cams. Funny thing is, their pictures all look exactly the same. And when I email them to warn them they should be very careful about letting strangers watch them at home, my emails bounce.

32 posted on 01/29/2004 2:25:44 PM PST by Right Wing Professor



To: honeygrl

This is far from any proof of anything. There are other reports out there such as these:

http://www.upi.com/view.cfm?StoryID=20040128-081558-7375r

CHICAGO, Jan. 28 (UPI) -- Internet-based hacker-activists -- known as hacktivists -- seem to be behind the mass e-mailing this week of the MyDoom worm, which has commandeered consumers' computers around the globe to serve as a staging area for another, more potent attack on their primary, commercial target next month.

Computer experts told United Press International that MyDoom -- a self-replicating string of malicious computer code -- could turn out to be the most widespread worm of all time, topping last summer's well-known attack by the SoBig virus.

As of Tuesday, one of every nine e-mail messages being received by the average computer user was infected with the worm, according to research by Central Command, an anti-virus software maker in Medina, Ohio.

So far, there does not seem to be much consumers who use personal computers running Microsoft Corp. products can do to stop the worm -- once it has infected their systems. Computer scientists are striving to complete a cure for it.

"This worm appears to be a form of hacktivism," Gary Morse, president of Razorpoint Security Technology, a computer consultancy in New York City, told UPI. "It is only infecting machines that are running Windows as their operating system, not those that are running the Mac operating system or the Solaris operating system." ...

"They have their own flavor of Unix," an operating system for technical computing projects, Morse said. "They are embattled with IBM and Red Hat and Novell in a fight over intellectual property rights for the software. This has set off discussions on Web boards around the world. And it appears that someone who does not like where SCO stands has taken matters into their own hands."

This is all part of the global, ideological war online between the backers of the free operating system Linux, a version of Unix, and the supporters of the industry standard, Microsoft Windows, Morse said.

http://www.internetnews.com/dev-news/article.php/3304311

The W32.Novarg.A@mm (MyDoom) virus, which has emerged as an unlikely weapon in the ongoing 'Linux War' between SCO and the open-source community, is set to launch the DDoS attack against SCO on Feb. 1 and has a trigger date to stop spreading on Feb. 12.

Lindon, Utah-based SCO has drawn the ire of open-source advocates in recent months because of its litigation against Linux vendors IBM, Red Hat and Novell, claiming that some of its code was being used in implementations of the Linux OS.


http://edition.cnn.com/2004/TECH/internet/01/27/mydoom.spread/

A sneaky e-mail worm continued to clog Internet traffic Tuesday, spreading faster than previous Web bugs by appearing as an innocuous error message.

The worm -- dubbed "MyDoom," "Novarg" or "WORM_MIMAIL.R" -- was copying itself at a fierce pace, so fast that some companies were having to shut down their mail servers to stop it. And a new clue was emerging as to the source of the infection.

Virus experts suggested MyDoom's author was a fan of the Linux open source community, because the bug, which targets computers running Microsoft Windows, launched a Denial of Service Attack on SCO's site. Utah-based SCO Group, which says it owns the UNIX operating system, alleges some versions of the Linux operating system use its proprietary code.

"The MyDoom worm takes the Linux Wars to a new intensity," said Chris Belthoff, an analyst for anti-virus firm Sophos. "It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."

Past History would lend to that theory as well:

Embattled SCO Group's Web site hit with a 'denial of service' strike

http://www.sltrib.com/2003/Aug/08262003/business/86967.asp

Eric Raymond, president of the Open Source Initiative, called the attack "rather sophisticated" and said he was convinced it had been launched "by an experienced Internet engineer."...

Raymond, who published his findings on the Linux Today Web site, said the unidentified perpetrator had agreed to halt the attack, at Raymond's request. SCO's Web site was operating again by Monday afternoon.

"I had been hoping, and actually expecting, that the attacker would turn out to be some adolescent cracker with no real connection to the open-source community," Raymond stated. But "I was told enough about his background and how he did it to be pretty sure he is one of us -- and I am ashamed for all of us."

33 posted on 01/29/2004 2:26:30 PM PST by Golden Eagle



To: honeygrl

Computer experts blame spammers

Has anyone been looking at the full headers of their SPAM lately? At least half of it is coming from DSL and Cable Modem systems here in the U.S. Mostly from Comcast, RR, and Adelphia. At some point these companies will have to stop their customers from SPAMing the world.

34 posted on 01/29/2004 2:30:20 PM PST by 69ConvertibleFirebird



To: pcx99

Fine the companies IN the ads, not the spammers.

Sometimes I call the toll free phone numbers that show up in the SPAM. I give the person sh_t for about 10 minutes. They tell me that they aren't sending SPAM. When they say that they actually mean that they hired another company to send SPAM for them or that they were hired by the SPAM company to take orders. Anyway, a half-truth to try and deflect criticism of themselves.

I did get a hold of a local addiction treatment center that was SPAMing my company. They swear that the salesman from the SPAM company told them that the emails would be very well directed. The SPAMmer lied to them. After my call SPAM from them stopped.

35 posted on 01/29/2004 2:35:47 PM PST by 69ConvertibleFirebird



To: Leroy S. Mort

A true security expert could confirm or deny the existence of a keylogger.

You can't trust this worm to be the same on any two machines. Its fundamental structure is that of a trojan that listens on a TCP port for arbitrary code segments that it is to execute.

For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

Yesterday he added a DDOS attack on Microsoft. But that's not supposed to occur until February 1. By then he could have changed the target two or three times, or deleted the DDOS attack altogether and replaced it with a spam relay, or a thing that formats C:, or whatever he wants. Right now this virus writer is just jerking these security guys around. "It's a DDOS attack! It's a keystroke logger! It's a breath mint!"

You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.

Based on comments I've seen elsewhere, the reason they think it has to do with spammers is two-fold. First, it seems to be a professional package; the techniques used, the way things are laid out, etc., point to a professional as opposed to a script kiddie or the "12-year-old genius" who writes most of these things. Secondly, this is the New Thing among spammers. The last big worm turned out to be a collector of zombies for use by spammers; here comes another one with similar capabilities and a built-in SMTP engine, and it appears to be a paid-for, professionally written item. That suggests commercial, profit-making enterprise at work, as opposed to some crank who just wants to be a vandal. They could be wrong about this of course, but they do work this problem every day and see a lot of this stuff in the course of their work. It's "conjecture" but it's educated conjecture.

36 posted on 01/29/2004 2:43:27 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)



To: rdb3

oh yeah.. ping :)

37 posted on 01/29/2004 2:49:15 PM PST by honeygrl



To: 69ConvertibleFirebird

"At least half of it is coming from DSL and Cable Modem systems"

Most likely open relays rather than the actual owner doing it. I get around 20 attempts a day on my mail server from people looking to see if they can relay from it.

38 posted on 01/29/2004 2:49:49 PM PST by Proud_texan

[ Post Reply | Private Reply | To 34 | View Replies ]


To: Proud_texan

What is an "open relay" and why would someone let their system be used to send SPAM?

Here is an example of the from: field with full headers on:
Received: from c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])

Is there any way of telling whether this IP originated the e-mail or went through an open relay?

Either way, I forward the full message with headers to the system that it came from, usually at abuse@_system_.com, or wherever, asking that their system stop sending SPAM. Maybe they will terminate that IP's account. I get about 20 of these (from DSL and/or Cable Modem) per day.

39 posted on 01/29/2004 3:02:51 PM PST by 69ConvertibleFirebird

[ Post Reply | Private Reply | To 38 | View Replies ]


To: 69ConvertibleFirebird

An open relay is a mail server that allows one to log on and send email from that server without proper credentials. They aren't as common as they were and as recently as a couple of years ago it was pretty standard. Not unlike leaving your door unlocked in the 50s.

It's by no means comprehensive but http://www.ordb.org/ maintains a list of open relays. I don't find that IP address in their database but I do note that it's been tested for open relay service recently; might be the owner got a dose of reality with all the spam complaints and took care of it.

Or it could be that the address was merely forged and the IP address is totally bogus.

40 posted on 01/29/2004 3:12:19 PM PST by Proud_texan

[ Post Reply | Private Reply | To 39 | View Replies ]


To: 69ConvertibleFirebird

c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])

This is most likely a dial up, or DSL connection. Send the complaint to abuse@comcast.net. My experience with this indicates that people frequently receive trial subscriptions solely for the purpose of originating spam. Recently, a wireless spot in a hotel was used to originate spam.

Text based spam is bad enough, but when it includes viruses and trojans, the problem is compounded. CNN suggested this current virus could cost over $250M.

Open Relays pose a problem, as do trial subscriptions, and temporary email accounts. Even though fewer open relays exist in the US, the emergence in 3rd world countries will only increase this problem.

The real challenge is that the existing email protocol cannot authenticate who really sent the email. The advocates for updating the protocol are dwarfed by the advocates for keeping the existing protocol due to the anticipated cost for making the change. Existing applications are based on the current protocol and they would have to be changed.

The CAN-SPAM Act fails because it requires you to identify who sent you the spam. When it comes from a 3rd world country, that will not happen. When the spammers spoof the headers, again you cannot identify who sent the email.

41 posted on 01/29/2004 3:28:47 PM PST by rit

[ Post Reply | Private Reply | To 39 | View Replies ]
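Posts 39 through 41 ask the question that matters for abuse reports: which IP in a Received chain can actually be trusted, and does a consumer-pool reverse-DNS name like the one quoted point at the origin or at a relay? The following is an added example, not code from the thread or from any of the tools mentioned in it. It walks the Received headers top-down, treats a hop as verifiable only while the server that stamped it is one you operate (the `trusted_hosts` set is an assumption you supply), reports the peer that really connected, and flags the hops below it as unverifiable claims the peer could have written itself. The message headers are constructed; the comcast hostname and address are the ones quoted in the thread, the other addresses are documentation ranges.

```python
import re

# "Received: from <helo> (<rdns> [<ip>]) by <server> ..." as most MTAs write it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Reverse-DNS names that look like consumer broadband pools: an embedded
# dotted/dashed IP, or tokens ISPs commonly use for dynamic ranges (heuristic).
DYNAMIC_RE = re.compile(
    r"(\d{1,3}[-.]){3}\d{1,3}|\b(dsl|cable|dyn|dhcp|pool|client|ppp)\b",
    re.IGNORECASE,
)

# Constructed sample message: our MX received it from our own internal relay,
# which received it from a broadband host that claims a further upstream hop.
SAMPLE_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Thu, 29 Jan 2004 14:02:11 -0800
Received: from c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])
\tby mail.example.org with SMTP id xyz789; Thu, 29 Jan 2004 14:01:55 -0800
Received: from friend (unknown [203.0.113.77])
\tby c-24-1-157-18.client.comcast.net with SMTP; Thu, 29 Jan 2004 14:01:40 -0800
From: someone@example.com
Subject: test
"""


def unfold(raw):
    """Join header continuation lines (leading whitespace) onto the previous header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw):
    """Return Received hops top-down: index 0 is the hop stamped last (by the final MX)."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hop = m.groupdict()
            if hop["rdns"] and hop["rdns"].lower() == "unknown":
                hop["rdns"] = None  # MTA found no PTR record
            hops.append(hop)
    return hops


def classify_rdns(rdns):
    """'none', 'dynamic' (looks like a broadband pool) or 'static'."""
    if not rdns or rdns.lower() == "unknown":
        return "none"
    return "dynamic" if DYNAMIC_RE.search(rdns) else "static"


def trace_origin(raw, trusted_hosts):
    """Find the last hop we can vouch for.

    A hop is verifiable only while the 'by' server is one we operate. When the
    'from' side of such a hop is also ours, keep walking (internal relay). The
    first external 'from' is the peer that really connected; every hop below
    it is text that peer could have forged, so we cannot tell from headers
    alone whether it originated the mail or relayed it.
    """
    trusted = {h.lower() for h in trusted_hosts}
    peer = None
    unverified = []
    for hop in parse_received(raw):
        if peer is None and hop["by"].lower() in trusted:
            if (hop["rdns"] or "").lower() in trusted:
                continue  # relay between our own hosts
            peer = hop
        else:
            unverified.append(hop["ip"])
    return {
        "peer_ip": peer["ip"] if peer else None,
        "peer_rdns": peer["rdns"] if peer else None,
        "peer_rdns_class": classify_rdns(peer["rdns"]) if peer else "none",
        "unverified_claims": unverified,
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS, {"mx.example.net", "mail.example.org"}))
```

The practical answer to the question in post 39 is the `unverified_claims` list: the 203.0.113.77 hop may be a real upstream sender that used 24.1.157.18 as an open relay, or it may be invented by an infected 24.1.157.18 to deflect the abuse report. Only the peer IP your own servers saw is something the abuse desk can act on.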


To: Nick Danger

For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

It's my understanding that W32.Mydoom.B (the one that includes DoS's against both SCO AND Microsoft) is a whole new variation of W32.NovargA (the original MyDoom SCO worm) and is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

42 posted on 01/29/2004 3:32:02 PM PST by Leroy S. Mort

[ Post Reply | Private Reply | To 36 | View Replies ]


To: rit

I see a lot of spam from "spam zombie" machines on dsl and broadband networks. They get infected with a backdoor trojan, and then the spammers will use them to send mail from.

43 posted on 01/29/2004 3:37:06 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

[ Post Reply | Private Reply | To 41 | View Replies ]


To: Nick Danger

You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.

I see you're finally starting to understand the dangers of computer criminals? That's actually the first post ever I've seen you make where you may be actually starting to realize that policing of the internet is a foregone conclusion.

There are some really bad people out there on the net, and they used to just pirate other's property, giving it away for free all over the world, but now they're launching bombs out there. These "loosely knit groups of hackers from around the web" (kernel.org) have to be watched closely. I'm amazed and hopeful you're starting to see the light. More likely, just a temporary flash.

44 posted on 01/29/2004 3:41:58 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 36 | View Replies ]


To: All

Most of these links are courtesy Martin Fierro:

Alternative browsers:
http://www.mozilla.org/
http://www.opera.com/

Free anti-viral protection:
http://www.grisoft.com/us/us_dwnl_free.php

Popup ad killers:
http://www.bayden.com/popper/

Close that friggin' Messenger in Windows XP:
http://grc.com/stm/ShootTheMessenger.htm

Spyware removers:
http://www.safer-networking.org/index.php?lang=en&page=download
http://www.lavasoftusa.com/
http://www.wilderssecurity.net/spywareblaster.html

Good for pre-screening & bouncing SPAM:
http://mailwasher.net/

Script Defender ( stop that nonsense from running unwelcome scripts ):
http://www.analogx.com/welcome.htm

Online virus scans:
http://housecall.antivirus.com/housecall/start_corp.asp
Trend Micro

http://www.rav.ro/scan/indexie.php
RAV

http://www.bitdefender.com/scan/license.php
Bit Defender

45 posted on 01/29/2004 3:48:31 PM PST by backhoe (--30--)

[ Post Reply | Private Reply | To 1 | View Replies ]


To: Leroy S. Mort

is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

From the discussion of Novarg.B on Symantec Security Response (see #11):

The worm also contains functionality which allows it to install itself on systems which may have been infected by W32.Novarg.A@mm. This is accomplished as follows:

  • The worm creates two to six threads working in parallel.
  • Each thread scans a randomly picked class-C sized network, from a.b.c.1 to a.b.c.254, except that it skips networks where a=16, 224, 127 or 128.
  • Between each scanned network, a thread waits 128 ms.
  • Each IP in the scanned class-C is contacted on port 3127; if the connection succeeds, the worm sends an update command along with a copy of itself to be executed on the remote machine.

So basically this guy can send out a new worm at any time to modify the behavior of the old worms. I think it's against the law in the United States to invade someone else's computer, but perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

46 posted on 01/29/2004 4:00:05 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)

[ Post Reply | Private Reply | To 42 | View Replies ]
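The Symantec description quoted above gives a defender a concrete network signature: an infected host walks entire /24 networks one address at a time, connecting to TCP port 3127 on each. The block below is an added example, not code from the thread or from Symantec; it runs that logic over a constructed firewall-style connection log and names the sources that swept a /24 on that port. The log format and the `SWEEP_THRESHOLD` tuning are assumptions, and the addresses are documentation ranges.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: "<iso timestamp> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=TCP\s+DPT=(?P<dpt>\d+)"
)

BACKDOOR_PORT = 3127   # the port the quoted description names
SWEEP_THRESHOLD = 8    # distinct hosts in one /24 before we call it a sweep (assumed tuning)


def make_sample_log():
    """Constructed sample: 10.0.0.5 sweeps two /24s on 3127 host by host,
    pausing between networks; 10.0.0.9 makes two unrelated connections."""
    t = datetime(2004, 1, 29, 15, 0, 0)
    lines = []
    for net in ("192.0.2.", "198.51.100."):
        for host in range(1, 21):
            lines.append(f"{t.isoformat()} SRC=10.0.0.5 DST={net}{host} PROTO=TCP DPT=3127")
            t += timedelta(milliseconds=2)
        t += timedelta(milliseconds=128)  # the inter-network wait from the quote
    lines.append(f"{t.isoformat()} SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP DPT=80")
    lines.append(f"{t.isoformat()} SRC=10.0.0.9 DST=203.0.113.5 PROTO=TCP DPT=3127")
    return lines


def parse_log(lines):
    """Yield parsed events; lines that do not match the expected shape are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"])
            yield ev


def find_sweeps(lines, port=BACKDOOR_PORT, threshold=SWEEP_THRESHOLD):
    """Map each source IP to the /24 networks it swept on `port`.

    A single connection to 3127 is not evidence of anything; the signal is
    one source touching many distinct hosts inside the same /24 on that port.
    """
    seen = defaultdict(lambda: defaultdict(set))  # src -> /24 -> {dst hosts}
    for ev in parse_log(lines):
        if ev["dpt"] != port:
            continue
        net = ipaddress.ip_network(f"{ev['dst']}/24", strict=False)
        seen[ev["src"]][net].add(ev["dst"])
    report = {}
    for src, nets in seen.items():
        swept = sorted(str(n) for n, hosts in nets.items() if len(hosts) >= threshold)
        if swept:
            report[src] = swept
    return report


if __name__ == "__main__":
    for src, nets in find_sweeps(make_sample_log()).items():
        print(f"{src} swept {', '.join(nets)} on tcp/{BACKDOOR_PORT}")
```

On a real network the same logic applies to egress flow records from the border firewall: an internal host that appears in this report is either infected with the updater or running a scanner, and either way the listening-port side (an inbound accept on 3127) is what the earlier infection left behind.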


To: Golden Eagle

When you swim in the ocean, you enter the food chain.

47 posted on 01/29/2004 4:00:58 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

[ Post Reply | Private Reply | To 44 | View Replies ]


To: backhoe

No Netscape? BTW, do you know if any other browsers offer the 'full screen' mode with zero border like IE?

48 posted on 01/29/2004 4:03:45 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 45 | View Replies ]


To: Golden Eagle

In the Microsoft Outlook product's preview mode, if an email contains an embedded executable mime type, does it trigger automatically? Or, does the user have to open the attachment? Clarity is appreciated.

49 posted on 01/29/2004 4:11:33 PM PST by rit

[ Post Reply | Private Reply | To 48 | View Replies ]


To: tacticalogic

I see a lot of spam from "spam zombie" machines on dsl and broadband networks.

It's insane how infected some of these broadband ISPs are with this stuff; a virgin system gets popped within 10 mins on a lot of them. They're going to have to better authenticate, and the more you'll pay the sounder your service will be. You can already join one of the major ISPs and get similar protection now, but some would rather ride these big waves anyway. So it will never end; some will just better isolate themselves from it.

50 posted on 01/29/2004 4:17:09 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 43 | View Replies ]






FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794

FreeRepublic.com is powered by software copyright 2000-2003 Robinson-DeFehr Consulting, LLC.

 

 


Latest worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill Husted

Posted on 01/29/2004 12:57:10 PM PST by honeygrl



To: Golden Eagle

No Netscape? BTW, do you know if any other browsers offer the 'full screen' mode with zero border like IE?

Oversight- I keep 7.1 on my machine and like it fine... far as the other 2 go, I have used them in the past, but darned if I can recall offhand that border feature- I suspect you can do it, but can't say for sure.

51 posted on 01/29/2004 4:18:20 PM PST by backhoe (--30--)

[ Post Reply | Private Reply | To 48 | View Replies ]


To: rit

My understanding is older versions of Outlook can indeed have a 'preview pane' vulnerability where a received message can possibly autolaunch itself if it becomes active in the preview pane, and I believe that was only related to Outlook Express, the free package included in Windows and not the Outlook 9X, 2000, etc. that comes packaged with Office; I believe its preview pane may have always been safe although that version is perhaps more vulnerable to HTML mail attacks.

However these would be much older, more like initial implementations, that hopefully have long since been upgraded and would in fact be considered one of the more serious threats that an intelligent updater like windowsupdate.com would immediately notice as a severe issue.

Any modern version of Outlook Express (normal Outlook not being affected) that came with any recent version of IE (5.1+) would probably not be susceptible. As I said, at least that is my current understanding...

52 posted on 01/29/2004 4:24:22 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 49 | View Replies ]


To: Golden Eagle

It's insane how infected some of these broadband ISP's are with this stuff, a virgin system gets popped within 10 mins on a lot of them. They're going to have to better authenticate, and the more you'll pay the sounder your service will be. You can already join one of the major ISP's and get similar protetion now, but some would rather ride these big waves anyway. So it will never end, some will just better isolate themselves from it.

At the very least, the broadband and dsl providers ought to be stopping smtp traffic from their clients, or at least making arrangements for an authorization process to enable it. I stop the majority of spam from hitting my mail servers by using RDNS, and blocking all the address spaces assigned to China. AOL is testing the new SPF (Sender Permitted From) DNS extension, and I'm waiting to see how that turns out.

53 posted on 01/29/2004 4:27:01 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

[ Post Reply | Private Reply | To 50 | View Replies ]
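Post 53 mentions SPF, the DNS-published sender policy AOL was trialling at the time, as the mechanism that would let a receiving server decide whether a broadband address is allowed to send mail for a domain at all. The block below is an added example, not code from the thread, from AOL or from any SPF library: a minimal evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms with the four qualifiers, which is enough to evaluate the common records, plus the accept/tag/reject decision a mail server would derive from it together with the reverse-DNS check the post describes. DNS is replaced by a constructed in-memory table so it runs offline; the domains and addresses in it are documentation values.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker would query DNS here.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": None,   # domain that publishes no policy
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record or None when it publishes none."""
    rec = dns.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against the SPF record of `domain`.

    Mechanisms are tried left to right; the first one that matches decides the
    result via its qualifier. A record with no matching mechanism is 'neutral'.
    Only ip4, ip6, include and all are implemented (no a/mx/ptr/exists/redirect).
    """
    if depth > 10:
        return "permerror"  # include loops are capped like the real lookup limit
    rec = lookup_spf(domain, dns)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # membership is False across address families, so ip4 vs ip6 is safe
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed network in the record: ignore that term
        elif mech == "include":
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"


def accept_decision(sender_ip, mail_from_domain, rdns_name, dns=FAKE_DNS_TXT):
    """Combine SPF with the reverse-DNS rule from the post into an MTA decision.

    Returns (action, spf_result): 'reject' on SPF fail or on no policy plus no
    PTR record, 'tag' on softfail (deliver but mark), otherwise 'accept'.
    """
    result = check_spf(sender_ip, mail_from_domain, dns)
    if result == "fail":
        return "reject", result
    if result == "softfail":
        return "tag", result
    if result == "none" and not rdns_name:
        return "reject", result
    return "accept", result


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.com"), ("203.0.113.9", "example.com")]:
        print(ip, dom, check_spf(ip, dom))
```

The point the post is making is visible in the `-all` term: once a domain publishes it, mail for that domain arriving directly from a dynamic broadband address fails SPF regardless of what the forged headers say, and the receiving server can refuse it at connection time rather than after content filtering.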


To: Nick Danger

perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

Someone did write such a thing to kill the blaster worm. Unfortunately it was so aggressive, it would overload networks just from the sheer volume of scanning it was doing.

54 posted on 01/29/2004 4:31:25 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

[ Post Reply | Private Reply | To 46 | View Replies ]


To: tacticalogic

At the very least, the broadband and dsl providers ought to be stopping smtp traffic from their clients, or at least making arrangements for an authorization process to enable it.

They don't want to turn anything off, unless they turn it all off, then the customers all raise hell and threaten to drop. The ISP's seem to be at a break even point though, no way to add staff or features like security without raising their rates, something nobody wants, but maybe inevitable.

55 posted on 01/29/2004 4:42:36 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 53 | View Replies ]


To: Golden Eagle

Thank you for the response. What about embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?

56 posted on 01/29/2004 4:45:48 PM PST by rit

[ Post Reply | Private Reply | To 52 | View Replies ]


To: honeygrl

These "MyDoom" articles on FR have reminded me to update my virus definitions every day for the past several days, and there's always something new. Usually, I update about once a week.

57 posted on 01/29/2004 4:46:38 PM PST by wimpycat ("Black holes are where God divided by zero.")

[ Post Reply | Private Reply | To 1 | View Replies ]


To: tacticalogic

perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

I think that may be welchia. I'm not in favor of much vigilante justice; there's enough loose cannons out there as it is. And there's a tremendous amount of blurring of the lines between the "black hats" and the "white hats" right now, including these 'security firms' that release newly found exploits straight onto the open internet without first notifying the vendors and giving them a chance to build a patch first. But you can't have a "mob rules" world out there, which it is turning into.

58 posted on 01/29/2004 4:50:34 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 54 | View Replies ]


To: rit

Thank you for the response. What about embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?

All the same, as far as I know. The latest versions of Outlook with very latest patches applied won't let you open any attachment without saving it first, or at least that is my understanding. You could be hyperlinked, but that would typically require a corrupt host for you to connect.

Of course, A/V protection is a higher level of protection, from the client to the server on to the perimeter if you control it. With that updating signatures constantly, only the immediate impact of a virus not yet defined by your A/V vendor and pushed to your protection points can even get to your Outlook client. Still happens, on rare occasion even with the best perimeter defense, but then you have the other protections I've mentioned along with user education.

59 posted on 01/29/2004 5:01:02 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 56 | View Replies ]


To: wimpycat

These "MyDoom" articles on FR have reminded me to update my virus definitions every day for the past several days, and there's always something new. Usually, I update about once a week.

If you have any sort of permanent connection you should update every day. Usually the mid morning to early afternoon signatures have been built to block whatever comes from overseas that day. But you have to do this since even what may seem like extreme precaution may not be enough, as the virus sometimes advances in front of the virus, although that actually did not seem to be the case with MyDoom; there are just a lot of people who aren't upgrading fast enough that got caught and accidentally clicked those files. Bottom line, treat the dangers of the internet with deserved respect, and you'll be fine.

60 posted on 01/29/2004 5:05:48 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 57 | View Replies ]


To: Golden Eagle

I did a virus check & didn't have this worm....but did find 1 other worm & 1 virus....my bosses kids use my computer & I have not run a virus check since around Thanksgiving. It was my fault for being lazy, but I never open any attachments unless the person sending has told me it is on the way.

I ran McAfee & found 2....Norton told me I had none. What's up with that?

61 posted on 01/29/2004 5:13:54 PM PST by feinswinesuksass (Drawing on my fine command of language, I said nothing.)

[ Post Reply | Private Reply | To 50 | View Replies ]


To: Golden Eagle

That's the one. I'm on a dialup, and when blaster hit, I got infected twice during the process of trying to d/l the update. After the second time I got fed up with it and created a 0 byte file in my Windows directory, named it msblast.exe, and made it read only.

62 posted on 01/29/2004 5:20:50 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

[ Post Reply | Private Reply | To 58 | View Replies ]


To: Golden Eagle

Again, thank you for the detail. This seems to diminish the perception that the MyDoom virus was spread mostly through the auto preview mode. It is more likely 99.9% falls back on the user who explicitly opened the attachment.

Given that CNN reported the anticipated cost of MyDoom at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the possibility that the reactionary A/V and filtering model is insufficient to solve the spam/virus problem.

63 posted on 01/29/2004 5:22:32 PM PST by rit

[ Post Reply | Private Reply | To 59 | View Replies ]


To: Golden Eagle

My computer automatically scans for viruses every Friday night at 8:00. I do have a permanent connection, but my modem has a "pause" button that blocks all traffic. I usually hit the pause button during the day while I'm at work, and before I go to bed at night.

Curiously enough, I do have automatic live update enabled, but I still manually run live update, and I still get new downloads. But I don't see where it even allows me to set up a schedule to automatically download definitions.

64 posted on 01/29/2004 5:30:07 PM PST by wimpycat ("Black holes are where God divided by zero.")

[ Post Reply | Private Reply | To 60 | View Replies ]


To: feinswinesuksass

I ran McAfee & found 2....Norton told me I had none. What's up with that?

Sorry to hear that, but just further proof the sneaky bastards are getting better and better. Kids make it almost impossible to defend everything, too. ;-)

65 posted on 01/29/2004 5:56:44 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 61 | View Replies ]


To: rit

Given that CNN reported the anticipated cost of MyDoom at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the possibility that the reactionary A/V and filtering model is insufficient to solve the spam/virus problem.

Sorry but I think that's the wrong conclusion. First there are always questions about the validity of these estimates, and the first ones have been from overseas sources. Second, this attack while sophisticated was not that revolutionary, and those with adequate defenses, defenses that have been raised recently due to other similar events, were therefore much better prepared to block it.

I think what the overall result is, even though hacker sophistication remains high, overall protection of critical data secured by professionals is exceptional, and suffered little damage testifying to the truths of security practice, but the mostly poorly prepared home users are receiving the brunt of virii attacks now, and will likely in the future. Before it was both receiving damage, so we are making progress, mainly by advances in technology and sophistication of operators. The current model is strong, by those who choose or can afford to enforce it.

66 posted on 01/29/2004 6:06:16 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 63 | View Replies ]


To: Golden Eagle

Agreed that the CNN 250M is an estimate, but even if the damage is half, it is still too expensive for where we should be. I am questioning if A/V is the yet to be perfected solution, or, if something more is required.

67 posted on 01/29/2004 6:52:37 PM PST by rit

[ Post Reply | Private Reply | To 66 | View Replies ]


To: Lael; Dog Gone

I haven't gotten it either and I have six different email accounts. On all my boxes I run Norton's and Zone Alarm Pro for the firewall. One of my ISPs runs a virus scan on email, so I feel pretty safe.

68 posted on 01/29/2004 6:57:09 PM PST by Lawgvr1955 (Sic Semper Tyrannus)

[ Post Reply | Private Reply | To 26 | View Replies ]


To: rit

I am questioning if A/V is the yet to be perfected solution, or, if something more is required.

With proper configuration, yes it's close but technology doesn't "close the loop" to use a technical term and user interaction is most often the final weakest link in the process, of which there is no ultimate protection with the currently configured landscape.

69 posted on 01/29/2004 7:38:06 PM PST by Golden Eagle

[ Post Reply | Private Reply | To 67 | View Replies ]


To: Golden Eagle

Ready to 'fess up and write 100 times "I AM VERY SORRY THAT I SPREAD SLANDERS"?

70 posted on 02/09/2004 8:08:56 AM PST by steve-b

[ Post Reply | Private Reply | To 1 | View Replies ]

