[Dshield] Re: list Digest, Vol 14, Issue 3

Kenneth Coney superc at visuallink.com
Tue Feb 3 18:24:52 GMT 2004

I notice you are sidestepping the question of who is telling the truth. 
SCO when they claimed to have been knocked off the Internet by My Doom A, 
or those who stated My DoomA is incapable of actually launching the Denial 
of Service attack?

I also note with amusement the sudden showing up of four Swen mailings in a 
row this AM, :)  at the above email address along with five or six My 
DoomAs.  (I thought that would happen once I said they seemed to be fading 
away.)  Like you, I have yet to see a single My DoomB.  This implies enough 
people have installed the AV patch so spread of the infection by the B 
variant is dependent on the virus finding an unpatched machine with an 
owner stupid enough to click on the attachment before each replication can 
occur.  Something like that African tree species' seed that can't grow 
unless first eaten by an elephant, then found by a certain insect.  Miss 
one step and no replication.

Beyond "script kiddies" using a kit and trying for a reputation, most 
viruses have a purpose.  Good ones are just too durn hard to write, and 
stealth the delivery of, for it to be done to no purpose.  Even the 
Unabomber had a purpose.  A lot of effort was involved in spreading My 
Doom.  Possibly some money too.  For what end?  To deny service to SCO for 
a few days as a method of showing displeasure by Linux users?  All who 
believe that, please raise your hand.  Okay, 7 people.  The rest think 
there might be more to it.

I should point out that the reports of the My DoomA virus's rate of propagation 
also come from the media.  Given spoofed IPs, we recipients of infected 
spam mails really don't know exactly which machine originated each one.  If 
we did, we would probably all go talk with the owner of the computer in 
question.  I know about 60 or so people who have had viruses in the past. 
I have talked to several since this began and although they have been 
seeing My Doom in their emails, which were deleted unread, none have opened 
one, or have detected infection signs.  Once burnt, twice shy.  If the 
media claimed rate of propagation was true, then I repeat that I am dubious 
that all of the spreading is coming from people clicking on a strange file 
called "readme.scr" or "your account info.pdf".  Some other mechanism would 
seem to be at work.

It is agreed that a virus originally designed to mutate upon receipt of a 
command message to do so would be a cumbersome beast.  However, once an 
infected machine announced its presence over the Internet and created an 
open port through which commands could be sent and received, both the virus machine 
and the host PC could be altered.  New programs and instructions can be 
sent to such a machine.  Has it ever happened to a "popular" (i.e., 
widespread) virus?  I agree that I know of no such modifications of a 
widespread virus before.  What I am aware of is trojaned machines (i.e., 
sub sevened or similar) that had additional trojans remotely inserted and 
C: drive files remotely viewed and/or erased back in the pre-firewall days. 
Again, in order to succeed, those routines required some additional 
stupidity on the part of the owners.  Likewise, those were small incidents 
in terms of the numbers of computers involved and the victims and the 
attackers often knew each other (i.e., high school classmates, spouses and 
ex's, etc.).  Something command driven and large-scale would indeed be 
totally new to us.

 > Subject: [Dshield] MyDoom-A/B
 > From: jayjwa <jayjwa at atr2.ath.cx>
 > Date: Tue, 3 Feb 2004 06:09:36 -0500
 > To:   General DShield Discussion List <list at dshield.org>
 > On Mon, 2 Feb 2004, Kenneth Coney wrote:
 >> Or did the virus somehow repair the timing bug
 >>(perhaps by receiving instructions over the opened ports)?
 > That's crazy.
 >>Swen mailings to my machines have virtually stopped.  The AV logs show I
 > You can have the two copies I just got. Cleared the access.db (stops spam
 > and such) for only several hours, and planet.nl and sent me two copies.
 > Win32.Swen is dying due to several reasons I believe: Free email carriers
 > (usually a large infection vector for mass-mailers) such as Hotmail now
 > auto-block Swen; Win32.Swen's bogus "Patch" screen has appeared on many AV
 > sites and elsewhere - people know what Swen looks like, so even if they
 > know nothing else, they automatically think "virus: bad".
 >>This My Doom thing spread so fast I am suspicious of the ease with which it
 >>spread.  I find it hard to believe that each and every infection point has
 >>come from some idiot opening a .scr, or other, attachment from an unknown
 >>person.  Not in 2004.  By now every one online over the age of 5 knows that
 >>is a good way to get an infection in their PC.
 > But sadly, time and time again they do, they open attachments, execute
 > things like "readme.exe". Or fall prey to tricks like was utilized in the
 > last virus "myphoto.jpg                               .exe" (notice
 > spaces, that's still an executable).
 > Now Win32.MyDoom.B is a strange case. I've yet to receive this virus in
 > the mail like was intended. If you've followed the "Full-Disclosure"
 > lists, you'll see that variant B has become somewhat of a collector's
 > item- something to obtain and attempt to "overcome" with home-analysis &
 > disassembly. I was amazed at the number of self-proclaimed "researchers".
 > So yes, MyDoom.B is spreading- not like the author pictured it would!
 >>initially more plausible, at least to those who had registered their PC
 >>with MS and didn't know MS emails nothing), or similar viruses (Gibe,
 >>received new instructions through their already open servers and that these
 >>Swen infected machines played a pivotal role in the spreading of My Doom by
 >>functioning as command driven infection originators?
 > To my knowledge, no virus has yet successfully received instructions from
 > another virus designed to allow that virus to better spread. Viruses, for
 > all their mystery, are only programs, not living, reasoning things. While
 > it may be technically possible for a virus to search out its environment
 > and interact with another virus already installed (or even rootkit?)
 > there to further its own infections, this approach to replication would
 > involve significant amounts of AI, and in doing so would result in a very
 > large and unwieldy virus better suited for POC code than an actual,
 > in-the-wild intended virus.
 > [jayjwa]RLF#37
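A defender-side check for the disguised attachment names this thread talks about (the spaced-out "myphoto.jpg ... .exe" trick, a decoy extension in front of the real one, and plain executables such as readme.scr). This is an added example, not code from the original post or from DShield; the extension sets, the `analyse_attachment_name`/`triage` function names and the sample filenames are constructed for the demonstration.

```python
"""Flag e-mail attachment names that disguise an executable.

Added example for the DShield thread above; not part of the original post.
It checks three things the thread describes: a runnable extension such as
.scr/.exe, a run of whitespace that pushes the real extension out of view
("myphoto.jpg      .exe"), and a benign-looking extension sitting in front of
the real one ("document.pdf.exe"). All names below are constructed samples.
"""
import re

# Extensions Windows runs on double-click (assumed set for this example).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions users read as harmless documents or pictures (assumed set).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt", "htm", "html", "zip"}

# Trailing whitespace on the stem; tabs and no-break spaces hide an extension too.
_TRAILING_WS = re.compile(r"[\s\u00a0]+$")


def split_name(name):
    """Return (stem, real_extension) the way the OS sees it: the extension is
    whatever follows the last dot, lower-cased, with surrounding whitespace removed."""
    dot = name.rfind(".")
    if dot == -1:
        return name, ""
    return name[:dot], name[dot + 1:].strip().lower()


def analyse_attachment_name(name):
    """Describe one attachment filename. Returns a dict with the extension the
    OS would act on, a list of human-readable reasons, and a quarantine verdict
    (True when any reason was found)."""
    stem, real_ext = split_name(name)
    reasons = []
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + real_ext)
    if _TRAILING_WS.search(stem):
        reasons.append("whitespace padding before the real extension")
    # Look for a decoy extension at the end of the stem once padding is removed.
    decoy = re.search(r"\.([a-z0-9]+)$", _TRAILING_WS.sub("", stem).lower())
    if decoy and decoy.group(1) in DECOY_EXTENSIONS:
        reasons.append("decoy extension ." + decoy.group(1) + " before ." + real_ext)
    return {"name": name, "real_extension": real_ext,
            "reasons": reasons, "quarantine": bool(reasons)}


def triage(names):
    """Return, in input order, the filenames that should be held back."""
    return [n for n in names if analyse_attachment_name(n)["quarantine"]]


# Constructed sample attachment names for the demonstration.
SAMPLE_NAMES = [
    "readme.scr",
    "myphoto.jpg                               .exe",
    "your account info.pdf",
    "document.pdf.exe",
    "holiday photos.zip",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        result = analyse_attachment_name(sample)
        verdict = "QUARANTINE" if result["quarantine"] else "pass"
        print(f"{verdict:10} {sample!r}: {'; '.join(result['reasons']) or 'no findings'}")
```

The check deliberately works on the name as the operating system interprets it (last dot wins, whitespace around the extension ignored) rather than on what the user sees, which is exactly the gap the padded-space trick exploits; a mail gateway would normally pair it with content-type inspection, since a renamed executable also betrays itself by its file header.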
