MyDoom is the 'worst ever' virus

Klez, Sircam, Melissa, SoBig... you boys took one hell of a beating...

By David Becker, 29 January 2004 08:45

NEWS It's only two days old and still growing fast, but at least one security firm is ready to crown the MyDoom virus as the worst ever.

Finnish security software and services company F-Secure made the coronation late Wednesday, declaring MyDoom the fastest-spreading worm ever and "the worst email worm incident in virus history" in a letter written by research director Mikko Hypponen.

MyDoom crawled onto the Internet on Monday, quickly clogging email servers, as it propagated itself with millions of messages laden with malicious software code. An offshoot of the pest surfaced Wednesday but did not appear to be spreading nearly as quickly as the original.

F-Secure estimated that the worm was accounting for 20 per cent to 30 per cent of worldwide email traffic Wednesday, putting it well ahead of previous nasties, such as the SoBig.F worm.

F-Secure credited the worm's fast spread to several factors, including aggressive harvesting of email addresses and the fact that it was released in the middle of the North American workday, giving it several hours to spread unchecked among corporate networks.

Other security companies had evaluations almost as dire. MessageLabs said it had intercepted more than 3.4 million copies of MyDoom, which at its peak infected one of every 12 messages. That compares with a total of 33 million infections and a peak rate of one in 17 for SoBig.F.

David Becker writes for News.com

Comments

There are 26 comments.

  1. Lee Finlay

    I don't know about you but my anti-virus software failed to pick up this threat. I had just updated it last week. When I updated it there were three updates since then.
    If you think about it, everybody moans about MS software needing a patch every month.
    That's nothing, my anti-virus needs three updates a week!!!
    Isn't it about time anti-virus vendors sold some software that preempts any virus-like activity?
    We pay £3000 plus per year for a product that doesn't stop viruses unless it is patched. What is wrong with this? If it was MS or Sun or Oracle or OSS that needed three patches every week the masses (you and me) would defect to a better product.

    Come on anti-virus vendors, sell me some good anti-virus software which acts on virus-like qualities (infecting files, auto-sending email, auto start-up etc.) AND uses signatures so I can check what viruses I've caught.

  2. John Taylor

    And the IT community still seems more concerned with rolling out new OS implementations and new infrastructure than investing in better security. Yup, we saved a nickel and spent a dollar in lost productivity. Strange!

  3. Scott Kerr

    It's now getting to the point where colleagues in my workplace are so paranoid about actually switching on their machines that the broadband connection (which they have only had for a few months) is going unused. Surely all the ISPs need to toughen up their control through their POP servers, and supply the appropriate patches to the common user more readily.

    I happen to have my machine up to date when it comes to virus definitions and patches, but what about the common user out there who isn't even aware they need to run a firewall? This simple act by the ISPs would surely stamp out these malicious worms and codes in relatively no time, and control the spread... Seems like common sense to me.

  4. Justin Wheatley

    In reply to Lee's comment, I see your point but to be fair to anti-virus software vendors, the functionality of anti-virus software is required to change every day, whereas that of the other disciplines (OSs, office applications and the like) stays largely the same. To address this, products like McAfee ASAP are available, whose updating is managed by those best qualified to guarantee it - the authors. Personally I prefer to retain control and manage the updating myself, but there's a lot to be said for this kind of automated outsourcing of a function that you yourself have indicated is unwanted.

  5. Justin Wheatley

    Scott you are right.
    I am aware of ISPs offering antivirus services at source, but most of them want to charge a premium. This seems absurd since they are the ones who reap direct financial benefit from the absence of viruses (and junk for that matter), since they would no longer have to provide the bandwidth to transmit it.

    It is high time ISPs all stood up and took responsibility for this, not because it's their fault, but because they are best placed to crush the problem completely. The only reason I can see for this being resisted is that the anti-virus (and spam) industry could suddenly lose a vast number of customers. Is that why it hasn't happened yet?

  6. Pete Wheatfill

    I wholeheartedly agree with Scott Kerr.
    As he said, "Surely all the ISP's need to toughen up their control through their POP servers, and supply the appropriate patches to the common user, more readily". My broadband ISP is Tiscali and they have the nerve to demand extra revenue from users to stop virus activity on their accounts. If you don't pay, it appears that all the rubbish is channelled through to the user. I think it should be compulsory that ISPs stop the trouble at the server. If it doesn't land on the user's computer, it can't be sent elsewhere. As usual, greed always wins in the end.

  7. Darren Boyden

    In response to some of the previous comments, I can only feel you have the wrong software installed, or you haven't configured it properly. I administer (by myself) 22 sites and around 300 PCs and 20 servers across the UK, and managed to get a total of one infection (immediately stopped by the desktop AV, which updated 35 minutes before the mail server AV for some reason), despite having to date seen (and stopped) around 40,000 discrete infected emails...
    And as for Lee's bemoaning the AV vendors, this is clearly the comment of someone who has no idea of the technicalities involved. Rather odd to expect something to autodetect anything rather like a virus and also expect it to be able to give it a name.

  8. anonymous

    With regards to the anti-virus software comments. I use eTrust, which happily updates my company's antivirus software every hour or so. We have not been hit by this virus physically but have been receiving no end of delivery notification failures. To blame the antivirus companies is unfair; we must take responsibility for our machines.

  9. Paul Timmins

    We have been successfully protected by MAILsweeper and McAfee TVD, which checks for updates every hour (a bit overkill but you never know!) and thankfully hasn't created a problem for us. In reply to Lee's comment, I don't see what the problem is; as long as you have a good TVD solution you should not have a problem. The only pain is the server beeping its head off when it denies access to the infected file, which is currently over 400 infections a day!

  10. David Dryden

    I've mentioned before what firms need to start doing: use your server to block the payload files at the gateway and prohibit incoming EXE, SCR, BAT, COM etc. etc., if the facility exists. Then you won't catch it. An excellent first line of defence, as AV software alone can't be updated fast enough to get things like this.

    In saying that, however, I am getting hacked off at the traffic this thing is generating, mainly non-delivery reports for non-existent company mail accounts. This virus seems to be lifting common names and using them as addresses. I also start getting annoyed at the false reports from people saying we are sending viruses to them due to the forged sender ID, and this one has been the worst so far.

    Hopefully it calms down soon and home and business users alike start actually taking this seriously in future.

  11. Phil Wilson

    Let's stop blaming Microsoft, the antivirus companies, and the virus authors, and start taking responsibility for the security of our own systems and data. A properly configured firewall, an enterprise-class antivirus solution, and a rigidly enforced "Acceptable Internet Usage Policy" is all that's required. Companies must be forced to implement effective antivirus measures, through legislation if necessary, with fines for every infected e-mail message proven to emanate from their network, and disconnection from the public internet if they can't get their house in order.

  12. John Taylor

    Justin and Lee are demonstrating that many of us in the industry are aware of the problems but have difficulty with the solutions on offer! Patch management solutions, for example, don't seem to really provide what is needed. I have been working for the past year with Computer Associates and other authors to remedy this. (Watch this space!) On the subject of AV updates, CA also thought this one through carefully. You can manage it all yourself but have the notebook and/or desktop users automatically updated over the internet from CA.

  13. John Wilson

    What do you expect if you use 'No-Outlook'

    I receive these viruses like most other people. But the same old rules apply if you want to be protected. Don't use mail clients that allow any form of execution or opening of attachments automatically, and always ask yourself why you've received any mail with an attachment before you open it. If you stick to these rules, the risk of infection is pretty low.

    For a start, I don't use Outlook as a mail client, as the viruses that circulate are always designed to exploit weaknesses in that product.

    Of course, this won't stop viruses that attack mail servers themselves or the sheer weight of traffic resulting from such attacks. But it does at least stop you becoming a contributor to the problem.

  15. Tony Lamb

    I was lucky: we moved over to using a company in the UK called Star Internet on Friday last week. Their MessageLabs servers trapped this immediately.

  16. Jon Scobie

    There's an easier solution. Stop using Microsoft!

  17. George Alland

    If you are concerned that your antivirus software is letting you down, why not switch?
    There are many products that will automatically download updates. I personally check the vendor's website every day, subscribe to their warning emails and, when away from my desk, use a batch file to check and install updates every 30 mins.

  18. Jason Gates

    Lee: What a silly thing to say! Of course virus software needs updating regularly! By its very definition it is going to be "late" with fixes or "cures" for viruses. Heuristics (intelligent software looking for "virus-like activity") can only do so much, and you'd be quite surprised how effective it actually is! However, if I were to write a virus my first priority would be to ensure that it would not be detected by anti-virus software. These coders use increasingly sophisticated techniques and exploit holes in software that anti-virus vendors could never hope to discover and patch before they do, and besides, why should they!? It's not their code that is "faulty".

    If you want someone to blame LOOK TO THE ORGANISATION. Most recent viruses rely on exploiting "social engineering" and take advantage of people's curiosity to look at attachments! Our office has adopted an email policy and we have taught our employees to only open attachments if the email was EXPECTED or the communication was initiated by them. If it has arrived "out of the blue" it is to be deleted or the person who sent it contacted to ensure that it was intentional. A pain in the ar*e, yes, but thousands of times safer than the most expensive and most intelligent anti-virus software. This longer route must have saved us thousands of pounds in downtime over the years. FYI we also have procedures for dealing with SPAM, including the "sharing of company email addresses with other websites". We stop a lot of spam at the server using intelligent filters but some still gets through!

  19. anonymous

    Which "IT community", John? The software companies are certainly interested in new operating systems etc. Those of us that have to provide the IT services to our organisations would often rather stick with something we know, but then where would innovation be? And what do we say to our marketing departments, users, and customers who demand all the latest software gizmos they see advertised? The "IT community" spends millions of pounds and countless man-hours every year trying to prevent virus attacks but is often hampered by a lack of appreciation of the risk. Unfortunately, all the time IT gets it right no one notices. It is not until a company does get hit that the problem is appreciated, and then it will be IT that is at fault: a no-win situation. While companies are often happy to spend many thousands of pounds on other forms of insurance and physical security, there is rarely the same sort of enthusiasm to spend money securing systems, data, and communications, all of which are just as vital to continued operation. All company directors should not only be aware of the risks but be asking the questions "have we analysed the risk and have we allocated the budget?"

    BTW Lee, our AV software picked up MyDoom as a Mimail variant. Ask about and see whose worked and whose didn't; it might be time to change.

  20. alan bruce

    It seems to me that very few people realise that it's their systems that are spreading the viruses in the first place. Not the servers, the desktops.
    I know of people in the IT business who have 1000s of messages in their inbox, dating back years, because they can't be bothered to clean them out.
    So, when they run a virus scan, it takes so long that they abort it before it's finished. How's that for stupid?
    I run web servers, on Linux, and I do scan all mail for viruses and executables as they pass through the server. However, as a previous poster pointed out, the number of fake return addresses makes bouncing such messages almost impossible. I send them straight to the bit bucket now, /dev/null! In any case, sending the messages back to a user who is unaware they have a virus is pointless.
    So before you blame the ISPs, I suggest the users get their house in order. Why should I waste my bandwidth clearing up after basic user laziness?
    BTW, I have not had a virus on my Windows workstation ever! I currently run PC-cillin 2003.

    Also, switching to Linux would not necessarily work, as the virus authors go for the easiest targets, which is currently M$. If Linux were more prevalent, then that may start getting hit too. But even then, with built-in iptables firewalls, it is easier to block after you know where the stuff is currently coming from (China, Russia etc.).
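Two of the comments above, David Dryden's (comment 10) and alan bruce's (comment 20), describe the same gateway control: reject executable attachments at the mail server rather than waiting for a signature update, and discard rather than bounce, because the sender address is forged and a non-delivery report only lands on an uninvolved third party. The following is an added example of that policy in Python's standard library, not code from the article, any commenter, or any product they name. The blocked-extension list, the sample messages and the placeholder addresses are constructed for the example. It goes one step beyond the extension rule the comments mention by also checking for the `MZ` magic bytes of a Windows executable, so a renamed binary is still caught.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the comments propose rejecting at the gateway.
# Constructed for this example; a real deployment maintains its own list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif", ".cmd"}


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a sample MIME message for the example (not a real capture).
    The From address is a placeholder standing in for the forged sender
    addresses the comments complain about."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "test"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def executable_attachments(msg: EmailMessage) -> list:
    """Names of attachments that look executable, judged two ways: by the
    filename extension (what a simple gateway rule checks) and by the 'MZ'
    magic at the start of the decoded bytes, which catches a renamed
    Windows executable that the extension rule alone would miss."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_extension = any(name.lower().strip().endswith(ext)
                           for ext in BLOCKED_EXTENSIONS)
        by_magic = data.startswith(b"MZ")
        if by_extension or by_magic:
            hits.append(name or "<unnamed attachment>")
    return hits


def gateway_verdict(raw: bytes):
    """Decide what the gateway does with one raw message.

    Returns ("discard", [names]) when an executable attachment is found and
    ("deliver", []) otherwise. A discard never generates a bounce: the
    sender address on these messages is forged, so a non-delivery report
    would only reach an uninvolved third party."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = executable_attachments(msg)
    if hits:
        return "discard", hits
    return "deliver", []


if __name__ == "__main__":
    # Three constructed cases: a double-extension .scr, an executable
    # renamed to .txt (caught only by the MZ check), and a harmless zip.
    samples = {
        "double extension": build_sample("readme.txt.scr", b"MZ" + b"\x00" * 64),
        "renamed binary": build_sample("notes.txt", b"MZ\x90\x00" + b"\x00" * 32),
        "plain zip": build_sample("archive.zip", b"PK\x03\x04" + b"\x00" * 16),
    }
    for label, raw in samples.items():
        print(label, "->", gateway_verdict(raw))
```

The zip case is deliberately allowed through, matching Gary Lowe's point later in the thread that executables travel as compressed files; a production gateway would also open archives and apply the same magic-byte check to their members, which this example does not do.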

  21. Gene Small

    Several years ago, before rewards were being offered, I predicted to myself that such destructive activity would eventually result in an undercover group of "hit men". Essentially, they would quietly be paid large amounts of money to locate and eliminate people, young or old, who create these viruses.

    Now, reading that two different companies have offered $250,000.00 for information leading to the identity of the virus writer(s), I think I am probably right. Look for these headlines in the near future: VIRUS WRITER COMMITS SUICIDE

  22. Gary Lowe

    My anti-virus software keeps this piece of rubbish out, and it didn't cost me a penny: AVG by Grisoft.

    Also buy/install Office 2003; the new version of Outlook, although annoying sometimes (I'll explain why further down), eliminates any executable attachments.

    Eudora has done this for some time, I'm told, but I like Outlook.

    The annoying side is when a known friend sends you an executable; that too gets mashed (although you can add them to your safe senders list).

    So executable files are better sent as compressed files, easily uncompressed by WinZip, originally owned by PKWare, then Niko Mak, and now, I may be wrong, but I think Microsoft.

    I wish the obvious talents of some of these virus writers could be put to good use. I know a lot of virii are created using "kits", written by the "masters", but the guys who write the "kits" and the major virii obviously have a great talent, and maybe we should be channelling their talents for creative programming to better ends.

  23. Craig Cleaver

    I have to say that Norton picks up the virus on every mail that comes in. We are only a small company, but last week we averaged about 600 infected emails a day.

    Luckily enough our firewall intercepts the emails going out, so no propagation commences.

    It has been almost impossible to work with Norton asking to disinfect every five minutes. Big cheer to Symantec for releasing the antivirus tool as quickly as they did.

  24. MELVYN BELL

    Rather than bemoan the antivirus software vendors and the need for multiple updates, I would suggest that the perpetrators of these viruses be found and dealt with rather more harshly.

    With automated virus updates across the networks that I manage I did not get one hit, touch wood. Thank you, Network Associates.

  25. Lee Williams

    With regards to all comments, I do agree that ISPs should make more of an effort to protect our PCs. My ISP (NTL Home) gives me an internet connection firewall but this is not as effective as it is made out to be. These companies probably have the experts and the technology to create a suitable solution for these viruses and worms. Why not spread the wealth? PROFIT. That is what they are interested in. They must make money because that is what they are there to do.

  26. anonymous

    The FBI, DHS, and others recently announced their intentions to engage in Cyber Warfare Research & Counter-Information Attack; not that they ever were out of the running. Many years ago there was a story of an FBI-written virus called Protocol 5. This may be a myth, but the principle is worth considering... If you are creating electronic weaponry, there comes a time when you MUST test it in the field. In this scenario, there is an interesting juxtaposition between the technical possibilities of 'virus' propagation and proliferation, and the psychological warfare value of watching how the masses respond (or rather, fail to retain common sense) to these relatively innocuous but extremely annoying outbreaks. In the event of "Global Emergency" (which has been thoroughly planned and scoped, and doesn't seem so unlikely these days), the 'Authorities' will be wanting as an option the means to switch off large parts of the Internet, bearing in mind that they have their own secure alternatives. And my point? Get used to it, we ain't seen nothing yet. One of these days, there's gonna be a payload which makes all previous infections look like mere glitches. At which point, a patch becomes kind of redundant.

    As for the ISPs: spam could be stopped tomorrow server-side, but in the long run it is not profitable. It is all part of the economic cog in the Commercial Internet Machine.
