Paul Couture has graciously agreed to write an article for Groklaw on MyDoom. I found him when I was reading about MyDoom on Slashdot for the story I did about the crank calls, and I noted a comment from someone who seemed knowledgeable about protecting companies from such things, who said that he dealt with such issues on a daily basis in connection with his work, and that in his opinion, this had all the earmarks of professional spammers, not a Linux enthusiast. How, he wondered, could the media get this so wrong? So I contacted him, after researching a little about him and his work (he did computer work for six years for the US Air Force and now works in network support and does web design). I asked him to explain a bit about MyDoom and why he is convinced from the way MyDoom was written that it is professional spammers. SCO isn't the main target, in his opinion.
He isn't alone in that opinion, by the way. Did you know that MyDoom will attack Kazaa next? It seems MyDoom will create worm-laden copies of entertainment software after the attack on SCO.
Here's information on this angle: "After the planned assault on licensing company SCO, other coming MyDoom backdoor attacks will target users of the Kazaa peer-to-peer file sharing network by creating worm-laden copies of popular entertainment software swapped over Kazaa like the Winamp music player and the game Nuke2004. When run, these generate new floods of MyDoom e-mail."
The Independent also has a very thorough report, and a number of experts confirm that this looks like the work of criminals known to do this sort of thing. Here's a snip or two to give you an idea: But to security experts, MyDoom marked a serious step up in the evolution of the virus because it had all the fingerprints of organised crime. MyDoom did not just email itself to addresses found in the files of any computer it infected. It also installed a "back door" that would let hackers control your machine remotely; it installed "keylogging" software that would silently note every keypress, including bank passwords and credit card numbers when you used web pages; and it could direct a deadly attack on a particular website belonging to a software company called SCO.
It seems the purpose of the backdoor is often to threaten the company: pay a ransom or it will happen again. Such threats did happen just before the Super Bowl to gambling sites: Couldn't MyDoom just be an annoyed Linux programmer's revenge? It is possible, but unlikely when you view it in the context of other well-organised online crime. A week ago, as the American Super Bowl was ramping up, the owners of online gambling sites were nervously staring at their screens, waiting to see if they would be hit by a DDOS that would make them disappear from the internet, just at the time they would want to be open and ready for gambling fans.
Before the game started, Ido Raviv, the manager of Netgames in Belize, which runs the Yahoops.com online sports book, said: "I expect that on Sunday, during the Super Bowl, you're going to see a lot of [sports betting] websites down. I know it for a fact. Everybody's scared." They were right to be. Though Riverhead Networks, a company which offers entirely legal network protection against DDOS onslaughts, was able to fend off a number of attacks against gaming sites which began on Friday and continued through the weekend, far more sites were not so lucky. They were disabled. "DDOS attacks are becoming a significant and growing threat to online enterprises, government agencies and providers of all sizes," said Steve Woo, who is in charge of business development at Riverhead.
Of course, the ransom demand could be "drop the lawsuit" instead of money, they acknowledge, but even then, they conclude, the demand wouldn't be from anybody but a well-organized criminal gang. The sophistication of the code and the general MO points to that conclusion. There is also a box at the end of the article, listing things to look for on your Windows computer that would indicate your computer is compromised.
So there is more to this story than SCO. In fact, SCO doesn't seem to be the primary target after all. With that background, here is the article by Paul Couture. (For those interested in the what-has-happened-to-journalism topic, here is a related article on that very subject in Online Journalism Review.)
***************************************************************
Whatever Happened to Investigative Journalism?
~by Paul Couture
After making a post on /. a few days ago regarding the Mydoom.a virus
and the now infamous media stories from authors that were apparently
easily duped by a secondary exploit that the worm carried out, I was
shocked to find a request from our own beloved hero, Pamela Jones, in my
inbox requesting that I expand a bit on some of the points in the post
for the loyal readers (and those of you just stopping by) here at
Groklaw. I couldn't resist the opportunity.
First off, let me tell you a bit about myself. One of the things I find unnerving about "Internet Media" is the fact that you often know little about the source of information, so I'll do my best to explain why I feel qualified to make the comments I will be making.
To begin with, I love computers, all computers, always have - almost as far back as I can remember. My first computer was a Commodore Vic-20 and I was lucky enough to get it at the tender young age of eight, and I was a published programmer not long after. I helped to set up and run one of the first BBSs in the Southeastern United States, and learned all I could about making these wonderful new tools do the things I wanted them to do. Since those early days I have tried to remain active with computing because it has always been one of my true loves. The advent and growth of the Internet only fueled that passion, and I have been professionally developing web sites, and providing computer and network support, for close to five years now. I spend most of my waking hours cultivating quite a monitor tan.
I am a Linux user (my preferred distro is Mandrake 9.1), but I spend quite a bit of time behind the keyboard and mouse of Windows machines, probably more than I get to spend on my own Linux box. I have provided technical support for almost every major operating system since Windows 3.1. I have done well over a thousand clean OS installs, I build PCs, I do my best to teach "newbies" the ropes, and I troubleshoot computer issues every day. I work for a well known web-based software developer for the automotive industry, and I am a strong advocate for diversity in operating systems because of the security against large cascading failures that it provides. Furthermore, as I learned in six years in the USAF, you work most efficiently when you apply the "Primitive Pete" rule - use the right tool for the right job.
One thing I have learned over the past few years is something that most of you already know: since the dot-com bubble burst, there has been a huge increase in the number of people who want to get rich quick with the Internet, and they won't let things like morals or scruples stand in the way. The vast majority of problems I deal with aren't buggy software issues, hardware failures, or gaping security holes being exploited; they are spyware and spammers, people that are getting rich quick off the backs of unsuspecting users. Viruses like Mydoom, Sobig, and many of the latest fast spreading e-mail worms are just the latest tool in these unscrupulous types' bag of tricks. Most of the media aren't tech-savvy enough to realize this, and so when something like a distributed denial of service (DDoS) attack on SCO is attached, a company that seems to love playing the victim for the media's cameras, it's easy for them to point their fingers at that rogue group that uses the "other, other operating system - Linux."
Mydoom.a was the fastest spreading Internet worm in history. The most reported, and most common, misconception is that this virus's purpose was to create a DDoS against SCO's web servers. While this is partially true, anyone who takes as much as 5 minutes to research the virus will find that Mydoom.a is a vicious, evil wolf in grumpy, annoyed, yet still scary, wolf's clothing.
Let's examine what MyDoom really does. A quick visit to http://symantec.com is where I usually start my research into these little nasties when they start to affect my world. Symantec is the maker of Norton Anti-virus software - my personal choice in anti-virus protection for Windows-based PCs. By visiting the Security Response section, and searching for the virus by name, or by looking at the 10 latest virus threats, you can find the following information about the Mydoom.a virus. I'll save you the clicking on the links and provide you with a quote right here:
Quote From Symantec: Norton Security Response - mydoom.a
"W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that
arrives as an attachment with the file extension .bat, .cmd, .exe, .pif,
.scr, or .zip.
"When a computer is infected, the worm sets up a backdoor into the system
by opening TCP ports 3127 through 3198, which can potentially allow an
attacker to connect to the computer and use it as a proxy to gain access
to its network resources.
"In addition, the backdoor can download and execute arbitrary files.
"There is a 25% chance that a computer infected by
the worm will perform a Denial of Service (DoS) on February 1, 2004
starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based
on the machine's local system date/time. If the worm does start the DoS
attack, it will not mass mail itself. It also has a trigger date to stop
spreading/DoS-attacking on February 12, 2004. While the worm will stop
on February 12, 2004, the backdoor component will continue to function
after this date."
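As an added example, not from Symantec's write-up or from the author, here is a defender-side check built only from the facts quoted above: it flags LISTENING ports in the 3127-3198 backdoor range in Windows `netstat -an` output (a constructed sample is embedded) and models which components of an infected host are active at a given time, including the backdoor that persists past the February 12 stop date. The netstat row format and the `dos_selected` flag standing for the 25% draw are assumptions of the example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Facts quoted from Symantec's W32.Mydoom.A@mm write-up above: backdoor on
# TCP 3127-3198, DoS from 2004-02-01 16:09:18 UTC, stop date 2004-02-12.
BACKDOOR_PORTS = range(3127, 3199)  # range() end is exclusive
DOS_START = datetime(2004, 2, 1, 16, 9, 18, tzinfo=timezone.utc)
DOS_STOP = datetime(2004, 2, 12, tzinfo=timezone.utc)

# One LISTENING row of Windows `netstat -an` output (assumed format); the
# local port is capture group 1.
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

def find_backdoor_listeners(netstat_output: str) -> List[int]:
    """Sorted local ports that are LISTENING inside 3127-3198."""
    # A hit is an indicator, not proof: a legitimate proxy on 3128 lands in
    # the same range, so each hit still needs a look at the owning process.
    hits = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            hits.add(int(m.group(1)))
    return sorted(hits)

def utc(*parts: int) -> datetime:
    """UTC timestamp from (year, month, day[, hour, minute, second])."""
    return datetime(*parts, tzinfo=timezone.utc)

def expected_behaviour(now: datetime, dos_selected: bool) -> Dict[str, bool]:
    """Which components of one infected host are active at `now`."""
    # dos_selected stands for the 25% draw: a selected host stops mass-mailing
    # while it attacks; every host keeps the backdoor open past the stop date.
    in_window = DOS_START <= now < DOS_STOP
    dos = dos_selected and in_window
    spreading = now < DOS_STOP and not dos
    return {"spreading": spreading, "dos": dos, "backdoor": True}

# Constructed sample, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3150      10.0.0.5:4521          ESTABLISHED
  TCP    192.168.1.20:3198      0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(SAMPLE_NETSTAT))
    for when in (utc(2004, 1, 30), DOS_START, DOS_STOP):
        print(when.isoformat(), expected_behaviour(when, dos_selected=True))
```

The ESTABLISHED row on 3150 is deliberately not flagged; the check only looks for the listener the write-up describes, so an active connection on those ports would need a separate rule.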
OK, first off, let's see what the real purpose is here, since most of the media reports I have seen appear convinced that the only purpose of this virus is to attack SCO in retaliation for their attacks on the Linux community.
Only one in four infected machines will participate in a DDoS attack on SCO, and those that are infected and set to participate will in fact cease spreading the virus to other computers (probably in an attempt to appear uninfected as anti-virus programs are updated, but users are too "busy" to allow for a full system scan). Still, this means that 75% of the infected machines have a whole different purpose to their infection:
- To spread as far and as fast as possible.
- To make the machine what is commonly called a "zombie box" for the worm writer's true intentions down the road.
Both the 75% that do not participate in the DDoS and the 25% that do will be in the same boat after February 12, 2004. They will cease spreading and attacking, yet will remain active "zombie boxes" for other uses. The simple fact that only one in four machines are going to be part of the DDoS attack tells me right off the bat that this can't be the virus writer's main intention. If it were, the virus writer would be weakening how effective the DDoS will be. When I was in the military, they called this type of thing misdirection and camouflage - and it seems to be working extremely well for those behind this little gem.
To give another comparison, think about the first Gulf War. Allied
forces used a small group of the US Marines and the Navy to stage an
attack on the Kuwaiti coastline to the east, while the vast majority of
the forces moved in from the southwest catching the Iraqi army
completely off guard, dug in with their turrets turned the wrong way.
That is what is happening here. The virus writer is sacrificing 25% of
the machines he/she can infect to launch a weak, brief, and what should
have been a largely ineffective DDoS against SCO and drawing fire away
from his/her true intent of creating a vast network of "zombie
boxes" to do his/her bidding at a later date.
Next, let's look at one of the largest and most reported viruses of the last year, aptly named Sobig. Like the vast majority of computer worms in the past year or so, Sobig had the primary purpose not of destroying data, not of being destructive to networks and systems, but of spreading and creating a vast network of "zombie boxes" for the purpose of launching more and more unsolicited commercial e-mail, commonly known as spam. Just like Mydoom, but without the nasty payload on 25% of the infected machines. A quick search on Google provided the following information:
Quote from C|Net's Robert Lemos's Article "Sobig spawns a recipe for secret
spam" - June 25, 2003
"Initial analysis by antivirus companies indicated that the
mass-mailing computer worm, called Sobig.E, doesn't have a malicious
payload. However, e-mail service provider MessageLabs believes spammers
will use the virus's mail program on victims' computers to send
anonymous messages.
"'This is almost certainly being precipitated by a spammer that is
trying to create more open relays to send spam,' said Mark Sunner, chief
technology officer for the New York-based company."
This has been the norm for the most common viruses/worms over the past year. Mydoom shares a lot in common with these other viruses as well. It appears to have been written by an individual or very small group; it also appears to be written for hire (at least in the ".b" variant) and seems to have originated in Russia - the same place that much of the worst spam you get originates. For most of the press, it was easy to see that Sobig was a way to send more spam every day via infected computers with new open relays, because that was the main and obvious purpose of the virus. Suddenly, when Mydoom hits, everyone seems to forget that. Because a small percentage of the infected machines do something sensational (attack a company that thrives on this sort of publicity, for example), they ignore the fact that the majority of infected machines will be doing the same thing that happened with Sobig. The camouflage worked.
Something else that these viruses have in common is that they remain on the system to receive further instructions down the road, and they create their own self-controlled SMTP server so that they can e-mail out whatever, and whenever, the virus writer pleases.
That is the true intention behind Mydoom, and Sobig, and many other
fast spreading viruses over the past year. To generate more spam. The
war on spam has escalated to the point that laws are being passed to try
to stem the flow, filters are becoming the norm, and the average user is
learning the old trick of not buying from, and deleting spam when it
shows up in their inbox. That means you have to send more spam to get
those few sales you do get and therefore make your effort
profitable.
I find it interesting how quickly this worm spread. It almost instantly spread out from thousands of "infected" machines. My own e-mail account had received almost sixty copies of the virus an hour before it was even given a name. Who in the world has the ability to suddenly mass e-mail a virus-laden message out to millions? Maybe it would be the same people that send out millions of e-mails every day - professional spammers.
If indeed the purpose of this snippet of code is to make more spam launching points, and it appears that it is, then by including the DDoS on SCO the virus writer(s) accomplished their job: they made the uninformed and spoon-fed in the technology reporting sector take the bait and misdirect the anger toward the virus writer at a completely different group, Linux users. Linux users are commonly known as a group that despises this sort of tactic, and the security and relative safety that Linux provides is one of the primary reasons most of the community will state they migrated away from other operating platforms. The reporters have also chosen to ignore the more deadly and dangerous payload that is the true purpose of the worm.
If I were to stoop to the level that I would write a virus like this, I would probably be thinking along the same lines: by including something like a DDoS, I would be masking my true purpose and making it hard to find me based on my intention. By attacking a rather unpopular company, I would also become a needle in a stack of needles, instead of the proverbial needle in the haystack.
I won't lie, and I look at this whole situation objectively. I honestly believe that there could be a tiny minority of Linux users somewhere that might attack SCO. Comparing the entire Linux community to such a small sub-group that might ignore the law is like saying that everyone that owns an automobile supports late-night drag racing. There are zealots for everything on this planet, and you can't blame an entire community of millions for the actions of a few. There are probably many more "script kiddies" out there using Windows to hack away at Yahoo Messenger in VB so they can boot people they don't like from chat rooms. Does that mean that all Windows users hate Yahoo and are busy coding away in their parents' basement? Of course not.
By attacking the entire user base, SCO and the media spoon-fed by
their press releases have certainly given this impression of our
community. Furthermore, they have drawn the ire of millions away from
the true people that deserve it, the people that flood your child's
inbox with advertisements for porn and offer to sell
you illegal prescription drugs in plain packaging.
It would do us all some good to learn to research before we react,
especially if our reaction is to publish a story that will affect the
opinion millions of readers have about a community as diverse as Linux
users.