The MyDoom worm. First seen in January 2004, it spread via email, opened a backdoor for spammers to gain access to your PC, and scoured your hard drive for more email addresses to forward itself onto.
It became widespread in no time, which was particularly concerning for software firm SCO – whose website it targeted with a distributed denial-of-service attack from infected Windows computers, seemingly as part of a civil war between different factions of the Linux community.
SCO offered a bounty of $250,000 for information leading to the successful arrest and conviction of the author.
As a later variant targeted Microsoft’s website, a further $250,000 was added to the kitty by the Seattle giant.
So, a notorious piece of malware – first seen and stopped by anti-virus companies over seven years ago.
Which makes it all the more depressing for us in SophosLabs to see it every day still spreading around the world as an email attachment.
And it’s not just MyDoom, we see other blasts from the past like the W32/Bagle-CF worm and W32/Netsky-P malware many times a day too.
If everyone had updated their anti-virus software at least once in the.. oh, I don’t know.. last five years then this malware wouldn’t be able to spread.
Clearly there will always be computers out there which aren’t running any anti-virus protection, or which haven’t been updated since the 1990s..
Don’t forget, we see approximately 100,000 new pieces of malware every single day. If you haven’t updated your anti-virus since 2004 then.. well, I don’t even like to think about it.
Good modern anti-virus software pretty much keeps itself constantly up-to-date, protecting against the latest threats.
100'000 NEW malware every DAY ?
Are you serious ?
Afraid so.
Fortunately most of it we detect proactively, even if we haven't seen it before. But that's how many new malicious samples our labs receive each day.
So, 36 million a year? Seriously?
Who's writing all this malware?
That's 100,000 "malicious samples" per day. Perhaps, for widespread malware, many samples are independently submitted.
Very good point.
And I’d add to that: is that malware susceptible of being found *in the wild*?
This story sounds to me like AV companies are not selling enough licenses.
Disclaimer: I'm not with Sophos or any other AV vendor, so the following is just a semi-educated guess on my part.
What is being counted is likely dynamically created variants from virus creation "toolkits". The command & control IPs change, the infected location/file names may change, functionality may be tweaked slightly, and the active virus code can be obfuscated differently… but all of these changes can be automated. This allows one toolkit to crank out thousands of different viruses per day.
The trappings keep changing, but the underlying framework remains the same (or at least, changes less frequently).
That’s disgusting. People who won’t even do something as simple as update their antivirus ruin it for the rest of us by allowing these botnets to continue.
Did anyone get the reward?
As far as I know, the author of MyDoom was never caught.
Unfortunately, if someone does not have any anti-virus software, they are also probably not subscribing to the Sophos security blog or reading any of the latest virus reports.
I don’t need no security software. Or any virtualization.
I protect myself by simply updating windows & those important adobe flash/java updates.
To this day, i have not been infected 🙂
This shows that AV software is partially a scam.
Or it indicates that you've never been hit by an attack which uses a zero-day vulnerability or fallen for a social engineering trick.
I'm delighted for you! But don't think that every other internet user has been so lucky, or is capable of avoiding social engineering traps.
Yeah, I guess the person doesn't use any USB storage devices.
I am amazed at the various reasons why people do not have anti-virus, or don’t update it. Here’s some of the excuses I’ve heard:
A) Well, if I use anti-virus software, then I am letting bad vibes come to my house. If I think something bad could happen to my computer, then it will. If i never have a thought about bad things, I will never get a virus.
B) My computer came with XXX a long time ago, and I don’t know anything about it. It says it’s protecting my computer. I have never updated it.
C) Every time I go on line, Windows Update tried to download updates, and it takes a long time, so I told it to stop doing that. I never get updates. I don’t do anything except email, surfing and pictures. I don’t need updates.
D) It says it costs money to get updates for my anti-virus software, and I don’t want to pay for it. It came free when I bought my computer, why should I have to pay for it again?
E) I’m very careful. I never get viruses. I don’t have anti-virus software. I don’t need it.
F) I have anti-virus software, but I don’t let it run. It uses too much memory. It interferes with the bit torrents I’m trying to download.
G) Why would I need anti-virus software? Why do I need anti-malware? There’s nothing on my computer worth taking. All I use my computer for is paying bills online.
It's not the only one. I still see "I Love You" in the wild, and SQL Slammer was spotted a few weeks ago on a relatively quiet part of our corporate network. And the "forward this and Microsoft will pay you" hoax is still alive and kicking. Remember the tests with an unpatched Microsoft machine connected directly to the internet? I think the current survival time is less than 10 minutes.
People treat computers as appliances and lack skill. People also do not care enough to get someone in to do the work for them. Big ISPs do not care enough to disconnect infected customers.
> Big ISPs do not care enough to disconnect infected customers.
This is what amazes me the most. I have a small Linux server running at home, and the logs are constantly being sprinkled with information on blocked brute force SSH attacks and port scans. Naturally, none of them get through, but a large portion of the originating addresses are local to my ISP.
I have tried to contact them and tell them that hundreds of the computers in their local corner of the Internet are spambots and need to be disconnected. I even offered to send them logs if they can’t be bothered with setting up a detector themselves, but their response was “we have no routines in place to handle such things, but thanks for telling us”. Nothing has happened since then. Some of the bot computers are still active on the same IP address as they were years ago, and persistently show up in the logs as soon as they are unblocked by my simple but effective blacklisting software, only to be blocked again within seconds.
From what I hear, most other ISPs show the same attitude, pretending that this is not a problem. It is, and they are to blame for a lot of the rapid spreading of malware and spam. Content filtering is different, I wouldn’t want that, but their failure to block brute force SSH attacks and their inability to detect even the most typical HTTP security exploits makes me wonder what they are up to.
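The brute-force SSH detection and temporary blacklisting that the comment above describes, as an added example that is not the commenter's own software and not part of the original post. It reads sshd lines in the auth.log syslog format, counts failed logins per source address inside a sliding window, records a time-limited block, and then re-blocks the same address when it returns after the block lapses, which is the "unblocked, then blocked again within seconds" pattern the commenter sees. The log lines are constructed (documentation-range addresses), and the threshold, window and block duration are assumptions, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun 12 03:14:01 home sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 03:14:03 home sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 12 03:14:05 home sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Jun 12 03:14:06 home sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Jun 12 03:14:08 home sshd[2219]: Failed password for root from 203.0.113.7 port 51255 ssh2
Jun 12 03:15:30 home sshd[2230]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun 12 03:15:41 home sshd[2231]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Jun 12 03:25:10 home sshd[2300]: Failed password for root from 203.0.113.7 port 52000 ssh2
Jun 12 03:25:12 home sshd[2302]: Failed password for root from 203.0.113.7 port 52004 ssh2
Jun 12 03:25:14 home sshd[2304]: Failed password for root from 203.0.113.7 port 52008 ssh2
Jun 12 03:25:16 home sshd[2306]: Failed password for root from 203.0.113.7 port 52012 ssh2
Jun 12 03:25:18 home sshd[2308]: Failed password for root from 203.0.113.7 port 52016 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional noise
# before the user name on failed attempts against non-existent accounts.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2011):
    """Return (timestamp, ip, user, failed) or None for lines we do not track.
    Syslog lines carry no year, so one is assumed (2011, the era of the post)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["verdict"].startswith("Failed")


def detect_brute_force(lines, threshold=5, window_seconds=60, block_seconds=600):
    """Emit (ip, blocked_at, blocked_until) whenever an address reaches
    `threshold` failed logins within `window_seconds`. Blocks expire after
    `block_seconds`; a returning attacker is blocked again from scratch.
    All three parameters are assumed values for the example."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}            # ip -> datetime when the current block lapses
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user, failed = parsed
        # While a block is in force the firewall drops the packets and sshd logs
        # nothing; skip any such lines so the simulation mirrors that.
        if ip in blocked_until and ts < blocked_until[ip]:
            continue
        if not failed:
            continue              # successful logins are not counted against an address
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            until = ts + timedelta(seconds=block_seconds)
            blocked_until[ip] = until
            blocks.append((ip, ts, until))
            q.clear()             # start counting afresh once the block lapses
    return blocks


if __name__ == "__main__":
    for ip, at, until in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"block {ip} at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

On the constructed input the 203.0.113.7 host is blocked at 03:14:08, the block lapses at 03:24:08, and the same host is blocked again at 03:25:18 when it resumes; 198.51.100.9, with one failure followed by a key-based login, is never blocked. A real deployment would pass the block decisions to the packet filter (iptables, nftables or an ipset) and tail the log continuously rather than reading a fixed string.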
I might be crazy, but wasting cpu, disk and memory on av software seems stupid. But it might be stupid to have so many bugs too…
There is a question I could not have answered in a long time.
How many of the mainstream virus/malwares/worms are unable to infect/work using a non privileged user account?
I usually take the incredible pain to use my win xp lap as a normal user,
(It has been stripped of all unneeded software/services and upgraded to working software such as Firefox and Pidgin, and I removed most but the utterly needed MS tools) and haven’t had an infection in years.
Does anybody have a clue on this?
Thanks
Sebastian
Most of the malware we see uses social engineering tricks to *fool* people into running the software. So, users unlock the door for the malware to do its dirty work.
In other words, most of what we see *doesn't* exploit software vulnerabilities – just the bug in people's brains.
Graham, you really ought to check your sources better:
> as part of a civil war between different factions of the Linux community
This was the initial rumor, but it was wrong. The source of the MyDoom problem was a criminal network, as verified by several independent sources. As an expert you should know that, and I am surprised to see you spreading that rumor now, several years later. Please update your anti-virus knowledge at least once every few years. Your reputation will suffer greatly if people start thinking you are deliberately spreading misinformation.
I agree that MyDoom was written primarily to relay spam.
However, I can't agree with your theory that there wasn't a connection with the rumpus between SCO and others at the time.
As I wrote at the time (in the article I linked to above):
"If we ever get our hands on MyDoom's creator my guess is that he will be an open source sympathiser. Of course, it's the last kind of assistance the open source community would want at this time."
Please check your history, also outside the security domain.
– There was no war between Linux factions. The actions of SCO had more in common with a subsidized attack on Linux.
– The attack was no part of that discussion. The hackers made it look that way to create confusion. The real motivation was, as always, money.
If you want references, just ask.
I'm fascinated to hear how you have concluded that the denial-of-service attack against SCO was done to "create confusion".
As far as I know, the author of MyDoom was never discovered – so it's hard to speculate as to his motivation, right?
Yes, MyDoom was written to aid spammers – but I'm not sure it would make sense for them to target SCO as well just for the heck of it. My suspicion (as I detailed in the article I linked to above) is that the author was an open source sympathiser.
As I said, "Of course, it's the last kind of assistance the open source community would want at this time."
This underlines the difference between Linux/Unix security and Windows security. The Linux/Unix security strategy is to lock the door. If there is a vulnerability and it is fixed, it is fixed for good. With Windows on the other hand, you leave the door open and you employ a security guard to catch the intruder once he has broken in – the security hole is never fixed, which is why Windows is still vulnerable to a 2004 virus. The reason for this? It is because the security hole is not a flaw in the design of the Windows security model itself, which cannot be fixed without breaking compatibility, rather than, as with Linux/Unix, a case of a programming or default configuration flaw which can be fixed.
The problem with the Windows "security guard" model, is that the security guard doesn't know who is the bad guy until he has been given a wanted poster with a picture of the bad guy, and in the case of Internet worms, this allows rapid spread of automated networked viruses (worms, and email spam viruses) before the anti-virus companies can react and issue virus database updates.
This is why Windows is targeted successfully by so many hundreds of thousands of viruses, worms and other automated malware exploits and Unix/Linux is still untouched by viruses, and Apple has only recently been targeted by a trojan posing as an anti-virus program (caused by a serious Apple security flaw, but fortunately not one in the design of the security model).
"seemingly as part of a civil war between different factions of the Linux community."
Uh — no. You should check your facts, which are really, really easy to check in this case. The attack on SCO was the work of a criminal organization in E. Europe. Linux never had anything to do with it — either as perpetrator or victim.
Really, is a little research too much to ask?
Did you read the article I linked to?
I wrote:
"If we ever get our hands on MyDoom's creator my guess is that he will be an open source sympathiser. Of course, it's the last kind of assistance the open source community would want at this time."
Yes, MyDoom was written to help spammers. But my guess is that the author was sympathetic to the open source movement and was as grumpy with SCO as many other folks were at the time. Of course, that doesn't make what he did right.
AV often is lagging new threats and often doesn't detect viruses and malware anyway. Saying something is better than nothing is ONLY applicable IF the AV products were detecting 90% or more of threats. Unfortunately, we need to flip that number to something more like 40% or less in some cases. A recent test showed Kaspersky was able to catch 80% of threats and that was on a good day and one of the few that had anything close to this number. The rest were appalling and hovered in the 30-50% range. Uh, correct me if I am wrong but isn't this about as good as NOT running AV???? Here's a solution…run Ubuntu and dump Windows which is the root cause of all this vulnerability nonsense–just look at the June 2011 Patch Tuesday…ridiculous!!
What do you think would happen if everyone all of a sudden switched to Ubuntu? Hackers and Malware writers would simply switch their platforms and start targeting Ubuntu. Can you say that Ubuntu is without any flaws? I don't think so. History would repeat itself again.
Another reason to use Gnu/Linux.
All this hostility in the Sophos area. Anti-virus is needed regardless of the OS. And since we all know one application isn't perfect, we have to deal with what it gives us. If it has a network port, there's always a chance of infection.
Yeah, that's not what some folks want to read, but it's the truth.