
More MyDoom Gloom

timothy posted more than 10 years ago | from the windows-users-are-mydoomed dept.

Security 730

StarWreck points out this article in The Atlanta Journal Constitution citing "experts who believe the worm was put out for criminal profit motives by spammers and not by Linux Advocates." Further on that, deadmonk writes "MessageLabs is reporting that the recent Mydoom virus seems to have originated in Russia. A place where nobody gives a wet slap about a court case in the U.S. Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say. Read on for some more MyDoom updates, including a new variant (with a new payload), ramifications for Australians, and a forensic analysis of the worm.

fudgefactor7 writes "Hot on the heels of the last virus, Mydoom.b is on the loose. According to Computerworld, this variant has a larger payload and targets Microsoft's Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc. Patch those systems and keep your A-V up to date. Definitions are available currently."

decaying writes "With the amount of virus-laden emails flying about due to the latest virus, Australian ISP Optus have started selectively blocking port 25 outbound. Optus say they are acting in accordance with their "Terms of use", quoting that they reserve the right to restrict access to any TCP/IP port. The only option is to use Optus' SMTP server and nothing else. Community site Whirlpool has an on-going discussion about the issue."

carnun writes "Just another link on MyDoom. Apparently the FBI are also getting in on the act. Interesting to see such a fast response." And to me, the most interesting one: Zeriel writes "After much discussion on a mailing list discussing trojan horses, some people have reached the conclusion that MyDoom doesn't accomplish its stated goal of DDOSing SCO at all! Choice quote from the analysis: "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."


FP (-1)

CmdrTaco (troll) (578383) | more than 10 years ago | (#8117501)

FAGS.

Re:FP (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117663)

Lick my nutsack dilhole. Fucking faggot ass republican. Everyone know that you stupid faggots are all closet homosexuals. go back to your log cabin you flaky bint.

Hey AL Frankin! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8117816)

Why don't you just tackle the guy and show him more of your intellectual wit.

Off Track (5, Insightful)

andyrut (300890) | more than 10 years ago | (#8117503)

It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

While I despise these worms, you've got to admit that some of these more recent ones are pretty ingenious:

Blaster - The only way to fix it is to grab stuff from Microsoft? Have it DDOS Windows Update.
MyDoom - Hate SCO, Love Linux? Target Microsoft systems and leave Linux machines alone. Have it DDOS SCO.

Re:Off Track (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117649)

It's entirely possible that the authors of this virus targeted SCO, simply to make it appear that Linux zealots were responsible...to throw off the law enforcement officials who might look for the culprit in the Linux community.

Yeah, because the FBI is full of people who are too stupid to deal correctly with decoy strategies. Not. How dumb do you have to be to actually think this malware was created by Linux zealots?

Re:Off Track (4, Insightful)

B'Trey (111263) | more than 10 years ago | (#8117803)

It is entirely possible the SCO connection is a red herring. However, it's also possible it's an attempt to kill two birds with one stone. I certainly hope the author wasn't a Linux zealot trying to harm SCO. However, the argument that a Russian Linux user wouldn't care about the SCO trial doesn't hold water. Linux has come a long way in recent years and a large part of its progress is directly attributable to commercial companies who have either invested in Linux, contributed code to Linux, or supported Linux developers. SCO's case appears extremely weak, and the chances of them having any sort of success seem very remote. However, if SCO were to win their case, it could heavily damage the Linux movement. Particularly if SCO were to be found to have ownership rights in certain technologies, it isn't at all certain that a rewrite of the relevant portions of the kernel would be sufficient to remove the taint. Linux users worldwide could be affected.

This is, of course, a worst-case scenario and it doesn't provide any evidence that Linux fans were connected in any way. However, one can't dismiss the possibility simply because it came from Russia.

I knew it... (0, Funny)

Anonymous Coward | more than 10 years ago | (#8117509)


.. believe the worm was put out for criminal profit motives ..

So it was SCO!

McBride interview (5, Insightful)

BWJones (18351) | more than 10 years ago | (#8117512)

I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

Of note: Darl McBride was on local (Utah) television last night with a stinging quote. "What we are seeing here is the dark side of the open source movement" or something very close to that. I thought, no dude, you have it all backwards. SCO is the dark side of the open source movement.

Re:McBride interview (3, Insightful)

vladkrupin (44145) | more than 10 years ago | (#8117570)

I think - No, dude, SCO is not the dark side of the open source movement. Aside from old Caldera, it has no relation to any side of the open source movement.

Re:McBride interview (5, Funny)

haystor (102186) | more than 10 years ago | (#8117583)

Bah!

The virus is closed source and runs on Windows. It clearly has nothing to do with GNU/Linux.

Hehe, insert joke about BSD catching a virus...

Re:McBride interview (0)

Anonymous Coward | more than 10 years ago | (#8117653)

Hehe, insert joke about BSD catching a virus...

How could it? It's dead.

Re:McBride interview (3, Funny)

Vagrant (518197) | more than 10 years ago | (#8117633)

SCO is the dark side of the open source movement.
Darth McBride: "You underestimate the power of the dark side. If you will not fight, then you will meet your destiny."

close (2)

doug (926) | more than 10 years ago | (#8117670)

SCO is the back side of the open source movement.

Darling (1, Funny)

nnnneedles (216864) | more than 10 years ago | (#8117714)

On a related note, I found this on urbandictionary.com:

(remove the spaces that /. adds)
http://www.urbandictionary.com/define.php?t erm=dar l&f=1

http://www.urbandictionary.com/define.php?term=d ar l+mcbride&f=1

http://www.urbandictionary.com/define.php?term=m cb ride&f=1

It seems the search engine on urbandictionary.com is so smart, you don't even have to add a definition to get the right search results!

The current definitions:

No definitions found for "mcbride."

Suggestions:

jackhole
8 votes

a dumbshit

Fucker quit being a jackhole!

tea bag
40 votes

(v). To lower your body as to dip the testicles into her mouth as the woman is tounging the scrotum.

Hey man, you should have seen the look on that bitches face when I tea bagged her.

I suggest not to mess with the definitions as these suggestions are even funnier than the real thing. Thanks! :)

Re:McBride interview (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117734)

Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users

Fuck you. Seriously. FUCK YOU. Step away from your fucking computer and look around you. There is much worse going on in the world. Like anyone cares what you opensource morons think.

doesnt matter. (1, Insightful)

eyeareque (454991) | more than 10 years ago | (#8117513)

we will never see an apology from SCO.. they will be gone and bankrupt before too long.

It's another case against OS monoculture (4, Informative)

Eyah....TIMMY (642050) | more than 10 years ago | (#8117517)

It was covered [slashdot.org] last week.

Basically, to limit the spread of a worm on a network such as the internet, we can only diversify to make sure not all machines go down.

Here's a presentation [defcon.org] (sorry I could only find a PowerPoint version) that was made by Jonathan Wignall [defcon.org] at DefCon last year about this topic. Same conclusion, diversifying is the necessary to combat worms.

Eventually, that might not help. (2, Interesting)

qortra (591818) | more than 10 years ago | (#8117784)

Many worms nowadays are capable of traveling along multiple protocols and containing multiple payloads. Of course, worm writers generally don't bother because there are indeed far more copies of Windows out in the wild than anything else. However, if we began to see a more substantial plurality of OSes, I suspect multiple-architecture worms would become more commonplace; just pick your favorite exploit from each OS, and make a separate payload for each. The worm might double or triple in size (depending on the number of architectures supported), but authors won't care.

Furthermore, universal binaries like those associated with Java or .NET/Mono might eventually make it so worm writers don't even have to include multiple payloads; just multiple exploits.

Maybe diversifying will help a little for a short while, but the real solution to this problem is to write better code.

Re:It's another case against OS monoculture (1)

Random Guru 42 (687672) | more than 10 years ago | (#8117786)

Yeah. When you're running nothing but Windows, it doesn't matter how distributed or decentralized your network is. It'll die all the same.

But on the other hand, if everyone uses Linux exclusively, you know that people will find ways to make working virii and worms for it, too.

Re:It's another case against OS monoculture (1)

Trolling4Dollars (627073) | more than 10 years ago | (#8117796)

Couldn't be more true. Where I work nearly everyone uses Windows on the desktop. When Blaster hit last year, a number of systems in my department were hit. But being the odd man here who runs Redhat as my desktop, well... I didn't feel a thing. Even better, I was able to use my box to connect to our routers and begin throwing down access lists and blocking the spread. I was also able to use open source tools to track down more infected systems outside of our department. Did anyone learn anything here? No. Windows is too easy for them, but that's going to change as we are becoming more and more Unix oriented on the servers. (Previously Windows and OpenVMS)

OT,but someone needs to make the [NO CARRIER] joke (0)

Anonymous Coward | more than 10 years ago | (#8117520)

I haven't been affected since I don't use Outloo=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]

Re:OT,but someone needs to make the [NO CARRIER] j (1)

allism (457899) | more than 10 years ago | (#8117572)

That would be funnier if the worm needed Outlook to spread. Unfortunately, it's got its own SMTP engine.

Re:OT,but someone needs to make the [NO CARRIER] j (0)

Anonymous Coward | more than 10 years ago | (#8117610)

Thanks for the info. Someone mod +5 inform=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]

Re:OT,but someone needs to make the [NO CARRIER] j (0)

Anonymous Coward | more than 10 years ago | (#8117701)

OK, that WAS funny...

Re:OT,but someone needs to make the [NO CARRIER] j (1)

Cosmik (730707) | more than 10 years ago | (#8117801)

That's the point of the parent post. He doesn't use Outlook but got infected anyway via other means.

whoever made it (-1, Flamebait)

kyknos.org (643709) | more than 10 years ago | (#8117523)

i like the beast. every damage to windows counts :o)

--

Re:whoever made it (0)

Anonymous Coward | more than 10 years ago | (#8117752)

I like your sig. You could change it to "Europe, Proving Americans Wrong Since The Spanish Inquisition" Just kidding.

New DDOS targets (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#8117524)

Mydoom now DDOSes sco.com and microsoft.com

For profit? (2, Interesting)

spun (1352) | more than 10 years ago | (#8117525)

You mean, a big bag of money showed up on some spammer's doorstep with a note promising much more if a DDoS against www.sco.com is included in the next release?

Completely untraceable, even if caught: the spammer wouldn't know who sent the money, and could even claim, "I think it was some Linux Zealot."

OK, Deadmonk!! (2, Funny)

Anonymous Coward | more than 10 years ago | (#8117529)

Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users.

We'll get right on that!

Sincerely,
The Mass Media.

In addition, not instead of (4, Informative)

allism (457899) | more than 10 years ago | (#8117537)

The B variant [kaspersky.com] targets both Microsoft and SCO.

Re:In addition, not instead of (0, Redundant)

graniteMonkey (87619) | more than 10 years ago | (#8117596)

Well that just reinforces my belief that it's actually a conspiracy by Microsoft and SCO to discredit the Open Source Movement(tm), just like everything else that gets Slashdot's attention.

Either way... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117545)

If you haven't already, I suggest you download and install linux immediately. By doing so you are reducing the impact of winworms, and you're letting SCO know that you don't care about them!

So install [redhat.com] linux [mandrake-linux.com] today! [lindows.com]

Am I the only one? (4, Funny)

CGP314 (672613) | more than 10 years ago | (#8117553)

place where nobody gives a wet slap

Anyone care to clarify what a wet slap is?

--
In London? Need a Physics Tutor? [colingregorypalmer.net]

American Weblog in London [colingregorypalmer.net]

Re:Am I the only one? (1)

Samuel Duncan (737527) | more than 10 years ago | (#8117601)

You hit someone on the unclothed bottom with a wet towel.

Re:Am I the only one? (1)

j0keralpha (713423) | more than 10 years ago | (#8117625)

This is a reference to Hitchhiker's Guide to the Galaxy, where this phrase is used in a number of places...

Ford:'The best cooks and The best drinksmixers, and they dont give a wet slap about anything else...'

Re:Am I the only one? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117646)

When a girl is aroused, her vagina becomes lubricated. The coloquial term for this is 'getting wet'. Now, the guy with the girl will put his erect penis into the lubricated vagina. At this point he can either bend her over a couch or lay her down at the edge of a bed, whatever. Next, the guy will thrust in and out of the lubricated vagina, producing a wet slapping sound. This goes on until the couple reaches orgasm, also called 'cumming'. Let me know if you need anything else explained. I'll come to you if I ever need any physics help, OK? It sounds like you know a lot about that!

Re: Am I the only one? (1)

Black Parrot (19622) | more than 10 years ago | (#8117650)


> Anyone care to clarify what a wet slap is?

It's like a dry slap, but done in the shower.

Re:Am I the only one? (1)

glubbs (526448) | more than 10 years ago | (#8117671)

Anyone care to clarify what a wet slap is?

Whatever it is, we can be sure it's not coming from Russia.

Re:Am I the only one? (0)

Anonymous Coward | more than 10 years ago | (#8117705)

You know blogging about your moving to London is not very becoming. Especially with that ridiculous flag with your initials over it. Get some class man, seriously. I mean, when you sat down to make that icon, what in the hell were you actually thinking? "This will show everyone out there that I'm someone. I'm in Britain, and I'm going to advertise it!"
LOL!

MY SON GETTING BUSY IN THE BASEMENT (-1, Troll)

Michael's Mommy (746184) | more than 10 years ago | (#8117707)

WITH HIMSELF. Schwing!!

soviet russia (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117787)

in soviet russia slaps wet you!

I wish all mail admins.. (5, Insightful)

grub (11606) | more than 10 years ago | (#8117554)


.. would TURN OFF those blasted "Your mail has a virus!" auto-replies. They accomplish nothing but the generation of yet more useless traffic.

Bravo! (4, Funny)

Dman33 (110217) | more than 10 years ago | (#8117654)

Not to mention all of the scared users calling the helpdesk insisting that they are infected.

"Dude, you are using PINE! You are NOT infected!!!"

Re:I wish all mail admins.. (1)

allism (457899) | more than 10 years ago | (#8117667)

There was an article advising this on, I think, one of the major news sources (can't remember which one) - it said that since most email spreading programs spoof the return address, there's no reason to have the auto-replies.

I feel your pain - I have gotten almost as many auto-replies as I have gotten worms - and they're directed back at an email that I don't even have outgoing access to...

Re:I wish all mail admins.. (1)

Random Guru 42 (687672) | more than 10 years ago | (#8117756)

I agree! A lot of them ship the original message back, too, and with all the spammers pretending to be from my domain, it certainly helped fill up my allotted space on the server.

Security could be easily enhanced (3, Interesting)

Samuel Duncan (737527) | more than 10 years ago | (#8117555)

Two steps:
  • Make bad system administrators personally responsible for the damages they create by not fixing security holes.
  • Give physical punishment to the virus writers. Money charges won't usually do the trick (paid by parents/community), but a decent spanking will teach them a lesson.

Re:Security could be easily enhanced (1)

E-Rock (84950) | more than 10 years ago | (#8117741)

Yea... In case you didn't pay any attention at all, this virus relies on the user to do something stupid. Any mailreader that supports attachments and has a user at one end is vulnerable. Also, these viruses already are illegal. They can't catch them to do anything at all to them.

Proof of who's lying (5, Interesting)

Saven Marek (739395) | more than 10 years ago | (#8117557)

I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis...I have played with the date, etc, but still no activity directed toward www.sco.com." The link also includes disassembly and analysis of the worm code."

So basically, SCO being down right now is Yet Another Big Lie from SCO. Nice to see them shown up as spreaders of misinformation yet again. I'm sure the FBI will love to hear their excuses as to why they're pretending to be down, especially if they're attempting to blame the worm. Fascinating

Please Remember! (5, Insightful)

Bruce Perens (3872) | more than 10 years ago | (#8117559)

Excerpted from perens.com/SCO/DOS/ [perens.com], this bears repeating.

It is likely that this virus has been assembled for the purpose of defaming the Linux developers by spammers, SCO, or others. Your behavior will influence whether or not it succeeds in this mission.

Thus, I urge all persons who have sympathy for Free Software, Open Source, and Linux:

  • Do not cheer on attacks on the SCO site. By doing so, you falsely implicate our community in the attacks, in the eyes of outsiders who read your words. Our community believes in freedom of speech, not silencing our opponent's speech through net attacks. We will defeat SCO using the truth, not by gagging them.
  • Publicly deplore the attacks as an attempt to defame us, and not an effort of our community. Show others this notice.
  • Continue to fight SCO, using all legal means at your disposal. Show others the analysis of SCO's ongoing fraud at Groklaw.net [groklaw.net] and elsewhere, and explain to them your own experience as a participant in the Free Software community.
  • Continue the visible presence of Free Software as a force for good in the world by producing excellent original software for everyone's free use and deploying it wherever possible. Promote these projects to the press and public as you carry them out. Do what you can for other public-good projects such as schools and non-profit organizations. FreeGeek.org [freegeek.org] is an excellent example of how to carry this out.
  • Show others by example that our side always takes the high road. When they see a low-road sort of action like denial-of-service, spam, or stock fraud, they'll know who to blame.

Remember that your actions count. You are ambassadors of our community.

Re:Please Remember! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117635)

You are such a dick.

The ultimate call for group think. (0)

Anonymous Coward | more than 10 years ago | (#8117721)

I'll laugh at SCO if I want to thank you very much.

I personally like to see SCO denial of serviced to kingdom come.

Free software is neither good nor evil. SCO are evil.
It depends on the people who run the stuff.

Look a whole group of people obviously didn't write this virus. There isn't a sourceforge project named MyDoom.
If the media or public can't figure that out then screw them.

SCO can kiss my arse.

Re: Please Remember! (1)

Black Parrot (19622) | more than 10 years ago | (#8117748)


> Do not cheer on attacks on the SCO site.

Not even a <nelson>Ha, ha!</nelson> [wiktionary.org] ?

Re:Please Remember! (0)

Anonymous Coward | more than 10 years ago | (#8117785)

I want to congratulate whoever wrote this virus, if it is indeed directed at SCO. SCO NEEDS TO BE TARGETED with lots more evil viruses for taking on Open Source. HURRAH FOR VIRUS WRITERS! I LOVE LINUX!

Hmm (0)

Anonymous Coward | more than 10 years ago | (#8117561)

...the only activity I can get it to perform related to www.sco.com is to

resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com.
there's a simple solution then,
everybody set their DNS servers to drop SCO off,
worm propagation stops!

Re:Hmm (0)

nil5 (538942) | more than 10 years ago | (#8117606)

Umm that wouldn't fly. Then I couldn't pay my linux licensing fee.

what??? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8117562)

I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users." Why, from whom? Why would you be personally offended by this? Nothing has been proven. It is fairly obvious that whoever wrote this doesn't like SCO. Why not like SCO? The most logical reason is because you are a fan of Linux. So while unlikely that it is anyone involved with Linux development, it is almost assuredly some fanboy, which sadly reflects upon the community. So like it or not, this worm rightly reflects the views of some people in the OSS community. You have to learn to control the loose cannons! But really, don't get so offended, just an OS here, nothing that really matters.

It's interesting (3, Interesting)

nil5 (538942) | more than 10 years ago | (#8117564)

if this is not a more effective form of economic terrorism, I don't know what is. These worms seem to cost US companies millions if not billions of dollars, and they're probably not so difficult to develop either.

With such a hugely damaging effect for such little cost, wouldn't you say that is almost the perfect weapon?

Re:It's interesting (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8117713)

ohtehnos! terrorists are stoled my megahurtz!!!!1111~~~one

We've gotta do something about Russia (-1, Troll)

77Punker (673758) | more than 10 years ago | (#8117566)

I don't have anything against Russians; I've never met one. However, the Russian gov't needs to wake up and do something about all of the criminals it harbors. They write all of the major viruses, distribute drugs, and distribute weapons. It's bleedin obvious where all the problems come from, it's time for something to happen.

Re:We've gotta do something about Russia (1)

plams (744927) | more than 10 years ago | (#8117641)

In Soviet Russia something happens to YOU!

Re:We've gotta do something about Russia (1)

corbettw (214229) | more than 10 years ago | (#8117652)

However, the Russian gov't needs to wake up and do something about all of the criminals it harbors.

Bwa-ha-ha!!! Considering how many criminals are in the Russian government*, I don't think anything's gonna change any time soon.

* Yes, yes, I know this is true for most governments, but the line between organized crime and government power seems blurriest in Russia at the moment.

I HATE MY SON!!!!!!! (-1, Troll)

Michael's Mommy (746184) | more than 10 years ago | (#8117764)

Michael is the WORST slashdot editor, PERIOD!!! WE HATE MICHAEL! Hates michael. A lot.

hahhaha! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8117573)

but until someone's caught, or fesses up,

When I first read that, it looked like 'feces'. LOL!

getting sick of this shit... (0)

Anonymous Coward | more than 10 years ago | (#8117580)

how about we write a worm/virus/whatever and have it look for spamming machines. then use the open ports on the compromised machines and just blow them away....wipe out C/D/E/F drive, / or whatever else gradually (say one file every hour or so) until all the spamming machines die.
anyone want to volunteer for this ?

Re:getting sick of this shit... (1)

spydir31 (312329) | more than 10 years ago | (#8117647)

Good idea, but then 90% of windows machines will be dead

Not to condone writing worms.... (3, Interesting)

phaetonic (621542) | more than 10 years ago | (#8117600)

Wouldn't it be ironic if a worm were to DDoS slashdot.

Re:Not to condone writing worms.... (0)

Anonymous Coward | more than 10 years ago | (#8117749)

Wouldn't it be ironic if a worm were to DDoS slashdot.

Only if the source was slashdot.

Re:Not to condone writing worms.... (2, Insightful)

allism (457899) | more than 10 years ago | (#8117788)

Don't give them ideas...although it WOULD be interesting to see what kind of load /. can handle...on Sept 11, it seemed like it was the only site up, so it can handle quite a bit, but I guess the question is - which is greater - /.'s load handling or the number of stupid Windows users?

(Not trolling by saying stupid Windows users - it could just as easily be written as stupid computer users who happen to be using Windows - but....anyway, I'm rambling, I will shut up now.)

Heh. (1)

Black Parrot (19622) | more than 10 years ago | (#8117607)


My Slashdot story page has a MS ad for an "earlybird" special. If you're not getting YourDoom fast enough, that's the ad for you!

I don't find the fast reactions unbelievable... (5, Informative)

Coocha (114826) | more than 10 years ago | (#8117608)

... here at Virginia Tech, the virus has had our pop/smtp servers down since sometime last night. Apparently it infected our financial aid listserv, which caters to 51,000 email addresses, most of them in the vt.edu domain. Not to mention 8000 of the not-so-savvy on-campus undergrads whose systems have been infected. In the 4+ years I've been here, this is the longest downtime for our email system yet, even considering the downtime a couple routine server rebuilds caused. I'm sure other institutions, agencies, and businesses are experiencing unheard-of downtimes as well.

Re:I don't find the fast reactions unbelievable... (1)

djward (251728) | more than 10 years ago | (#8117775)

Yep, been here even longer and same story. Never seen the email system down for more than ~6 hours. I think they just turned off the mail system to halt spread of the thing, more than the servers melting - the POP server still responds instantly to a ping but it's not allowing connections.

Still no updated virus defs (1)

j-turkey (187775) | more than 10 years ago | (#8117609)

Definitions are available currently

According to the official site [sourceforge.net] (at 5:00 EST) there are still no ClamAV defs available for the .b variant of this worm (affectionately known as Worm.SCO.*).

Does anyone know where I can grab (and submit) a signature...or a copy of it (without waiting for it to trickle into a user's mailbox)?

Huh?! (4, Insightful)

pclminion (145572) | more than 10 years ago | (#8117614)

Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

What the hell would it matter anyway? Evil spammers probably also use toothpaste. Does that make everyone who uses toothpaste evil?

The fallacious logic here astounds me. Wait, no it doesn't.

Innocent domain owners (0)

Anonymous Coward | more than 10 years ago | (#8117627)

How about domain names (fake e-mails) that are being sent out by the worm because your ISP happens to proxy your connection (and allows un-secured windows users) and logs your e-mails being sent from your "unavailable to the world and NOT open for relay mail server".

Will the blocking zealots block everyone......or will we have some sense of control in this scenario.

Being able to use my own mail server is one of the many reasons I use open source!

Linux users (3, Insightful)

gid13 (620803) | more than 10 years ago | (#8117636)

From the post: "Personally, I'm looking for a serious apology (or at least a retraction) for the 'alleged' link between this ugly little nasty and Open Source / Linux users."

I don't know what it is with people trying to represent such large groups. Every group has nasty people in it! Since Linux is generally more efficient once set up (IMHO, anyway), then OF COURSE people will use it to do nasty things like serve spam and make DOS attacks and so on. I don't get why people are so patriotic all the time... "He's American! No AMERICAN could be evil!" Sigh...

It's a conspiracy! (1)

techno-vampire (666512) | more than 10 years ago | (#8117638)

The worm was obviously written and released by a Windows fanatic, and designed both to harm SCO and give Linux a black eye!

Does Andy work at SCO (4, Interesting)

jaymzter (452402) | more than 10 years ago | (#8117639)

A report [channelnewsasia.com] covering F-Secure's work on the virus reveals this interesting comment imbedded in the virus:

Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator

My tinfoil hat says it's some poor guy at SCO!

If I've said it once . . . (5, Informative)

Leroy_Brown242 (683141) | more than 10 years ago | (#8117672)

I've said it a thousand times.

  1. Mutt [mutt.org]
  2. Spamassassin [spamassassin.org]
  3. Greylisting [puremagic.com]
  4. Profit!

If it weren't for /., I'd have never noticed.
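Greylisting (item 3 above) in working form, as an added example written for this page rather than code from the post or from puremagic.com. It keys on the (client network, envelope sender, envelope recipient) triplet, defers the first attempt with a temporary SMTP failure and accepts only a retry that arrives after a delay; the timing constants and the sample addresses and IPs are assumptions, and the premise that a mass-mailer with its own SMTP engine (as noted earlier in the thread) typically never retries a 4xx is stated as the rationale, not as a fact about any specific worm.

```python
"""Minimal greylisting decision engine (added illustration, not the page's code).

A well-behaved MTA queues a message on a 451 reply and retries later; a mailer
that fires once and never retries never gets past the first attempt.
Constants below are assumed values, not anything the page specifies.
"""
from dataclasses import dataclass
import ipaddress

GREYLIST_DELAY = 300                  # seconds a new triplet must wait before acceptance
RETRY_WINDOW = 4 * 3600               # a retry later than this counts as a fresh attempt
AUTO_WHITELIST_TTL = 36 * 24 * 3600   # how long an accepted triplet stays known


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False


class Greylister:
    def __init__(self, delay=GREYLIST_DELAY, retry_window=RETRY_WINDOW,
                 ttl=AUTO_WHITELIST_TTL):
        self.delay = delay
        self.retry_window = retry_window
        self.ttl = ttl
        self.entries: dict[tuple[str, str, str], Entry] = {}

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Large senders retry from sibling hosts, so key on the client's /24
        # rather than the exact address (a common greylisting convention).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code to give this attempt: 451 (defer) or 250 (accept)."""
        key = self._key(client_ip, sender, recipient)
        e = self.entries.get(key)
        if e is None:                            # never seen: defer and remember it
            self.entries[key] = Entry(now, now)
            return 451
        if e.passed:
            if now - e.last_seen > self.ttl:     # whitelist entry went stale: start over
                self.entries[key] = Entry(now, now)
                return 451
            e.last_seen = now
            return 250
        age = now - e.first_seen
        if age > self.retry_window:              # waited too long: treat as a new attempt
            self.entries[key] = Entry(now, now)
            return 451
        if age < self.delay:                     # retried too early: keep deferring
            e.last_seen = now
            return 451
        e.passed = True                          # retried after the delay: let it through
        e.last_seen = now
        return 250


def simulate():
    """Constructed delivery attempts (sample data, not captured traffic):
    a legitimate MTA retrying after one and ten minutes, and a fire-and-forget
    mailer that tries once per forged source and never retries.
    Returns the reply codes each one saw."""
    g = Greylister()
    t0 = 1_000_000.0
    legit = [g.check("192.0.2.10", "alice@example.org", "bob@example.net", t0 + dt)
             for dt in (0, 60, 600)]
    worm = [g.check("198.51.100.7", "forged@example.com", "bob@example.net", t0)]
    # A different spoofed source with the same addresses is a new triplet: deferred again.
    worm.append(g.check("203.0.113.9", "forged@example.com", "bob@example.net", t0 + 30))
    return {"legitimate_mta": legit, "worm_engine": worm}


if __name__ == "__main__":
    for name, codes in simulate().items():
        print(f"{name}: {codes}")
```

The trade-off is that first contact from every new correspondent is delayed by at least the configured delay, so known-good relays and mailing-list hosts are normally exempted from the check.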

Not here either (1)

nocomment (239368) | more than 10 years ago | (#8117676)

MyDoom doesn't accomplish its stated goal of DDOSing SCO at all!

I've done some testing here too. I have yet to see 1 single packet move from the infected machines. I had some infected yesterday, and after checking my squid logs (ALL port 80 traffic gets forced through the squid proxy) I saw not 1, not 2, but ZERO traffic generated by the virus (mass emailing aside). Maybe it's busted? Was all the hype for nothing?

Open Source Virus Scanner caught it (1)

prandal (87280) | more than 10 years ago | (#8117680)

ClamAV [clamav.net], the Open Source virus scanner, caught it on our email gateway this afternoon, whilst McAfee's uvscan with the 4319 DATs didn't find a thing.

A big thanks to the ClamAv team.

Phil

The new payload is to DDoS MS (4, Funny)

dupper (470576) | more than 10 years ago | (#8117683)

All right, it's clearly one of us. 'Fess up, J. Random Slashdotter.

Also, you forgot to make an RIAA variant, dumbass!

Spammers use Linux? (1)

EvilGrin666 (457869) | more than 10 years ago | (#8117687)

If you were a spammer wouldn't it be in your best interest not to be using Windows? You can't spam very well if you're getting spammed/virused to death.

Reality Check (0, Redundant)

benna (614220) | more than 10 years ago | (#8117691)

OK listen. I hate SCO as much as any of you. This is a clear pump and dump. However, I am getting sick of people saying SCO or someone wanting to discredit the open source community wrote this worm. I can think of A LOT of linux supporters that would have done this in a second if they had thought of it. The chances are, it was a linux supporter. I'm not saying whether I support the people that did this or not. I'm really not sure, but I am also getting tired of this "holier than thou" attitude of people who say it's not good because it makes open source look bad blah blah blah. I'm beginning to think we must fight fire with fire. We must fight these tactics of SCO, tactics that may even be illegal under RICO, with tactics that are less than legal. Maybe it is time we start doing things designed to bring down SCO, just as they are trying to bring down linux. The legal process will take years. SCO will probably do a lot more damage in that time than some worm written by a linux supporter. So we must do something. WE MUST FIGHT!

Re:Reality Check (0)

Anonymous Coward | more than 10 years ago | (#8117792)

moron.

Yahoo! Frames! (1)

belgar (254293) | more than 10 years ago | (#8117695)

Silly Messagelabs, using frames. [messagelabs.com] What a treat to see the internet circa 1998. And, it doesn't work in Safari.

We have you now... (2, Funny)

RobinH (124750) | more than 10 years ago | (#8117698)

Of course, there could be evil spammers who also like Linux (or don't like SCO), but until someone's caught, or fesses up, it's impossible to say.

That sounds like terrorist speak to me. Thanks to recent legislation, anyone running Linux can now be 'detained' indefinitely without evidence. God bless Micro^H^H^H^H^H^H America.

Of course it wasn't some malicious Linux user (4, Insightful)

bogie (31020) | more than 10 years ago | (#8117700)

This was some criminal capitalizing on the hot topic of the Linux vs SCO debate. If this worm had targeted the whitehouse.gov site you'd have the same idiots saying terrorists did it. These criminals just used Linux as a scapegoat. I try to avoid reading articles about this worm because I just can't stomach reading all these posts about how the OSS community should "tread lightly" etc. Get a clue people.

Port Blocking (1)

narfbot (515956) | more than 10 years ago | (#8117709)

Cox HSI already blocks port 25. The only way to send outbound email, even if you have a legitimate remote server, is through them -- it's really cruddy.

Cox also blocks other ports, which is obviously because of Windows worms. Port 80, for example, was blocked because of Code Red. Port 25 could have been blocked for the same reason, but spam is definitely another major reason for it.

Cox also prohibits bandwidth usage now, supposedly.

Reread what I just said with the tone that the rampant Cox TV advertisements use, and find out what service you really get for progressively HIGHER prices. The only other viable broadband ISP is Qworst, and I've already seen what it is like there.

So thank you Windows worms for ruining my ISP access even when I used Linux on the connection! Those Windows problems every time!

How to filter the worm: (3, Informative)

Saint Aardvark (159009) | more than 10 years ago | (#8117717)

From a posting on the SecurityFocus Incidents mailing list [securityfocus.com]:

------- Forwarded message follows -------
From: lsi <stuart cyberdelix net>
To: focus-virus securityfocus com
Subject: how to filter the Novarg virus
Send reply to: stuart cyberdelix net
Date sent: Wed, 28 Jan 2004 17:35:57 -0000

I have devised a near-bulletproof Novarg filter.

The following regular expressions trap this virus dead, no matter
what subject line, message body, or filename it uses:

If expression body matches "UEsDBAoAAA*" Move [virus folder]

If expression body matches "TVqQAAMAAA*" Move [virus folder]

This is because the worm is in fact the same program with many
disguises. However the program looks the same when encoded with
MIME. Therefore, the above are basically 'MIME sigs' which work just
like a virus signature in a regular virusscanner.

So to find it we merely filter on the MIME strings above, which are
the first 10 bytes of the MIME content section.

For users without enterprise-class content filters (such as me),
these two regexp's work like a silver bullet.

(That two different sigs are required suggests there are two versions
of the virus in circulation.)

No silver bullet for auto-notification messages, unfortunately :(

Stuart

------- End of forwarded message -------
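The filter in the forwarded message, as an added example that is not part of the post: the two 'MIME sigs' applied to the body lines of a constructed message, plus a decoder that shows what file magic each base64 prefix actually encodes. The message layout, the attachment line (a generic MZ/DOS stub, not worm data) and the function names are assumptions.

```python
import base64
import re
from typing import Optional

# The two 'MIME sigs' from the forwarded post, compiled as regular
# expressions exactly as written there (the trailing '*' applies to the last 'A').
NOVARG_SIGS = [re.compile(r"UEsDBAoAAA*"), re.compile(r"TVqQAAMAAA*")]


def base64_prefix_to_bytes(prefix: str) -> bytes:
    """Decode the leading whole 4-char groups of a base64 line.

    Shows what a sig really encodes: 'UEsD...' is a zip local file header
    (bytes PK 03 04), 'TVqQ...' is a DOS/PE executable header (bytes MZ).
    """
    usable = prefix[: len(prefix) - len(prefix) % 4]
    return base64.b64decode(usable)


def body_matches_novarg(message: str) -> Optional[str]:
    """Return the sig text matched at the start of a body line, else None.

    Mirrors the post's rule: the top-level headers are skipped and every
    body line is tested against each sig. Caveat: like the original rule it
    only sees base64 lines, so an attachment sent with a different transfer
    encoding would pass through.
    """
    _headers, _sep, body = message.partition("\n\n")
    for line in body.splitlines():
        for sig in NOVARG_SIGS:
            m = sig.match(line.strip())
            if m:
                return m.group(0)
    return None


def make_sample(attachment_line: str) -> str:
    """Build a constructed multipart message carrying one base64 attachment line."""
    return (
        "From: user@example.invalid\nSubject: hello\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\n\n--XYZ\n'
        'Content-Type: application/octet-stream; name="document.pif"\n'
        "Content-Transfer-Encoding: base64\n\n" + attachment_line + "\n--XYZ--\n"
    )


# Constructed samples: a standard MZ/DOS stub header versus plain text.
MZ_LINE = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_INFECTED = make_sample(MZ_LINE)
SAMPLE_CLEAN = make_sample("SGVsbG8sIHRoaXMgaXMganVzdCB0ZXh0Lg==")
```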

Patch patch scratch and lose (2, Interesting)

djupedal (584558) | more than 10 years ago | (#8117731)

OS X....works for me...all go to the trash.

Oh what a relief it is :)

Any ideas (1)

maztuhblastah (745586) | more than 10 years ago | (#8117744)

The following comes from
http://www.channelnewsasia.com/stories/afp_world/view/68440/1/.html

"Buried in its programming code -- and only readable after it has been decrypted -- was also the message "Andy; I'm just doing my job, nothing personal, sorry" from the creator, Hyppoenen said."

I think that this message refers to Andy Nagle, the director of the SCOx project.

ObSoviet Russia Reference (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8117765)

In Soviet Russia, MyDoom virus clogs YOU!

Block port 25? (1)

dubious9 (580994) | more than 10 years ago | (#8117769)

Why block port 25? How much of that port 25 traffic do they know is SPAM? If I were a spammer, I could just get a co-location somewhere in Asia (or just about anywhere else), ssh over, and do my dirty work from there.

The only people they are hurting are people that like to run their own mail servers.

People like me. And I am not a spammer.

Why can't people understand that you can't block certain kinds of traffic by blocking ports? All it takes is another computer outside the blockade to ferry them along. The only way this would be effective is if every ISP everywhere blocked port 25, and co-located servers had to register to use port 25. But since that will never happen, one ISP doesn't make a difference.

Good for Optus! (1)

RT Alec (608475) | more than 10 years ago | (#8117782)

Kudos to Optus for blocking egress port 25 traffic. They can be assured that their customers will not be part of the problem for anyone else! Other ISPs, and any business that provides internet access to any internal workstations -- please take note, and block egress port 25 traffic. Otherwise, you are part of the problem.

Purdue's got it (1)

Raynach (713366) | more than 10 years ago | (#8117783)

The network was down a little last night, and I'm getting bombarded with emails from it from people with the purdue.edu domain. The university's put people on alert [purdue.edu], but there are still people stupid enough to open up random executables at school.

Apparently college doesn't weed out the idiots.

spammers? (1)

trb (8509) | more than 10 years ago | (#8117795)

In order for worm/spammers to profit from spam, they have to put some link back to themselves in the spam, don't they? Doesn't that make them a bit easier to track down than 1337 4ax0r worm writers who don't use real return addresses or phone numbers?

I know that the spammers who use the worm-enriched mailers aren't necessarily the worm writers, but they are paying someone to send the spam, so there's still a (worm) trail.

Court case in the U.S.? (1)

Fjord (99230) | more than 10 years ago | (#8117805)

AFAIU, SCO's claims of IP ownership are global, and countries like Russia and China have more to gain from linux IP being free than an MS saturated U.S. market.

I did it (0)

Anonymous Coward | more than 10 years ago | (#8117810)

Dear SCO

I did it. I admit it.
Please send me a check for USD 250.000.

Thank you.

PS: Slashdot readers:
Any lawyer out there who'll defend me for USD 200.000?

Who cares? (1)

jason.mitchell (711646) | more than 10 years ago | (#8117811)

Wow... who really cares? How is this news to us? We didn't make the virus; stop telling us every little detail that's going on; we don't care about SCO. Every day I see a post about some worthless SCO news; it is just drawing SCO more media coverage, which is what they want. I urge /. to stop giving SCO the respect by actually posting their worthless case that will not go anywhere. --jay