GROKLAW
When you want to know more...
Virus Came From Russia, Says MessageLabs
Tuesday, January 27 2004 @ 10:22 PM EST

MessageLabs has announced that the MyDoom virus originated in Russia. That pretty much rules out any Linux enthusiast trying to get back at SCO, as far as I can see. Nobody in Russia cares about a legal case in the US that won't affect them one bit. It looks like spammers and worse trying to shift the blame to cover the other ugly things this virus does, because it tries to install a keylogger to get your credit card and other such details, according to Symantec, something no Linux person has ever been involved in to the best of my knowledge.

Here are the details from MessageLabs:

The worm was first intercepted by MessageLabs on the 26th January, 2004 at 8:03 a.m. ET and as of 7:00 p.m. ET, MessageLabs has stopped over 170,000 copies of the virus, while providing complete protection for MessageLabs' 8,000 business customers worldwide. The email containing the first copy was sent from Russia.

"This is certainly the first major virus outbreak of 2004," said Mark Sunner, Chief Technology Officer at MessageLabs. "Not only is it causing major nuisance damage through the sheer volume of email it's generating but it may also leave a backdoor wide open for hackers to take control of the machine and misappropriate passwords, credit-card details or for some other nefarious purpose."
And here are the details from Symantec in the ComputerWorld article:
According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will start sending requests for data to SCO's Web site.
It appears somebody needs to apologize to somebody for leaping to ugly conclusions about the Linux community.

Update: Also today SCO issued another press release, offering money for clues leading to the arrest and conviction of the evildoer who wrote MyDoom and sent it SCO's way. $250,000.


Virus Came From Russia, Says MessageLabs | 363 comments
Virus Came From Russia, Says MessageLabs
Authored by: brenda banks on Tuesday, January 27 2004 @ 10:47 PM EST
amazingly
why would we bother with sco
they are toast already in court
just waiting on the judge
hehehehe


---
br3n

irc.fdfnet.net #groklaw


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Tuesday, January 27 2004 @ 10:49 PM EST
Apologize? They put a $250,000 reward out to prove that a Linux freak
did it. If I were BayStar, I would start wondering what SCO spends
my (customers') money on.


Hmmm
Authored by: OK on Tuesday, January 27 2004 @ 10:51 PM EST
They could only talk about the FIRST COPY THEY RECEIVED. Whether it is the FIRST
COPY SENT is still questionable. And since when did SCO start to apologize for
anything they'd said?


  • Hmmm - Authored by: stevem on Tuesday, January 27 2004 @ 10:56 PM EST
  • Hmmm - Authored by: Scriptwriter on Tuesday, January 27 2004 @ 11:07 PM EST
    • Hmmm - Authored by: OK on Tuesday, January 27 2004 @ 11:30 PM EST
  • Hmmm - Authored by: TItan on Wednesday, January 28 2004 @ 12:24 AM EST
  • Hmmm - Authored by: RJDohnert on Wednesday, January 28 2004 @ 01:38 AM EST
  • Hmmm - Authored by: sircus on Wednesday, January 28 2004 @ 07:48 AM EST
Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Tuesday, January 27 2004 @ 10:52 PM EST
Sorry, but that's wrong.
There are plenty of people in Russia (and everywhere!) who use Linux, and care
just as much about this case as their fellow enthusiasts in the US.

Because the SCO case affects everyone using Linux, and everyone who cares about
Linux, and indeed the entire open source/free software movement.


[OT] Perens-Viagra-Spam
Authored by: lpletch on Tuesday, January 27 2004 @ 10:56 PM EST
The Perens article has something about Viagra spam. Has anyone seen this claim
anywhere else? I can't help but wonder where he got that information. I have not
seen it anywhere but from Perens.
I don't see that well though.

---
lpletch@adelphia.net


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Tuesday, January 27 2004 @ 10:58 PM EST
Let's see if the media as well as SCO acknowledge this as publicly as they
implicated the Linux community.


Virus Came From Russia, Says MessageLabs
Authored by: brooker on Tuesday, January 27 2004 @ 11:10 PM EST
I don't think that anyone truly believed this ugly worm had anything whatsoever
to do with the Linux Community...not even SCO.

But shame on them for the despicable opportunists they are, to have jumped so
fast to use it to gain attention for themselves.

They really are a rather tiresome bunch, and I am very glad this has all been
cleared up so fast (as far as unfairly laying blame on the Linux folks). Now,
if only that worm could be squashed as easily as ugly rumors.

I have to say that spammers and virus writers are an even lower, and far more
cowardly, form of life than the folks at SCO....by a few centimeters anyway.
brooker


How widespread is this virus?
Authored by: Anonymous on Tuesday, January 27 2004 @ 11:13 PM EST
All viruses bad. One virus is too many. One computer with a virus, is too many.

But I wonder just how widespread this virus is.

There seems to be a slight discrepancy between various news sources:

1. There's the news stories saying it's major:

(a) New email virus 'is biggest threat yet'

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/01/28/wemail28.xml&sSheet=/news/2004/01/28/ixnewstop.html

Some quotes:

Millions of corporate and personal email systems were swamped

MX Logic, an American security firm, was detecting more than 1,200 e-mails per
second infected with MyDoom

With one out of every nine emails worldwide infected, it declared MyDoom a
"critical threat".

MessageLabs, an email filtering company, picked up 1.2 million copies in the
first 24 hours, some 200,000 more than the Sobig.F virus.

(b)
http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1073281357188

could quickly become the biggest viral outbreak yet.

Hundreds of thousands of machines worldwide were believed to have been infected
by midday yesterday

Mydoom infected hundreds of businesses from small firms to at least 10 Fortune
500 companies.

(c) etc.

2. But on the other hand, some reports have thousands or tens of thousands of
computers infected.

(a) Damage from `Mydoom' virus limited

http://www.taipeitimes.com/News/biz/archives/2004/01/28/2003092765

"Mydoom" or "Novarg" that may have swept through about
30,000 computers globally and was considered the worst attack since last
August.

As of the press time, Symantec had received 1,990 Mydoom infection reports
worldwide, including 10 from the Asia-Pacific region.


And the Most Over the Top Headline Award Goes to...
Authored by: Tim Ransom on Tuesday, January 27 2004 @ 11:33 PM EST
CNN for this little gem.

Thanks again,


Virus Came From Russia, Says MessageLabs
Authored by: pyrite on Tuesday, January 27 2004 @ 11:40 PM EST
The Linux community is an international community. I kind of think that's what
SCO is getting at (I don't agree with their point of view, though - but that's
OK, everyone is entitled to their own opinion as far as I am concerned). But the
fact that it came from Russia isn't going to stop the rhetoric from the
anti-Linux crowd. A "Linux enthusiast" could be from any country in
the world. This might very well be spun in a way so as to tie into the national
security argument. The idea of Linux "falling into the wrong hands",
or something like that - when actually, Linux is immune from the virus, and it
would be more difficult to have these types of virii if more people used Linux.
We need to get Linux into the hands of people who forget to not click on
attachments!

In any case, no country wants for its enemies to have technology that is
superior to their own technology; I would imagine that most countries try to
implement the same level of cutting-edge technology that their enemies have
implemented, or plan to implement - it levels the playing field. It's going to
be hard for the proprietary OS companies to cough up the truth about the fact
that Linux is, in fact, quite a bit easier to get going on a much wider range of
hardware, and can represent what could be considered "superior
technology" to proprietary OS's. This superior technology can then be
used for good pursuits, or for not-so-good pursuits. Hopefully people will use
it for beneficial things like education, to improve living conditions, to
further freedom of information and freedom of speech, and to bring a brighter
future to millions of people all over the world. Linux is superior in a greater
variety of situations, with a greater variety of hardware. Proprietary operating
systems tend to be "spoiled", they have to have everything
"just right". Linux doesn't care. It just works. That's why it's
good to use it. Our governments, our businesses, and our citizens should not be
afraid of Linux, they should embrace it. It's an extremely significant
development in the history of computing, although perhaps we don't realize it
yet. Or maybe we do. Anyway, people should use Linux, and not be afraid of it.


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Tuesday, January 27 2004 @ 11:43 PM EST
This one could be SCO's doing, then blame it on the Linux community.


Not true
Authored by: Anonymous on Tuesday, January 27 2004 @ 11:49 PM EST
PJ, I find your remark about Russia offensive.
This is far from the truth. People in Russia do care about Linux and the SCO case.
And it will affect them just as it will affect everybody. Of course, Russia is
not very computer populated. Nevertheless.


OT: Linus live at Comedy Central
Authored by: belzecue on Tuesday, January 27 2004 @ 11:58 PM EST
Linus just made me choke on my lunch from laughing so hard:

"There are literally several levels of SCO being wrong. And even if we were to live in that alternate universe where SCO would be right, they'd still be wrong."


McAfee FUD check
Authored by: Tim Ransom on Wednesday, January 28 2004 @ 12:00 AM EST
Here's more damaging conjecture from another twittering thimblewit:

'Alan Bell, Marketing Director for software security firm McAfee says MyDoom has not yet reached its peak, and will continue to spread for the next day or two.

Mr Bell told Newstalk ZB that SCO, the company whose website is under attack is in the middle of legal action over the Linux operating code, so it is suspected that the author of the virus is an opponent of the company's legal stance.'


Thanks again,


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 12:11 AM EST
Given the global nature of the internet, it is of little significance that the
first detected virus came from Russia. Whoever is responsible might have used
an open SMTP relay in Russia. It'd be interesting to look at the header of the
captured message - I imagine that the FBI is doing that right now.

I personally doubt that anti-SCO sentiments were the primary motivation for the
virus writer. Crime seems to have been the main purpose, with the DDOS an
afterthought.

I don't want these people on our side, if indeed they are.


From Russia with Love ?
Authored by: Sunny Penguin on Wednesday, January 28 2004 @ 12:17 AM EST
Interesting; Russia was the only country to step up
(or is that slip up) and root for the SCOX.
Does this mean anything, probably not, except for the tinfoil hat crowd.
I do hope the authorities can pin this one down fast, it looks bad on us.
I could do a tinfoil hat rant but we should wait and see.

BTW Gentoo has a SE Linux install; I should login to mine in about 12
hours......

Good night

---
Litigation is no substitute for Innovation.
Say No to SCO.
IMHO IANAL


Virus NOT ddosing SCO?
Authored by: M on Wednesday, January 28 2004 @ 12:19 AM EST
An interesting technical description of the virus was just posted to the BugTraq mailing list. Can't vouch for its accuracy, but it's an interesting read, if you like code disassembly.

The interesting quote (from near the bottom) is this:

Has anyone seen the DOS against SCO actually happen? I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis and the only activity I can get it to perform related to www.sco.com is to resolve the name.
He goes on to describe the various things he attempted (including changing the computer's time/date, etc), and how the virus failed to attempt to contact www.sco.com other than resolving the domain name, even with the computer's clock set to be within the supposed period in which the DDoS is supposed to be active...


Linux as Vaccine
Authored by: webster on Wednesday, January 28 2004 @ 12:22 AM EST
Linux As Vaccine

I just amended my automatic signature on my home email client which is Mozilla.
I added the following:

(Stop viri - use Linux, or at least Mozilla on Windows.)

I communicate with family, soccer parents, school groups, lawyers groups, and
joke groups. I may be the only one that uses a Linux machine. I may be the
only one that has even heard of Linux to say nothing of open source and the GPL.
As a named party in the local Microsoft Antitrust suit, no one else involved
knows of any alternative to Windows, not the lawyers, other parties, or the
class of people represented. They do not think about operating systems. Using
the computer means using it as it comes. The savvy among these people are doing
a great job if they have antivirus software and a firewall. They don't
consider this the added cost of using Windows or why these features are not
included in the operating system. [Are you annoyed that I didn't just write
'OS'?] They may have heard of the Windows Antitrust case, but this does not
translate into a realization that their operating system is insecure, stifles
innovation, is deliberately incompatible, continues to try and crush every other
software alternative.

Only recently have I started using Linux. I have a guru without whom I would
have had to abandon this project. It is a struggle. I do not enjoy relearning
how to mount a floppy when one of my three user-kids needs to take a file to
school. They want me to plug in the speakers so they can get the music rolling
again. I don't tell them that it is not a speaker problem but my fear of
having to learn to mount a CDRW; I'm hardly a techno-stud. I also cringed when
my son told me that Backyard Baseball doesn't work on the new computer. I tell
him I will set up the old computer, Windows. But it sits in disarray sans
monitor, twisted within by spy and adware uncaught by antivirus and carved into
an HP recovery system. But my kids are using GAIM to chat with their AOL
friends. I hope they are spreading the word. I even hope one of them latches
on to Linux and shows me a thing or two. But alas a game of “Marbles” left a
frame that blocked a logout. And why did those quotes on marbles in the last
sentence come out as question marks in this OpenOffice draft? Linux can be such
a challenge.

But my faith is not shaken. Having had my Windows office network invaded and
slowed to molasses with our new DSL, there is no turning back particularly after
putting a pricy Linux firewall box to resolve the problem. But I am on my own.
The DSL technical support people hung up when I said I had a Linux firewall.

All this is to say we have to get the word out and things have to get better.
One will help the other. We have to raise our flags and don our Penguin armor.
So every one even you on your windows machines add something to your signature
and documents to let others know that there is something else out there that is
better for the spirit of the world...or tell them they can save $600 per
workstation with Linux and OpenOffice.

---
webster

Recent Windows refugee


Symantec FUD check
Authored by: Tim Ransom on Wednesday, January 28 2004 @ 12:31 AM EST
From here:

John Donovan, Managing Director of Symantec Australia:

'The virus itself is programmed to get all of the infected systems that it has around the globe together and launch what's called a denial of service attack on a company called SCO, Santa Cruz Operation. The issue being that SCO has some cases before the court at the moment, where they claim ownership of portions to the Unix operating system. That's upset a lot of the IT community and particularly some of the hackers, so their payback is to launch this denial of service attack, which is aiming at bringing down that company's website. So quite unusual from that perspective.

HAMISH FITZSIMMONS: So it is, as has been said, a case of cyber terrorism?

JOHN DONOVAN: Well, I think that's taking it a couple of steps beyond where it is. It is an example of a special interest group motivated attack, or politically-motivated attack.

Thanks again,


sco.com down
Authored by: Anonymous on Wednesday, January 28 2004 @ 12:36 AM EST
According to Netcraft www.sco.com is finally down, and has been for the last hour.

As we approach Feb 1, one would expect to see more and more machines with incorrectly-set dates to start attacking. I don't know if the IP address is encoded into the worm, or if they go through DNS, but if it is DNS then just changing the IP address won't help them (as helped with a recent worm that was attacking the whitehouse.gov)

Good luck to SCO to taking care of this problem. I agree with those who think that this attack of SCO is just a diversion -- the real purpose of the worm is likely to take over machines to be used as spam zombies.

thad


If SCOG cooperates, it is easy to track
Authored by: hamjudo on Wednesday, January 28 2004 @ 12:39 AM EST
The "virus" announced each infection to www.sco.com.

If SCOG is serious about finding the source, they will publish the webserver log entries from the first few minutes of the attack.

The only interesting parts are the log entries that match the signature of the denial of service attack. SCOG can filter out the legit website traffic.

For those who've analyzed the malware, are there any delays before it launches the denial of service attack? If the thing has a random pause, then we need more data to track it.

If SCOG doesn't want to find the source, they can just sit on the evidence until it becomes worthless.

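The filtering hamjudo describes, as an added example that is not from the post and not SCO's code: a Python script that parses Apache common-log lines, slides a per-source time window over the timestamps, flags any source that issues at least 20 requests inside 60 seconds (an assumed threshold; the page never states the worm's real request rate), and lists the flooding sources in the order their bursts began, which are the first infections worth chasing. The log lines it runs on are constructed here; nothing on the page shows SCO's actual logs or the exact request the worm sends.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/NCSA common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("request"),
    }


def flood_sources(lines, window_seconds=60, threshold=20):
    """Return {ip: burst_start} for every source that issued at least
    `threshold` requests inside any `window_seconds` span (assumed threshold).
    One sliding window per source IP; ordinary visitors never accumulate
    that many hits, so they fall out of the result without a signature."""
    records = [r for r in map(parse_line, lines) if r]
    records.sort(key=lambda r: r["ts"])  # logs are roughly ordered, but be safe
    recent = defaultdict(deque)
    flagged = {}
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = q[0]  # first request of the burst
    return flagged


def earliest_attackers(lines, n=5, **kw):
    """The n flooding sources whose bursts started first."""
    flagged = flood_sources(lines, **kw)
    return [ip for ip, _ in sorted(flagged.items(), key=lambda kv: kv[1])[:n]]


# --- constructed sample log (documentation-range addresses, not real data) ---
BASE = datetime(2004, 2, 1, 0, 0, 0, tzinfo=timezone(timedelta(hours=-7)))


def clf(ip, ts, request, status=200, size=1024):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def build_sample_log():
    lines = []
    # three flooding hosts, each requesting "/" once a second for two minutes,
    # starting at different offsets
    for ip, start in (("203.0.113.10", 5), ("198.51.100.5", 42), ("203.0.113.11", 90)):
        for i in range(120):
            lines.append(clf(ip, BASE + timedelta(seconds=start + i), "GET / HTTP/1.1"))
    # one ordinary visitor browsing a few pages half a minute apart
    for i, path in enumerate(["/", "/products/", "/images/logo.gif", "/news/", "/"]):
        lines.append(clf("192.0.2.77", BASE + timedelta(seconds=30 * i), f"GET {path} HTTP/1.1"))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for ip, started in sorted(flood_sources(log).items(), key=lambda kv: kv[1]):
        print(f"{started.isoformat()}  {ip}")
```

The burst start, not the first log line from a source, is what to publish: a host that merely browsed the site earlier that day is not an infection. If the analysis in the thread is right and the worm pauses randomly before attacking, the earliest burst still only bounds the infection time from above.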

Some clues?
Authored by: Anonymous on Wednesday, January 28 2004 @ 12:43 AM EST
I don't know much about viruses, but I read in a news report that this virus is
also known as "mimail.r"

So I started wondering about "mimail.a" to "mimail.p"
and whether they existed, and what they did. I mean presumably "a"
was discovered before "b" before "c" and so on, and
likely written by the virus-author before "b", that's likely
right??

A quick search on Symantec's site and I found that all or most of them do.
Symantec uses the name "w32.mimail.r@mm" to describe these.

I didn't look through all the descriptions, but the ones that I did read seem
to say:

1. All the variants that I read about spread by email attachment and mass
emailing.

2. Before massing emailing, the viruses seem to try to resolve a particular site
(I guess to check for an Internet connection). Google.com seems a popular
choice to be used in this function.

3. Some variants include stuff to capture user's personal info. Getting PayPal
or credit card info, seems to be a running theme in several descriptions.

4. Some variants include a function to launch DoS on certain site(s). Which site
is targeted seems to vary quite a bit.
I admit that I am not knowledgeable about viruses, but three questions then
arose in my mind.

(A) Is sco.com being used for resolving (like Google.com in some variants) or
for a DoS attack target. I am not sure which it is from reading the virus
company info (as opposed to the news reports), but I guess they are the DoS
target?

(B) Why is mimail@r ("mydoom") getting all this press? I have never
even heard of the other variants until today.

(C) Is it likely that the mimail@a to mimail@p variants were written by the same
person. If they were, I guess this might tell us something about the
perpetrator?


Here are some notable bits about a few (like I said I didn't look over all of
'a' to 'p'):

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html
- Resolve google
- DoS darkprofits

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.d@mm.html
- Resolve google.com
- DoS fethard.biz fethard-finance.com

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html
- Resolve google
- DoS mysupersales.com

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.f@mm.html
- Resolves google.com
- DoS attacks spamhaus.org spews.org spamcop.net

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.g@mm.html
- Resolve google
- DoS attacks spamhaus.org spews.org

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html
- DoS www.authorizenet.com disney.go.com www.spamcop.net www.carderplanet.net
www.cardcops.com www.register.com www.spews.org www.spamhaus.org

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.m@mm.html
- Dos attacks darkprofits.com etc


  • Some clues? - Authored by: Anonymous on Wednesday, January 28 2004 @ 05:57 AM EST
  • Some clues? - Authored by: Anonymous on Wednesday, January 28 2004 @ 08:38 AM EST
Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 12:46 AM EST
Why couldn't this be written by a MS Virus / Spammer specialist? They
certainly would not want to see a more secure OS unseat MS. That would put many
of them out of business. Let's face it, when Linux takes over the world the
job of writing virii and trojans and worms gets a great deal more difficult.
They are just protecting their turf!!!

While this is TIC.. who knows???


Virus Came From Russia, Says MessageLabs
Authored by: IMANAL on Wednesday, January 28 2004 @ 01:29 AM EST
That pretty much rules out any Linux enthusiast trying to get back at SCO, as far as I can see. Nobody in Russia cares about a legal case in the US that won't affect them one bit.

What?! That was a silly analysis, to say the least.

Maybe, it was a US Linux enthusiast trying to get back at SCO by putting the blame on the Russians.

Had they been more cunning they would have had it originate from Israel, and we would have had endless discussions about who did it - the Jews or the Arabs.

Well, another theory is that SCO paid someone to include them in that virus, in a last attempt trying to get sympathy for their case...

In other words, I don't know either


Virus Came From Russia, Says MessageLabs
Authored by: shoden on Wednesday, January 28 2004 @ 01:30 AM EST
Its interesting...

Every time SCO is desperate for some press, something always comes up... they
are either spinning or trying to look like the victim of a vast OSS conspiracy
to somehow hurt them by taking out SCO.com.

I don't think SCO wrote the code themselves (I don't think there are any
programmers left), but you could probably pay the 5th grade cracker down the
block to download, tweak, and send the virus out to the world.

Honestly, why would we want to take SCO.com down? I'm just interested to see if
they use this in Feb as an excuse as to why they couldn't meet their deadline.

---
S.K.

MR. MCBRIDE: Your Honor, I have a smaller, obviously --


Darl Doesn't Know Why SCO is Targeted
Authored by: red floyd on Wednesday, January 28 2004 @ 01:36 AM EST
KCAL-9 in Los Angeles just did a report on the worm, and said that the SCO's
CEO said he didn't know why his company might have been targeted.

---
The only reason we retain the rights we have is because people *JUST LIKE US*
died to preserve those rights.


Chuckle - check this out...
Authored by: Anonymous on Wednesday, January 28 2004 @ 01:45 AM EST
http://www.linuxstolescocode.com/


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 01:59 AM EST
PJ, sorry for duplicating what others say, but why
shouldn't a Russian care about the SCO case? The US has
successfully enforced its silly IP laws (through WIPO) on
the rest of the world. What happens in the US will happen
in Europe, Russia, etc.

I am from Europe (Denmark) and I care. I can't see why a
Linux user in Russia shouldn't.

The really annoying thing about this windows/virus thing
is that I can see why a number of (newer) Linux users would
do something like it. It would be seriously misguided, but
nevertheless: I think it is as probable as it not being a
Linux user.

rant:
If only MS would fix their stupid, stupid Outlook apps
ability to "run" attachments, the world would very quickly
become a better place. Seriously, it has been demonstrated
without a doubt, that the "normal" Windows user _can_not_
figure out the "don't click on attachments" part. Why oh
why does MS insist on it being part of the "email
experience"?

Mads Bondo Dydensborg


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 02:06 AM EST
The virus writer is likely a Windows user since they needed to use Windows to
write and test the virus.


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 02:08 AM EST
It appears somebody needs to apologize to somebody for leaping to ugly conclusions about the Linux community.


Yeah, right. Somehow I have my sincere doubts any of the fat-mouthed journalists or Litigious Bastards will bother to apologize for their broad application of presumed guilt and generalization of the Linux community as a whole.

Regardless, we all knew it wasn't a Linux buff who did this - this is merely more proof to that.

However, one thing poor ol' Groklaw and presumptuous Linux users failed to learn from SCO is that even if you're right - the media can and will print what gets them better ratings - regardless of the facts.

In other words, those who said it was a Linux enthusiast who did this out of hatred -- will continue to say exactly that.

Like another moron we all know - those who wish to conspire to harm the Linux community will turn an apple into an orange to better benefit their cause.

These new facts clearly show a Linux enthusiast added additional poorly coded features to this payload in an attempt to disguise their true intent, harming SCO to gain revenge and further infringe on SCO's IP rights to the letter a, b, c, etc al..

I'm so sick of hearing about SCO related propaganda, how much louder could we possibly scream, cry, and whine to get the FTC and SEC involved in an investigation to SCO's business practices and flagrant lies? *sigh*

By the way, I really own the rights to Unix. I bought it from space aliens visiting from Mars. Yeah, that's right. And I intend to enforce those rights.....

*laughs* You know what the sick part of that lame attempt at humor is? If I had the money I could do just what SCO is using those claims. Though, I must admit - my story is more believable. :P


Okay, BUT....
Authored by: Anonymous on Wednesday, January 28 2004 @ 02:23 AM EST
has anyone considered this?

SCO writes virus itself, and sends it on its way. Headlines are grabbed,
keeping SCO in the press. Sympathy is raised (Poor SCO attacked yet again).
And inevitably, an excuse in court if they're ever unable to respond timely
because all their resources are being tied up to combat this threat.

And the part about the keylogger--- Why it's probably seeking out SCO IP via a
secret scan of everyone's hard drive so they can really mount those cases
against the end user.



Virus Came From Russia, Says MessageLabs
Authored by: minkwe on Wednesday, January 28 2004 @ 02:45 AM EST
<s>
Check closely, maybe on Feb. 1st, the worm will try to use the credit card
numbers gathered to buy SCO's Unix IP License from SCO.com. Watch out for
availability of the possibility to buy such licenses by credit card online by
the end of the week. :-)
</s>

---
SCO's lawsuit is a little like locking the door on Martin Luther King Jr.'s jail
cell and expecting to stop the civil rights movement. [C|net]


Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 03:05 AM EST
Just curious, but how do they know it came from Russia when according to the
report the email address is randomly spoofed?

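The point made twice above (a first copy seen from Russia may just be an open relay, and the visible sender address is spoofed) comes down to reading the Received: headers rather than the From: line. As an added example, not code from either post or from MessageLabs, here is a Python script that walks the Received: chain of a constructed message oldest-first, reports the origin that the bottom-most line claims, and separately reports the last hop that can actually be vouched for, i.e. the IP that connected to an MTA the analyst controls. The hostnames, the trusted-MTA set and the documentation-range addresses are all assumptions.

```python
import email
import re
from email import policy

# Constructed sample message (not a real MyDoom capture). The From: line is a
# spoofed address. The three Received: lines were written, newest first, by
# inbound.filter.example, mx.filter.example and relay.example.ru. Only the two
# hosts we run are trusted to have written an honest Received: line; the
# sender could have fabricated the bottom line before injecting the message.
SAMPLE_MESSAGE = b"""\
Received: from mx.filter.example (mx.filter.example [198.51.100.7])
\tby inbound.filter.example (Postfix) with ESMTP id 4F1C2;
\tMon, 26 Jan 2004 08:03:12 -0500
Received: from relay.example.ru (relay.example.ru [203.0.113.45])
\tby mx.filter.example with SMTP;
\tMon, 26 Jan 2004 08:03:01 -0500
Received: from pc-home (unknown [192.0.2.99])
\tby relay.example.ru with SMTP; Mon, 26 Jan 2004 16:02:40 +0300
From: "John Smith" <john@example.com>
To: victim@example-customer.net
Subject: hi

test
"""

# assumed: the MTAs the analyst operates and whose log lines can be believed
TRUSTED_MTAS = {"inbound.filter.example", "mx.filter.example"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"       # name the connecting host announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"  # optional "(reverse-dns [ip])" added by the receiver
    r".*?\bby\s+(?P<by_host>\S+)",     # the MTA that wrote this line
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header value into the hop it records."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("comment") or "")
    return {
        "from_host": m.group("from_host"),
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group("by_host"),
    }


def trace_hops(raw_message):
    """Return (From header, hops oldest-first). Each MTA prepends its own
    line, so the bottom-most Received: header is the earliest hop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h]
    hops.reverse()
    return str(msg["From"]), hops


def last_verifiable_hop(hops, trusted_mtas):
    """Walk from the newest line backwards while the line was written by an
    MTA we trust; the oldest such line names the IP that really connected to
    our infrastructure. Anything older came with the message and may be forged."""
    candidate = None
    for hop in reversed(hops):
        if hop["by_host"] not in trusted_mtas:
            break
        candidate = hop
    return candidate


def analyse(raw_message, trusted_mtas):
    sender, hops = trace_hops(raw_message)
    verifiable = last_verifiable_hop(hops, trusted_mtas)
    return {
        "from_header": sender,
        "claimed_origin_ip": hops[0]["from_ip"] if hops else None,
        "last_verifiable_ip": verifiable["from_ip"] if verifiable else None,
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE, TRUSTED_MTAS).items():
        print(f"{key}: {value}")
```

In the sample the claimed origin (192.0.2.99, behind the Russian relay) and the verifiable hop (203.0.113.45, the relay itself) differ, which is exactly the gap the two comments point at: the relay's country is all a filtering vendor can honestly vouch for. Mapping the verifiable IP to a country still needs WHOIS or geolocation data, and that says nothing about where the operator sits.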

Keep your eyes ON THE BALL dammit
Authored by: Anonymous on Wednesday, January 28 2004 @ 03:26 AM EST
Don't waste time on 'How could it be Linux geeks, it came from Russia' and
'There are plenty of Linuxers in Russia'. That is an argument which will make
more heat than light.

Think instead on the motivation of the Virus Authors. They want to have
thousands of Zombie machines available to do their spamming. Thus they need a
substantial Windows population. What better convergence of interest than doing
their malware, putting in references to SCO, getting Linuxers blamed, destroying
the image of Linux in the eyes of The Naive.

The Naive just say 'Oh look what those Linux geeks done! Perhaps I'll stick
with Windows after all.' This is exactly what the spammers need, to ensure a
continuing population of machines they can access illegally.

There is nothing else to say on the subject, apart from get this message out.

vl


Tin Foil Hat Time, kiddies....
Authored by: Anonymous on Wednesday, January 28 2004 @ 04:20 AM EST
Enough already with the Russia stuff....we can speculate all we want. As said, we should keep our eye on the ball.

That being said, perhaps we should concentrate on things we can actually quantify, measure and affect. I offer the following challenges to those more able than I to do this stuff, and I will try where I can. Here goes:

1) Calculate how much time elapsed between when the worm was first announced as being designed to attack SCO, and when SCO released a press statement about a $250k bounty. [Not very much time, considering the fact that I would imagine setting up a quarter million dollar bounty is no simple task from a business/accounting/legal/shareholder/investor/banking standpoint.]

2) Quantify just how much of a DDOS attack was being waged against SCO at the time of their press release when they said "are currently experiencing a DDOS". [As far as I know they would only be attacked by the rare computers that have their calendars set four or five days in advance, and others have noted that all the worm seems to do is "resolve" their website to check for an internet connection, not actually attack it.]

3) Put the message out to the media that, as linux users, we do NOT condone this action because it makes us look bad, and suggest that the SCO thing is just a scapegoat for the true intentions of the virus: backdoor hacking.

You may remove your foil hats now.

Mike A.

[ Reply to This | # ]

What is the Linux Community anyway?
Authored by: Anonymous on Wednesday, January 28 2004 @ 04:50 AM EST
With all the talk about a Linux Community member or fan being responsible for
DDOS attacks etc can someone give me a definition on what it entails to become a
community member. What rights does this give you and what are the
responsibilities? Who defines these rules? What is the difference between the
definition of 'Linux Community' and 'general population'?

[ Reply to This | # ]

Can't get head around delay in attack...
Authored by: belzecue on Wednesday, January 28 2004 @ 04:57 AM EST
Why? Why write a fast-spreading virus and then program it to sleep for a week,
knowing that virus labs around the world will have dissected the mechanics of
your payload within a few days of release? Why pull your punch and give SCO
such a big window to route around the expected DDOS?

Surely the whitehouse routing around Code Red taught virus writers that DDOSing
a victim who knows it's coming defeats the purpose?

Have virus labs got this completely wrong? Is Feb 1 NOT the scheduled date of
attack? Why is SCO getting (allegedly) DDOSed NOW, four days before the
deadline? Why are some labs now reporting that they can't trigger any SCO-DDOS
payload whatsoever? (perhaps the code uses an internet time server to
synchronize its actions? But then surely the boffins would see that when
unraveling the code??)

The seemingly illogical aspects could, of course, have perfectly normal answers.
Truth is stranger than fiction and all that. But...

One thing is for sure -- actually, two things:

* Lots more people are talking about SCO, and the press is toeing the 'SCO is
the victim of the Linux war' line.

* This latest noisy episode has, once again, temporarily overwhelmed the
investigations by PJ, Groklaw, and others of SCO's corporate malfeasance. I
(and probably you) continue to be astounded by the timing of these diversions,
and how they occur like clockwork after SCO takes a sustained beating in the
press or the stock market.

[ Reply to This | # ]

Article In The Register About SCO And The Reward
Authored by: TAZ6416 on Wednesday, January 28 2004 @ 04:58 AM EST
http://www.theregister.co.uk/content/56/35159.html

This bit struck me...

"SCO also advises anyone who notices strange executable files, possibly in
their /usr/bin directory and messages bearing the text /Copyright (C) 1989, 1991
Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA
02111-1307, USA to contact SCO directly."

What's that about?

Jonathan
~~~~~~~~
Team IFG Racing - http://www.car-care-centre.co.uk/racing.htm

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: TerryL on Wednesday, January 28 2004 @ 05:28 AM EST

Does it matter where it came from?

We can speculate all we want but that's never going to prove

  • that the writer was/wasn't a rabid Linux fundamentalist terrorist bent on destroying SCOG
  • that the writer was/wasn't working for SCOG to discredit the Linux developers and users as rabid fundamentalist terrorists bent on destroying SCOG and the freedom of people to make money
  • that the writer was/wasn't A.N.Other with other motives using the SCOG v Linux things as a diversion away from the backdoor element of the virus and so he can snigger at the fuss and trouble they caused
  • that the writer was/wasn't someone who did it just because they could, they were bored and they just bolted in a topical DDoS element and a backdoor element to show they could do those things
  • any other theory you or anyone else comes up with

What the facts are: that it's out there; that it was a criminal act; that it is distracting from the real SCOG v Linux thing; that anti-Linux groups will claim it as an example of what "bad people" Linux people are; that Linux supporters saying "serves them right", "it couldn't happen to a nicer bunch", etc. just makes us look bad and as if we support criminal activities. All of that may affect the undecided and make them step back from Linux, not want to play with "juveniles" and "criminals".

OK, it's not my place to tell anyone else how to behave, maybe I over-react, but I do think a calmer response that states that all responsible members of the "Linux community" (however you describe that), which is the vast majority

  • think that releasing viruses is a criminal act to be deplored
  • think that carrying out a DDoS attack against ANY group or individual is a criminal act and to be deplored
  • will do anything they can to assist the proper legal authorities to help track down and bring the people responsible to account
would serve the Linux community better.

I don't think saying the above should be necessary but I think it doesn't hurt to say it anyway (and mean it).

---
All comment and ideas expressed are my own and do not necessarily reflect those of any other idiot...

[ Reply to This | # ]

Waiting for Bill...
Authored by: Anonymous on Wednesday, January 28 2004 @ 05:42 AM EST
I'm just waiting for Bill to tell us how Windows is the most secure OS and that
other OS authors are complacent about security or some such crap. Bill?

[ Reply to This | # ]

Disturbing Press Release
Authored by: Anonymous on Wednesday, January 28 2004 @ 05:50 AM EST
There is this one press release which disturbs me.
http://www.f-secure.com/news/items/news_2004012700.shtml
Written by Mr. Mikko Hypponen, Director, Anti-Virus Research F-Secure
Corporation, a Finnish Anti-Virus company.
He accuses some Linux user of writing the MyDoom virus, although I don't think he (nor
anybody else right now) can prove anything about the writer or origin. And he missed
some details about the virus initially, like keylogging capabilities and
probably an SMTP spam engine, so this virus could be just another spammer tool
harvesting zombie machines while disguised as if its primary purpose were to spread
and DDoS www.sco.com.
And yes, I think every virus writer should be caught and brought to justice for
lawful punishment, which should be fines calculated by some formula like $1 *
reported infected computers... It gets into the millions quite fast.

[ Reply to This | # ]

99.9 Percent Sure
Authored by: Anonymous on Wednesday, January 28 2004 @ 07:06 AM EST
This is just another spammer intending to compromise machines, but they wanted to
tag it with something to muddy the waters - i.e. the SCO 'payload'. That's it,
end of story.

p.s. PJ - not so sure about the whole Russia thing at all but no one is right
100% of the time ;-)

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: Peter Simpson on Wednesday, January 28 2004 @ 07:12 AM EST
The SCO reference in the virus was just a "tweak". It wasn't
written by a Linux fan pissed off at SCO. Hell, it's designed to capture
keystrokes and create a zombie spam relay host. I don't know too many
mainstream Linux people, but the ones I do know aren't into credit card fraud
and spam.

The good news for RBC and Baystar, is that, given past performance, the FBI/USSS
effort to find the perpetrator will
be stunningly unsuccessful. That means their money is safe with SCO :-).

Oh...and did anyone else find SCO's offer of a reward for the apprehension of
the perpetrator reminiscent of OJ's vow to "spend the rest of his life
looking for the killer"?

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: Jude on Wednesday, January 28 2004 @ 07:40 AM EST
The apparent origin in Russia might not have any significance WRT the actual
origin of the virus. Russia might simply be the place that had the most people
who were awake at the time of the original sending.

Viruses that depend on recipients opening bogus attachments do not propagate
when the recipients are asleep in bed.

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 07:42 AM EST
I just spoke to MessageLabs and it's worth noting that even though they have
identified that the first copy was sent from Russia, that doesn't mean it actually
originated there... Doesn't seem to be any evidence that it's a Linux advocate
behind it though.

[ Reply to This | # ]

The connection to spam...
Authored by: cybervegan on Wednesday, January 28 2004 @ 07:45 AM EST
... is that the virus is a spam relay drone.

Looks like a simple 'edit job' to me, so I wouldn't be inclined to draw too
many conclusions about it.

The fact that it apparently targets SCO is an annoying aside, which just gives
SCO more ammunition.

I think the 'author' may have simply thought it would be 'funny' to target
SCO: they're not necessarily aligned any particular way wrt the SCO debacle.

I condemn this action just as much as I condemned the actions of the last SCO
DDoS'ers - it does the F/OSS community no good and provides fortuitous
publicity to SCO; They get another chance to paint themselves as the victim
again - and we all get tarred with the same brush.

Yes it's possible that the perpetrator may be a Linuxian, but just as possible
they could be Windozian or whatever - their agenda may have nothing at all to do
with anything we know or care about.

-cybervegan


---
Stand and fight we do consider
Reminded of an inner pact between us
That's seen as we go
And ride there
In motion
To fields in debts of honor
Defending

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: AtiLaw on Wednesday, January 28 2004 @ 08:12 AM EST
The virus could have come from anywhere; the hacker could have hacked a computer in
Russia, or passed the virus to a friend via ftp or instant messaging, and then they
either knowingly or unknowingly sent it out. Also, there is Kazaa to remember:
this thing copies itself into Kazaa's shared folder and is distributed that way
too!! As far as I'm aware they have only checked mail servers; maybe they should
look for the original file through Kazaa servers or something like that!?

[ Reply to This | # ]

Worm wasn't clever with its GET request - SCO may have countermeasures in place
Authored by: Anonymous on Wednesday, January 28 2004 @ 08:34 AM EST
I was surprised when the technical analyses of the new worm appeared that it just did a simple "GET / HTTP/1.1" and "Host: www.sco.com" request, which is the bare minimum you need to get a page from a Web site, but not a complete set of headers that a typical Web browser sends when it makes a page request (a better worm would simulate a referral from a Google search for SCO using IE6 as a user agent string, but I digress).

Hence, I think that Netcraft's current graph that's monitoring SCO's site is wrong because they too are doing just a simple GET/Host: request, which if you telnet to www.sco.com on port 80 and do yourself now comes back with a 403 Forbidden code (hence the red parts of the graph).

Now fire up your Web browser and you seem to be able to surf the SCO site OK (including sub-pages). I suspect they've put in a user agent or some other header check to reject the worm-style minimal requests. Note you can do "GET /" or "GET / HTTP/1.0" without a "Host:" header and have the home page served up OK! www.sco.com is, though, getting slower by the hour, simply because the number of worm requests it's fending off is increasing as more and more machines with the wrong clock times join in.

[ Reply to This | # ]
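The header check the comment above suspects, written out as an added example (a hypothetical reconstruction, not SCO's or Netcraft's code): an HTTP/1.1 request whose only header is Host is refused with 403, while a bare `GET /`, a `GET / HTTP/1.0` without Host, and a full browser request are served. The 400 for an HTTP/1.1 request with no Host header is my addition and follows RFC 2616; the sample requests are constructed. The caveat the comment raises falls out directly: a monitoring probe that sends the same minimal request is indistinguishable from the worm under this rule and will see 403 too.

```python
"""Hypothetical reconstruction (added example) of a header check that
rejects the worm's minimal 'GET / HTTP/1.1' + 'Host:' request while still
serving browsers, bare 'GET /' and 'GET / HTTP/1.0'.  Not SCO's code."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    version: str                     # "HTTP/0.9" for a bare "GET /" line
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of one raw HTTP request."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) == 2:              # HTTP/0.9 simple request: no version token
        method, target, version = parts[0], parts[1], "HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
    else:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def decide(req: Request) -> int:
    """HTTP status this filter would answer with."""
    if req.version == "HTTP/1.1" and "host" not in req.headers:
        return 400                   # RFC 2616: Host is mandatory on HTTP/1.1
    if req.version == "HTTP/1.1" and set(req.headers) == {"host"}:
        return 403                   # the worm's exact shape: Host and nothing else
    return 200


# Constructed sample requests, one per case the comment above describes.
WORM_REQUEST = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
BARE_REQUEST = b"GET /\r\n\r\n"
HTTP10_REQUEST = b"GET / HTTP/1.0\r\n\r\n"
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                   b"Accept: text/html,*/*\r\nAccept-Language: en-us\r\n\r\n")


def triage(raw_requests):
    """Map each raw request to the status the filter would return."""
    return [decide(parse_request(r)) for r in raw_requests]


if __name__ == "__main__":
    for raw in (WORM_REQUEST, BARE_REQUEST, HTTP10_REQUEST, BROWSER_REQUEST):
        print(decide(parse_request(raw)), raw.split(b"\r\n", 1)[0].decode())
```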

Educate your users.
Authored by: Nick_UK on Wednesday, January 28 2004 @ 08:40 AM EST
Well, here is the mail I sent out to all my users this morning - I wanted to
ensure that they know the truth about the news reports - I suggest all that are
in a position to do so to inform their ignorant masses also.

===========================================================

Dear all,

As you may be aware (or not!) there is a new windows virus propagating over the
Internet (became apparent in the early hours of 26th Jan, 2004).

For me, this one is interesting as it does not utilize any of the known security
holes in the Windows operating system (as did Nimda, Nachia, Klez), but has
spread at an alarming rate all through people willingly running the attachment
in the e-mail!!!!

Here are the brief details:

http://www.sophos.com/virusinfo/analyses/w32mydooma.html

*NOTE* - XXXXXXX mail filters remove these attachments as the mail passes
through the system.

So, I remind you all again:

If you receive any e-mail that raises doubt, carries an attachment with
instructions to open it, and for any pretence and purpose makes you curious as
to what it is --------> STOP!! Just think and delete it. If it is
legitimate it can easily be sent again.

Curiosity killed the cat!!!

Remember also, that these infected e-mails spoof 'sender' addresses, so even
if it appears to come from a legitimate source, IT MAY NOT.

As I had said before during the Melissa virus, treat every e-mail as 'guilty'
unless proven otherwise.


One more word on this. There are several news reports saying that this latest
virus was coded by the Linux community to seek revenge against the USA Company
SCO for ongoing legal disputes against IBM, Novell, Redhat and various other
Linux open source vendors.

As an active member of the Linux community, and an advocate of the Linux OS, I
can tell you this is utter nonsense, and should be disregarded. The virus
originated in Russia, and more than likely was created by the usual bored
teenager with nothing better to do.

============================================================

Nick

[ Reply to This | # ]

BBC report on SCO's $250K offer
Authored by: jmc on Wednesday, January 28 2004 @ 09:14 AM EST

http://news.bbc.co.uk/1/hi/technology/3436835.stm

Funny how their anti-virus advice never reads "Avoid M$ Windows" OR (all that lot).

Also backup of important files is a good idea whatever OS you're using and whether viruses (ii?) affect them or not isn't it? (Says he who's learned the hard way more often than he cares to admit....)

Can us Groklaw folk get together and track down the source - just imagine the immense pleasure it would give SCO to hand over $250K to PJ!!!

[ Reply to This | # ]

More completely unfounded speculation from me...
Authored by: Jude on Wednesday, January 28 2004 @ 09:17 AM EST
I have read reports that this virus does resolve the name www.sco.com, but does
not do anything with the IP address it gets. I.e., it only gives a superficial
appearance of being written to attack SCO, but doesn't really carry out the
attack.

Wouldn't it be a hoot if this proved to be the case, and SCO's website went
down anyway? That would be a massive black eye for SCO's PR efforts, because
it would show the world that SCO really was faking an "attack" by
manipulating their server(s).

[ Reply to This | # ]

Some "gift for the obvious" facts...
Authored by: T. ProphetLactus on Wednesday, January 28 2004 @ 09:31 AM EST
1. NO ONE knows who wrote/adapted this virus as yet.
2. Spammers are using very skilled 'black hat' rogue coders.
3. Spammers are internationally based and trade in misdirection to do fraudulent
business.
4. Keystroke loggers and backdoors are not the tools of OSS philosophical
advocates.
5. SCOG has damaged their own credibility to the point that nothing they can
be accused of is beyond belief.
6. The inclusion of the "SCO" code in this virus is an opportunistic
device to slur the Linux community (who are proven threats to the 'spam
industry') while the real purpose of the virus payload seems to be gaining
0wn3d boxes to use as spam relays and the keystroke logging of passwords and
credit card numbers for criminal activity. The true motivation of the coder who
set this up can be inferred from this aspect of the payload.

TPL

"Your shopping cart STILL contains [0] copyrights"

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 09:42 AM EST
in communist russia,

the virii write you.

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: TerryL on Wednesday, January 28 2004 @ 11:02 AM EST
I'm in the UK too - but the threat (implied) by their announcements still
affects Linux and people who support Linux. "No smoke without fire",
some will say, add claims that "Linux supporters resort to criminal
activities" and you've got some people who may never have heard of Linux
before, and maybe some who were thinking about trying it, starting to think of
it in negative terms.

It's what upsets me most. In pub with a bunch of mates it's fun to speculate
and make silly comments and poke fun at the "opposition".
Unfortunately a pub is a public place (like the pages of Groklaw) and there may
be others listening in who aren't part of the "in group" just
messing about and having fun, who may take what they overhear as serious
comment. Then is when a "bit of harmless fun" turns into a liability
that can tarnish the group's reputation unintentionally.

I actually think the strength of Groklaw is the vast amount of research and
material it has found and made public (should any journalist want to use it to do
an in-depth feature on the whole sorry mess) and the analysis of the court
proceedings and documents and all the history gathered together in a single
site. It's brilliant, I am amazed that so much can and has been done by PJ and
her diverse and dispersed band. It would be a shame to take the edge off all
that by accident and a few casual and joke comments that others can (and will)
take out of context and quote to suit their agendas.


---
All comment and ideas expressed are my own and do not necessarily reflect those
of any other idiot...

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: blacklight on Wednesday, January 28 2004 @ 11:14 AM EST
The Linux enthusiast who creates the type of worm that collects credit card
numbers and other confidential information must be a pretty unusual Linux
enthusiast. In fact, he would be considered part of the Linux community only if
the Linux community tolerates crooks - and I know that as a community, we have
zero tolerance for crooks, spammers and other distinguished denizens of the
underbellies of our societies. The Open Source movement was created to fight
exploitation of end users, and I just don't see how coddling exploiters such as
crooks logically fits in with the Open Source movement's mission.

[ Reply to This | # ]

Virus Came From Russia, Says MessageLabs
Authored by: Anonymous on Wednesday, January 28 2004 @ 11:22 AM EST

... and so does about 75% of the spam that I receive. (Unless the Nigerian scammers have switched en masse to using a Cyrillic character set.)

[ Reply to This | # ]

Has anybody tested the SCO-DDOS capabilities yet
Authored by: Anonymous on Wednesday, January 28 2004 @ 11:23 AM EST
As you may read on http://www.math.org.il/newworm-digest1.txt, there is a quite interesting remark at the bottom of the page:

D'Aloisio Marc observed some things about the DoS attack, and raised some preliminary questions:

-----
Has anyone seen the DOS against SCO actually happen? I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis and the only activity I can get it to perform related to www.sco.com is to resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these. In fact, right now it's trying to resolve 'mx.makewin.rsp'. 'Makewin.rsp' is a file referenced in the help files of my DigitalMars C++ compiler on a test machine, so it's not a very smart worm. The worm also seems to like to increment the third octet of the host IP by one and syn to port 25 of that address over and over and over... I have played with the date, etc, but still no activity directed toward www.sco.com. It did die after 12 February, but gladly resurrected when the date was set back prior to that.

I haven't had time to go through a code analysis - that will come later as time permits.
-----

I am wondering if SCO is fighting against an attack that will never happen.

    [ Reply to This | # ]
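The behaviour the quoted analysis describes (repeated SYNs to port 25 of the host's own address with the third octet incremented by one, and lookups of guessed mail hosts such as mx.makewin.rsp built from strings found in local files) can be turned into detection logic over ordinary connection and resolver logs. This is an added example, not the analyst's or the page's code; the log format, the assumption that the fourth octet is kept, and the 'mx.'/'mail.' guessing prefixes are mine, and the sample log lines are constructed.

```python
"""Detection logic (added example) for the worm behaviour described in the
quoted analysis.  Assumptions, all mine: the scan keeps the host's fourth
octet and only bumps the third; guessed mail-host names start with 'mx.' or
'mail.'; the key=value log format below is constructed for this example."""
import ipaddress
import re
from collections import Counter, defaultdict

CONN_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")
DNS_RE = re.compile(r"src=(\S+) qtype=(\w+) qname=(\S+)")
GUESS_PREFIXES = ("mx.", "mail.")     # assumed mail-host guessing pattern

# Constructed firewall-style connection log, one line per packet.
SAMPLE_CONN = [
    "2004-01-28 11:23:01 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:02 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:03 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:04 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:05 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:06 src=10.0.5.17 dst=10.0.6.17 dport=25 flags=S",
    "2004-01-28 11:23:07 src=10.0.5.17 dst=10.0.5.20 dport=25 flags=S",  # same net, ignored
    "2004-01-28 11:23:08 src=10.0.5.30 dst=10.0.6.30 dport=25 flags=S",  # one SYN: normal mail
    "2004-01-28 11:23:09 src=10.0.5.30 dst=10.0.6.30 dport=80 flags=S",
]

# Constructed resolver query log.
SAMPLE_DNS = [
    "2004-01-28 11:23:01 src=10.0.5.17 qtype=A qname=www.sco.com",
    "2004-01-28 11:23:02 src=10.0.5.17 qtype=A qname=mx.makewin.rsp",
    "2004-01-28 11:23:03 src=10.0.5.17 qtype=A qname=mx.readme.txt",
    "2004-01-28 11:23:04 src=10.0.5.17 qtype=A qname=mail.index.html",
    "2004-01-28 11:23:05 src=10.0.5.17 qtype=A qname=mx.makewin.rsp",
    "2004-01-28 11:23:06 src=10.0.5.30 qtype=A qname=mx.example.com",
]


def is_third_octet_successor(src: str, dst: str) -> bool:
    """True if dst is src with the third octet incremented by one (wrapping at 255)."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    return s[:2] == d[:2] and d[2] == (s[2] + 1) % 256 and s[3] == d[3]


def find_smtp_sweeps(conn_lines, threshold=5):
    """Sources that SYN to port 25 of their third-octet successor >= threshold times."""
    hits = Counter()
    for line in conn_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, dport, flags = m.groups()
        if dport == "25" and flags == "S" and is_third_octet_successor(src, dst):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


def find_mx_guessing(dns_lines, threshold=3):
    """Sources that resolve >= threshold distinct guessed mail-host names."""
    guesses = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        src, qtype, qname = m.groups()
        name = qname.lower().rstrip(".")
        if qtype.upper() == "A" and name.startswith(GUESS_PREFIXES):
            guesses[src].add(name)
    return {src: len(names) for src, names in guesses.items() if len(names) >= threshold}


if __name__ == "__main__":
    print("port-25 sweepers:", find_smtp_sweeps(SAMPLE_CONN))
    print("mail-host guessers:", find_mx_guessing(SAMPLE_DNS))
```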

    Virus Came From Russia, Says MessageLabs
    Authored by: blacklight on Wednesday, January 28 2004 @ 11:29 AM EST
    As for waiting for a SCO Group's apology: (1) I am not holding my breath; (2) I
    accept apologies only from those I respect and since I have nothing but contempt
    for the SCO Group's top management, they don't need to waste their breath
    apologizing to me.

    [ Reply to This | # ]

    Russia is not interested in the SCO case???
    Authored by: dcs on Wednesday, January 28 2004 @ 12:07 PM EST
    How come? Every linuxen worth his salt KNOWS that the SCO case won't affect
    ANYONE, because SCO won't win.

    Still, it seems linuxen all over USA are pretty much upset. And that's because
    SCO is claiming their work for itself, out of corporate greed, no less. This is
    no less insulting to Russian linuxen than it is to American linuxen, so the
    virus coming out of Russia holds little water, IMHO.


    ---
    Daniel C. Sobral

    [ Reply to This | # ]

    The really important thing
    Authored by: Anonymous on Wednesday, January 28 2004 @ 12:22 PM EST
    Are we getting too overly worked up with conspiracy theories, and the like, and
    forgetting the really important things of this virus :

    1. It was setup to do spamming
    2. It has keylogging capabilities and looks for credit card information, etc.
    3. It only does superficial name resolve to SCO.
    4. It is a Windows virus.

    I think if we highlight these to the journalists politely, they will quickly get
    the idea that it really has nothing to do with SCO or Linux. Whether that author
    is a Linux author or not is not the issue at all. It is just a criminal activity
    doing spamming and credit card information stealing. I believe this is way way
    more effective than jumping up and down and demanding this apology and that. Let
    them have egg on their own face (thrown by themselves in fact).

    [ Reply to This | # ]

    LA Times Speculates
    Authored by: red floyd on Wednesday, January 28 2004 @ 12:25 PM EST
    The Los Angeles Times speculates "Is Virus the Work of Linux Lovers?" [warning - sacrifice of firstborn required for registration].

    Now because of these idiots we're getting a black eye in the mainstream media.

    ---
    The only reason we retain the rights we have is because people *JUST LIKE US* died to preserve those rights.

    [ Reply to This | # ]

    Some thoughts
    Authored by: Captain on Wednesday, January 28 2004 @ 12:34 PM EST
    This seems to be the best thing to happen to SCO in these circumstances. Some
    sources are already calling this the biggest Windows worm in history.

    At the same time, SCO has already been given a delay in producing e-mail
    evidence about their executives that were on holiday at Christmas time. Could
    they claim that they STILL cannot produce that evidence because their mailserver
    was down, due to the virus?

    What's in the e-mail evidence? Is it something SCO could be afraid of? Are they
    actively sifting through and deleting e-mails, before the hearing? What could
    happen next? Tune in next week. Same Grok time, same Grok channel...

    Very unlikely, highly speculative, I admit, but worth mentioning I guess.

    [ Reply to This | # ]

    OT: Weirder and Weirder
    Authored by: leguirerj on Wednesday, January 28 2004 @ 12:35 PM EST
    This is refreshing opinion from Frank Hayes at computerworld.

    http://computerworld.com/governmenttopics/government/legalissues/story/0,10801,89342,00.html

    [ Reply to This | # ]

    Virus Came From Russia, Says MessageLabs
    Authored by: Azmodan on Wednesday, January 28 2004 @ 12:45 PM EST
    I just read an interesting theory on a forum. Maybe the virus didn't come from
    a spammer, Microsoft, SCO or anybody that seems to have a reason to target SCO.

    Maybe it is just from an ordinary virus writer (the typical moron that writes
    viruses for fun). After all, a virus writer wants to get noticed. What is a
    better way to get noticed than to write a virus that targets a company that loves to
    make press declarations about such things?

    ---
    SCO : Proving again and again that human stupidity truly is infinite.

    [ Reply to This | # ]

    The most reliable and reasonable reason for the virus
    Authored by: Turing_Machine on Wednesday, January 28 2004 @ 01:10 PM EST
    1. The virus has a keylogger for capturing cc#'s, passwords, etc.
    2. The virus sends spam for a herbal Viagra company
    3. The virus does a DDoS against SCO.

    Using the above conditions, I think the virus writer was very aware of what they
    were doing.

    The first two are ways of generating income.

    The third is a way to try to guarantee that those methods of generation are
    continued.

    Every virus that attacks a MS operating system (the vast majority) obviously
    depends on the continued widespread use of these highly vulnerable systems. To
    keep the impression of Linux as a "hacker" (cracker) type of system,
    and to add doubt to the current legal proceedings, by attacking SCO, the income
    stream is less threatened, since many will still fear the more secure systems as
    something "evil."

    Attacking SCO is simply a round-about way to keep current MS users from changing
    to a more secure system, keeping the potential infection population high.

    The funny thing is that the mainstream press has absolutely bought the company
    line, forgetting that it was a highly suspect MS programming structure that led
    to the ability for this virus writer to have such an effect.

    If stolen financial information and the selling of questionable herbal
    supplements was my source of income, I would think this attack was very
    fortunate for my financial future, since it prolongs the status-quo, which had
    been threatened by the more secure and less susceptible Linux OS.

    my $.02

    ---
    No, I'm not interested in developing a powerful brain. All I'm after is just a
    mediocre brain, something like the President of the AT&T --Alan Turing

    [ Reply to This | # ]

    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 01:31 PM EST
    There is a report (link on meerkat) of a variant that
    targets www.microsoft.com instead of sco, spotted in the wild
    by the virus (or is that anti-virus) companies.

    [ Reply to This | # ]

    PJ Please stop this whole thread right here
    Authored by: Anonymous on Wednesday, January 28 2004 @ 01:34 PM EST

    PJ Please stop the "Virus Came From Russia, Says
    MessageLabs" thread right here.

    In "The most reliable and reasonable reason for the
    virus", Turing_machine has hit the nail on the head.

    Usually the debate is worthwhile, but on this one, I am
    sorry to say that the majority are doing headless chicken
    impressions.

    Until Turing_machine's analysis [shared a few more earlier
    up the page] is really listened to, and evaluated and
    accepted here as the real truth, we are not able to put it
    out to the wider world as the truth. The 'democracy' here
    is actually allowing us to drivel on against our best
    interests.

    SO [shouting] PEOPLE, PLEASE TAKE NOTE. If you disagree
    with Turing_machine's line of reasoning, fine. But if you
    don't understand it, stop until you do. And if you do,
    then say so on that thread.

    But please stop the babble over 'would a linuxer do that?'
    'did it come from russia?' 'did SCO do it?'. The truth is
    out there and Turing_machine has brought it to you.

    [ Reply to This | # ]

    Not a DDOS Attack!
    Authored by: Anonymous on Wednesday, January 28 2004 @ 01:36 PM EST
    According to an analysis of the worm, it may not even be a DDOS attack!

    "I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis and the only activity I can get it to perform related to www.sco.com is to resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these. In fact, right now it's trying to resolve 'mx.makewin.rsp'. 'Makewin.rsp' is a file referenced in the help files of my DigitalMars C++ compiler on a test machine, so it's not a very smart worm. The worm also seems to like to increment the third octet of the host IP by one and syn to port 25 of that address over and over and over... I have played with the date, etc, but still no activity directed toward www.sco.com. It did die after 12 February, but gladly resurrected when the date was set back prior to that.

    I haven't had time to go through a code analysis - that will come later as time permits."

    [ Reply to This | # ]

    Another scary one in IE
    Authored by: Anonymous on Wednesday, January 28 2004 @ 01:38 PM EST
    Infoworld has another story about a big hole in Internet Explorer that has been reported since 2001 and suggests that Microsoft doesn't know how to fix it. This big hole has the potential for a huge problem.

    [ Reply to This | # ]

    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 02:12 PM EST
    "It appears somebody needs to apologize to somebody for leaping to ugly
    conclusions about the Linux community."

    Perhaps, but don't hold your breath waiting! Remember the adage "Never
    try to teach a pig to sing. It can't be done and only annoys the
    pig."

    The same holds true for asking the pig to apologize.

    [ Reply to This | # ]

    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 02:33 PM EST
    "That pretty much rules out any Linux enthusiast trying to get back at SCO, as far as I can see. Nobody in Russia cares about a legal case in the US that won't affect them one bit."

    Why does this rule out anyone in the Linux community? From what I see and read from some zealots, this is exactly the kind of thing someone would do if they thought they were saving Linux from the Evil SCO Empire.

    "It looks like spammers and worse trying to shift the blame to cover the other ugly things this virus does, because it tries to install a key logger to get your credit card and other such details, according to Symantec, something no Linux person has ever been involved in to the best of my knowledge."

    Is it so far fetched to imagine someone throwing in the key logger to make people think it's spammers and NOT someone from the Linux community? How many times have you heard "Oh, he was such a nice man. I can't believe he would do something like this" when someone is arrested for chopping up his family with an ax? Just because you don't know of any Linux folks that would do something like this doesn't mean that one didn't. To be fair, it doesn't mean one did. But with the current information available, it would be rash to rule anything out at this point.


    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 02:41 PM EST
    This is either of SCO origin, or an international SCO contact started something
    from afar; under SCO instructions.
    SCO might even have insider(backdoor) information from Microsoft officials on
    what would be the best vulnerability to exploit so as to construct the
    particular virus.

    For Msoft there is more benefit to see SCO inflict damage on linux than to have
    one more virus in its history of vulnerabilities.

    This particular angle needs to be investigated exhaustively.

    P.S. Don't listen to those telling you about "tin foil" hats.
    THIS is the beginning of the thread.


    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 05:28 PM EST
    http://money.cnn.com/2004/01/27/technology/techinvestor/lamonica/

    Here's a pretty good, pretty unbiased, article from CNN, that mentions MyDoom,
    the lawsuits, and the "pump and squeeze" (although the author
    describes it as bidding up shares)

    Over all I'd say it's a decent unbiased piece. If you have a minute, give it
    a read.

    TBONEZ


    Virus Came From Russia, Says MessageLabs
    Authored by: sa on Wednesday, January 28 2004 @ 05:33 PM EST
    www.sco.com seems to have come alive again.

    Bearing in mind that the virus allegedly doesn't activate until 1st Feb, maybe
    SCO took the site down for maintenance.

    Conspiracy theorists might think that the website was deliberately slowed down
    by SCO to coincide with their stock market announcement this afternoon.


    New version of MyDOOM...
    Authored by: Anonymous on Wednesday, January 28 2004 @ 05:52 PM EST
    From Computerworld - Looks like M$ is the new target.

    JANUARY 28, 2004 ( COMPUTERWORLD ) - A new variant of the Mydoom.a (Novarg.a)
    worm, which has been spreading swiftly across the Internet since Monday, emerged
    today, according to London-based security vendor Mi2g Ltd.
    The variant, Mydoom.b, has a larger payload and targets Microsoft’s Web site for
    a distributed denial-of-service attack on Feb. 1, instead of The SCO Group
    Inc.’s Web site, which was targeted by the first version, Mi2g said in a
    statement. Mi2g pointed to minor changes to the text padding in the malware and
    said it’s possible that Mydoom.b is being disseminated via infected computers
    turned into zombie machines by Mydoom.a, as well as the Kazaa file-sharing
    system.

    If so, “this could turn the whole Mydoom episode into a much more adverse series
    of unfortunate events,” Mi2g said.


    Atlanta Journal-Constitution Talks Some Sense
    Authored by: TAZ6416 on Wednesday, January 28 2004 @ 06:20 PM EST
    http://www.ajc.com/business/content/business/0104/28worm.html

    "Experts say the creation of MyDoom was almost certainly funded by e-mail
    spammers. The worm takes possession of a computer -- either at a home or one
    used in business -- and turns the machine into a remotely controlled robot
    programmed to send spam e-mail messages."


    Jonathan
    ~~~~~~~~
    Team IFG Racing - http://www.car-care-centre.co.uk/racing.htm


    Virus Came From Russia, Says MessageLabs
    Authored by: Anonymous on Wednesday, January 28 2004 @ 06:44 PM EST
    MessageLabs has announced that the MyDoom virus originated in Russia. That pretty much rules out any Linux enthusiast trying to get back at SCO, as far as I can see. Nobody in Russia cares about a legal case in the US that won't affect them one bit. It looks like spammers and worse trying to shift the blame...

    What? LOL, talk about trying to shift the blame.


    Port scans from Korea, China
    Authored by: sanoke on Wednesday, January 28 2004 @ 07:15 PM EST
    Just to add a little more to the conspiracy theory, I have been looking at my
    firewall log file and I'm seeing a number of port scans on port 3127. This is
    the port that has been identified as the backdoor installed by Novarg/MyDoom
    virus (http://isc.incidents.org). In tracing the IP addresses back through
    http://www.arin.net, I find that most of them are coming from Korea. There were
    also some from China but the majority of them are from Korea. Someone would have
    to know about the port to look for it so I would guess they would be pretty
    close to whoever wrote the virus. Then again, these could just be hijacked
    machines being used for anywhere in the world so being in Korea or China may not
    mean anything. Just thought I'd share what I've found.


    It's Probably Spammers
    Authored by: Tsu Dho Nimh on Wednesday, January 28 2004 @ 07:30 PM EST
    From the Virus Definition:
    "The worm (this functionality is in the dropped DLL) opens a connection on
    TCP port 3127 (if that fails it opens next available port up to port 3198). The
    worm can accept specially crafted TCP transmissions. On receipt of one kind of
    such a transmission it will save the embedded binary into a temporary file and
    execute it. Then the temporary file is deleted.
    On receipt of another kind it can relay TCP packets thus providing IP spoofing
    capabilities (possibly to facilitate SPAM distribution)"

    Considering the backdoors it opens, my guess would be that it's just a spammer
    creating a supply of zombie machines.

    The purported SCO DDOS (or the Microsoft DDOS of the next variant) is merely
    camouflage for the real purpose, which is sending spam through the victim's
    computer so as to avoid filters.

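    The backdoor port range quoted in the virus definition above (TCP 3127, falling back to the next free port up to 3198), together with the port-3127 scans noted in the firewall-log post a few comments up, suggests a simple check a defender can run over their own logs. This is an added example, not code from any poster or vendor; the iptables-style log format, the sample lines and the addresses are constructed.

```python
# Added example (not from the Groklaw thread): flag hosts sweeping the
# MyDoom/Novarg backdoor port range in a firewall log. Log format below is a
# constructed, simplified iptables/netfilter style; the port range comes from
# the quoted virus definition (TCP 3127, falling back up to 3198).
import re
from collections import defaultdict

BACKDOOR_PORT_LOW = 3127   # first port the dropped DLL listens on
BACKDOOR_PORT_HIGH = 3198  # last fallback port if earlier ones are taken

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 28 19:02:11 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4411 DPT=3127 SYN
Jan 28 19:02:12 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4412 DPT=3127 SYN
Jan 28 19:02:13 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4413 DPT=3128 SYN
Jan 28 19:03:40 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=80 SYN
Jan 28 19:04:02 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=3198 SYN
Jan 28 19:04:05 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=3321 DPT=3127
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is not a packet log."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))

def is_backdoor_probe(proto, dport):
    """True for TCP traffic aimed at the worm's listener range; UDP is ignored."""
    return proto == "TCP" and BACKDOOR_PORT_LOW <= dport <= BACKDOOR_PORT_HIGH

def find_probing_hosts(log_text, min_targets=2):
    """Return {src: sorted (dst, dport) pairs} for sources hitting the
    backdoor range on at least min_targets distinct host/port pairs.
    One hit may be noise; several across hosts looks like a sweep for
    already-infected machines."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if is_backdoor_probe(proto, dport):
            hits[src].add((dst, dport))
    return {s: sorted(t) for s, t in hits.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{src} swept {len(targets)} host/port pairs: {targets}")
```

    A source seen once in the range is reported only when min_targets is lowered to 1, which keeps a single stray connection from being mistaken for a sweep.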

    Interesting idea found on slashdot
    Authored by: Mark_Edwards on Wednesday, January 28 2004 @ 07:49 PM EST
    Just looking at some of the posts on slashdot and came
    across this. Sounds like a good idea if ibm/redhat/novell did
    this to semi counteract the SCO FUD of $250k reward?!?

    -------------------------
    Re:Off Track (Score:2)
    by vanyel (28049) * on Thursday January 29, @12:00AM
    (#8118917)
    (Last Journal: Thursday August 28, @07:54PM)


    I certainly hope the author wasn't a Linux zealot trying
    to harm SCO.

    Indeed. Personally, I think the Open Source community
    should set up a fund to add to the reward SCO is offering
    because of the black eye it gives the community if he
    was.


    Razorpoint sez 'Hacktivists' dunnit
    Authored by: Anonymous on Wednesday, January 28 2004 @ 08:10 PM EST
    According to a UPI story, Gary Morse, president of Razorpoint Security Technology, blames 'hacktivists':

    "This worm appears to be a form of hacktivism," Gary Morse, president of Razorpoint Security Technology, a computer consultancy in New York City, told UPI. "It is only infecting machines that are running Windows as their operating system, not those that are running the Mac operating system or the Solaris operating system."

    [...]

    "It appears to run through a user's address book and then propagate itself as widely as possible," Morse said. "It makes your machine into a zombie (that) can be controlled by the hacktivists."

    "They have their own flavor of Unix," an operating system for technical computing projects, Morse said. "They are embattled with IBM and Red Hat and Novell in a fight over intellectual property rights for the software. This has set off discussions on Web boards around the world. And it appears that someone who does not like where SCO stands has taken matters into their own hands."

    This is all part of the global, ideological war online between the backers of the free operating system Linux, a version of Unix, and the supporters of the industry standard, Microsoft Windows, Morse said.

    [...]

    "There's not too much genius here," Morse said. "They used a common worm shell we've seen before to effect vulnerability in a Windows machine. But the real payload is staying dormant for the future attack."

    Pravda according to Gary Morse, president of Razorpoint Security Technology.


    Chris Belthoff, FUD machine
    Authored by: Tim Ransom on Wednesday, January 28 2004 @ 09:10 PM EST
    Who the hell are Sophos, and why does this Chris Belthoff guy keep getting his asinine FUD quoted on CNN?

    This is the second time I've seen him quoted on CNN today.

    From here:

    'Chris Belthoff, senior security analyst with privately held anti-software firm Sophos, said that it looks like the main intention of MyDoom is to launch a denial of service attack against the Web site of SCO Group. "This appears to be a facet of the Linux war," said Belthoff. "This is the first time we've seen a virus or malicious code used in this legal battle."

    And, earlier:
    '"The MyDoom worm takes the Linux Wars to a new intensity," said Chris Belthoff, an analyst for anti-virus firm Sophos. "It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."'

    I get the impression this clown patented the term 'Linux War' last week, and wants it promulgated as much as possible.

    Thanks again,


    LA Times front page: "Is Virus the Work of Linux Lovers?"
    Authored by: seantellis on Wednesday, January 28 2004 @ 09:20 PM EST
    The LA Times today, Business section, has a story about the virus. Full text on
    their website requires registration, but there are a few noteworthy quotes that
    are short enough to type in...

    "The virus infects machines running most versions of the Windows operating
    system made by Microsoft, which pledged Tuesday to keep security spending the
    top priority in its $6.8-billion annual research and development budget."

    I find this emphasis a bit strange; it is longstanding security flaws which
    allowed this virus to propagate as it did. That's a bit of an aside though.

    The final quote was the strangest:

    "... Eric Raymond, a leader of the Linux movement, said SCO's suspicions
    were misplaced. 'If one of our guys had written it,' he said, 'the thing
    would have been much harder to track and much more devastating.'"

    No doubt this was a partial quote, but the clear impression one would take away
    from this article is that this is almost certainly the work of Linux zealots,
    who are in the business of writing viruses that are devastating and hard to
    track.

    In fact, nothing could be further from the truth. Although it is impossible to
    absolutely assert anything about such a diffuse bunch of people, the vast
    majority of FOSS developers hate this kind of thing, which is why their products
    are often more secure and better protected than the proprietary alternatives.

    Although this doesn't give any new solid information, the clear anti-Linux
    impression that this article gives, based on nothing more than mere speculation,
    is noteworthy in itself.

    ---
    Sean Ellis (sellis@geo-removethis-cities.com)


    Knoppix Rules demos
    Authored by: Sunny Penguin on Wednesday, January 28 2004 @ 10:56 PM EST
    The www.knoppix.com website has the cure for your Windows friends. Remember Friends don't let friends drive Windows....

    A bootable Linux KDE/Gnome CD desktop, that does not have to be installed. (But can install if wanted)

    Knoppix Rocks

    Ibiblio.org's Knoppix FTP site

    ---
    Litigation is no substitute for Innovation.
    Say No to SCO.
    IMHO IANAL


    Virus Came From Russia, Says MessageLabs
    Authored by: LionKuntz on Thursday, January 29 2004 @ 04:42 PM EST
    Russian computers have so many trojans that they are easily used to erase the
    origin of actual malicious code. The fact that a bug propagates widely in Russia
    first, before globalizing, merely reflects this fact of life.

    It is ignorant to make any speculations about any source of malicious cyberwares
    in this world. Nothing can ever be proved, except the bottom 2% of clumsy
    authors shooting themselves in the foot with Darwin Award feats of
    self-destruction.

    Pure waste of bandwidth, to even discuss it.


    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License. ( Details )