[Full-Disclosure] Mydoom: perfect storm averted or just ahead?

From: Computer Security (c2_protect_at_hotmail.com)
Date: 01/29/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 29 Jan 2004 01:34:26 +0000
    
    

    Worms traveling across the Internet are like waves rolling and swelling
    across an ocean. Just because the first swell does not inundate a
    network, one should not assume invincibility to the next wave in the perfect
    storm.

    Reports vary on Mydoom.a-generated traffic: between 1 in 7 and 1 in 12 Emails.
    Although Mydoom.a infested many networks, it apparently bypassed others.
    Sophos (http://www.sophos.com/virusinfo/analyses/w32mydooma.html) reported
    that the initial variant was programmed to bypass certain domains or
    addresses containing strings including the following:

    acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu,
    google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o,
    isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai,
    panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e,
    unix, usenet, utgers.ed

    Experience shows that programmers are quick to "improve" upon initial code,
    modifying and releasing variants (note Sobig and now Mydoom.b -
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89494,00.html?SKC=news89494).

    Lessons learned:

    1. Do not rest on your laurels, assuming your network has good
    defense-in-depth (executables stripped away at the Email server, Outlook
    security patch installed). The next version could be modified with the
    conditions right to target your environment and hit you with a perfect storm.

    2. It would be difficult for a malicious programmer, cyber terrorist or
    cyber activist to target a specific environment and protect others (e.g.,
    launch a denial of service against SCO.com because I like LINUX and don't like
    SCO's legal actions; protect my computer at Berkley.edu because I don't want
    to affect my own Email). Programmers can easily modify code and launch an
    attack against another environment.

    Karl Wolfgang


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
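As an added illustration of the bypass behaviour the post describes (example code, not from the post or from Sophos): Mydoom.a decided whether to skip a harvested address by testing whether any of the listed strings occurred anywhere in it. The checker below applies that rule to a constructed set of recipient addresses so an administrator can see which of their domains the first variant would have passed over, and therefore which "protected" networks are only one string change away from being targeted, which is the point of lesson 1. The string list is copied from the post; the addresses and the `exposure_report` helper are assumptions made for this example.

```python
# Strings Mydoom.a tested for before skipping an address (as listed in the post,
# quoting the Sophos analysis). Matching is plain case-insensitive substring search.
MYDOOM_A_SKIP_STRINGS = (
    "acketst", "arin.", "avp", "berkeley", "borlan", "bsd", "example", "fido",
    "foo.", "fsf.", "gnu", "google", ".gov", "gov.", "hotmail", "iana", "ibm.com",
    "icrosof", "ietf", "inpris", "isc.o", "isi.e", "kernel", "linux", "math",
    ".mil", "mit.e", "mozilla", "msn.", "mydomai", "nodomai", "panda", "pgp",
    "rfc-ed", "ripe.", "ruslis", "secur", "sendmail", "sopho", "syma",
    "tanford.e", "unix", "usenet", "utgers.ed",
)


def matching_skip_strings(address):
    """Return every skip string that occurs anywhere in the (lower-cased) address."""
    addr = address.lower()
    return [s for s in MYDOOM_A_SKIP_STRINGS if s in addr]


def would_be_skipped(address):
    """True if Mydoom.a would have bypassed this address under the published rule."""
    return bool(matching_skip_strings(address))


def exposure_report(addresses):
    """Split addresses into those the worm skipped and those it would have mailed.

    Hypothetical helper for assessing which parts of a domain list owe their
    'protection' solely to a string match that a later variant can drop.
    """
    report = {"skipped": {}, "targeted": []}
    for address in addresses:
        hits = matching_skip_strings(address)
        if hits:
            report["skipped"][address] = hits
        else:
            report["targeted"].append(address)
    return report


# Constructed sample recipients; none are real mailboxes.
SAMPLE_ADDRESSES = [
    "alice@berkeley.edu",          # skipped: "berkeley"
    "security-team@acme.com",      # skipped: the local part contains "secur"
    "carol@agency.gov",            # skipped: ".gov"
    "dave@mailhost.example.org",   # skipped: "example"
    "bob@acme-widgets.com",        # targeted: no string matches
    "eve@corp-it.co.uk",           # targeted: no string matches
]

if __name__ == "__main__":
    result = exposure_report(SAMPLE_ADDRESSES)
    for address, hits in result["skipped"].items():
        print(f"skipped  {address:30} matched {hits}")
    for address in result["targeted"]:
        print(f"targeted {address}")
```

Note that the rule keys on substrings of the whole address, not on the domain: `security-team@acme.com` is skipped because its local part contains `secur`, while a sibling mailbox at the same company is not. That is exactly the kind of accidental protection the post warns against relying on.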

