MyDoom Virus Could be 'Linux War' Weapon
internetnews.com | 1/27/2004 | Ryan Naraine
Posted on 01/27/2004 8:03:25 AM PST by Born Conservative
A fast-spreading mass-mailing virus has emerged as an unlikely weapon in the ongoing 'Linux War' between the SCO Group and the open-source community.
Anti-virus experts have raised the threat level on the W32.Novarg.A@mm (MyDoom) virus, which is spreading like wildfire through e-mail in-boxes worldwide and is programmed to launch a massive distributed denial-of-service (DDoS) attack against the SCO home page.
"This one is pretty bad. It's widespread and it only looks to be increasing," said Chris Belthoff, a senior security analyst at Sophos, Inc. "This takes the Linux Wars to a new intensity. It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level . . . If we ever get our hands on MyDoom's creator our guess is that he will be an open source sympathizer."
Belthoff told internetnews.com the worm was also capable of squirming through the popular Kazaa peer-to-peer network, making it a bigger threat to succeed in an attack against the SCO site.
Lindon, Utah-based SCO has drawn the ire of open-source advocates in recent months because of its litigation against Linux vendors IBM, Red Hat and Novell, claiming that some of its code was being used in implementations of the Linux OS.
The DDoS attack against the SCO site is programmed to start Feb. 1, and the worm carries a second trigger date, Feb. 12, after which it stops spreading.
Security firm Symantec rates MyDoom as a Level 4 threat (one below the maximum), while F-Secure and MessageLabs have both classified the worm as the highest risk.
MessageLabs reports that the e-mail-to-virus ratio for MyDoom has hit 1 in 12 e-mails, surpassing the SoBig.F virus, which peaked at 1 in 17. "[We have stopped] more than 1.2 million copies of MyDoom so far and as the U.S. comes online, we expect this number to grow considerably," according to a MessageLabs spokesperson.
In an advisory posted late Monday, Symantec warned that the worm sets up a backdoor on an infected system by opening TCP ports 3127 through 3198. "This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files," the anti-virus firm said. Deleting the mailed copy does not close this hole: an infected host stays reachable through the listener until the backdoor component itself is removed.
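A quick host-side check a practitioner would want after reading the Symantec note: look for anything listening in the 3127-3198 range. The snippet below is an added example, not code from the article or from Symantec; it parses `netstat -an` output in the Windows format and reports listening TCP ports that fall in the backdoor range. The sample output is constructed for the example, and the host names and ports in it are made up.

```python
# Added example: flag TCP listeners in the port range the advisory
# attributes to the MyDoom backdoor (3127 through 3198, inclusive).
BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample of Windows `netstat -an` output (not a real capture).
# One listener, on 3127, sits inside the backdoor range.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1056      198.51.100.7:80        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""


def local_port(endpoint):
    """Port number of a 'host:port' or '[v6addr]:port' string as printed by netstat.
    rpartition on the last colon handles the bracketed IPv6 form as well."""
    _, _, port = endpoint.rpartition(":")
    return int(port)


def listening_tcp_ports(text):
    """All local ports with a TCP socket in LISTENING state in `netstat -an` output."""
    ports = []
    for line in text.splitlines():
        fields = line.split()
        # Header, blank and UDP lines do not have 'TCP' in column 1 and
        # 'LISTENING' in column 4, so they are skipped here.
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.append(local_port(fields[1]))
    return ports


def backdoor_candidates(text):
    """Listening ports that fall inside the MyDoom backdoor range, sorted."""
    return sorted(p for p in listening_tcp_ports(text) if p in BACKDOOR_PORTS)


if __name__ == "__main__":
    # To check a live host: run `netstat -an`, save the output, and pass it in.
    for port in backdoor_candidates(SAMPLE_NETSTAT):
        print(f"listener in backdoor range: tcp/{port}")
```

A hit here is a lead, not proof; other software can legitimately bind a port in that range. On Windows XP, `netstat -ano` also prints the owning process ID, which lets you tie the listener back to the process before deciding anything.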
MyDoom (also known as MiMail-R) arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. It uses a variety of subject lines like "Hi" or "Hello" and sometimes uses technical subjects like "Mail Transaction Failed" or "Server Report."
If the attachment is opened, the worm installs itself to the system folder and copies itself to the Kazaa download directory. In some cases, MyDoom pretends to be a pirated copy of Microsoft Office and makes itself available for download on the file-sharing network.
According to Sophos' Belthoff, the MyDoom author embraced .ZIP attachments to get past gateway filtering. Because archives are routinely used to send large files within the enterprise, many gateways that block executable extensions outright still pass .ZIP files, so a .ZIP is more likely to reach an in-box, he said; a filter that does not look inside the archive never sees the .exe or .pif it contains.
He said the latest viruses also use visual cues to trick users into opening the attachment. In this case, MyDoom's executable carries an icon resembling a text file, so in most mail clients the attachment looks like a harmless text document. "The message is fairly innocuous and the 'from' addresses have all been spoofed, but this one is spreading fast because of the way it employs new tricks.
"This is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages."
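The gateway point above (a .ZIP wrapper getting an executable past extension filters) is worth seeing in code. The scanner below is an added example, not code from the article, Sophos or any anti-virus product. It applies the indicators the article lists, the executable attachment extensions, the .ZIP wrapper and the subject-line templates, to one RFC 822 message, descending one level into .ZIP attachments so a .pif inside an archive is still caught. The sample message, its addresses and the archive member are constructed for the example; the archive contains a placeholder string, not worm code.

```python
# Added example: a mail-gateway style check for the MyDoom indicators
# described in the article. Not production filtering code.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the article says the worm arrives with (besides .zip),
# and the subject lines it names. Both lists are illustrative, not exhaustive.
DANGEROUS_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
SUSPECT_SUBJECTS = {"hi", "hello", "mail transaction failed", "server report"}


def risky_name(name):
    """True if the file name's final extension is executable on Windows.
    Case-insensitive and checked on the last suffix only, so a double
    extension such as 'report.doc.exe' is judged by its real type."""
    name = name.lower().strip()
    return any(name.endswith(ext) for ext in DANGEROUS_EXTS)


def zip_members(data):
    """Member names of a ZIP payload, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return a list of findings for one raw message (bytes).
    Checks the subject against the worm's templates and every attachment
    against the extension list, looking inside .zip attachments as well."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        findings.append(f"subject matches worm template: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if risky_name(name):
            findings.append(f"executable attachment: {name}")
        if name.lower().endswith(".zip"):
            # An extension-only filter stops here; look at what the archive holds.
            for member in zip_members(payload):
                if risky_name(member):
                    findings.append(f"executable inside zip {name}: {member}")
    return findings


def build_sample():
    """Constructed test message: a worm-style subject and a .zip wrapping a .pif.
    Addresses are made up and the .pif content is a placeholder string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.pif", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("See the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The design point is the second loop: the outer check on `message.zip` finds nothing, and only opening the archive exposes `message.pif`. Nested archives, password-protected ZIPs and archives too large to unpack are the obvious next gaps a real gateway has to handle.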
TOPICS: Business/Economy; News/Current Events
KEYWORDS: computersecurity; linux; linuxlusers; lowqualitycrap; microsoft; mydoom; virus; windows; worm
To: Born Conservative
You'd have to be pretty fresh off the turnip truck to fall for this one.
WinProxy stops this crap dead on my gateway boxes.
2 posted on 01/27/2004 8:06:26 AM PST by Noumenon (I don't have enough guns and ammo to start a war - but I do have enough to finish one.)
To: Born Conservative
ok ...
an open source sympathizer.
As if he's saying "Nazi sympathizer."
That said ... it is a really, really, bad idea to piss off the Linux nerds. (He says while writing from his Linux computer...)
3 posted on 01/27/2004 8:08:25 AM PST by Gerasimov (miserable failure: http://www.michaelmoore.com)
To: Born Conservative
Hey! I got one of these! My NAV cleaned it right out.
4 posted on 01/27/2004 8:11:45 AM PST by Little Ray (Why settle for a Lesser Evil? Cthuhlu for President!)
To: Born Conservative
Of course, this and other Win32 virii are written by Linux zealots. They're frustrated by their <5%-dom. I've never understood how some people can become so attached to an operating system (remember the endless Windows vs. OS/2 garbage). I'm not that attached to Windows even though I have a personal stake in it. If some other OS had 95% share, I'd write apps for it.
5 posted on 01/27/2004 8:18:34 AM PST by mikegi
To: Born Conservative
"In some cases, MyDoom pretends to be a pirated copy of Microsoft Office and makes itself available for download on the file-sharing network."
I'm pretty much fresh out of sympathy for anyone who gets infected this way - not for the piracy thing so much as the general cluelessness it betrays. If the fact that the version of Office that you're pirating is a whopping 22K in size doesn't tip you off....
6 posted on 01/27/2004 8:26:20 AM PST by general_re ("Consistency requires you to be as ignorant today as you were a year ago." - Bernard Berenson)
To: Gerasimov
Back in Nov. I bought a server that runs red hat linux and I can say without fear of contradiction that this is the most unstable, worthless garbage I have ever worked with. I have several Windows servers that have never locked up or failed in years. This useless linux crap has to be rebooted at least twice a week. Also all the commands are in cryptic gibberish.
linux is crap!!!!!!!!!!!!!!!!!!!!
7 posted on 01/27/2004 8:41:46 AM PST by Cardini
To: general_re
"I'm pretty much fresh out of sympathy for anyone who gets infected this way"
I'm pretty much fresh out of sympathy for anyone who uses Microsoft products and thereby clutters OUR internet with crappy software; software that is bloated, insecure, virus/worm/trojan prone and generally a blight upon personal and corporate computing.
A 5% market share Mac user and proud of it.
8 posted on 01/27/2004 8:43:42 AM PST by drjoe
To: mikegi
"Of course, this and other Win32 virii are written by Linux zealots."
Until the culprit is apprehended, it's impossible to know. One could also speculate that it was written by someone in the Windows anti-virus industry for financial motives.
9 posted on 01/27/2004 8:50:20 AM PST by HAL9000
To: Born Conservative
"The DDoS attack is programmed to start Feb. 1 and has a trigger date to stop spreading on Feb. 12"
Add that to the "rumors" of Al Qaeda attacks Feb 1-2 and warnings from the 'greenies/anarchists' with a similar timetable .....
A little history.....
Mid to late august 2001, the Code Red virus began increasing until its apex on Sept 10, 2001. There were repeated warnings from the Anarchists, Green Party, of bombings and attacks on President Bush to take place in September 2003.
From an article on August 22, 2001 :
There were threats from the International Forum on Globalization, an umbrella organization of a couple of hundred groups headed by leaders of the Environmentalist movement, includes Ralph Nader - Green Party candidate for President, Carl Pope - Sierra Club, Jerry Brown - We the People, Randall Hayes - Rainforest Action Network, Brent Blackwelder - Friends of the Earth-U.S. and many other environmentalists and others.
"... 'an assassination plan by Saudi dissident Osama bin Laden, aimed at US President George W Bush. Militant supporters of Bin Laden are said to planning a possible bomb attack.' Russia's President Putin also was a target,..."
Those who forget the past are bound to repeat it!
http://www.gohotsprings.com/focus/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=3
10 posted on 01/27/2004 8:56:43 AM PST by steplock (www.FOCUS.GOHOTSPRINGS.com)
To: Cardini
My experience is just the reverse. The Linux servers that I admin just run and run. Windows servers (although W2000 is much better than NT, and XP better still) take a lot of continuing work to keep operating reliably. They are also resource hogs.
Maybe the hardware in the linux box is junk. Or it was set up by a clueless newby.
11 posted on 01/27/2004 8:59:51 AM PST by Rifleman
To: drjoe
This bug does not rely on Microsoft or holes in Microsoft security - it tricks unsuspecting users into intentionally running arbitrary code on their machines. There is no OS in the world that can protect you from such a thing, really - if you think OSX will protect you from software that you tell it to run, I'll roll together a few executables to send to you, and you let me know what happens when you run them, 'kay?
12 posted on 01/27/2004 9:07:13 AM PST by general_re ("Consistency requires you to be as ignorant today as you were a year ago." - Bernard Berenson)
To: Born Conservative; Orion78; JohnOG; Paul Ross; Brian S; DarkWaters; lavaroise; swarthyguy; ...
Significantly, the biggest current proponents of "open source" Linux stacks, particularly RED FLAG Linux and SuSE, include the governments who rule from Beijing and Moscow. For a number of years now, both entities have been taking strong measures to remove paid-for OSs (Windows and others such as SCO's offerings) and replace them with free Linux distributions obtained from the Open Source world. In light of this, the current virus attack may have unique significance.
13 posted on 01/27/2004 9:26:37 AM PST by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
To: Cardini
Funny, my experience has been the exact opposite of yours. I had a Red Hat Linux firewall that only went down when I moved it. Same can be said for email servers and other network servers I have had.
As for the Windows server, well, the Exchange server had to be rebooted every 3 days. It became so chronic that we had to write it into the nightly procedures.
14 posted on 01/27/2004 9:28:17 AM PST by taxcontrol (People are entitled to their opinion - no matter how wrong it is.)
To: general_re
You can't run .exe or .pif on Solaris. I suspect that's also the case for other flavors of UNIX. This morning, when I unzipped the worm (OHMIGOD! he unzipped it! Horrors!) I simply opened it in my text editor and proceeded to calmly inspect it. The first thing I noticed was how it goes right after the 32 bit Windows kernel. Bummer man!....
15 posted on 01/27/2004 9:34:10 AM PST by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)
To: belmont_mark
"You can't run .exe or .pif on Solaris."
Only because it's targeting the wrong platform, in that case. Shall I make you the same offer and send you some Solaris binaries? ;)
16 posted on 01/27/2004 9:42:39 AM PST by general_re ("Consistency requires you to be as ignorant today as you were a year ago." - Bernard Berenson)
To: HAL9000
"Until the culprit is apprehended, it's impossible to know. One could also speculate that it was written by someone in the Windows anti-virus industry for financial motives."
Yeah, and in the days after 9/11 one could have speculated that the attacks were made by 90 year-old Swedish grandmothers. Gimme a break.
17 posted on 01/27/2004 10:01:22 AM PST by mikegi
To: mikegi
"Of course, this and other Win32 virii are written by Linux zealots. They're frustrated by their <5%-dom. I've never understood how some people can become so attached to an operating system (remember the endless Windows vs. OS/2 garbage). I'm not that attached to Windows even though I have a personal stake in it. If some other OS had 95% share, I'd write apps for it."
Why do you perpetuate the "my OS is better than your OS" mentality with the snipe at their alleged "frustration with their <5%-dom"? While I am no sympathizer of virus makers, the presumption of this story is that their beef seems to be with the greedy actions of SCO rather than any "frustration" with their market share. If they want to do a DoS to SCO, what better way than with the most "popular" (read this: preloaded) OS in the world, the makers of which are suspected of being behind the scenes of SCO's actions?
I have used most of the OSes that have been around (CP/M, PC/MSDOS, OS/2, Mac, Linux, Windows), mostly because I have worked in various labs with their own preferences/needs in OSes, and I find most people are pretty happy with whatever they have chosen. They all have their pluses and minuses. The real issue is with Microsoft's gross insecurity in the "popularity" of their OSes. They are deathly afraid that one will discover that other OSes offer the same or better utility/reliability, so they institute their FUD attacks etc. on their competitors. They reluctantly write software for Mac, mostly to give the impression that they are not monopolistic. Look at how MS attacked OS/2, which was demonstrably better at multitasking etc., until very recently. Note the recent attacks on Lindows. MS has the mentality and tactics of a fundamentalist religion. Now they attack Linux with the same tactics, with the aid of SCO's McBride. Or at least that is the current theory. At minimum, MS is not displeased that the Linux community is being hassled.
To: Cardini
RTFM.
Then the "gibberish" will make sense and your poorly configured linux server will run like a champ.
It took me time to learn Linux, just like it took me time to study up for my MCP. My knowledge of both is valuable to me... it's just that I, like many, prefer the control and customization I have with Linux to the substandard stuff Microsoft keeps pushing out. (Although XP Pro is a very good product. Finally.)
19 posted on 01/27/2004 11:02:38 AM PST by Gerasimov (miserable failure: http://www.michaelmoore.com)
To: general_re
I agree. But in this case, those OSs were not targeted. In this case, the Windows kernel was specifically targeted; that's my only point.
20 posted on 01/27/2004 11:45:53 AM PST by GOP_1900AD (Un-PC even to "Conservatives!" - Right makes right)