"Larry Seltzer" <larry@larryseltzer.com> wrote: Sorry -- I missed this yesterday... > All the AV companies are calling this new outbreak "Doomjuice" Indeed, for reasons explained in my message yesterday... > They all have it as a low-incidence in the wild. What I don't > understand is that if it hasn't spread, what caused the attack against > Microsoft this morning? There are two aspects to this. First, as Gadi suggested, depending on the nature of the DDoS attack, a "low incidence" DDoS attack agent can still perform a very effective attack (this is particularly so if the DoS part of the attack involves some significant multiplier effect -- very few bytes sent, massive CPU, network response, etc load generated). I'm not entirely sure this is the case here, but haven't looked closely at it with this in mind... Second, how does AV (mostly) judge the incidence of viruses, worms and so on? Right -- from incident and rate data collected from their scanners, etc. Such measures, by their very nature, will be almost blind to Doomjuice. Why? Because Doomjuice _only_ spreads via Mydoom.A/.B infected machines and only across the net, P2P-like in direct machine-to-machine manner. By and large, AV does not monitor such things and to do so, it would actually have to run a Mydoom- emulating listener. If AV did monitor for this kind of threat, what would it cost? First, it would be soaking up the user's CPU cycles and other resources for the "benefit" of monitoring this attack vector which is the something the user is not actually vulnerable to because they have up-to-date AV and thus, we can assume, are not infected with Mydoom in the first place. Multiply by all the other similar backdoors and what have you and the load AV s/w imposes on your typical PC (which many users of some products already describe as "crippling" the machine) would increase considerably. So, Doomjuice only spreads through machines that do not have up-to-date AV (else they wouldn't have Mydoom to let it in) and only spreads through a medium that AV developers (in particular) do not monitor at all closely (notice that Email-specific services/vendors such as MessageLabs and Postini will not be reporting Doomjuice _at all_ -- I haven't checked, but if they are it will be tiny numbers and due to an occasional user-initiated action, such as attaching a suspect .EXE to an Email and sending it to a security or AV vendor). However, a few folk do have relatively specific monitoring for such things. Given the rate I'm hearing of _proven_ Doomjuice distribution attempts (i.e. the code sent through the "Mydoom update" mechanism is actually captured and well-fingerprinted rather than assumed to be Doomjuice from some very limited partial capture/signature such as some IDS systems are using), it certainly is no Slammer, CodeRed or Blaster, but it is definitely out there and probably in numbers enough to trouble www.microsoft.com... (That said, www.microsoft.com did not seem troubled from New Zealand for much of yesterday. It was dead slow late last night but seems OK again this morning -- for now it is resolving to www2.microsoft.akadns.net, IP:207.46.245.92.) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
