lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: dowlingg at sullcrom.com (Dowling, Gabrielle)
Subject: MyDoom.b samples taken down

Bill....

You make some good points, but as to your comment that "Mydoom.B was not
as successful as mMydoom.A because people had already been warned about
clicking on messages with that format. It has nothing to do with the
lethality of the virus. What makes a virus dangerous today is much less
the actual virus code (as Nick says there are very much alike), but the
social engineering of the message and the smarts about where it gets the
email addresses to propagate"...

I don't think there's any way you can support your conjecture of the
success of A over B.  I haven't checked since Friday evening, but before
then I didn't see the volume of messages received at our gateway
diminish, which pretty strongly indicates that either a) we've got the
same base infection rate as when it first hit (and therefore, systems
that got hit don't know that they got hit, and aren't aware that they
might have been hit and thus haven't been reading anything about how
they should deal with this specific message if it comes in,and therefore
are likely to click on Mydoom.B if they received it) , or b) new systems
are getting infected as soon as existing systems are getting cleaned up.
While I don't think educational efforts are fruitless (and in fact far
from it, I think the fact that they have simply been inadequate), I
don't think there's any reason to think that anyone has "learned" about
this one and thus abstains.  I know quite definitively that when the
"FriendGreetings" malware was circulating a couple of years ago, we had
users continue to click on links (despite it having exactly the same
message format) as each new linked site was added, despite clear
information that was sent to them immediately upon the first site
becoming known.

What no one here seems to be interested in how this thing got so big, so
fast, and its apparent kinship in that respect to it's Sobig predecessor
(in terms of volume, and probably also in terms of ultimate goal).  It
seems an important thing for this forum to consider, yet no one has
(other than to assume that there is something special about the code,
which there is not).

G


**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the 
intended recipient, please delete the e-mail and notify us 
immediately. 
***********************************************************************

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ