Paul Couture has graciously agreed to write an article for Groklaw on MyDoom. I found him when I was reading about MyDoom on Slashdot for the story I did about the crank calls, and I noted a comment from someone who seemed knowledgeable about protecting companies from such things. He said that he dealt with such issues on a daily basis in connection with his work, and that in his opinion this had all the earmarks of professional spammers, not a Linux enthusiast. How, he wondered, could the media get this so wrong?
So I contacted him, after researching a little about him and his work (he did computer work for six years for the US Air Force and now works in network support and does web design). I asked him to explain a bit about MyDoom and why he is convinced from the way MyDoom was written that it is professional spammers. SCO isn't the main target, in his opinion.
He isn't alone in that opinion, by the way. Did you know that MyDoom will attack Kazaa next? It seems MyDoom will create worm-laden copies of entertainment software after the attack on SCO.
Here's information on this angle:
"After the planned assault on licensing company SCO, other coming MyDoom backdoor attacks will target users of the Kazaa peer-to-peer file sharing network by creating worm-laden copies of popular entertainment software swapped over Kazaa like the Winamp music player and the game Nuke2004. When run, these generate new floods of MyDoom e-mail."
The Independent also has a very thorough report, and a number of experts confirm that this looks like the work of criminals known to do this sort of thing. Here's a snip or two to give you an idea:
"But to security experts, MyDoom marked a serious step up in the evolution of the virus because it had all the fingerprints of organised crime. MyDoom did not just email itself to addresses found in the files of any computer it infected. It also installed a "back door" that would let hackers control your machine remotely; it installed "keylogging" software that would silently note every keypress, including bank passwords and credit card numbers when you used web pages; and it could direct a deadly attack on a particular website belonging to a software company called SCO."
It seems the purpose of the backdoor is often to threaten the company: pay a ransom or it will happen again. Such threats did happen just before the SuperBowl to gambling sites:
"Couldn't MyDoom just be an annoyed Linux programmer's revenge? It is possible, but unlikely when you view it in the context of other well-organised online crime. A week ago, as the American Super Bowl was ramping up, the owners of online gambling sites were nervously staring at their screens, waiting to see if they would be hit by a DDOS that would make them disappear from the internet, just at the time they would want to be open and ready for gambling fans.
"Before the game started, Ido Raviv, the manager of Netgames in Belize, which runs the Yahoops.com online sports book, said: 'I expect that on Sunday, during the Super Bowl, you're going to see a lot of [sports betting] websites down. I know it for a fact. Everybody's scared.'
"They were right to be. Though Riverhead Networks, a company which offers entirely legal network protection against DDOS onslaughts, was able to fend off a number of attacks against gaming sites which began on Friday and continued through the weekend, far more sites were not so lucky. They were disabled. "DDOS attacks are becoming a significant and growing threat to online enterprises, government agencies and providers of all sizes," said Steve Woo, who is in charge of business development at Riverhead."
Of course, the ransom demand could be to drop the lawsuit instead of money, they acknowledge, but even then, they conclude, the demand wouldn't be from anybody but a well-organized criminal gang. The sophistication of the code and the general MO point to that conclusion. There is also a box at the end of the article listing things to look for on your Windows computer that would indicate it is compromised.
So there is more to this story than SCO. In fact, SCO doesn't seem to be the primary target after all. With that background, here is the article by Paul Couture. (For those interested in the what-has-happened-to-journalism topic, here is a related article on that very subject in Online Journalism Review.)
Whatever Happened to Investigative Journalism?
~by Paul Couture
After making a post on /. a few days ago regarding the Mydoom.a virus and the now infamous media stories from authors that were apparently easily duped by a secondary exploit that the worm carried out, I was shocked to find a request from our own beloved hero, Pamela Jones, in my inbox requesting that I expand a bit on some of the points in the post for the loyal readers (and those of you just stopping by) here at Groklaw. I couldn't resist the opportunity.
First off, let me tell you a bit about myself. One of the things I find unnerving about "Internet Media" is the fact that you often know little about the source of information, so I'll do my best to explain why I feel qualified to make the comments I will be making. I love computers, all computers, and always have - almost as far back as I can remember. My first computer was a Commodore Vic-20, which I was lucky enough to get at the tender young age of eight, and I was a published programmer not long after. I helped to set up and run one of the first BBSs in the Southeastern United States, and learned all I could about making these wonderful new tools do the things I wanted them to do. Since those early days I have tried to remain active with computing because it has always been one of my true loves. The advent and growth of the Internet only fueled that passion, and I have been professionally developing web sites and providing computer and network support for close to five years now. I spend most of my waking hours cultivating quite a monitor tan.
I am a Linux user; my preferred distro is Mandrake 9.1 - but I spend quite a bit of time behind the keyboard and mouse of Windows machines, probably more than I get to spend on my own Linux box. I have provided technical support for almost every major operating system since Windows 3.1. I have done well over a thousand clean OS installs, I build PCs, I do my best to teach "newbies" the ropes, and I troubleshoot computer issues every day. I work for a well-known web-based software developer for the automotive industry, and I am a strong advocate for diversity in operating systems because of the protection against large cascading failures that it provides. Furthermore, as I learned in six years in the USAF, you work most efficiently when you apply the "Primitive Pete" rule - use the right tool for the right job.
One thing I have learned over the past few years is something that most of you already know: since the dot-com bubble burst, there has been a huge increase in the number of people who want to get rich quick with the Internet, and they won't let things like morals or scruples stand in the way. The vast majority of problems I deal with aren't buggy software issues, hardware failures, or gaping security holes being exploited; they are spyware and spammers - people that are getting rich quick off the backs of unsuspecting users. Viruses like Mydoom, Sobig, and many of the latest fast-spreading e-mail worms are just the latest tool in these unscrupulous types' bag of tricks. Most of the media aren't tech-savvy enough to realize this, and so when something like a distributed denial of service (DDoS) attack is attached, aimed at SCO, a company that seems to love playing the victim for the media's cameras, it's easy for them to point their fingers at that rogue group that uses the "other, other operating system - Linux".
Mydoom.a was the fastest-spreading Internet worm in history. The most reported, and most common, misconception is that this virus's purpose was to create a DDoS against SCO's web servers. While this is partially true, anyone who takes as much as 5 minutes to research the virus will find that Mydoom.a is a vicious, evil wolf in grumpy, annoyed, yet still scary, wolf's clothing.
Let's examine what MyDoom really does. A quick visit to http://symantec.com is where I usually start my research into these little nasties when they start to affect my world. Symantec is the maker of Norton Anti-virus software - my personal choice in anti-virus protection for Windows based PCs. By visiting the Security Response section, and searching for the virus by name, or by looking at the 10 latest virus threats, you can find the following information about the Mydoom.a virus. I'll save you the clicking on the links and provide you with a quote right here:
Quote From Symantec: Norton Security Response - mydoom.a
"W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.
"When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
"In addition, the backdoor can download and execute arbitrary files.
"There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date."
Ok, first off, let's see what the real purpose is here, since most of the media reports I have seen appear convinced that the only purpose of this virus is to attack SCO in retaliation for their attacks on the Linux community.
Only one in four infected machines will participate in a DDoS attack on SCO, and those that are infected and set to participate will, in fact, cease spreading the virus to other computers (probably in an attempt to appear uninfected as anti-virus programs are updated, but users are too "busy" to allow for a full system scan). Still, this means that 75% of the infected machines will have a whole different purpose to their infection.
Both the 75% that do not participate in the DDoS and the 25% that do will be in the same boat after February 12, 2004. They will cease spreading and attacking, yet will remain active "zombie boxes" for other uses. The simple fact that only one in four machines are going to be part of the DDoS attack tells me right off the bat that the attack can't be the virus writer's main intention. If it were, the virus writer would be weakening how effective the DDoS will be. When I was in the military, they called this type of thing misdirection and camouflage - and it seems to be working extremely well for those behind this little gem.
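As an added illustration (this is not part of Paul's article or of any vendor tool), here is a small Python host check built on the two facts quoted from Symantec above: the backdoor listens on TCP 3127 through 3198, and the DoS runs only from February 1 to February 12, 2004. It parses `netstat -an`-style output (a constructed sample is embedded) and flags listening ports in that range, and separately tells whether a timestamp falls inside the DoS window, which makes the point that the backdoor check still matters once the DoS has stopped.

```python
import re
from datetime import datetime, timezone

# Indicators taken from the Symantec description quoted above.
BACKDOOR_PORTS = range(3127, 3199)   # TCP 3127 through 3198, inclusive
DOS_START = datetime(2004, 2, 1, 16, 9, 18, tzinfo=timezone.utc)
DOS_STOP = datetime(2004, 2, 12, 0, 0, 0, tzinfo=timezone.utc)

# One line of Windows `netstat -an` output, e.g.
#   TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$",
                       re.IGNORECASE)


def backdoor_listeners(netstat_lines):
    """Return the sorted local TCP ports in 3127-3198 that are LISTENING.

    A non-empty result on a workstation that runs no service on those ports
    is a strong sign the Mydoom.a backdoor is present: isolate and scan it.
    """
    found = set()
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in BACKDOOR_PORTS:
            found.add(int(m.group(2)))
    return sorted(found)


def in_dos_window(when):
    """True if `when` lies in the announced DoS window.

    `when` is an aware datetime or an ISO-8601 string with a UTC offset.
    The worm keys the trigger off the machine's local clock, so a host with
    a wrong clock can start or stop its attack traffic outside this window.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return DOS_START <= when.astimezone(timezone.utc) < DOS_STOP


# Constructed sample output: two backdoor ports open, one port just outside
# the range, one outbound connection, one normal Windows RPC listener.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3129      203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:137          *:*
""".splitlines()

if __name__ == "__main__":
    print("backdoor ports listening:", backdoor_listeners(SAMPLE_NETSTAT))
    print("in DoS window on 2004-02-20:",
          in_dos_window("2004-02-20T00:00:00+00:00"))
```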
To give another comparison, think about the first Gulf War. Allied forces used a small group of the US Marines and the Navy to stage an attack on the Kuwaiti coastline to the east, while the vast majority of the forces moved in from the southwest catching the Iraqi army completely off guard, dug in with their turrets turned the wrong way. That is what is happening here. The virus writer is sacrificing 25% of the machines he/she can infect to launch a weak, brief, and what should have been a largely ineffective DDoS against SCO and drawing fire away from his/her true intent of creating a vast network of "zombie boxes" to do his/her bidding at a later date.
Next, let's look at one of the largest and most reported viruses of the last year, aptly named Sobig. Like the vast majority of computer worms in the past year or so, Sobig had the primary purpose not of destroying data, not of being destructive to networks and systems, but of spreading and creating a vast network of "zombie boxes" for the purpose of launching more and more unsolicited commercial e-mail, commonly known as spam. Just like Mydoom, but without the nasty payload on 25% of the infected machines. A quick search on Google provided the following information:
Quote from C|Net's Robert Lemos's Article "Sobig spawns a recipe for secret spam" - June 25, 2003
"Initial analysis by antivirus companies indicated that the mass-mailing computer worm, called Sobig.E, doesn't have a malicious payload. However, e-mail service provider MessageLabs believes spammers will use the virus's mail program on victims' computers to send anonymous messages.
"'This is almost certainly being precipitated by a spammer that is trying to create more open relays to send spam,' said Mark Sunner, chief technology officer for the New York-based company."
This has been the norm for the most common viruses/worms over the past year, and Mydoom shares a lot in common with these other viruses. It appears to have been written by an individual or very small group, it also appears to be written for hire (at least in the ".b" variant), and it seems to have originated in Russia - the same place that much of the worst spam you get originates. For most of the press, it was easy to see that Sobig was a way to send more spam every day via infected computers with new open relays, because that was the main and obvious purpose of the virus. Suddenly, when Mydoom hits, everyone seems to forget that. Because a small percentage of the infected machines do something sensational - attack a company that thrives on this sort of publicity, for example - they ignore the fact that the majority of infected machines will be doing the same thing that happened with Sobig.
The camouflage worked.
Something else these viruses have in common is that they remain on the system to receive further instructions down the road, and create their own self-controlled SMTP server so that they can e-mail out whatever, and whenever, the virus writer pleases.
That is the true intention behind Mydoom, Sobig, and many other fast-spreading viruses over the past year: to generate more spam. The war on spam has escalated to the point that laws are being passed to try to stem the flow, filters are becoming the norm, and the average user is learning the old trick of not buying from spam, and deleting it when it shows up in their inbox. That means you have to send more spam to get those few sales you do get, and therefore make your effort profitable.
I find it interesting how quickly this worm spread. It almost instantly spread out from thousands of "infected" machines. My own e-mail account had received almost sixty copies of the virus an hour before it was even given a name. Who in the world has the ability to suddenly mass e-mail out to millions a virus laden e-mail? Maybe it would be the same people that send out millions of e-mails everyday - professional spammers.
If indeed the purpose of this snippet of code is to make more spam launching points, and it appears that it is, then by including the DDoS on SCO the virus writer(s) accomplished their job: they made the uninformed and spoon-fed in the technology reporting sector take the bait and misdirect the anger toward the virus writer at a completely different group, Linux users. That is a group commonly known to despise this sort of tactic, and one of the primary reasons most of the community will say they migrated away from other operating platforms is that they love the security and relative safety that Linux provides. The reporters have also chosen to ignore the more deadly and dangerous payload that is the true purpose of the worm.
If I were to stoop to the level of writing a virus like this, I would probably be thinking along the same lines: by including something like a DDoS, I would be masking my true purpose, and making it hard to find me based on my intention and purpose. By attacking a rather unpopular company, I would also become a needle in a stack of needles, instead of the proverbial needle in the haystack.
I won't lie, and I look at this whole situation objectively. I honestly believe that there could be a tiny minority of Linux users somewhere that might attack SCO. Comparing the entire Linux community to such a small sub-group that might ignore the law is like saying that everyone that owns an automobile supports late-night drag racing. There are zealots for everything on this planet, and you can't blame an entire community of millions for the actions of a few. There are probably many more "script kiddies" out there using Windows to hack away at Yahoo Messenger in VB so they can boot people they don't like from chat rooms. Does that mean that all Windows users hate Yahoo and are busy coding away in their parents' basement? Of course not.
By attacking the entire user base, SCO and the media spoon-fed by their press releases have certainly given this impression of our community. Furthermore, they have drawn the ire of millions away from the true people that deserve it, the people that flood your child's inbox with advertisements for porn and offer to sell you illegal prescription drugs in plain packaging.
It would do us all some good to learn to research before we react, especially if our reaction is to publish a story that will affect the opinion millions of readers have about a community as diverse as Linux users.