
Mydoom.FUD: a lesson in Fear, Uncertainty, and Doubt

Fear, Uncertainty, and Doubt (FUD for short) can have very real effects on security, especially when used by security crackers to manipulate uninformed "experts" too quick to jump to conclusions. Mydoom was the canonical example of this idea in practice.

In the last week of January 2004, a new worm was discovered squirming its way across the Internet. Security researchers quickly realized this was the fastest-spreading email worm yet, eclipsing even the promiscuous Sobig worm. Craig Schmugar of McAfee saw a line of code containing the text "mydom", and said of his decision to call it Mydoom:

It was evident early on that this would be very big. I thought having "doom" in the name would be appropriate.

The original Mydoom worm carried two payloads:

  1. a distributed denial of service time bomb, set to go off on the first of February that year
  2. a remote access backdoor that allowed an infected MS Windows computer to be controlled without its user's knowledge

The DDoS Attack

The DDoS attack payload targeted SCO Group, a Unix vendor now famous for running itself into the ground making tremendously bad business decisions like trying to sue IBM on the strength of copyright claims related to Linux kernel source code. Several years of litigation led to SCO failing to substantiate its claims, breaking itself apart on the rocky shores of IBM's stable of intellectual property lawyers like a termite-eaten rowboat in stormy seas. Novell joined in the fun, winning judgments against SCO showing that the SCO Group didn't even "own" the copyrights it claimed were infringed by IBM and the Linux kernel in the first place. Such a DDoS attack was just salt in the wound.

SCO representatives played the event for all it was worth, of course, claiming that "the Linux community" just had a case of sour grapes and was targeting the corporation in retaliation for its copyright claims. Ultimately, however, security researchers and law enforcement agencies alike decided that wasn't the case. They came to the conclusion that the entire SCO DDoS escapade was more smokescreen than petulant assault on an enemy of the Linux community, meant only to distract people from a much more insidious purpose of the email worm.

The Backdoor

Credulous commentators, willing to leap upon the most facile and sensational explanation that presented itself, had already bitten into the bait exactly as the worm's author must have intended. They quickly dismissed any potential financial motivations for the creation of the worm, blaming it on those eeevil Linux "hackers". By the time the truth started to surface, the damage was already done; while heads were turned in the direction of SCO and the Linux community, Mydoom and the Mydoom.B variant were still spreading.

Eventually, the backdoor was used to gain direct access to millions of infected computers, and on day eight after Mydoom was discovered personal data was downloaded from infected systems, resulting in billions of dollars of damage. Writers eager to publish dramatic headlines and boost readership, or just with an axe to grind, were hoodwinked and, unbeknownst to them, enlisted as part of the worm's own disinformation campaign -- which distracted just enough security researchers and law enforcement agencies, just long enough, to prove remarkably successful at its real aim.

You might say that Mydoom was one of the most successful attempts at security cracking through social engineering in history.

The Real Problem

The reasons people write viruses are many and varied. Some surely do so as a means of retribution for slights real or imagined. Many others, however, do so for profit, as was the case with the author of the Mydoom worm. This latter breed may boast very sophisticated, intelligent, and at best amoral individuals who do not hesitate to take advantage of technology commentators who leap at shadows. Security researchers, too, can be susceptible to manipulation, especially with the help of the IT trade press. Without such self-reinforcing tendencies to jump to conclusions, more attention may have been paid to the implications of the worm's "other" payload, and much of the damage done might have been avoided.

Almost a year ago, I pointed out that security alarmism helps the bad guys win. It does more than that, though -- it also directly hurts some of the good guys. The open source development community can claim some of the most copyright-respecting licenses and some of the most security-conscious developers in the world. Despite this, incidents such as the early media frenzy about mythical disgruntled Linux "hackers" attacking SCO Group via an email worm that infected millions of computers in mere days continue to occur, creating in the minds of the most credulous the impression that Linux is "a hacker's OS", with a decidedly pejorative bent to the use of the term "hacker".

When you run across unsubstantiated claims in the information technology trade press, I hope you'll look at the facts from every angle, and realize that many interpretations are often possible. Don't become part of the problem -- part of the social machinery that makes unsupported fear, uncertainty, and doubt so easily propagated.

When the next Mydoom comes around, your security may well depend on it.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

36 comments
scarville

I posted a link to an old article about this in a discussion on virus writers. I think it's one of the best recent examples of how easy it is for a "conspiracy" explanation to substitute for lack of information.

ogregator

Thanks for the insight. These days, I'm treating IT security much like going into a fight. If all you're doing is reacting, then you'll get floored. Think first, fist later.

JCitizen

and also, as usual, I just can't get enough of this IT security stuff!

Sterling chip Camden

Nothing is ever as simple as it seems, because our brains evolved to survive by categorizing threats as quickly as possible at the expense of accuracy of detail. Mydoom's social engineers took advantage of that tendency.

BALTHOR

Somehow the file gets signed by Microsoft. He's got the gold and diamonds trick there with opening up a file.

seanferd

Aside from never seeing the whole story laid out like that, it is a good object lesson. Nice transition from the other thread I was reading (Why do people write viruses?), for which you so graciously provided this article.

apotheon

A would-be client once objected to the very suggestion of a Linux server replacing his aging MS Windows NT 4.0 file server in a small business network of six computers, saying "I won't use that hacker's OS!" I refrained from informing him that his consumer-grade router appliance came from the factory with an embedded Linux-based OS running on it. In fact, I refrained from doing any work for the man. When a client refuses to let me help because his prejudices are too superficially formed and run too deeply to allow him to listen to reason, I won't take his money just to give him what he thinks he wants. He can get ripped off without my help. I'd dismiss it as unimportant if it wasn't for the fact that this incident was more than just a one-time annoyance. It is, in fact, symptomatic of a much more significant and far-reaching problem in the IT industry, and it makes me sad.

apotheon

That's good advice. I'm glad you got some value from the article.

apotheon

I definitely appreciate the compliments.

apotheon

I wish I had thought of mentioning that evolutionary angle while writing the article.

edthered

This really looks like the B.C. police had tried and failed to pin something on this guy previously, so they are just grasping at straws with this. They look to have no idea what they are on about anyway. Very scary stuff no matter how you look at it...

Saurondor

I'm still cracking up with: "uses two different operating systems to hide his illegal activities. One is the regular B.C. operating system and the other is a black screen with white font which he uses prompt commands on." Maybe they mean cygwin or putty? Hardly an OS.

apotheon

Can we just sterilize everyone who makes assumptions about what expertise means without having any expertise themselves? Please? I really don't want their idiotic tendency to jump to conclusions without any understanding of the circumstances to be propagated through their children.

Slayer_

I never would have imagined this interpretation, and this one actually hangs together very well and is certainly plausible. And the interesting subcontext that whoever made this virus knew that Linux devs would be blamed. Maybe it was Linux devs, who knows? That's the beauty of viruses. It's also why the theory that AV companies may be making viruses, since it would be near impossible to prove it. Were there ever any arrests? Did they ever catch the people that made the virus?

apotheon

I appreciate the compliment, and I'm glad you found it a worthwhile read.

seanferd

The second paragraph of your comment reminds me of Raymond Chandler's Philip Marlowe character. Partly the way it was phrased, partly the dynamic of the ethic. Maybe an odd comparison, but it just leapt to mind.

seanferd

Could have been using a Windows command prompt, for all we know. But they found an Ubuntu CD in his room! Scandal!

JCitizen

I'd be laughing my @ss off if it weren't for the gross violation of the individual's rights.

seanferd

"...and the superhuman crew come out and round up everyone that knows more than they do" -- Hey, I don't understand that, and now I feel threatened. Yes, I believe a counterstrike on the willfully and proudly ignorant is in order. What kills me more is that the motions from the EFF have been denied, which I discovered by revisiting the link. Personally, I can't see how the search was legitimate in the first place, and the judge signing the warrant is worse than the officers deciding that the original complaint had any merit. On the other hand, perhaps we could get these folks to enforce existing law against real crackers and malware writers within their reach. But on the gripping hand, there is no legal solution to malware.

apotheon

They tracked it back toward its source as far as Russia. Investigators believe someone commissioned one of a number of Russian professional malware writers to create the worm -- probably someone who wanted valuable identity fraud data. They haven't nailed down a specific perpetrator, though.

goehms

This was meant to be a top-level response to the author, but... Thank you. A very sensible and well written example of the need to rethink issues, a main theme I emphasize in all venues of life. Disinformation may be deliberate or the product of error and self-delusion. Your article may raise some people's alert levels and help them develop the necessary "crap-detector" that must accompany all reading. I once encountered a graduate student at a party who said to me (when I commented on my disagreement with a particular author) that she had never thought to question what she read in a book. That was the closest I ever came to spluttering, but I managed to respond, "You have to question everything." Good job.

apotheon

I've never read any Chandler, but I really liked the movie adaptation of The Big Sleep -- mostly because of the chemistry between the main characters, and the ever-present witty banter. I guess I'll take the comparison to Bogie's character as a compliment (since Bogie's portrayal is my only familiarity with the character).

apotheon

During The Cold War, The Code To Unlock Nuclear Missiles Was "00000000"

JCitizen

I'd long forgotten about that case. It always seems a bit scary to the knowledgeable person to see such ignorance reflected by our legal system. Because then you realize how many folks get pinned by street crime cases for reasons just as stupid, but no one realizes it except the hapless victim of the system. I'd rather let 5 criminals go free than put one innocent person in jail.

Neon Samurai

If the kid can't find rational thinking in the legal system, he'll end up in front of a judge with as much technological knowledge as the arresting officer. Remember, Mr. Mitnick laughed out loud in court when they read the charges against him. To someone with five minutes' technology reading behind them, the court claims were absurd. Instead of being laughed out of court, the prosecution was allowed to proceed as if Mr. Mitnick could magically whistle missile launch codes through any phone within five meters of him. (That doesn't say much for how well secured the launch mechanisms were assumed to be either, though, does it..)

JCitizen

If you ask me, they aren't particularly friendly to 2nd Amendment rights either.

Slayer_

They should be hanged as an example to all malware writers!

apotheon

"I once encountered a graduate student at a party who said to me (when I commented on my disagreement with a particular author) that she had never thought to question what she read in a book. That was the closest I ever came to spluttering, but I managed to respond, 'You have to question everything.'"

I not only appreciate the compliments, with regard to the article, but this sort of advocacy by you for people to think for themselves. In fact, I'm more grateful for the latter, even though it doesn't directly impact me -- because, in the grand scheme of things, I think I benefit quite a lot more from it than from a compliment. I still like the compliment, of course.

edthered

As in the Red Cross life saving course I took as a kid: if they are going to fight you when you are trying to save them, then let them drown.

seanferd

Now I want to watch The Big Sleep. I find I like Bogart in a lot of his roles.

seanferd

Marlowe has a similar ethic of turning down work, and payment for work, for similar reasons: the client won't really allow Marlowe to help properly, by withholding info, not really wanting the root problem solved, asking for services better provided by someone other than a PI (or not at all). This plays out a few times in The Long Goodbye, but it's been a while since I've read The Big Sleep, even longer since I've seen the film, and I cannot recall a particular example of this behavior from that story. Suffice it to say that whereas some find this ethic or behavior to be "shooting oneself in the foot", I find it admirable.