lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: full-disclosure at royds.net (Bill Royds) Subject: MyDoom.b samples taken down Mydoom.B was not as successful as mMydoom.A because people had already been warned about clicking on messages with that format. It has nothing to do with the lethality of the virus. What makes a virus dangerous today is much less the actual virus code (as Nick says there are very much alike), but the social engineering of the message and the smarts about where it gets the email addresses to propagate. Studying yet another mass email virus won't prevent people from clicking on messages that seem to come from friends and have a message that seems reasonable. Many viruses seem to be written by people who don't speak English well and have text that is obviously artificial. When we get viruses that parse email in a victims inbox to respond with valid replies, we will see a horrific epidemic. These latest viruses are easy to spot because of the simplicity of the message. One with a sophisticated message would do vastly more damage. To amateur "virus researchers", unless you have a "Clean room" to test the virus (a completely isolated computer network with the ability to catch all possible traffic and machine state changes), you have little likelihood of finding something new before you re-infect the Internet with the virus. -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of first last Sent: February 1, 2004 8:15 PM To: full-disclosure@...ts.netsys.com Subject: RE: [Full-Disclosure] MyDoom.b samples taken down >Just because some AV developers did not rush for the publicity >spotlight <snip> Come on. As soon as an AV company discovers something new they tell the press. They love free advertising. Thus we know that the finns @ F-Secure (if I'm not mistaken) were the first ones who found the IP addresses in the Sobig.F virus. It took them 2 days instead of a few minutes had they just dumped the memory of the virus while it was running and disassembled it. > > I never analyzed the MyDoom.A or the MyDoom.B worms because I know the > > anti-virus companies already did that the very same day they got the >virus. > > But from what I've read, the email sent by MyDoom.B is exactly the same >one > > sent by MyDoom.A. No wonder MyDoom.B never succeeded in infecting more > > machines. Even if someone on this list mistakenly got infected by the >copy > > and sent out the virus to other people it's not going to make it any >more > > successful than it is because it looks exactly like MyDoom.A in your >inbox. > >And what made Mydoom.A _so_ successful? > >There is always an element of what, for a better term, the experts >refer to as "luck". Technically identical mass mailers suceed and fail >more or less randomly (of course, you don't see the hoards of entirely >uncessful ones we do, so you wouldn't know this. Mydoom.B has more >chance of striking it lucky the more people run it, simply because of This is not a case of technically similar viruses, this is a case of a two different (related) viruses using the _exact_ same email message to spread its executable code. The probabiltiy that a user clicks a MyDoom.A attachment is the exact same probability that the same user clicks a MyDoom.B attachment. The probability that a user clicks a MyDoom attachment may not be (most likely is not) the same as the probability that the same user clicks some other virus' attachment. So for MyDoom.B to be successful, it would have to get rid of all MyDoom.A emails or use a different email message. _________________________________________________________________ Check out the coupons and bargains on MSN Offers! http://shopping.msn.com/softcontent/softcontent.aspx?scmId=1418 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists