In case you don't know. SCO's website is being fucked over by the mydoom virus in retaliation for their recent lawsuits. Uptime available here: sco.com
MyDoom owning SCO
Originally posted by Mr. Peabody:
In case you don't know. SCO's website is being fucked over by the mydoom virus in retaliation for their recent lawsuits. Uptime available here: sco.com
Originally posted by highwizard:
Wow, I'm glad you informed us of that. Especially since no one here would know anything about Mydoom or SCO. Don't worry, I'll stick to slashdot for my geek news and groklaw for my SCO lawsuit.

<sarcasm> What's MyDoom and who is this SCO person? </sarcasm>
Yes, we were aware of MyDoom and SCO the same day that it hit the wild, and the effects it would have on the net infrastructure as a whole (and SCO's boxen).
Quirk-
Originally posted by Qu|rk:
Yes, we were aware of MyDoom and SCO the same day that it hit the wild, and the effects it would have on the net infrastructure as a whole (and SCO's boxen).
And FWIW, I remember hearing that SCO took their website down voluntarily. Obviously this is in the realm of the anecdotal at this point, but it does raise an interesting point if true: could a zero-payload worm/virus purely *psychologically* force a company to down their own infrastructure?
Originally posted by skroo:
could a zero-payload worm/virus purely *psychologically* force a company to down their own infrastructure?
My thoughts,
Quirk-
Originally posted by Qu|rk:
If you deserve to get your beating, stand there and take it, do your best to stop it, and shut the hell up about it.

Originally posted by skroo:
Obviously this is in the realm of the anecdotal at this point, but does raise an interesting point if true: could a zero-payload worm/virus purely *psychologically* force a company to down their own infrastructure?
~Shakes his fists at CARO
"and I would have gotten away with it, if it wasn't for you nosey kids!"
Last edited by Mr. Peabody; February 4, 2004, 10:52.

Originally posted by Qu|rk:
Yes, although I think it was more of the protect and proceed plan if that happened to be the case
Disconnecting from the net in an instance like that is completely ass-backward logic, assuming they did do that
The one that wrote MyDoom will go back for round 2, and not announce the target this time
Thinking about it, I'm really beginning to wonder if the virus was never really *meant* to successfully DoS SCO - given the lousy timing in terms of releasing it (which gave the AV companies time to respond), the ease with which it was reverse-engineered (less than 12 hours to know what the payload was and how it would deliver it), ease with which it's removed (low system modification rate and delivery via email - dumb idea), and the fact that the end result was ultimately achieved (sco.com's webserver is inaccessible, though quite possibly not by the virus itself), it may have purely been an exercise in psychological warfare against SCO. After all, if you know there's a good chance that the media is going to pick up on it and whip everyone into a frenzy, why not let them do the work for you if you know your code is basically out in the open for everyone's AV software to detect?
I agree with everything you've said Skroo, but I think it was meant to be just a bit more than psychological warfare. I saw the ASM code for it, it's not 100% benign in any form, there is enough that, if re-written just a bit, there'd be a hell of a nasty surprise knocking on SCO's front door if they didn't take massive steps to stop it. It's very possible that it was written in that fashion just so that an antivirus with insane heuristics would sniff a section, and flag it as a virus to start the panic streak that ensued. Many unanswered questions, and they will probably remain that way for a while unless the author is found, and they can make him talk.
Quirk-
Originally posted by Qu|rk:
I agree with everything you've said Skroo, but I think it was meant to be just a bit more than psychological warfare. I saw the ASM code for it, it's not 100% benign in any form, there is enough that, if re-written just a bit, there'd be a hell of a nasty surprise knocking on SCO's front door if they didn't take massive steps to stop it. It's very possible that it was written in that fashion just so that an antivirus with insane heuristics would sniff a section, and flag it as a virus to start the panic streak that ensued. Many unanswered questions, and they will probably remain that way for a while unless the author is found, and they can make him talk.
Quirk-

perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Originally posted by Chris:
Both mydoom variants are odd...what's up with the apology message from "Andy" that's embedded?
The verdict is still out on that one, my personal belief is that it is one of 2 things. Either A) he's being forced to do it, which isn't likely or he'd have written something that actually worked or B) he's playing into the fears of the Homeland Security people as if he's a cyberterrorist cell waiting to happen, is unpredictable, and can cause damage in the blink of an eye. You cannot neglect or overlook the part of the code that does work... which is the backdoor section, and on command you have an immense amount of drones that are capable of DRDoS and I wouldn't be on the receiving end of it with the biggest fiber trunk that exists in the U.S.
To quote the aljazeera network post on it...
"He (Ero Carrera, F-Secure coder, cracked MyDoom.a and .b) said while the virus was effective against smaller companies, an attack on Microsoft would likely fail as the firm's site was built for heavy use. Plus, the strain of the virus is less potent than the one used against SCO."
That right there tells me something is fishy, if it's less potent, why would it be version .b? Wouldn't progressive logic say make it work better, faster, and be more stealthy? (I do not condone malicious virii, just stating that most who write a progressive version of the first improve upon it)
I am still wondering many things about what is going to result, and I can't wait for .c to come out, that'll be a good laugh for all ages - more code that scares people and raises the alert level to the point where ISPs are running crazy shit like Deciduous (even though it's junk and cannot gather info properly from things written to provide randomized IP support) </rant>
Quirk-
That right there tells me something is fishy, if it's less potent, why would it be version .b?
Wouldn't progressive logic say make it work better, faster, and be more stealthy?
I am still wondering many things about what is going to result, and I can't wait for .c to come out, that'll be a good laugh for all ages - more code that scares people and raises the alert level to the point where ISPs are running crazy shit like Deciduous (even though it's junk and cannot gather info properly from things written to provide randomized IP support) </rant>
Don't assume the .b variant came from the same author. When it comes to virii I've seen the following:
virii coder writes a virus, releases the virus, watches the results, goes back to the drawing board to refine and tune, virii coder releases the second version that fixes any weakness in the first one.
but I've also seen
virii coder writes and releases a virus, virus payload gets spread around, skippy the skript kid makes a few minor variations (like changing sco.com to microsoft.com), then puts his new version back out in the wild so he can go brag about what a leet haxor he is.
Good example of that was the walking tub of bacon grease that got popped for one of the SoBig variants where he literally changed the name of the virus to his handle and included a link to his site in the code. Way to go!
I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me
It's quite possible that it's not the same person, as was stated although the code is the same unless they've been working overtime.... .C is coupled with another worm, Deadhat.A which also propagates through any .A or .B variant infected computer. The size is 55,808 bytes, and it appears quite destructive as a whole. It drops a copy of sms.exe and references it in the registry under HKLM,software,microsoft,windows,currentversion,run - you'll spot a KernelFaultChk = "%System%\sms.exe" key if you are.
It may also delete:
BOOT.INI, AUTOEXEC.BAT , CONFIG.SYS , WIN.INI and other critical windows files.
If you are at all worried, block all port access on 1080, 3127, and 3128 for all till this threat has passed. If you use soulseek as a filesharing util similar to Kazaa, make sure you comb the files you download, and make sure you have the latest scanning engine and db that your A/V software has released.
Another way to tell if you're infected.... is that it'll shut down all running antivirus software and firewalls in its database. I will not spam the post here with the complete list, if in doubt note me and I'll get the list to you.
-------------------------------------------------------------------
NEW AS OF A FEW HOURS AGO: deadhat.a coupled with mydoom.c info has been changed. mydoom.c is now known as doomjuice.a and is a payload updater for the current .a and .b out there. deadhat.a payload and delivery methods have not changed since the above post.
Info on doomjuice.a -
it drops 3 compressed updated payloads in:
%System%\sync-src-1.00.tbz
%Root folder%\sync-src-1.00.tbz
%Temp%\sync-src-1.00.tbz
and intrenat.exe in the windows system folder, as well as a new registry key:
hklm,software,microsoft,windows,currentversion,run - presence of Gremlin = "<%System%>intrenat.exe" will indicate you are infected with it.
-=- Let's eradicate this pain in the ass -=-
Qu|rk-
Last edited by Qu|rk; February 10, 2004, 07:48.
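A small offline triage script for the host indicators listed in the post above (the Run-key value names, the dropped file names, and the backdoor ports recommended for blocking), added here as an example and not code from the thread or from any AV vendor. It parses constructed sample inputs (a reg-export style dump of the Run key and a few netstat lines) rather than reading a live registry, so the sample text and the helper names are assumptions.

```python
import re

# Run-key value names and the payload each one references, as quoted in the post.
RUN_KEY_IOCS = {"KernelFaultChk": "sms.exe",      # Deadhat.A
                "Gremlin": "intrenat.exe"}        # Doomjuice.A
PAYLOAD_FILES = {"sync-src-1.00.tbz", "intrenat.exe", "sms.exe"}
# Ports the post recommends blocking until the threat has passed.
SUSPECT_PORTS = {1080, 3127, 3128}

# Constructed sample: reg-export style dump of the Run key (not a real export).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KernelFaultChk"="C:\\WINDOWS\\system32\\sms.exe"
"Gremlin"="C:\\WINDOWS\\system32\\intrenat.exe"
'''
# Constructed sample: lines in the shape of "netstat -an" output.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135          0.0.0.0:0    LISTENING
  TCP    0.0.0.0:3127         0.0.0.0:0    LISTENING
  TCP    192.0.2.10:1080      0.0.0.0:0    LISTENING
"""

REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def suspicious_run_values(reg_text):
    """Return (value_name, data) pairs whose name or target file matches an IoC."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue  # key header or blank line
        name, data = m.groups()
        # .reg exports double the backslashes; collapse them, then take the basename.
        basename = data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if name in RUN_KEY_IOCS or basename in PAYLOAD_FILES:
            hits.append((name, data))
    return hits


def listening_suspect_ports(netstat_text):
    """Return the local listening TCP ports that fall in the post's block list."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports & SUSPECT_PORTS


if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_REG))
    print(sorted(listening_suspect_ports(SAMPLE_NETSTAT)))
```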
Also 420times/420girls, they got hit with mydoom, their whole mailing list, a bunch of the people got emails that work with the 420girls site. I know I got a load of emails for mydoom, norton caught them all.

$free = !$hope && !$fear;
$drink->heineken();