Re: MyDoom download info

[Valdis.Kletnieks () vt edu]

On Sun, 01 Feb 2004 10:46:09 +1300, Steve Wray <steve.wray () paradise net nz>  said:

> but to address the points, as one person wrote, its difficult to spread 
> fast when you are trying to be stealthy; I would argue that if one is 
> stealthy enough, one doesn't need to spread fast since one is trying to 
> evade detection rather than evading elimination.

Very true...

> If a virus could spread slowly but stealthily, it could be all over
> the planet and activated before any antivirus vendor became aware
> of its presence and came out with a fix; it wouldn't matter much
> if it took a year of quiet spreading.

On the other hand, it severely limits your growth potential.

If you go for a spread-fast strategy, you *will* set off all the white
hat's detectors (on sheer unexpected traffic volume, if nothing else).
You then have 100 white hats all starting from ground zero in analyzing
the critter, and you're basically limited to however many systems you
can nail in 8 hours before they get a signature out the door.  But since
you're spreading fast, that's still a lot of systems.

What I probably didn't make clear enough the first time I said it was that
if you're propagating slowly, you need to be *very* careful - all it takes
is for you to hit *one* wrong IDS or honeypot and you've been spotted.
And more importantly for the discussion, even if it takes that researcher
a week of evening and lunch hours to figure out what you're up to, you
won't have gotten many more systems during that week.

Consider that a fast-spreading worm can nail several million boxes, while
the average IRC botnet built more stealthily is in the several 10K range.

> Sometimes (and here I go sounding paranoid again) it seems that the
> viruses and worms we see are nothing but a smokescreen; they are
> SO VERY obvious.

Welcome to the club. Want some tinfoil? :)

Attachment: _bin
Description: