peteoutside at yahoo.com
Tue Feb 3 11:59:09 GMT 2004
With regards to compromised "legitimate" updates and so forth, I agree that this is a wholly unresolved issue.
I fear it more in terms of GAIN and similar parasites which can download and execute code in order to "update" themselves without querying the user. There are just so many ways to exploit this, and I somehow doubt that GAIN is as security conscious as, say, M$ is when sending you the latest patch.
Your theory should be testable in a lab setting, given a Swen-infected box.
Does MyDoom read the local clock or does it go out to determine the date and time?
I read this article just now on c|Net with my morning coffee:
Apparently due to the speed of this thing's spread we need "another layer of software" to cover the gap left by "conventional" antivirus programs.
Kenneth Coney <superc at visuallink.com> wrote:
Lacking relevant logs and a confession it would be hard to show. New
instructions with an embedded countdown to launch could have been sent to
Swen infected PCs days before My Doom began spreading. The only way of
checking is to examine a PC known to have previously been infected with
Swen, which was allowed to sit on the net and do its thing, and to see if
it is now magically spreading My Doom instead. (Anyone have such?)
Likewise careful forensic examination of a dozen or so My Doom infected
machines for telltale traces of prior Swen or other infections might do
it. Normally when we disinfect a machine we just run the patches and don't
look for what other files used to be on the machine once the virus we know
about is killed. However, even erased files will leave traces which can be
found if anyone is looking for them.
As stated, this thing spread too fast. Faster than Blaster. If you want
to walk down the halls of paranoia, how do we know the infection wasn't
first spread weeks ago in an otherwise innocuous update or patch for a
common program? Most of us who stay updated pull in 2 to 8 megabytes of
patches and updates a week (TDS, Norton, McAfee, MS, Lavasoft, Quicken,
etc.). Many of the updates do not contain details as to exactly what is in
those 360K byte uploads, so we trust. The good news is not too many
security professionals are reporting their own machines are My Doom
infected, so it probably wasn't spread with a security patch. Can we get a
survey of users of My Doom infected machines? What are the commonalities?
Do they all admit to stupidly opening an .scr attachment on the first day?
What other software (besides Win) is on their machines? What (if any)
software auto updates?