RE: Outbreak warning: possibly Mydoom.C (Now Deadhat/Vesser)
"Larry Seltzer" <larry@xxxxxxxxxxxxxxxx> wrote:
Sorry -- I missed this yesterday...
> All the AV companies are calling this new outbreak "Doomjuice"
Indeed, for reasons explained in my message yesterday...
> They all have it as a low-incidence in the wild. What I don't
> understand is that if it hasn't spread, what caused the attack against
> Microsoft this morning?
There are two aspects to this. First, as Gadi suggested, depending on
the nature of the DDoS attack, a "low incidence" DDoS attack agent can
still perform a very effective attack (this is particularly so if the
DoS part of the attack involves some significant multiplier effect --
very few bytes sent, massive CPU, network response, etc load
generated). I'm not entirely sure this is the case here, but haven't
looked closely at it with this in mind...
Second, how does AV (mostly) judge the incidence of viruses, worms and
so on? Right -- from incident and rate data collected from their
scanners, etc. Such measures, by their very nature, will be almost
blind to Doomjuice. Why? Because Doomjuice _only_ spreads via
Mydoom.A/.B infected machines and only across the net, P2P-like in
direct machine-to-machine manner. By and large, AV does not monitor
such things and to do so, it would actually have to run a Mydoom-
emulating listener. If AV did monitor for this kind of threat, what
would it cost? First, it would be soaking up the user's CPU cycles and
other resources for the "benefit" of monitoring this attack vector
which is the something the user is not actually vulnerable to because
they have up-to-date AV and thus, we can assume, are not infected with
Mydoom in the first place. Multiply by all the other similar backdoors
and what have you and the load AV s/w imposes on your typical PC (which
many users of some products already describe as "crippling" the
machine) would increase considerably. So, Doomjuice only spreads
through machines that do not have up-to-date AV (else they wouldn't
have Mydoom to let it in) and only spreads through a medium that AV
developers (in particular) do not monitor at all closely (notice that
Email-specific services/vendors such as MessageLabs and Postini will
not be reporting Doomjuice _at all_ -- I haven't checked, but if they
are it will be tiny numbers and due to an occasional user-initiated
action, such as attaching a suspect .EXE to an Email and sending it to
a security or AV vendor).
However, a few folk do have relatively specific monitoring for such
things. Given the rate I'm hearing of _proven_ Doomjuice distribution
attempts (i.e. the code sent through the "Mydoom update" mechanism is
actually captured and well-fingerprinted rather than assumed to be
Doomjuice from some very limited partial capture/signature such as some
IDS systems are using), it certainly is no Slammer, CodeRed or Blaster,
but it is definitely out there and probably in numbers enough to
trouble www.microsoft.com... (That said, www.microsoft.com did not
seem troubled from New Zealand for much of yesterday. It was dead slow
late last night but seems OK again this morning -- for now it is
resolving to www2.microsoft.akadns.net, IP:207.46.245.92.)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854