
RE: Outbreak warning: possibly Mydoom.C (Now Deadhat/Vesser)



"Larry Seltzer" <larry@xxxxxxxxxxxxxxxx> wrote:

Sorry -- I missed this yesterday...

> All the AV companies are calling this new outbreak "Doomjuice"

Indeed, for reasons explained in my message yesterday...

> They all have it as a low-incidence in the wild. What I don't
> understand is that if it hasn't spread, what caused the attack against
> Microsoft this morning? 

There are two aspects to this.  First, as Gadi suggested, depending on 
the nature of the DDoS attack, a "low incidence" DDoS attack agent can 
still perform a very effective attack (this is particularly so if the 
DoS part of the attack involves some significant multiplier effect -- 
very few bytes sent, massive CPU, network response, etc. load 
generated). I'm not entirely sure this is the case here, but haven't 
looked closely at it with this in mind...

Second, how does AV (mostly) judge the incidence of viruses, worms and 
so on?  Right -- from incident and rate data collected from their 
scanners, etc.  Such measures, by their very nature, will be almost 
blind to Doomjuice.  Why?  Because Doomjuice _only_ spreads via 
Mydoom.A/.B infected machines and only across the net, P2P-like in 
direct machine-to-machine manner.  By and large, AV does not monitor 
such things and to do so, it would actually have to run a Mydoom-
emulating listener.  If AV did monitor for this kind of threat, what 
would it cost?  First, it would be soaking up the user's CPU cycles and 
other resources for the "benefit" of monitoring this attack vector 
which is something the user is not actually vulnerable to because 
they have up-to-date AV and thus, we can assume, are not infected with 
Mydoom in the first place.  Multiply by all the other similar backdoors 
and what have you and the load AV s/w imposes on your typical PC (which 
many users of some products already describe as "crippling" the 
machine) would increase considerably.  So, Doomjuice only spreads 
through machines that do not have up-to-date AV (else they wouldn't 
have Mydoom to let it in) and only spreads through a medium that AV 
developers (in particular) do not monitor at all closely (notice that 
Email-specific services/vendors such as MessageLabs and Postini will 
not be reporting Doomjuice _at all_ -- I haven't checked, but if they 
are it will be tiny numbers and due to an occasional user-initiated 
action, such as attaching a suspect .EXE to an Email and sending it to 
a security or AV vendor).

However, a few folk do have relatively specific monitoring for such 
things.  Given the rate I'm hearing of _proven_ Doomjuice distribution 
attempts (i.e. the code sent through the "Mydoom update" mechanism is 
actually captured and well-fingerprinted rather than assumed to be 
Doomjuice from some very limited partial capture/signature such as some 
IDS systems are using), it certainly is no Slammer, CodeRed or Blaster, 
but it is definitely out there and probably in numbers enough to 
trouble www.microsoft.com...  (That said, www.microsoft.com did not 
seem troubled from New Zealand for much of yesterday.  It was dead slow 
late last night but seems OK again this morning -- for now it is 
resolving to www2.microsoft.akadns.net, IP:207.46.245.92.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
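As an added illustration of the two points made in this reply (not code from the post or its author): a small Python triage that counts Doomjuice sightings per sensor channel and grades each capture as "proven" (the whole payload hashes to a known sample) or "partial" (only a short prefix matched, the kind of evidence a limited IDS signature gives). The channel names, payload bytes and the resulting hash are all constructed assumptions, not real samples or indicators.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a fully captured "Mydoom update" push. Every byte
# here is made up; the hash below is therefore a constructed value too.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"doomjuice-constructed-body" * 4
KNOWN_FULL_HASH = hashlib.sha256(KNOWN_SAMPLE).hexdigest()
# The short prefix a partial IDS-style signature might key on (assumption).
PARTIAL_SIG = KNOWN_SAMPLE[:16]

# Constructed capture log: (sensor channel, payload bytes as captured).
CAPTURES = [
    ("mydoom_listener", KNOWN_SAMPLE),                      # full capture
    ("mydoom_listener", KNOWN_SAMPLE),                      # full capture
    ("ids_partial", PARTIAL_SIG),                           # prefix only
    ("ids_partial", PARTIAL_SIG + b"unrelated-file-data"),  # prefix, other file
    ("smtp_gateway", b"MZ\x90\x00" + b"mass-mailer-body"),  # email channel
]


def grade(payload: bytes) -> str:
    """'proven' if the complete payload hashes to a known sample,
    'partial' if only the short signature prefix matches, else 'none'."""
    if hashlib.sha256(payload).hexdigest() == KNOWN_FULL_HASH:
        return "proven"
    if payload.startswith(PARTIAL_SIG):
        return "partial"
    return "none"


def incidence(captures):
    """Count sightings per sensor channel, split by evidence grade.
    Channels with no matching capture (e.g. the email gateway) are absent,
    which is the blind spot the reply describes."""
    by_channel = {}
    for channel, payload in captures:
        g = grade(payload)
        if g == "none":
            continue
        by_channel.setdefault(channel, Counter())[g] += 1
    return by_channel


if __name__ == "__main__":
    for channel, counts in incidence(CAPTURES).items():
        print(channel, dict(counts))
```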