
[IP] Three on MyDoom! from Risks Digest 23.15

Date: Mon, 2 Feb 2004 9:41:36 PST
From: "Peter G. Neumann" <neumann@xxxxxxxxxxx>
Subject: E-mail activity: VaVaVoom MyDoom!

SpamAssassin is now trapping over 1100 e-mail spam messages to me and RISKS
each day.  IN ADDITION to that, the recent malware activity (MyDoom, etc.)
is awesome.  After putting out RISKS-23.14 on 27 Jan, I did not get a chance
to look at the RISKS mailbox until this morning, and there were 2528 NEW
messages, of which only about 40 were legitimate postings.  Note that I run
absolutely *no* MS software, so don't bother to blame me for any of the
bogus e-mail that seems to come from RISKS.

Subject     Messages
-------     ------
test         407
hi           296
hello        240
status       197
mail deliv.. 188
mail trans.. 185
returned ma. 161
error ...     89
server report 85
undeliver...  77
failure not.  67
... virus ..  44
and many many more with gibberish that I deleted on the basis of their
subject lines alone.

Many thanks to those of you who remember to use the helpful tag string
[noted in the last message in each issue, and which will change as soon as
the spammers start using it].  That tag really encourages me to look at your
e-mail first -- or even at all.  It also enables me to scan through the
thousands of items that SpamAssassin traps, and I think I have found only
one legitimate message that got caught in its web.  (My sincere regrets if I
accidentally deleted any of your legitimate messages.)

Incidentally, RISKS is hugely backlogged at the moment, with material for
about three issues waiting for catching up -- without even thinking about
everything that this issue will generate.

Side note: MyDoom hit SCO yesterday at midnight, as predicted, infecting PCs
beginning in New Zealand.  SCO was reportedly completely paralyzed by the
denial of service attacks, which are expected to continue through 12 Feb.

------------------------------

Date: Wed, 28 Jan 2004 21:56:26 -0500
From: Steve Bellovin <smb@xxxxxxxxxxxxxxxx>
Subject: Risks of virus scanners

For fairly obvious reasons, I just upgraded a family member's anti-virus
software.  She asked me to check a suspicious message; when I saw that the
body said "The message contains Unicode characters and has been sent as a
binary attachment," I knew what I was dealing with.

Of course, the AV software did detect it, and dealt with it in an
appropriately permanent fashion.  But how did it notify the user of what it
found?  It created a .txt file -- as an attachment in the e-mail message...

How long, I wonder, till a virus uses that exact filename and syntax to
hide behind?  Recall that MyDoom is already calling itself things like
"document.txt                      .scr" and the like, to try to hide
the real extension.  Why are the good guys trying to teach people to
click on attachments?

------------------------------

Date: Wed, 28 Jan 2004 19:32:13 -0800
From: Kevin Dalley <kevin@xxxxxxxxxxxx>
Subject: AP blames virus transmission on users

Anick Jesdanun, an AP Internet Writer, wrote an article stating:

  The continued spread of a cleverly engineered computer virus exposes a key
  flaw in the global embrace of technology: Its users are human.

The article is available at:
  http://story.news.yahoo.com/news?tmpl=story&cid=528&e=4&u=/ap/20040128/ap_on_hi_te/e_mail_worm

The e-mail contains an attachment marked
    application/octet-stream; text.zip
or
    application/octet-stream; data.zip

Unzipping the file gives you an executable, perhaps data.scr or text.pif,
again with a misleading name.  Unfortunately, the mail reader knows how to
unzip and execute the file without any warning to the user.

Anick blames the user's trust for the damage.  If the user were warned
before the file were executed, the problem would not be as serious.

comp.risks has covered this topic in 20:44, in June, 1999, where
Steven M. Bellovin says:

  The underlying problem is that there are two different mechanisms used to
  determine file type, and hence how it should be "opened".  One is what is
  displayed to the user; the other is what is actually used.  That way lies
  danger.
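
As an added example, not part of any of the posts above, here is a small
Python checker that applies the two observations Bellovin and Dalley make:
an attachment name padded with whitespace before its real extension, and an
application/octet-stream zip that unpacks to a .scr or .pif. It runs over a
constructed, harmless sample message; every filename and byte string in it is
made up for the illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {".scr", ".pif", ".exe", ".bat", ".cmd", ".com"}  # .scr and .pif are the ones the posts name
# An apparent extension, a run of whitespace, then the extension that is actually honoured.
PADDED_NAME = re.compile(r"\.\w{1,4}\s{2,}\.\w{1,4}$")

def risky_name(name):
    """Return why an attachment name looks disguised, or None if it looks ordinary."""
    lowered = name.lower().rstrip()
    ext = lowered[lowered.rfind("."):] if "." in lowered else ""
    if PADDED_NAME.search(lowered):
        return "whitespace-padded name hides real extension"
    if ext in EXEC_EXTS:
        return "executable extension " + ext
    return None

def scan_message(raw):
    """Walk the attachments of a raw RFC 822 message and return (name, reason) findings."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        reason = risky_name(name)
        if reason:
            findings.append((name, reason))
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # zip magic; the declared MIME type is not trusted
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        why = risky_name(inner)
                        if why:
                            findings.append((name + ":" + inner, "inside archive: " + why))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or truncated zip"))
    return findings

def build_sample():
    """Construct a harmless sample message carrying both attachment shapes (constructed data)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("data.scr", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg.set_content("The message contains Unicode characters and has been sent as a binary attachment.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="octet-stream", filename="data.zip")
    msg.add_attachment(b"xx", maintype="application", subtype="octet-stream", filename="readme.txt          .scr")
    return msg.as_bytes()
```

The check is deliberately independent of the MIME type, since the worm's parts were all labelled application/octet-stream.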

------------------------------

Date: Wed, 28 Jan 2004 23:26:31 -0800
From: Kevin Dalley <kevin@xxxxxxxxxxxx>
Subject: US-CERT warns of worm, forgets to mention operating system

In one of its first actions, US-CERT issued a warning about the
MyDoom.B worm.  Unfortunately, US-CERT forgot to mention the operating
systems which are susceptible to attack from the worm.  The technical
warning is available at:

http://www.us-cert.gov/cas/techalerts/TA04-028A.html

The warning contains hints that the OS is some form of Windows,
mentioning the Windows System directory, but doesn't come out and
identify any operating systems.

On the other hand, CERT's (without "US") warning of Novarg.A worm:

http://www.cert.org/incident_notes/IN-2004-01.html

has a link titled "Steps for Recovering from a UNIX or NT System
Compromise".  CERT doesn't mention the susceptible operating systems,
either, but one could assume that UNIX is at risk.

Chew on these CERTs and you will be lucky to see a spark of light.
