Full Disclosure mailing list archives
Mydoom: Perfect Storm Averted or Just Ahead?
From: WolfgangK () usfk korea army mil
Date: Thu, 29 Jan 2004 14:34:49 +0900
Worms traveling across the Internet are like waves rolling and swelling across an ocean. Just because the first swell does not inundate a network, one should not assume invincibility to the next wave in the perfect storm. Reports vary in Mydoom.a-generated traffic; between 1 in 7-12 Emails. Although Mydoom.a infested many networks, it apparently bypassed others. Sophos (http://www.sophos.com/virusinfo/analyses/w32mydooma.html) reported that the initial variant was programmed to bypass certain domains or addresses with strings to include the following:

acketst, arin., avp, berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, sopho, syma, tanford.e, unix, usenet, utgers.ed

Experience shows that programmers are quick to "improve" upon initial code, modifying and releasing variants (note Sobig and now Mydoom.b - http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89494,00.html?SKC=news89494 ).

Lessons learned:

1. Do not rest on your laurels, assuming your network has good defense-in-depth (executables stripped away at the Email server, Outlook security patch installed) because the first wave didn't affect you. The next version could be modified with conditions right to target your environment and hit you with a perfect storm.

2. It would be difficult for a malicious programmer, cyber terrorists or cyber activists to target a specific environment and protect others (e.g., launch denial of service against SCO.com because I like LINUX and don't like SCO legal actions; protect my computer at Berkeley.edu because I don't want to affect my own Email). Programmers can easily modify code and launch an attack against another environment.

Comments?

Karl F. Wolfgang
Systems Security Manager
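As an added illustration of the "executables stripped away at the Email server" control named in the first lesson (example code written for this archive page, not code from the post, from Sophos or from any product): a small mail-gateway-style filter in Python that parses a message, drops attachments whose final extension or declared content type marks them as Windows executables, and reports what it removed. The blocked-extension list, the two content types and the sample message are my own assumptions and are not taken from the post; the filter keys on the last extension so that double extensions such as "Document.TXT.EXE" and mixed case do not slip through.

```python
"""Gateway-style stripping of executable attachments.

Added example for this archive page; the block list, content types and
the constructed sample message below are assumptions, not from the post.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed block list of executable extensions (my choice, not the post's).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}

# Assumed content types that declare Windows executable content.
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_blocked_name(filename):
    """True when the *last* extension is blocked.

    Lower-casing and splitting only the final extension means
    'Document.TXT.EXE' and 'setup.SCR' are caught, while 'notes.txt' is not.
    """
    if not filename:
        return False
    _, ext = os.path.splitext(filename.strip().lower())
    return ext in BLOCKED_EXTENSIONS


def strip_executables(raw):
    """Parse raw RFC 822 bytes, remove executable attachments.

    Returns (cleaned_message, removed_labels). Non-multipart messages carry
    no attachments and are returned unchanged.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.iter_parts():
        name = part.get_filename()
        # Check both the filename and the declared type, so an attachment
        # with no telling extension but an executable content type is dropped.
        if is_blocked_name(name) or part.get_content_type() in BLOCKED_CONTENT_TYPES:
            removed.append(name or part.get_content_type())
            continue
        kept.append(part)
    msg.set_payload(kept)  # replace the multipart body with the surviving parts
    return msg, removed


def build_sample():
    """Constructed sample message: one text body, one harmless attachment,
    one double-extension executable and one executable hidden by type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment("plain text notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Document.TXT.EXE")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="readme")
    return msg.as_bytes()


def surviving_filenames(raw):
    """Filenames of the parts left after filtering (None for the text body)."""
    cleaned, _ = strip_executables(raw)
    return [p.get_filename() for p in cleaned.iter_parts()]


if __name__ == "__main__":
    sample = build_sample()
    cleaned, removed = strip_executables(sample)
    print("removed:", removed)
    print("kept:", surviving_filenames(sample))
```

Stripping on the gateway is only one layer: the post's own point is that the next variant may change its attachment names, types or target list, so the filter is worth pairing with the client-side patching it mentions rather than relied on alone.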
Current thread:
- Mydoom: Perfect Storm Averted or Just Ahead? WolfgangK (Jan 28)
- Re: Mydoom: Perfect Storm Averted or Just Ahead? Randal L. Schwartz (Jan 29)
- Re: Mydoom: Perfect Storm Averted or Just Ahead? Collin R. Mulliner (Jan 29)
- Re: Mydoom: Perfect Storm Averted or Just Ahead? Papp Geza (Jan 29)
- <Possible follow-ups>
- Mydoom: perfect storm averted or just ahead? Computer Security (Jan 29)
- Re: Mydoom: perfect storm averted or just ahead? Roelof Temmingh (Jan 29)
- Re: Mydoom: Perfect Storm Averted or Just Ahead? Randal L. Schwartz (Jan 29)