[Full-Disclosure] Mydoom: perfect storm averted or just ahead?

From: Computer Security (c2_protect_at_hotmail.com)
Date: 01/29/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 29 Jan 2004 01:34:26 +0000
    
    

    Worms traveling across the Internet are like waves rolling and swelling
    across an ocean. Just because the first swell does not inundate a
    network, one should not assume invincibility to the next wave in the perfect
    storm.

    Reports on Mydoom.a-generated traffic vary, between 1 in 7 and 1 in 12 emails.
    Although Mydoom.a infested many networks, it apparently bypassed others.
    Sophos http://www.sophos.com/virusinfo/analyses/w32mydooma.html reported
    that the initial variant was programmed to bypass certain domains or
    addresses with strings to include the following:

    acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu,
    google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o,
    isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai,
    panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e,
    unix, usenet, utgers.ed

    Experience shows that programmers are quick to "improve" upon initial code,
    modifying and releasing variants (note Sobig and now Mydoom.b -
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89494,00.html?SKC=news89494).

    Lessons learned:

    1. Do not rest on your laurels, assuming your network has good
    defense-in-depth (executables stripped away at the email server, Outlook
    security patch installed). The next version could be modified with the
    conditions right to target your environment and hit you with a perfect storm.

    2. It would be difficult for a malicious programmer, cyber terrorist or
    cyber activist to target a specific environment and protect others (e.g.,
    launch a denial of service against SCO.com because I like Linux and don't like
    SCO's legal actions; protect my computer at Berkeley.edu because I don't want
    to affect my own email). Programmers can easily modify code and launch an
    attack against another environment.

    Karl Wolfgang


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
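The skip-list quoted in the post is a plain substring filter, which is why it spared some networks by accident (any address containing "secur" or "math" anywhere was skipped) and why the author warns that a variant can simply drop an entry. The following is an added example, not code from the post or from Sophos, that lets an administrator check which of their addresses would have been spared by the Mydoom.a list as published; case-insensitive matching and the sample addresses are this example's assumptions.

```python
from typing import List, Optional, Tuple

# Skip-list substrings exactly as quoted in the post (attributed there to Sophos).
MYDOOM_A_SKIP_STRINGS = [
    "acketst", "arin.", "avp", "berkeley", "borlan", "bsd", "example", "fido",
    "foo.", "fsf.", "gnu", "google", ".gov", "gov.", "hotmail", "iana", "ibm.com",
    "icrosof", "ietf", "inpris", "isc.o", "isi.e", "kernel", "linux", "math",
    ".mil", "mit.e", "mozilla", "msn.", "mydomai", "nodomai", "panda", "pgp",
    "rfc-ed", "ripe.", "ruslis", "secur", "sendmail", "sopho", "syma",
    "tanford.e", "unix", "usenet", "utgers.ed",
]


def skip_reason(address: str) -> Optional[str]:
    """Return the first skip-list substring found in the address, or None.

    Matching is a plain substring test over the whole address, so unrelated
    names such as "insecure-corp" or "mathdept" trigger it too. Lower-casing
    the address is an assumption of this example; the post does not say
    whether the worm compared case-sensitively.
    """
    lowered = address.lower()
    for needle in MYDOOM_A_SKIP_STRINGS:
        if needle in lowered:
            return needle
    return None


def assess(addresses: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split addresses into those spared by the list (with the matching
    substring) and those the original variant would still have mailed."""
    spared: List[Tuple[str, str]] = []
    targeted: List[str] = []
    for addr in addresses:
        reason = skip_reason(addr)
        if reason is None:
            targeted.append(addr)
        else:
            spared.append((addr, reason))
    return spared, targeted


# Constructed sample addresses for the demonstration (not from the post).
SAMPLE_ADDRESSES = [
    "alice@insecure-corp.test",            # spared by accident: "secur"
    "bob@mathdept.someuniversity.edu",     # spared by accident: "math"
    "carol@acme-widgets.test",             # no entry matches: targeted
    "dave@payroll.acme-widgets.test",      # no entry matches: targeted
]

if __name__ == "__main__":
    spared, targeted = assess(SAMPLE_ADDRESSES)
    for addr, reason in spared:
        print(f"spared   {addr:40s} (matched {reason!r})")
    for addr in targeted:
        print(f"targeted {addr}")
```

Because the filter is a substring test, a single dropped or altered entry in a variant changes the outcome for every address that depended on it, which is the first lesson in the post expressed concretely: being skipped in one wave says nothing about the next.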

