New Worms Feed on MyDoom Infections
JJP writes "ZDNet Australia is reporting that two new worms, Doomjuice and Deadhat, are taking over computers previously infected by the MyDoom virus.
Apparently they try to uninstall the MyDoom virus and then take over the PC to start their own malignant work. Whilst the threat these two worms pose shouldn't be too big, both needing a MyDoom backdoor, it is still a novel way to spread a virus. In the Netherlands there is a newspaper reporting this proves MyDoom was initially spread by organised crime in a dark plot to wage cyber-war and steal confidential data from our computers."
Get a Mac (Score:5, Insightful)
Re:Get a PENCIL AND PAPER (Score:5, Funny)
Re:Get a Mac (Score:5, Interesting)
I'll just ask: is it possible for a binary file to open ports and send itself as an email attachment on a Mac? On a linux box? Are you sure you understand the problem?
Re:Get a Mac (Score:2, Insightful)
anything else i should avoid doing? i think you amply illustrate the point that the virusmania has reduced the usability of windows.
with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.
is it possible for a binary file to open ports and send itself as an email attachment on a Mac?
do you mean, "can i telnet 25 to another host"? well, yes. i hope that was a rhetorical question.
if you me
Re:Get a Mac (Score:5, Interesting)
with my linux box and mac i can do whatever i want - including open attachments... i bought a computer so i could use it.
To be infected by MyDoom, you would have to open the attachment and run the binary.
if you mean, "can i fire up an mta and start spraying email all over creation"? then the answer is only if you have root. and if that virus has root... well, you've got bigger problems.
Eh, no. You don't have to be root to "spray email all over creation". Outgoing connections usually use unprivileged ports. And to accept incoming connections without root, you just need to listen on a port above 1024.
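An added example (not from anyone in this thread) showing the point above on a Unix-like box: a process with no special privileges binds a loopback port above 1024, a second socket connects to it and reads a message, and a separate probe reports whether binding a port below 1024 is refused. The listener payload and the port numbers are my own choices; on Linux the boundary can be moved with the net.ipv4.ip_unprivileged_port_start sysctl, and a root or CAP_NET_BIND_SERVICE process will not be refused.

```python
import errno
import os
import socket
import threading

# Constructed payload so the round trip is verifiable.
PAYLOAD = b"hello from an unprivileged listener"


def start_unprivileged_listener(payload: bytes = PAYLOAD):
    """Listen on an ephemeral loopback port (always >= 1024): no root needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(payload)

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, port


def connect_and_read(port: int) -> bytes:
    """Client side: an ordinary outgoing connection, also no privilege needed."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        return client.recv(1024)


def try_privileged_bind(port: int = 25) -> str:
    """Report what the OS says about binding a port below 1024.

    'denied'  -> EACCES/EPERM: the normal result for a non-root process
    'in-use'  -> something already listens there (a real MTA, for instance)
    'bound'   -> succeeded, i.e. you are root or hold CAP_NET_BIND_SERVICE
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "bound"
    except PermissionError:
        return "denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        s.close()


def demo() -> dict:
    """Run the exchange and summarise what it shows."""
    srv, port = start_unprivileged_listener()
    try:
        data = connect_and_read(port)
    finally:
        srv.close()
    return {
        "euid": os.geteuid() if hasattr(os, "geteuid") else None,
        "listen_port": port,
        "unprivileged_port": port >= 1024,
        "payload": data,
        "port_25": try_privileged_bind(25),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a normal user and you get a listening port in the high range, the payload delivered, and "denied" for port 25; run it as root and port 25 becomes "bound" or "in-use", which is exactly the distinction the poster draws between accepting connections and running a real MTA.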
Re:Get a Mac (Score:2)
Re:Get a Mac (Score:2)
sigh. i offered two options - open a connection on 25, which i referred to as "telnet 25" because i am old, for which root is not required, and start up the mta (postfix on panther) for which you do need to be root.
Re:Get a Mac (Score:3, Informative)
Re:Get a Mac (Score:2, Informative)
Re:Get a Mac (Score:3, Insightful)
of course i'm sure on KDE with some WINE integration it could be so much quicker and easier...
Re:Get a Mac (Score:3, Interesting)
Yes, the question was rhetorical, and the point is an app can start accepting connections on a given port (which is how the latest worms are spreading) no matter what your OS. It's possible to firewall everything and require admin access to open ports on Linux and OSX, but hey, it's possible on Windows too. Bad sysadmins and clueless users are a problem on ev
Re:Get a Mac (Score:4, Insightful)
Sane creation of a network topology, email subsystem, proactive network monitoring, and general patch management is NECESSARY to operate a large internet connected environment, regardless of the Operating System of Choice.
(and to head off the usual Mac'noids, show me a mac based application that scans, OCRs, and backs up to multiple Optical drives 20,000 documents an hour.)
Re:Get a Mac (Score:2, Insightful)
Re:Get a Mac (Score:2)
There's NO reason why a Mac box can't do the exact same thing as any alternative. Sane creation of network topology, data backup subsystem, and general intelligence is NECESSARY to operate a large backup operation, regardless of the Operating System of Choice.
For Newbies, not experienced users. (Score:5, Insightful)
These people STILL infected with MyDoom don't know the first thing about computer security. They would be MUCH MUCH better off with a Mac than with windows. All they probably do anyway is chat with their little friends on AIM and check their webmail.
It's obvious that windows is NOT the perfect OS for clueless newbie users, because it leaves gaping holes for them to be abused through. Think about it from the newbie point of view, not the experienced user point of view.
Thank you.
Re:For Newbies, not experienced users. (Score:2)
Re:For Newbies, not experienced users. (Score:5, Insightful)
And that's great, until Macintoshes become popular enough for viruses to be written for them (at which point it's going to be a massacre). A guy I work with owns a Macintosh, and he brags about how he doesn't need to run any antivirus program and how he can open all attachments. If a virus like MyDoom was created for the Macintosh, how much you want to bet my coworker (and people like him) would get infected right away, because they aren't using common sense? Windows may be buggy, and windows may have a lot of security holes, but in this case, MyDoom does not take advantage of any of them. MyDoom takes advantage of the traditional weakest link in any security system, people.
For Newbies, not experienced users??? (Score:2)
You make some excellent points. And, *why* should the average person *be* an expert on computer security? Why *WHY* should average users need to hassle with patching their box every *fucking* week? I've resisted the Mac for years (price has kept me away), and now have several Linux boxes in addition to my Win boxes, but...
It's obvious that windows is NOT the perfect OS for clueless newbie users
Linux just isn't ther
Re:Get a Mac (Score:3, Insightful)
You realize, of course, that the average computer user wouldn't even _understand_ this sentence, much less be able (or willing?) to implement your suggestions.
You may be right in theory, but for unskilled (read: average, normal) users in the real world, Macs are currently the safe choi
Re:Get a Mac (Score:2, Interesting)
Hey man, lay off (Score:3, Funny)
My system is part of a new global network. Your Mac just sits there and runs.
Re:Get a Mac (Score:5, Informative)
etymologically it's an old way (well, old in English) of pluralizing that we only see in a few words...child children, brother brethren is similar too. Interestingly enough, Persian being an Indo-European language has it too--Taleban (-an) is students (pl).
Re:Get a Mac (Score:5, Insightful)
popularity isn't exactly directly related to the number of exploits it has.
Re:Get a Mac (Score:3, Insightful)
Guarantee me that if I look I won't find an apache server which is months or years out of date. Go ahead. I dare you.
Re:Get a Mac (Score:5, Informative)
A virus would not be able to automatically start just by reading a message, as Mail doesn't allow that to happen. More significantly, it could not masquerade as another type of file, since clicking on it would pop up a dialog that says something like "Warning: the attachment 'foo.jpg.app' is an application. Since applications can contain viruses, make sure this was sent by someone you trust." or some such.
In short, even if the Mac platform were the primary computing platform on the planet, it would not have these problems at the same level, IMNSHO.
Proofs? (Score:3, Funny)
Deadhat (Score:3, Funny)
Proof? (Score:5, Funny)
Re:Proof? (Score:5, Funny)
- Neil Wehneman
It proves one thing. . . (Score:4, Funny)
I think it "proofs" that the editors don't proofread the submissions.
AIM (Score:4, Interesting)
Re:AIM (Score:5, Informative)
Funny I was just looking that up for a friend.
This is not MyDoom.
This link may help [computercops.biz].
Check that out, may help.
Re:AIM (Score:3, Insightful)
Re:AIM (Score:4, Informative)
~Philly
Re:AIM (Score:2)
Possibly it was inspired by MyDoom's reminder of how easy it is for a virus to wear just a little bit of sheep's clothing and get a user to give it the okay to execute.
Ok.. (Score:3, Funny)
Here's an idea..
Next time, if you're going to post a link that you have to register for, at least make sure it's in english.
In other news... (Score:5, Funny)
Thread? (Score:4, Funny)
Just Once (Score:2)
dark plot to wage cyber-war and steal confidential data from our computers."
...I wish that this sinister plot was met with terabytes/second of "confidential data" like, oh, free viagra offers, Nigerian 419 scams, Add 3 inches, etc...
DoomNet... (Score:5, Interesting)
I guess the only positive side effect is that some of these DoomJuice variants are closing the back door from the original MyDoom so that nobody else can interfere with them. Now, if only there was a MyDoom uninstaller worm that didn't have another destructive payload...
Re:DoomNet... (Score:2, Informative)
Re:DoomNet... (Score:3, Informative)
My writeup of Doomjuice: http://www.lurhq.com/mydoom-c.html [lurhq.com]
Re:DoomNet... (Score:4, Informative)
Re:DoomNet... (Score:3, Informative)
Almost right. MyDomain was apparently a variable in the code (uhh, then I am guessing VB code?) and he spelled it MyDoomain.
Is "DeadHat" a reference to .... (Score:4, Funny)
Way to go on damning Linux users' reputation
Virus names (Score:5, Funny)
Re:Virus names (Score:5, Funny)
Re:Virus names (Score:5, Interesting)
Re:Virus names (Score:2, Informative)
Either that, or... (Score:2)
Either that, or a bunch of smart, bored kids in the Netherlands...
Cyber war? Puleeeze (Score:5, Insightful)
If organized crime was looking to steal data, all they had to do is ask people. Hundreds of people hand over their eBay, PayPal, and credit card information every day to phisher emails claiming to be from a legit company. Making a worm to steal the information isn't even necessary when the user is already the weakest link after being socially engineered.
Re:Cyber war? Puleeeze (Score:2)
If organized crime is behind MyDoom, then it certainly allows them to upgrade to a cyber war. MyDoom takes a territory of the Internet over; otherwise innocent users' PCs suddenly do the work of the hackers. No longer would this crime group need to rent out or hack individual servers to run cyber-scams; MyDoom's backdoor gives them full invisible control of the hacked PCs, including the ability to harvest random users' identities and contacts.
Re:Cyber war? Puleeeze (Score:5, Informative)
Why commit computer crimes from your own machines, when you can do it from another person's, and in fact connect to a 2nd or 3rd infected machine from the first infected machine to add another layer of difficulty to any investigation?
The ability to harvest contact information exists in a simple forwarded joke email. This is not advanced "war" stuff. If it was advanced, people wouldn't have noticed.
Re:Cyber war? Puleeeze (Score:2)
Posing "threads" (Score:3, Insightful)
All the speculation about who did it or even why is still speculation. (If someone hated SCO so much, why stop after two weeks?)
Re:Posing "threads" (Score:2)
In fact, it seems all these people need to do is change the payload of DoomJuice to fit their specific wishes. One letter is not going to be enough to keep all the DoomJuice.* variants straight.
"only about 50,000 or 75,000 machines left" (Score:2, Funny)
I thought that Doomjuice was from the ... (Score:5, Interesting)
Re:I thought that Doomjuice was from the ... (Score:5, Interesting)
So, effectively we've got worm-writing for dummies now. No need to write new full-featured virus, nor even the need to know how to exploit an obscure security hole. Just take DoomJuice and add your own payload...
Re:I thought that Doomjuice was from the ... (Score:3, Insightful)
I wonder (Score:5, Interesting)
Re:I wonder (Score:2)
Too many problems with that... Boot sectors are more or less locked down by your standard anti-virus program. Unless the virus installs an already-infected copy of the new operating system, it wouldn't be able to use past infections as zombies.
Re:I wonder (Score:2)
Re:I wonder (Score:2)
Now, a more plausible thing would be to install Cygwin. The user won't see any difference but suddenly their computer has become a lot more useful of a platform from which to launch attacks.
Re:I wonder (Score:3, Insightful)
Re:I wonder (Score:2, Interesting)
Now imagine a worm that would go through an IIS-based system, backup all their ASP files and fish for anything SQL Server-related onto a remote server, install LAMP, run ASP2PHP on those ASP files, "restore" them to the server, and electronically file for a
Old News (Score:2)
How hard is to click on the icon [slashdot.org] on the side of the article before posting a new article?
Re:Old News (Score:2)
Lamest... Names... Ever (Score:4, Funny)
What's next, ThunderCat? MrDoom? Anyone smart enough to write a virus this effective must be more imaginative than this!
not exactly "novel" (Score:2)
Re:not exactly "novel" (Score:2)
Re:not exactly "novel" (Score:3, Funny)
white hat worms? (Score:5, Interesting)
Re:white hat worms? (Score:3, Interesting)
And most people in the know would agree that Welchia, which was the worm intended to fix Blaster infections, was actually worse than Blaster in terms of its impact on networks.
Organized Crime? (Score:3, Funny)
I am willing to admit that SCO is a crime, but who is claiming that they are organized??
I think I would be willing to admit that it was spread by a criminal company.
Idibus Martiis (Score:2)
Novel? (Score:2)
I think the word I would have used here is 'obvious'...
Laugh with me... (Score:3, Interesting)
2. Block applicable ports
3. Smile when alerts are issued
Re:Laugh with me... (Score:3, Insightful)
Sure if you block ports 21, 25, 53, etc you might be safer, but far less functional a system as well. If you go that far, I think you'd be better firewalling off all ports and just opening the ones for the services you _want_ to have exposed.
A way to deal with worm outbreaks? (Score:5, Interesting)
When a big worm comes out, wouldn't it be possible to write another worm that would utilize the backdoor, get rid of the worm, and then hang about to make reinfection impossible?
My organization took care of the worm in the first few minutes after it started spreading, but there seem to be a lot of people still out there who aren't protected (if the number of inbound mails my mail server quarantines each day is any indication).
If someone in a white hat wrote a MyDoom immobilizer worm, and then released it, wouldn't that put a speedy end to MyDoom in the wild?
Re:A way to deal with worm outbreaks? (Score:5, Insightful)
The problem is that by creating a worm that cleans up the original malware worm, the fix is just as bad as the original virus. You're still using a lot of bandwidth that isn't yours, you're still sending out a program to change someone else's system without their permission, etc.
On the surface it looks like a good idea, but unfortunately it has a lot of serious drawbacks.
Re:A way to deal with worm outbreaks? (Score:2)
I may not lock my windows, but you better believe you're going to get arrested if you walk into my house and try to lock them for me.
for the non-dutch (Score:5, Informative)
Amsterdam - There are signs that the computer virus MyDoom has been brought into circulation by organised crime syndicates. The worm virus was accompanied yesterday by the evil program 'DeadHat'. Microsoft and software maker SCO have a quarter *billion* dollars in stock to reward the tip that will lead them to its creators.
According to the British research firm mi2g, deadhat is designed to provide its creator with sustaining, long-term control over a system. This power could be abused to hostage websites.
It is also possible to abuse the pc in sending spam e-mail, and the program is capable of harvesting passwords and other confidential information. Deadhat is an intelligent software agent, a program
[snip] the really boring part
According to mi2g, deadhat has encrypted intelligence, waiting to be activated. "This definitely looks like the work of organized crime"
Meanwhile, Doomjuice has come to surface. Another worm which seems to battle for control of the PC.
Re:for the non-dutch (Score:3, Interesting)
http://blanu.net/curious_yellow.html
I'm really surprised that we haven't seen various implementations taking over large numbers of computers.
My only thought has been that the kind of person who implements Curious Yellow is sufficiently more skilled than the average worm writer that they choose to be subtle and slow. If that is the case, then I expect that the 75,000 is a very small number of machines compared to those that are al
Exchange servers beware (Score:5, Interesting)
Last week I get a call from another tech friend, "Hey toqer, I got this customer and they got infected with MyDoom. The NAV wasn't set to exclude the exchange store on the server, and it wiped out their calendaring info, the server needs all its logs rebuilt"
I asked him for more info. Logs rebuilt? WTF was he talking about? Apparently they had brought in an "Exchange Expert" to fix the problem. The guy spent about 2 days out there and didn't get anything done. After calling them I went out to see exactly what the problem was.
This office is a lawyers' office, and their specialty is wills and trust funds. I was met by a really nice French woman at the door. "Toqer, please follow me and I will show you what the problem was"
She first showed me their main problem. Whenever they would try and modify the big boss's calendar, outlook would spit out some nonsense about unable to connect to his free/busy information. Second problem I noticed was the entire network was running on NT4.0, and the machines were all pentium1 class PC's. "Good thing this is hourly" I said to myself.
Looking at the NAV logs, it looked like it had deleted some files from d:\exchngsrv\mtadata (not exactly, this is best recollection). First thing I did was set NAV to exclude those folders. Good, done.. Now it was time to fix the problem itself.
Now I don't have the exact KB article, but the MS solution was to log in as the affected user. Backup his exchange store to personal folders. Use the exchng32 client to delete the calendar folder, then launch outlook with a
It took me 4 hours to fix it, nice little chunk o change in my pocket. Thanks MyDoom!
Re:Exchange servers beware (Score:2)
Cleverer Social Engineering (Score:5, Informative)
* Windows2003Keygen.exe
* mIRC.v6.12.Keygen.exe
* Norton.All.Products.KeyMkr.exe
* F-Secure.Antivirus.Keymkr.exe
* FlashFXP.v2.1.FINAL.Crack.exe
* SecureCRTPatch.exe
* TweakXPProKeyGenerator.exe
* FRUITYLOOPS.SPYWIRE.FIX.EXE
* ALL.SERIALS.COLLECTION.2003-2004.EXE
* WinRescue.XP.v1.08.14.exe
* GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
* BlindWrite.Suite.v4.5.2.Serial.Generator.exe
* Serv-U.allversions.keymaker.exe
* WinZip.exe
* WinRar.exe
* WinAmp5.Crack.exe
This is also a Social Engineering technique similar to the catchy email sent by other recent worms.
The difference I see is that the filenames are catchier and seem to be targeted towards a more computer savvy audience. Normal Windows users wouldn't need to look for WinRar.exe and the other security software cracks/etc...but then, they're the ones who opened the MyDoom attachments in the first place.
Get the dumb users with vulnerable PCs through email attachments, and break the more secure computers/users through enticing downloads!
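An added example, not posted by anyone in this thread: a small filename-triage check of the kind a mail gateway or file-share scanner might apply to the lures listed above and to the 'foo.jpg.app' double-extension case mentioned earlier in the thread. The extension sets, the lure vocabulary and the impersonated-tool list are my own constructed choices, and the sample input is the list from the post plus two names I added (one benign, one double-extension) so the check has something to leave alone.

```python
import re

# Extensions that execute when double-clicked: Windows types plus macOS .app bundles.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "app"}
# Extensions a user reads as "just a document/picture"; an executable hiding
# behind one of these (foo.jpg.app, report.pdf.exe) is the classic disguise.
BENIGN_LOOKING_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "htm", "html"}
# Pirated-software vocabulary used as bait in the share names above (constructed list).
LURE_WORDS = re.compile(r"keygen|keymkr|keymaker|crack|patch|serials?|generator", re.I)
# Common utilities the bait impersonates, matched on the first name component (constructed list).
IMPERSONATED_TOOLS = {"winzip", "winrar", "winamp5"}

# Constructed sample: the share names from the post, one benign file, one double extension.
SAMPLE_NAMES = [
    "Windows2003Keygen.exe", "mIRC.v6.12.Keygen.exe", "Norton.All.Products.KeyMkr.exe",
    "F-Secure.Antivirus.Keymkr.exe", "FlashFXP.v2.1.FINAL.Crack.exe", "SecureCRTPatch.exe",
    "TweakXPProKeyGenerator.exe", "FRUITYLOOPS.SPYWIRE.FIX.EXE",
    "ALL.SERIALS.COLLECTION.2003-2004.EXE", "WinRescue.XP.v1.08.14.exe",
    "GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe", "BlindWrite.Suite.v4.5.2.Serial.Generator.exe",
    "Serv-U.allversions.keymaker.exe", "WinZip.exe", "WinRar.exe", "WinAmp5.Crack.exe",
    "report.pdf", "foo.jpg.app",
]


def assess_filename(name: str) -> list[str]:
    """Return the reasons a filename looks like an executable lure (empty = nothing noted)."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []  # no extension at all: nothing to say from the name alone
    ext, stem = parts[-1], parts[:-1]
    reasons: list[str] = []
    if ext not in EXECUTABLE_EXTENSIONS:
        return reasons  # policy here only cares about things that run on click
    reasons.append(f"executable extension .{ext}")
    if len(stem) >= 2 and stem[-1] in BENIGN_LOOKING_EXTENSIONS:
        reasons.append(f"double extension disguised as .{stem[-1]}")
    if LURE_WORDS.search(name):
        reasons.append("pirated-software lure in name")
    if stem[0] in IMPERSONATED_TOOLS:
        reasons.append(f"impersonates well-known tool '{stem[0]}'")
    return reasons


def triage(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged filename to its reasons; unflagged names are omitted."""
    return {n: r for n in names if (r := assess_filename(n))}


if __name__ == "__main__":
    for filename, reasons in triage(SAMPLE_NAMES).items():
        print(f"{filename}: {'; '.join(reasons)}")
```

The executable-extension test alone is what stops the MyDoom attachment case; the double-extension and lure checks only add the explanation a helpdesk would want when a user asks why WinZip.exe from a file share was quarantined.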
New Welchia Worm (Score:5, Interesting)
I don't normally like any Windows virus, but I have a tough time not liking this one.
Hmmm.... (Score:5, Funny)
DoomJuice: "I'm your Grim Reaper."
MyDoom: "Like hell you are. This is my machine, punk."
DoomJuice: "Prepare to meet thy maker (wink wink)."
MyDoom: "Over my dead process."
DoomJuice: "Look, a little old lady on a Windows 98 machine!"
MyDoom: (turns) "Who? Where?"
DoomJuice: "Your Mom." *BONK* "Muhahahaha! Mine, the world is mine!"
"threat these two worms pose shouldn't be to big" (Score:4, Interesting)
Maybe not a big threat in the sense that most of us reading this have been taking precautions against viruses like MyDoom all along (or were on Macs or Linux), but there's still a pretty big secondary threat to all of us who use the internet. I'm still seeing a lot of MyDoom-infected computers out there: a quick look at my mail server shows examples -- sometimes multiple examples -- of MyDoom sent from dsl hosts in cerfnet.com, telus.net, sprintbbd.net, and ameritech.net just within the last hour). When Doomjuice and Deadhat get on these machines and start sucking up neighboring bandwidth with their DoS or whatever, it's a problem -- even if it's not actually your machine that's infected.
Kinda scary (Score:4, Insightful)
Viruses : Cutting Edge of Artificial Intelligence (Score:5, Interesting)
Similar to Hepatitis D vs B (Score:3, Interesting)
That's MY Domain! (Score:4, Funny)
I am not at all happy that someone has sullied the good name of my website with a worm.
Switching OSs isn't the solution (Score:3, Insightful)
Ooo! (Score:5, Funny)
Re:Ooo! (Score:5, Funny)
Re:Ooo! (Score:5, Funny)
Re:Ooo! (Score:4, Funny)
Re:Organized crime? (Score:5, Funny)
When the spammers have oil.