MyDoom

[R0n1n]

Just for a different take on the subject, this from vmyths.....



"Many headlines now proclaim the new "MyDoom" virus/worm as "the fastest
spreading virus ever." MessageLabs, for example, announced "1 in 12"
emails carried an infected attachment -- much to the delight of
reporters who crave numbers. What was left unsaid (because it's not really
news) is that MessageLabs announced "1 in 2.4" emails carried spam
throughout the month of December. Do the math and you'll see it's two-fifths
versus one-twelfth.

Remember this when virus hysteria strikes:
http://Vmyths.com/resource.cfm?id=31&page=1

Computer firm SCO (a main target of MyDoom's wrath) extended the media
frenzy when they offered a $250,000 reward for the capture of what they
hint is a "radical" Linux user. Vmyths does not accept SCO's
presumption -- we strongly suspect MyDoom came from a Microsoft-centric virus
writer. Vmyths suspects SCO's senior officers (including president Darl
McBride) engaged in media sensationalism at the expense of the Linux
community.

Reporters crave anecdotes; some of their stories proclaimed Boeing lost
its fight with the MyDoom virus. Vmyths notes the aerospace firm has a
long history of losing fights with viruses and making irrational
computer security decisions (see http://Vmyths.com/rant.cfm?id=241&page=4 for
example). It shouldn't impress anyone if MyDoom overwhelmed Boeing's
networks.

(Memo to Boeing's computer security team: Vmyths.com has sent/received
ZERO copies of MyDoom as of Wednesday 18:00 CT.)

Common clichés in the antivirus world:
http://Vmyths.com/resource.cfm?id=22&page=1

Once again, this media hype misses the point. If a firm shut down its
email servers to stop a virus attack, then it did so because their
antivirus solution FAILED to do its job, NOT because infected attachments
overwhelmed their networks. Reporters, and even security experts, often
confuse symptoms (infected attachments) with causes (inferior antivirus
technology).

History tells us someone will soon declare a "guestimate" damage value
for the MyDoom virus/worm, strictly for its PR value. Two of the more
dubious candidates include Computer Economics Inc. and mi2g. Visit
http://Vmyths.com/resource.cfm?id=57&page=1 for links to these firms'
mathematical atrocities.

Vmyths notes stock prices rose for both Symantec and Network Associates
-- despite the fact their products once again failed to do their job.
If your antivirus solution didn't protect you, then you need a better
antivirus solution. (Unless you work for Boeing.) Enough said.

Don't confuse symptoms with causes. Stay calm. Stay reasoned. And
stay tuned to Vmyths."

[RoadClosed]

Good Article, however I must note....

I too have had ZERO infections as of today 14:00 -10

Vmyths notes stock prices rose for both Symantec and Network Associates
-- despite the fact their products once again failed to do their job.
If your antivirus solution didn't protect you, then you need a better
antivirus solution. (Unless you work for Boeing.) Enough said.

And I use one of those in a very big way.

[Negative]

I like that site... it says Tony Bradley needs a better antivirus product

[576869746568617]

No offense to Bradley, but he obviously needs a better antivirus product.

That's hillareous!

[phishphreek]

Originally posted here by RoadClosed
Good Article, however I must note....

I too have had ZERO infections as of today 14:00 -10

And I use one of those in a very big way.

Same here... I've had ZERO infections (knock on wood) on PCs that I'm responsible for in at least two and a half years....

/me prays to the av gods that I didn't just jinks myself.

[cgkanchi]

0 infections in the last 8 years on my home box . The last infection I had was the One/Half virus that destroyed all the data on my 486SL laptop. That thing had a 250 meg hard disk if you can believe it .
Cheers,
cgkanchi

[AngelicKnight]

Same here, zero MYDOOM on my PC too, clean as can be. But remember, we're the folks that know what we're doing, most of the rest of the world isn't.

Also, simple way to avoid MyDoom without AV or anything -- DON'T OPEN EMAIL ATTACHMENTS! Don't do that, don't screw with Kazaa, and no MyDoom for you. Problem solved.

Of course if everybody else did that, we'd all be out of jobs.

[ikalo]

No infection on 8 boxes I am responsible, and I'm usign Symantec Antivurs Enterprise...

Don't confuse symptoms with causes. Stay calm. Stay reasoned.

the software is safe and stable as person who administer it!!!

If you cut off your foot with axe, would you sue steelworks that made that axe??? or will you spend some time practicin aiming so you don't miss log next time

[tonybradley]

No offense to Bradley, but he obviously needs a better antivirus product.

LOL. Who knew that Rob Rosenberger or Negative read my site?

For the record, I have *never* personally had a virus infection whether using McAfee, Norton, Trend Micro, CA or no AV software at all. My wife runs no AV software and has also never had an infection.

IMHO keeping your system patched and having the common sense not to open file attachments called "ParisHiltonNaked.exe" that claim to be from "security@microsoft.com" with messages written in broken English will keep you 100% safe. Viruses and worms tend to rely on exploiting known vulnerabilities. SQL Slammer spread using a vulnerability that users could have patched 6 months prior.

The implication seems to be that heuristics *is* the AV of the future. For zero-day type threats that exploit a vulnerability that nobody was previously aware of or that a patch has not yet been created for, heuristics is a good defense.

However, heuristics- by definition- is making an educated guess about whether something is or is not a malicious program based on past malware or what we think we know about how malware would / should act. It would seem that the only way for heuristics to catch 100% of malware is to have the criteria set so strict that you also catch a good amount of false-positives in the process.

When a file is scanned with a signature, the detection is positive, and it is determined to be either a specific (or family) virus or not. Although While prone to errors or false positives occur sometimes, signature scanning is pretty accurate. Heuristic techniques, on the other hand, are working on the probabilities of a file being infected. Heuristics is not an exact science. Currently, the industry claims a 70%-80% detection rate of new and unknown viruses with heuristic scanning, which is pretty good considering the complexity of the problem...

Full article on ExtremeTech.com: Antivirus Research and Detection Techniques

I do agree with the basic premise of Rob Rosenbergers stance regarding the spread of MyDoom though. I have gotten tons of replies to me from AV software replying to spoofed Sender adddresses and I have received a handful of server notifications letting me know that such and such an email was blocked because the system doesn't allow this file attachment type or that file attachment type- but I personally haven't received an actual MyDoom-infected (or any other virus for that matter) message that made it inside the network.

What saved the corporation I work for though wasn't heuristic scanning- it was the fact that we already block all executable file attachments by default and simply added ZIP to the default stripping rule until the AV software could be updated.

At any rate- I guess I appreciate the exposure. With "fame" (ha ha) comes notoriety. I am certainly not the most knowledgable or experienced security expert and there is more that I don't know than what I do so I am bound to be incorrect at times and critics are bound to find flaws regardless of what I write.

I don't agree that heuristic scanning alone is the holy grail of malware detection though- although I agree completely that the AV industry has no vested interest in providing a true solution- no matter how simple it may be just as the medical industry has a vested interest in finding ways to treat symptoms more than cure diseases- cured people don't come back to spend more money.

[RoadClosed]

I would say also that the level of software engineering and installation has a direct impact. For instance, if you only run an AntiVirus product on each client then heuristic scanning would be less important than say, if you run an enterprise level configuration: Like AntiVirus, NetShield, Groupshield, Outbreak Manager etc, all controlled and monitored by E-policy Orchestrator. (McAfee Plug)