Fastest worm requires manual execution?

by Anton Chuvakin

Related link: http://isc.incidents.org/diary.html?date=2004-01-26



By now, everybody knows about the latest "horrible" worm (MyDoom,
Novarg, whatever). On multiple occasions it was called the "fastest
spreading worm ever". I was looking at various anti-virus vendor sites
(linked from this URL), and it struck me as extremely odd that the
user has to MANUALLY execute the attachment to actually be infected
and no vulnerability is being exploited. How does the manual
infection coincides with the fastest spread rate ever? Sure, a bit of
social engineering (masking as the mail server message) helps, but I
still find this whole story very surprising...

4 Comments

jwenting
2004-01-30 03:18:13
gullability forever
There are tens of millions of completely computer illiterate users on the internet these days, many of whom are engaged in highly risky activities (mainly downloading pirated games and other software from P2P networks and searching warez sites for passwords to these programs).


These people are especially at risk (and I have no mercy for them whatsoever if they get hit).
Not only do they lack the knowledge to prevent infection in the first place, and do they lack the knowledge to cure infection once they get infected, they also place themselves with reckless abandon at extreme risk to be infected.


I say I have no mercy for them. IMO anyone who gets a virus or worm while engaged in illegal activities deserves what he or she gets and if termination of service is the result so much the better.
Some of them might genuinely believe they are doing nothing wrong, but the vast majority know full well that they are engaged in illegal activities.
Those that don't know they are acting against the law are lacking education and shutting off their access serves to protect them against themselves as well as the rest of the world against them.


That's not to say the virus writers should not be sought out and destroyed. They too are criminals, and should be prosecuted to the full extend of the law in every single country where they caused damage (which might make for some interesting legal challenges to get them extradited and serving time all over the world).
This latest worm shows signs of having originated in the hardcore Linux movement, specifically targetting those corporate entities this movement hates most: SCO and Microsoft, and feigning to exploit weaknesses in Microsoft operating systems (while indeed a similar attack targetting their own OS would have worked as well if not better).

mxc
2004-01-30 09:44:43
How come there aren't more of these?
I am also perplexed by this. Surely the internet would be awash with this kind of stuff if it were so easy.


I would expect there to be a new record breaking virus every second day.

dumky
2004-01-30 11:40:38
hehe
Reading your post is just... wow! Takes my breath away...


Have any data/proof that people getting the virus are engaged in any illegal activity? How do you connect MyDoom and warez?!


There isn't any hard evidence that MyDoom has originated in the Linux movement, and targetting SCO isn't proof. Maybe SCO wrote it to discredit Linux... Maybe the anti-virus companies wrote it and planted the SCO thing as a decoy... My speculation is as good as yours.


Also, MyDoom doesn't actually exploit an OS weakness (as mentioned in the above blog post). It isn't doing any political damage to windows per-se, as some previous "automatic" viruses have.

dumky
2004-01-30 12:05:27
MyDoom and warez
I didn't know it spread thru Kazaa as well, so I now see the connection with warez... Sorry about that.



To reply to the original topic, the best designed worm is estimated to contaminate all its targets in under a minute...
There is no way a worm that needs manual intervention from users would spread that fast :-(
Although no OS vulnerability was used, I wonder if any OS improvements could help prevent such worms.