Interesting People mailing list archives
Three on MyDoom! from Risks Digest 23.15
From: Dave Farber <dave () farber net>
Date: Mon, 02 Feb 2004 17:43:03 -0500
Date: Mon, 2 Feb 2004 9:41:36 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: E-mail activity: VaVaVoom MyDoom!

SpamAssassin is now trapping over 1100 e-mail spam messages to me and RISKS each day. IN ADDITION to that, the recent malware activity (MyDoom, etc.) is awesome. After putting out RISKS-23.14 on 27 Jan, I did not get a chance to look at the RISKS mailbox until this morning, and there were 2528 NEW messages, of which only about 40 were legitimate postings. Note that I run absolutely *no* MS software, so don't bother to blame me for any of the bogus e-mail that seems to come from RISKS.

  Subject          Messages
  -------          --------
  test                  407
  hi                    296
  hello                 240
  status                197
  mail deliv..          188
  mail trans..          185
  returned ma.          161
  error ...              89
  server report          85
  undeliver...           77
  failure not.           67
  ... virus ..           44

and many many more with gibberish that I deleted on the basis of their subject lines alone.

Many thanks to those of you who remember to use the helpful tag string [noted in the last message in each issue, and which will change as soon as the spammers start using it]. That tag really encourages me to look at your e-mail first -- or even at all. It also enables me to scan through the thousands of items that SpamAssassin traps, and I think I have found only one legitimate message that got caught in its web. (My sincere regrets if I accidentally deleted any of your legitimate messages.)

Incidentally, RISKS is hugely backlogged at the moment, with material for about three issues waiting for catching up -- without even thinking about everything that this issue will generate.

Side note: MyDoom hit SCO yesterday at midnight, as predicted, infecting PCs beginning in New Zealand. SCO was reportedly completely paralyzed by the denial of service attacks, which are expected to continue through 12 Feb.
------------------------------

Date: Wed, 28 Jan 2004 21:56:26 -0500
From: Steve Bellovin <smb () research att com>
Subject: Risks of virus scanners

For fairly obvious reasons, I just upgraded a family member's anti-virus software. She asked me to check a suspicious message; when I saw that the body said "The message contains Unicode characters and has been sent as a binary attachment," I knew what I was dealing with. Of course, the AV software did detect it, and dealt with it in an appropriately permanent fashion. But how did it notify the user of what it found? It created a .txt file -- as an attachment in the e-mail message... How long, I wonder, till a virus uses that exact filename and syntax to hide behind? Recall that MyDoom is already calling itself things like "document.txt .scr" and the like, to try to hide the real extension. Why are the good guys trying to teach people to click on attachments?

------------------------------

Date: Wed, 28 Jan 2004 19:32:13 -0800
From: Kevin Dalley <kevin () kelphead org>
Subject: AP blames virus transmission on users

Anick Jesdanun, an AP Internet Writer, wrote an article stating:

  The continued spread of a cleverly engineered computer virus exposes a key flaw in the global embrace of technology: Its users are human.

The article is available at:
  http://story.news.yahoo.com/news?tmpl=story&cid=528&e=4&u=/ap/20040128/ap_on_hi_te/e_mail_worm

The e-mail contains an attachment marked

  application/octet-stream; text.zip
or
  application/octet-stream; data.zip

Unzipping the file gives you an executable, perhaps data.scr or text.pif, again with a misleading name. Unfortunately, the mail reader knows how to unzip and execute the file without any warning to the user. Anick blames the user's trust for the damage. If the user were warned before the file were executed, the problem would not be as serious.

comp.risks has covered this topic in 20:44, in June, 1999, where Steven M. Bellovin says:

  The underlying problem is that there are two different mechanisms used to determine file type, and hence how it should be "opened". One is what is displayed to the user; the other is what is actually used. That way lies danger.

------------------------------

Date: Wed, 28 Jan 2004 23:26:31 -0800
From: Kevin Dalley <kevin () kelphead org>
Subject: US-CERT warns of worm, forgets to mention operating system

In one of its first actions, US-CERT issued a warning about the MyDoom.B worm. Unfortunately, US-CERT forgot to mention the operating systems which are susceptible to attack from the worm. The technical warning is available at:
  http://www.us-cert.gov/cas/techalerts/TA04-028A.html

The warning contains hints that the OS is some form of Windows, mentioning the Windows System directory, but doesn't come out and identify any operating systems. On the other hand, CERT's (without "US") warning of Novarg.A worm:
  http://www.cert.org/incident_notes/IN-2004-01.html
has a link titled "Steps for Recovering from a UNIX or NT System Compromise". CERT doesn't mention the susceptible operating systems, either, but one could assume that UNIX is at risk.

Chew on these CERTs and you will be lucky to see a spark of light.

------------------------------
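Bellovin's and Dalley's posts describe the same disguise: the name or MIME type shown to the user (a padded "document.txt .scr", or an application/octet-stream text.zip) differs from what the mail client actually runs (the trailing .scr, or the data.scr/text.pif inside the zip). The mail-gateway screener below is an added example, not code from the digest or its authors; it builds a constructed MyDoom-style message (the filenames and body text are taken from the posts, the payload bytes are placeholders) and flags any attachment whose real extension is executable or differs from the one displayed, looking inside zip attachments as well. All function names are my own.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
# Extensions Windows runs directly; MyDoom hid .scr/.pif behind padded names and zips.
EXEC_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}

def real_extension(name):
    """Extension the OS acts on: the last suffix, after any padding spaces."""
    m = re.search(r"\.([a-z0-9]+)$", name.strip().lower())
    return "." + m.group(1) if m else ""

def displayed_extension(name):
    """Extension a user sees first: the first dot-suffix in the name."""
    m = re.search(r"\.([a-z0-9]+)", name.lower())
    return "." + m.group(1) if m else ""

def suspicious_names(names):
    """Flag executable extensions and names whose shown and real extensions
    differ (the two-mechanism problem Bellovin describes)."""
    return [n for n in names if real_extension(n) in EXEC_EXT
            or displayed_extension(n) not in ("", real_extension(n))]

def attachment_names(raw):
    """Attachment filenames from a raw RFC 822 message, plus the member names
    of any zip attachment, so a hidden .pif/.scr is inspected too."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        names.append(part.get_filename() or "")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # zip magic, whatever the declared MIME type
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names.extend(zf.namelist())
    return names

def build_sample():
    """Constructed MyDoom-style message (not a real sample): text.zip holding
    text.pif, plus a second attachment named 'document.txt    .scr'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.pif", b"placeholder, not an executable")
    m = EmailMessage()
    m.set_content("The message contains Unicode characters and has been sent as a binary attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="text.zip")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="document.txt    .scr")
    return m.as_bytes()
```

A gateway that quarantined on `suspicious_names()` would have held both the zip (because of its member) and the padded name, without relying on the user to notice the mismatch.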