Full Disclosure: RE: MyDoom.b samples taken down

[Todd Burroughs <todd () hostopia com>]

I think it is purely social engineering, there is nothing special about
this malware, it is pretty common now.  What it seems to have done
different is that it made Windows users see an icon that looked like a
text file, one that they have been trained to accept as "safe"

I think that there's a good possibility that this is run by organized
crime for spam purposes or maybe worse.  I really hope that someone
from Microsoft follows this list and realizes the danger of allowing
this situation to go on.

Users can be trained to have to save a file to disk before running it,
this would remove most of this problem and people who actually use email
to send executable files would get used to it pretty quickly.

One can only hope...

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Mon, 2 Feb 2004, Dowling, Gabrielle wrote:

> Bill....
>
> You make some good points, but as to your comment that "Mydoom.B was not
> as successful as mMydoom.A because people had already been warned about
> clicking on messages with that format. It has nothing to do with the
> lethality of the virus. What makes a virus dangerous today is much less
> the actual virus code (as Nick says there are very much alike), but the
> social engineering of the message and the smarts about where it gets the
> email addresses to propagate"...
>
> I don't think there's any way you can support your conjecture of the
> success of A over B.  I haven't checked since Friday evening, but before
> then I didn't see the volume of messages received at our gateway
> diminish, which pretty strongly indicates that either a) we've got the
> same base infection rate as when it first hit (and therefore, systems
> that got hit don't know that they got hit, and aren't aware that they
> might have been hit and thus haven't been reading anything about how
> they should deal with this specific message if it comes in,and therefore
> are likely to click on Mydoom.B if they received it) , or b) new systems
> are getting infected as soon as existing systems are getting cleaned up.
> While I don't think educational efforts are fruitless (and in fact far
> from it, I think the fact that they have simply been inadequate), I
> don't think there's any reason to think that anyone has "learned" about
> this one and thus abstains.  I know quite definitively that when the
> "FriendGreetings" malware was circulating a couple of years ago, we had
> users continue to click on links (despite it having exactly the same
> message format) as each new linked site was added, despite clear
> information that was sent to them immediately upon the first site
> becoming known.
>
> What no one here seems to be interested in how this thing got so big, so
> fast, and its apparent kinship in that respect to it's Sobig predecessor
> (in terms of volume, and probably also in terms of ultimate goal).  It
> seems an important thing for this forum to consider, yet no one has
> (other than to assume that there is something special about the code,
> which there is not).
>
> G
>
>
> **********************************************************************
> This e-mail is sent by a law firm and contains information
> that may be privileged and confidential. If you are not the
> intended recipient, please delete the e-mail and notify us
> immediately.
> ***********************************************************************
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html