[Dshield] MyDoom-A/B

Pete Cap peteoutside at yahoo.com
Tue Feb 3 11:59:09 GMT 2004


Kenneth,
 
With regards to compromised "legitimate" updates and so forth, I agree that this is a wholly unresolved issue.
 
I fear it more in terms of GAIN and similar parasites which can download and execute code in order to "update" themselves without querying the user.  There are just so many ways to exploit this, and I somehow doubt that GAIN is as security conscious as, say, M$ is when sending you the latest patch.
 
Your theory should be testable in a lab setting, given a Swen-infected box.
Does MyDoom read the local clock or does it go out to determine the date and time?
 
I read this article just now on c|Net with my morning coffee:
http://news.com.com/2100-7349_3-5152165.html
Apparently due to the speed of this thing's spread we need "another layer of software" to cover the gap left by "conventional" antivirus programs.
Riiight.
 
Two things.  One, we never saw a single instance of MyDoom because we vet all incoming mail and drop anything with an executable attachment (sometimes this angers people.  I just refer them to the terms of use).  All ISPs should be doing this.  Two, I know enough not to execute random stuff people send me.  I know the people on my list, and they know and I know that if I wanted a screen saver, I would go download one.   Three, I know I have no right to download and install ANYTHING on my work machine because it's not "my" computer at all.  IT professionals need to recognize this and enforce it among their clients, I think.
 
Regards,
 
Pete

Kenneth Coney <superc at visuallink.com> wrote:
Lacking relevant logs and a confession it would be hard to show. New 
instructions with an embedded countdown to launch could have been sent to 
Swen infected PCs days before the My Doom began spreading. The only way of 
checking is to examine a PC known to have previously been infected with 
Swen, which was allowed to sit on the net and do its thing, and to see if 
it is now magically spreading My Doom instead. (Anyone have such?) 
Likewise careful forensic examination of a dozen or so My Doom infected 
machines for telltale traces of prior Swen or other infections might do 
it. Normally when we disinfect a machine we just run the patches and don't 
look for what other files used to be on the machine once the virus we know 
about is killed. However, even erased files will leave traces which can be 
found if anyone is looking for them.

As stated, this thing spread too fast. Faster than Blaster. If you want 
to walk down the halls of paranoia, how do we know the infection wasn't 
first spread weeks ago in an otherwise innocuous update or patch for a 
common program? Most of us who stay updated pull in 2 to 8 megabytes of 
patches and updates a week (TDS, Norton, McAfee, MS, Lavasoft, Quicken, 
etc.). Many of the updates do not contain details as to exactly what is in 
that 360K-byte upload, so we trust. The good news is not too many 
security professionals are reporting their own machines are My Doom 
infected, so it probably wasn't spread with a security patch. Can we get a 
survey of users of My Doom infected machines? What are the commonalities? 
Do they all admit to stupidly opening an .scr attachment on the first day? 
What other software (besides Win) is on their machines? What (if any) 
software auto updates?
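The attachment-dropping rule Pete describes, written out as an added example (not code from the list thread): a small Python scanner that parses a message and flags any attachment whose final extension is executable (which is what the `photo.jpg.scr` double-extension trick relies on), any part that carries a Windows PE header under a harmless name, and any zip archive holding an executable. The extension list and the sample messages are assumptions constructed here for the demonstration.

```python
import email, io, os, zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of extensions Windows runs on double-click; .scr (screen saver)
# is the one the thread mentions, the others were common worm carriers.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def executable_reason(filename: str, payload: bytes) -> str:
    """Return why an attachment should be dropped, or '' if it looks harmless."""
    # splitext keeps only the final suffix, so 'photo.jpg.scr' still ends in .scr
    ext = os.path.splitext(filename.lower())[1].strip()
    if ext in EXECUTABLE_EXTENSIONS:
        return f"{filename!r}: executable extension {ext}"
    if payload[:2] == b"MZ":  # Windows PE binary renamed to a harmless extension
        return f"{filename!r}: PE header despite extension {ext or '(none)'}"
    if zipfile.is_zipfile(io.BytesIO(payload)):  # executable hidden in an archive
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for inner in zf.namelist():
                if os.path.splitext(inner.lower())[1].strip() in EXECUTABLE_EXTENSIONS:
                    return f"{filename!r}: archive contains executable {inner!r}"
    return ""

def scan_message(raw: bytes) -> list[str]:
    """Parse an RFC 822 message and list every attachment that would be dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        why = executable_reason(part.get_filename() or "", payload)
        if why:
            reasons.append(why)
    return reasons

def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed message carrying one attachment (sample data, not a real worm)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "test"
    msg.set_content("see attached")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

def build_zip(inner_name: str, content: bytes) -> bytes:
    """Constructed zip archive holding one file, to exercise the archive check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()
```

At a mail gateway the same `scan_message` result would decide between delivery and rejection; the PE-header and archive checks are what catch senders who rename or zip the binary to get past a plain extension filter.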
