RE: Outbreak warning: possibly Mydoom.C (Now Deadhat/Vesser)

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 02/10/04

  • Next message: Harley David: "RE: Why are postmasters distributing the MyDoom virus?"
    Date: Wed, 11 Feb 2004 09:46:01 +1300
    To: bugtraq@securityfocus.com
    
    

    "Larry Seltzer" <larry@larryseltzer.com> wrote:

    Sorry -- I missed this yesterday...

    > All the AV companies are calling this new outbreak "Doomjuice"

    Indeed, for reasons explained in my message yesterday...

    > They all have it as a low-incidence in the wild. What I don't
    > understand is that if it hasn't spread, what caused the attack against
    > Microsoft this morning?

    There are two aspects to this. First, as Gadi suggested, depending on
    the nature of the DDoS attack, a "low incidence" DDoS attack agent can
    still perform a very effective attack (this is particularly so if the
    DoS part of the attack involves some significant multiplier effect --
    very few bytes sent, massive CPU, network response, etc load
    generated). I'm not entirely sure this is the case here, but haven't
    looked closely at it with this in mind...

    Second, how does AV (mostly) judge the incidence of viruses, worms and
    so on? Right -- from incident and rate data collected from their
    scanners, etc. Such measures, by their very nature, will be almost
    blind to Doomjuice. Why? Because Doomjuice _only_ spreads via
    Mydoom.A/.B infected machines and only across the net, P2P-like in
    direct machine-to-machine manner. By and large, AV does not monitor
    such things and to do so, it would actually have to run a Mydoom-
    emulating listener. If AV did monitor for this kind of threat, what
    would it cost? First, it would be soaking up the user's CPU cycles and
    other resources for the "benefit" of monitoring this attack vector
    which is the something the user is not actually vulnerable to because
    they have up-to-date AV and thus, we can assume, are not infected with
    Mydoom in the first place. Multiply by all the other similar backdoors
    and what have you and the load AV s/w imposes on your typical PC (which
    many users of some products already describe as "crippling" the
    machine) would increase considerably. So, Doomjuice only spreads
    through machines that do not have up-to-date AV (else they wouldn't
    have Mydoom to let it in) and only spreads through a medium that AV
    developers (in particular) do not monitor at all closely (notice that
    Email-specific services/vendors such as MessageLabs and Postini will
    not be reporting Doomjuice _at all_ -- I haven't checked, but if they
    are it will be tiny numbers and due to an occasional user-initiated
    action, such as attaching a suspect .EXE to an Email and sending it to
    a security or AV vendor).

    However, a few folk do have relatively specific monitoring for such
    things. Given the rate I'm hearing of _proven_ Doomjuice distribution
    attempts (i.e. the code sent through the "Mydoom update" mechanism is
    actually captured and well-fingerprinted rather than assumed to be
    Doomjuice from some very limited partial capture/signature such as some
    IDS systems are using), it certainly is no Slammer, CodeRed or Blaster,
    but it is definitely out there and probably in numbers enough to
    trouble www.microsoft.com... (That said, www.microsoft.com did not
    seem troubled from New Zealand for much of yesterday. It was dead slow
    late last night but seems OK again this morning -- for now it is
    resolving to www2.microsoft.akadns.net, IP:207.46.245.92.)

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    

  • Next message: Harley David: "RE: Why are postmasters distributing the MyDoom virus?"