in case nobody else noticed it, there was a mail worm released today
my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
Paul Vixie [1/27/2004 7:22 AM] :
my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
MyDoom / Novarg etc http://news.com.com/2100-7349_3-5147605.html?tag=nefd_top

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
We are seeing 2 widespread worms right now, mydoom and dumaru.* NAI has info at http://vil.nai.com/vil/content/v_100983.htm and http://vil.nai.com/vil/content/v_100980.htm

The rate of it is quite surprising. By the description, the trick / method of infection does not seem all that different than past worms/viri. Makes me wonder how many people in a room would reach into their purse/pocket on hearing, "Wallet inspector"

---Mike

At 08:52 PM 26/01/2004, Paul Vixie wrote:
my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"

Every single person that still opens these damn attachments! :-(

scott
: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"
Every single person that still opens these damn attachments! :-(
IN WINDOWS!
scott
On Mon, Jan 26, 2004 at 09:00:40PM -0500, mike@sentex.net said:
We are seeing 2 wide spread worms right now, mydoom and dumaru.*
NAI has info at
http://vil.nai.com/vil/content/v_100983.htm
and
http://vil.nai.com/vil/content/v_100980.htm
The rate of it is quite surprising. By the description, the trick / method of infection does not seem all that different than past worms/viri. Makes me wonder how many people in a room would reach into their purse/pocket on hearing, "Wallet inspector"
I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? It would seem to me that even the most clueless user would modify his/her behavior after, say, the 25th time they've been infected and had to 1) call tech support or 2) reinstall their OS (or more likely, have someone else reinstall their OS).

Worms today are exploiting the same fundamental flaws they were using 10 years ago, so maybe the question above has the wrong focus. Maybe we should be asking why vendors haven't bothered to fix these problems - it's not like they haven't had enough time or examples.

(Note: I really do not want this to degenerate into another rant against vendor M; for once, I really am curious as to why we're still getting bit by bugs using the same holes they were using with Windows 95 and NT 4. Worms obviously pose a significant financial cost to business, and I heard this latest one mentioned at least 3 times from various non-Internet media outlets yesterday, so public awareness isn't the problem either.)

--
Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
"I gave you the chance of aiding me willingly, but you have elected the way of pain!" -- Saruman, speaking for sysadmins everywhere
At 07:17 AM 1/28/2004 -0800, Scott Francis wrote:
I've been wondering lately, after about 10 years of email worms spreading in exactly the same manner with every incarnation ... why do you think people haven't learned not to open unexpected attachments yet? It would seem to me that even the most clueless user would modify his/her behavior after, say, the 25th time they've been infected and had to 1) call tech support or 2) reinstall their OS (or more likely, have someone else reinstall their OS).
Several reasons:

1) in each of those 10 years there is one more year's worth of human beings for whom this is their first email virus and they have no idea what it is they are clicking on.

2) some people's job legitimately involves getting lots of mail attachments and just as people reflexively click on the "Are you sure you want to do X? Yes, No" messages, these people reflexively open every attachment they get.

3) some people believe everything they read and will always fall for the "here is the response you requested" line du jour, just like there are people who believe that Elvis isn't dead but is living in an East Texas rest home (see www.bubbahotep.com :-)

4) some people never learn :-(

face it, the following quote has always been true and will always be true: "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook.

jon bennett
The worm is being talked about on news.com and all the major virus vendors already have advisories on their websites. The worm in my case masqueraded as a Mailer Daemon bounce. Source email address appeared to be valid and matching a domain of a website I visited recently (but have not for a long time). Anyone know how the worm generates the sending domain?

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: Monday, January 26, 2004 8:52 PM
To: nanog@merit.edu
Subject: in case nobody else noticed it, there was a mail worm released today

my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
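The "masqueraded as a Mailer Daemon bounce" observation above suggests a simple triage check for a mailbox like the one Paul posted: a genuine delivery-status notification is multipart/report with report-type=delivery-status (RFC 3464) and never carries an executable attachment, so a bounce-looking message that does carry one is suspect. The following is an added Python example, not code from anyone in this thread; the two sample messages and the list of executable extensions are constructed for illustration.

```python
import email
# Attachment extensions treated as executable payloads (illustrative, assumed list).
EXEC_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com")

def looks_like_bounce(msg):
    # Sender or subject claims to be a delivery-failure notice.
    sender, subject = msg.get("From", "").lower(), msg.get("Subject", "").lower()
    return "mailer-daemon" in sender or "returned mail" in subject or "undeliver" in subject

def is_real_dsn(msg):
    # A conformant bounce is multipart/report with report-type=delivery-status (RFC 3464).
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")

def executable_attachments(msg):
    # Filenames of attached parts whose extension marks them as executable.
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(EXEC_EXTS)]

def classify(raw):
    msg = email.message_from_string(raw)
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    if executable_attachments(msg):  # a genuine DSN never ships an executable
        return "fake-bounce-with-executable"
    if is_real_dsn(msg):
        return "genuine-dsn"
    return "bounce-like-unverified"

# Constructed samples, not real worm mail; the "attachment" is a placeholder text line.
FAKE_BOUNCE = """From: "Mail Delivery Subsystem" <MAILER-DAEMON@example.net>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="message.exe"
Content-Disposition: attachment; filename="message.exe"

(placeholder bytes, not a real executable)
--b1--
"""
REAL_DSN = """From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org
--b2--
"""
```

To run it over a real mailbox, iterate `mailbox.mbox(path)` and pass `str(message)` to `classify`; an archive-format bounce (e.g. a .zip) needs deeper inspection than the extension list here gives.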
participants (8)
- Alexei Roudnev
- jon bennett
- Mike Tancsa
- Paul Vixie
- Scott Francis
- Scott Weeks
- Suresh Ramasubramanian
- Wojtek Zlobicki