January 27, 2004

Virus, Vandals and Thieves: An Open letter to the Virii Author(s) of 'MyDoom'

To whom it may concern,

Congratulations on your newfound fame. CERT has recently published a new Incident Note about your W32/Novarg.A Virus (aka 'MyDoom') and I can only assume you must be proud. After all, writing such malevolent code with the intent of causing a distributed Denial of Service (DDoS) to SCO is not only creative, but to some enthusiasts downright brilliant. And to boot, you show how user complacency perpetuates the problems on vulnerable Windows machines. This must satisfy you.

I can only imagine how you must feel right now. You have struck a blow to the Internet in a way that many cannot comprehend. You have now clogged up the arteries that make up the Internet's email backbone. According to InfoWorld, you have even caused significant performance slowdowns to the top 40 US business Web sites, impacting their ability to do business.

On February 1st and 12th, when the actual DoS payload is executed, be proud in knowing that you have required administrators at SCO’s ISP to respond by making infrastructure changes to try to mitigate the attack. Be content in knowing that your keylogger will have recorded enough passwords and other vital (and private) information that you can keep your script-kiddie ways going for another year. Hey, maybe you can use that credit card information to buy a backbone… or at least a date. (Oops... did I say that out loud?)

But most of all, I would like to congratulate you on now becoming more annoying and cowardly than SCO itself. Striking such an anonymous blow puts another notch in your virogen ways… and has increased your profile in the underground. Of course, what you haven't thought about is the fact that there is no honour amongst thieves, and authorities are now looking for you. There are real costs associated with the damage you have caused, and those costs are growing as IT professionals contain, eradicate and clean up your mess. Hey, maybe with any luck SCO will turn a suit on you. Or perhaps Mr. Gates will put a bounty on your head. We can only hope.

In closing, thank you for showing the world yet again why information security is important, and for showing why the 8 Rules of Information Security are vital.

Now go away. Your 15 minutes of fame are up.

- Dana M. Epp

Posted by SilverStr at January 27, 2004 10:08 AM
Comments

Nice. I would have ended it differently though. Something like:

"Rot in hell you scum sucking pig.

Love, Dana."

:)

Posted by: Arcterex at January 27, 2004 10:24 AM

amen!

Posted by: Richard Acton at January 27, 2004 10:36 AM

Great letter! Now you just need to convince the miscreants that wrote the worm to read your note.

Cheers,

Ken

Posted by: Ken van Wyk at January 27, 2004 01:51 PM

Do you think it is a good idea portraying yourself as being so full of hatred that you lose your grip on logic? Go for a walk, sleep on it.

Obviously the author of MyDoom does not fit the generally accepted (and elitist) definition of a script kiddie, which is "using only tools written by others without understanding them".

The way of dealing with criminals is prosecuting them, not insulting them. If you live with the idea of the pimpled, sexually inexperienced, credit carding virus writer you mainly show your ignorance of all research on cyber criminals in the last 15 years - which really surprises me considering the general cluefulness shown in your writing.

Posted by: Max at January 27, 2004 03:39 PM

Hey Max,

You are right that virus writers should be prosecuted to the fullest extent of the law. But my assessment of this attacker is still the same.

When I look at this attack, and profile how the attacker has approached this, I have to look at it from the point of view of being a nuisance.

What keeps me up at night is not attacks like this. It was too easy to detect, and strong infosec policies have prevented this attack from propagating in areas I am responsible for. There were signature updates for this threat from vendors shortly after launch and most infosec professionals are already on top of it.

Don't get me wrong... the writer is criminal in intent and action, and this attack is bad. I am just frustrated in seeing such blatant disregard for other people's online resources, in an effort to make a big spectacle about it.

Want to impress/scare me? Build a new attack vector based on an unknown vulnerability that can covertly collect information from a targeted source and get past all layers of defense without me knowing. You can name it "Magic Lantern v2" if you like. It's these kinds of blended threats that I worry about. And they exist, thanks to professional cybercriminals who are learning from these more public attacks and applying lessons learned in their own code.

I don't live with a facade believing it's always a PFY that is causing this sort of havoc. But I also don't believe it's always a sophisticated attacker who really benefits from this sort of attack and gets away with it.

I'm sorry that you feel that my tongue-in-cheek letter was insulting. I am not on the payroll of CSIS or the FBI and don't have the resources to build evidence to criminally prosecute the attacker(s).

The intent was to raise awareness of the attack, and by your even reading about it... I met that intent. Thank you for taking the time to read it and respond. I appreciate the comments.

Posted by: SilverStr at January 27, 2004 05:25 PM

Another good one, Dana.

Posted by: Kent Tegels at January 27, 2004 08:12 PM

Well, Microsoft may not have placed a bounty on the head of the MyDoom author yet, but SCO has! They have offered $250,000 for turning in the author.

SCO Offers Reward for Arrest and Conviction of Mydoom Virus Author

Posted by: Martin at January 28, 2004 11:17 AM

And so too has Microsoft:

http://www.microsoft.com/presspass/press/2004/jan04/01-29MyDoomBRewardPR.asp

Posted by: Peter Torr at January 31, 2004 04:06 PM