Latest worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill Husted

Posted on 01/29/2004 12:57:10 PM PST by honeygrl

A new computer worm called MyDoom is spreading in the United States and abroad at a frightening rate. But that's not the really scary news.

What worries computer experts the most is the fact that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These better-built worms also are used by criminals to turn a profit.

Experts say the creation of MyDoom was almost certainly funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns the machine into a remotely controlled robot programmed to send spam e-mail messages.

With hundreds of thousands of these zombie computers sending spam, the chances of shutting down the flow are almost zero.

While the inner workings of the worm aren't a strong departure from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead of sloppily made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread faster and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based anti-virus firm.

"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."

"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.

Nor is there any question that MyDoom spread like wildfire. Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for a time, one of every nine e-mails was infected.

Atlanta-based EarthLink, which has more than 5 million Internet customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time, e-mail traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.

As if the news wasn't bad enough, there is a general suspicion the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the worm can monitor every keystroke made on every infected computer not protected by a firewall program. That provides access to everything typed, including credit card numbers and passwords.

"I think there is a link to organized crime," Thompson said. "I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account log-ins."

Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the anti-hacker software would intercept and stop the remote prying.

MyDoom's professional touch can be seen in the way the e-mail induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked pictures and the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly. Even worm-smart users could be fooled, said Mehta.

Once that attachment is opened, it hijacks e-mail addresses stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected e-mail could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message, many users may be eager to open the attachment to see which message failed.

The text for some of those messages seems properly technical. One says: "The message contains Unicode characters and has been sent as a binary attachment."

The professionalism of all that has Thompson worried. He foresees a new generation of worm creators who are better educated and more skilled.

"Most worm writers grow up and get a girlfriend, a job and then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."

As professionals take charge, the construction of the worms themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms such as MyDoom -- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of better quality."

He added, "It's not the first to have ties to professional writers, but until about a year ago we didn't see worms that were tied to professionals."

While any fast-spreading worm causes congestion for computer networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson said.

"Professional hackers are getting more into this," said Mehta. "We are now seeing worms that are designed with a purpose."

Both Internet Security Systems and EarthLink believe the peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.
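A gateway-side check for the lure the article describes, a spoofed delivery-failure notice that carries the infection as an attachment, as an added example that is not from the article or from any vendor named in it. The sample messages, the filename message.scr, the subject lines and the executable-extension list are constructed assumptions for the demonstration; the only wording taken from the page is the quoted "binary attachment" sentence.

```python
import email
from email import policy
from email.message import EmailMessage

# Wording the article quotes from one of the worm's fake error notices, plus
# bounce vocabulary a spoofed "delivery failure" subject line would use.
LURE_PHRASES = ("sent as a binary attachment", "contains unicode characters")
FAILURE_WORDS = ("undeliver", "delivery", "failed", "returned")
# Assumed gateway policy list: extensions Windows runs directly when opened.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd")


def classify(raw):
    """Return 'suspicious' when a message claims to be a delivery failure but
    carries an executable attachment (a real bounce never needs one), else 'ok'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_exec, text = False, ""
    for part in msg.walk():
        if part.is_attachment():
            if (part.get_filename() or "").lower().endswith(EXEC_EXTENSIONS):
                has_exec = True
        elif part.get_content_type() == "text/plain":
            text += part.get_content().lower()
    subject = str(msg["Subject"] or "").lower()
    claims_failure = (any(p in text for p in LURE_PHRASES)
                      or any(w in subject for w in FAILURE_WORDS))
    return "suspicious" if has_exec and claims_failure else "ok"


def sample(subject, body, attachment=None):
    """Build a constructed test message; attachment is (filename, bytes)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.org", "victim@example.net", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment[1], maintype="application",
                         subtype="octet-stream", filename=attachment[0])
    return m.as_bytes()


# Constructed samples: a worm-style lure using the quoted wording plus a binary
# attachment, a plain-text bounce, and an ordinary message with a program attached.
LURE = sample("Delivery failed", "The message contains Unicode characters and has "
              "been sent as a binary attachment.", ("message.scr", b"MZ not a real program"))
REAL_BOUNCE = sample("Undelivered Mail Returned to Sender",
                     "Delivery to someone@nowhere.example failed permanently.")
ORDINARY = sample("Build tool", "Here is the installer you asked for.",
                  ("setup.exe", b"MZ not a real program"))
```

Blocking every executable attachment outright is a separate, broader policy; this rule only isolates the bounce-notice disguise the article singles out.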


TOPICS: Business/Economy; Crime/Corruption; Extended News
To: 69ConvertibleFirebird
c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])

This is most likely a dial-up or DSL connection. Send the complaint to abuse@comcast.net. My experience with this indicates that people frequently receive trial subscriptions solely for the purpose of originating spam. Recently, a wireless spot in a hotel was used to originate spam.

Text based spam is bad enough, but when it includes viruses and trojans, the problem is compounded. CNN suggested this current virus could cost over $250M.

Open relays pose a problem, as do trial subscriptions and temporary email accounts. Even though fewer open relays exist in the US, their emergence in third-world countries will only increase this problem.

The real challenge is that the existing email protocol cannot authenticate who really sent the email. The advocates for updating the protocol are dwarfed by the advocates for keeping the existing protocol due to the anticipated cost for making the change. Existing applications are based on the current protocol and they would have to be changed.

The CAN-SPAM Act fails because it requires you to identify who sent you the spam. When it comes from a third-world country, that will not happen. When the spammers spoof the headers, again you cannot identify who sent the email.

41 posted on 01/29/2004 3:28:47 PM PST by rit

To: Nick Danger
For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.

It's my understanding that W32.Mydoom.B (the one that includes DoS's against both SCO AND Microsoft) is a whole new variation of W32.Novarg.A (the original MyDoom SCO worm) and is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

42 posted on 01/29/2004 3:32:02 PM PST by Leroy S. Mort

To: rit
I see a lot of spam from "spam zombie" machines on dsl and broadband networks. They get infected with a backdoor trojan, and then the spammers will use them to send mail from.
43 posted on 01/29/2004 3:37:06 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

To: Nick Danger
You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.

I see you're finally starting to understand the dangers of computer criminals? That's actually the first post ever I've seen you make where you may actually be starting to realize that policing of the internet is a foregone conclusion.

There are some really bad people out there on the net, and they used to just pirate others' property, giving it away for free all over the world, but now they're launching bombs out there. These "loosely knit groups of hackers from around the web" (kernel.org) have to be watched closely. I'm amazed and hopeful you're starting to see the light. More likely, just a temporary flash.

44 posted on 01/29/2004 3:41:58 PM PST by Golden Eagle

To: All
Most of these links are courtesy Martin Fierro:

Alternative browsers:
http://www.mozilla.org/
http://www.opera.com/

Free anti-viral protection:
http://www.grisoft.com/us/us_dwnl_free.php

Popup ad killers:
http://www.bayden.com/popper/

Close that friggin' Messenger in Windows XP:
http://grc.com/stm/ShootTheMessenger.htm

Spyware removers:
http://www.safer-networking.org/index.php?lang=en&page=download
http://www.lavasoftusa.com/
http://www.wilderssecurity.net/spywareblaster.html

Good for pre-screening & bouncing SPAM:
http://mailwasher.net/

Script Defender ( stop that nonsense from running unwelcome scripts ):
http://www.analogx.com/welcome.htm

Online virus scans:
http://housecall.antivirus.com/housecall/start_corp.asp
Trend Micro

http://www.rav.ro/scan/indexie.php
RAV

http://www.bitdefender.com/scan/license.php
Bit Defender

45 posted on 01/29/2004 3:48:31 PM PST by backhoe (--30--)

To: Leroy S. Mort
is not, to my knowledge, "updating" the original package in the wild. If you have information to the contrary, I'd be interested in seeing it.

From the discussion of Novarg.B on Symantec Security Response (see #11):

The worm also contains functionality which allows it to install itself on systems which may have been infected by W32.Novarg.A@mm. This is accomplished as follows:

So basically this guy can send out a new worm at any time to modify the behavior of the old worms. I think it's against the law in the United States to invade someone else's computer, but perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

46 posted on 01/29/2004 4:00:05 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)

To: Golden Eagle
When you swim in the ocean, you enter the food chain.
47 posted on 01/29/2004 4:00:58 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

To: backhoe
No Netscape? BTW, do you know if any other browsers offer the 'full screen' mode with zero border like IE?

48 posted on 01/29/2004 4:03:45 PM PST by Golden Eagle

To: Golden Eagle
In the Microsoft Outlook product's preview mode, if an email contains an embedded executable mime type, does it trigger automatically? Or, does the user have to open the attachment? Clarity is appreciated.
49 posted on 01/29/2004 4:11:33 PM PST by rit

To: tacticalogic
I see a lot of spam from "spam zombie" machines on dsl and broadband networks.

It's insane how infected some of these broadband ISPs are with this stuff; a virgin system gets popped within 10 mins on a lot of them. They're going to have to better authenticate, and the more you pay, the sounder your service will be. You can already join one of the major ISPs and get similar protection now, but some would rather ride these big waves anyway. So it will never end; some will just better isolate themselves from it.

50 posted on 01/29/2004 4:17:09 PM PST by Golden Eagle

To: Golden Eagle
No Netscape? BTW, do you know if any other browsers offer the 'full screen' mode with zero border like IE?

Oversight- I keep 7.1 on my machine and like it fine... far as the other 2 go, I have used them in the past, but darned if I can recall offhand that border feature- I suspect you can do it, but can't say for sure.

51 posted on 01/29/2004 4:18:20 PM PST by backhoe (--30--)

To: rit
My understanding is that older versions of Outlook can indeed have a 'preview pane' vulnerability where a received message can possibly autolaunch itself if it becomes active in the preview pane. I believe that was only related to Outlook Express, the free package included in Windows, and not the Outlook 9X, 2000, etc. that comes packaged with Office; I believe its preview pane may have always been safe, although that version is perhaps more vulnerable to HTML mail attacks.

However, these would be much older, more like initial implementations, that hopefully have long since been upgraded, and would in fact be considered one of the more serious threats that an intelligent updater like windowsupdate.com would immediately notice as a severe issue.

Any modern version of Outlook Express (normal Outlook not being affected) that came with any recent version of IE (5.1+) would probably not be susceptible. As I said, at least that is my current understanding...
52 posted on 01/29/2004 4:24:22 PM PST by Golden Eagle

To: Golden Eagle
It's insane how infected some of these broadband ISPs are with this stuff; a virgin system gets popped within 10 mins on a lot of them. They're going to have to better authenticate, and the more you pay, the sounder your service will be. You can already join one of the major ISPs and get similar protection now, but some would rather ride these big waves anyway. So it will never end; some will just better isolate themselves from it.

At the very least, the broadband and DSL providers ought to be stopping SMTP traffic from their clients, or at least making arrangements for an authorization process to enable it. I stop the majority of spam from hitting my mail servers by using RDNS and blocking all the address spaces assigned to China. AOL is testing the new SPF (Sender Permitted From) DNS extension, and I'm waiting to see how that turns out.

53 posted on 01/29/2004 4:27:01 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
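The two checks discussed in this thread, rit's point in post 41 that SMTP itself gives a receiver no way to verify who sent a message, and the RDNS filtering and SPF DNS extension mentioned in post 53, as an added example that is not from any poster here or from AOL's implementation. The DNS zone is constructed inline (documentation address ranges), and only the ip4, a, mx, include and all SPF mechanisms are handled.

```python
import ipaddress

# Constructed DNS zone for this example (documentation address ranges, not real hosts).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a mx include:_spf.provider.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.20"]},
    "20.100.51.198.in-addr.arpa": {"PTR": ["mx1.example.com"]},
    "_spf.provider.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed zone above."""
    return DNS.get(name, {}).get(rtype, [])


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP: pass, fail,
    softfail, neutral, 'none' (no record) or 'permerror' (include: loop guard)."""
    if depth > 10:
        return "permerror"
    record = next((t for t in lookup(domain, "TXT") if t.startswith("v=spf1")), None)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                      # mechanisms default to the 'pass' qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain          # 'a' and 'mx' default to the checked domain
        matched = False                 # unsupported mechanisms simply do not match
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term present


def fcrdns(sender_ip):
    """Forward-confirmed reverse DNS: the PTR name whose A record points back at the IP."""
    reverse_name = ".".join(reversed(sender_ip.split("."))) + ".in-addr.arpa"
    for host in lookup(reverse_name, "PTR"):
        if sender_ip in lookup(host, "A"):
            return host
    return None
```

A zombie on a consumer address block fails both checks here: no PTR name confirms back to it, and the spoofed MAIL FROM domain's record ends in -all, so the receiver can reject at SMTP time instead of after delivery.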

To: Nick Danger
perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

Someone did write such a thing to kill the Blaster worm. Unfortunately, it was so aggressive that it would overload networks just from the sheer volume of scanning it was doing.

54 posted on 01/29/2004 4:31:25 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)

To: tacticalogic
At the very least, the broadband and dsl providers ought to be stopping smtp traffic from their clients, or at least making arrangements for an authorization process to enable it.

They don't want to turn anything off unless they turn it all off, and then the customers all raise hell and threaten to drop. The ISPs seem to be at a break-even point, though: no way to add staff or features like security without raising their rates, something nobody wants, but maybe inevitable.

55 posted on 01/29/2004 4:42:36 PM PST by Golden Eagle

To: Golden Eagle
Thank you for the response. What about embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?
56 posted on 01/29/2004 4:45:48 PM PST by rit

To: honeygrl
These "MyDoom" articles on FR have reminded me to update my virus definitions every day for the past several days, and there's always something new. Usually, I update about once a week.
57 posted on 01/29/2004 4:46:38 PM PST by wimpycat ("Black holes are where God divided by zero.")

To: tacticalogic
perhaps a "white hat" in some other country could send out an update that kills this thing, and then deletes itself.

I think that may be Welchia. I'm not in favor of much vigilante justice; there are enough loose cannons out there as it is. And there's a tremendous amount of blurring of the lines between the "black hats" and the "white hats" right now, including these 'security firms' that release newly found exploits straight onto the open internet without first notifying the vendors and giving them a chance to build a patch first. But you can't have a "mob rules" world out there, which it is turning into.

58 posted on 01/29/2004 4:50:34 PM PST by Golden Eagle

To: rit
Thank you for the response. What about embedded HTML with javascript and/or active-X? Is that autoenabled in the preview pane for the current versions of outlook?

All the same, as far as I know. The latest versions of Outlook with very latest patches applied won't let you open any attachment without saving it first, or at least that is my understanding. You could be hyperlinked, but that would typically require a corrupt host for you to connect.

Of course, A/V protection is a higher level of protection, from the client to the server on to the perimeter if you control it. With that updating signatures constantly, only the immediate impact of a virus not yet defined by your A/V vendor and pushed to your protection points can even get to your Outlook client. It still happens, on rare occasion even with the best perimeter defense, but then you have the other protections I've mentioned along with user education.

59 posted on 01/29/2004 5:01:02 PM PST by Golden Eagle

To: wimpycat
These "MyDoom" articles on FR have reminded me to update my virus definitions every day for the past several days, and there's always something new. Usually, I update about once a week.

If you have any sort of permanent connection you should update every day. Usually the mid morning to early afternoon signatures have been built to block whatever comes from overseas that day. But you have to do this since even what may seem as extreme precaution may not be enough, as the virus sometimes advance in front of the virus, although that actually did not seem to be the case with MyDoom, there are just a lot of people who aren't upgrading fast enough that got caught and accidentally clicked those files. Bottom line, treat the dangers of the internet with deserved respect, and you'll be fine.

60 posted on 01/29/2004 5:05:48 PM PST by Golden Eagle
