Mydoom.FUD: a lesson in Fear, Uncertainty, and Doubt

Fear, Uncertainty, and Doubt (FUD for short) can have very real effects on security, especially when used by security crackers to manipulate uninformed "experts" too quick to jump to conclusions. Mydoom was the canonical example of this idea in practice.

In the last week of January 2004, a new worm was discovered squirming its way across the Internet. Security researchers quickly realized this was the fastest-spreading email worm yet, eclipsing even the promiscuous Sobig worm. Craig Schmugar of McAfee saw a line of code containing the text "mydom", and said of his decision to call it Mydoom:

"It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."

The original Mydoom worm carried two payloads:

  1. a distributed denial of service time bomb, set to go off on the first of February that year
  2. a remote access backdoor that allowed an infected MS Windows computer to be controlled without its user's knowledge

The DDoS Attack

The DDoS attack payload targeted SCO Group, a Unix vendor now famous for running itself into the ground making tremendously bad business decisions like trying to sue IBM on the strength of copyright claims related to Linux kernel source code. Several years of litigation led to SCO failing to substantiate its claims, breaking itself apart on the rocky shores of IBM's stable of intellectual property lawyers like a termite-eaten rowboat in stormy seas. Novell joined in the fun, winning judgments against SCO showing that the SCO Group didn't even "own" the copyrights it claimed were infringed by IBM and the Linux kernel in the first place. Such a DDoS attack was just salt in the wound.

SCO representatives played the event for all it was worth, of course, claiming that "the Linux community" just had a case of sour grapes and was targeting the corporation in retaliation for its copyright claims. Ultimately, however, security researchers and law enforcement agencies alike decided that wasn't the case. They came to the conclusion that the entire SCO DDoS escapade was more smokescreen than petulant assault on an enemy of the Linux community, meant only to distract people from a much more insidious purpose of the email worm.

The Backdoor

Credulous commentators, willing to leap upon the most facile and sensational explanation that presented itself, had already bitten into the bait exactly as the worm's author must have intended. They quickly dismissed any potential financial motivations for the creation of the worm, blaming it on those eeevil Linux "hackers". By the time the truth started to surface, the damage was already done; while heads were turned in the direction of SCO and the Linux community, Mydoom and the Mydoom.B variant were still spreading.

Eventually, the backdoor was used to gain direct access to millions of infected computers, and on day eight after Mydoom was discovered, personal data was downloaded from infected systems, resulting in billions of dollars of damage. Writers eager to publish dramatic headlines and boost readership, or just with an axe to grind, were hoodwinked and, unbeknownst to them, enlisted as part of the worm's own disinformation campaign -- which distracted just enough security researchers and law enforcement agencies, just long enough, to prove remarkably successful at its real aim.

You might say that Mydoom was one of the most successful attempts at security cracking through social engineering in history.

The Real Problem

The reasons people write viruses are many and varied. Some surely do so as a means of retribution for slights real or imagined. Many others, however, do so for profit, as was the case with the author of the Mydoom worm. This latter breed may boast very sophisticated, intelligent, and at best amoral individuals who do not hesitate to take advantage of technology commentators who leap at shadows. Security researchers, too, can be susceptible to manipulation, especially with the help of the IT trade press. Without such self-reinforcing tendencies to jump to conclusions, more attention might have been paid to the implications of the worm's "other" payload, and much of the damage done might have been avoided.

Almost a year ago, I pointed out that security alarmism helps the bad guys win. It does more than that, though -- it also directly hurts some of the good guys. The open source development community includes many of the developers most respectful of copyright licenses and digital security in the world. Despite this, incidents such as the early media frenzy about mythical disgruntled Linux "hackers" attacking SCO Group via an email worm that infected millions of computers in mere days continue to occur, creating in the minds of the most credulous the impression that Linux is "a hacker's OS", with a decidedly pejorative bent to the use of the term "hacker".

When you run across unsubstantiated claims in the information technology trade press, I hope you'll look at the facts from every angle, and realize that many interpretations are often possible. Don't become part of the problem -- part of the social machinery that makes unsupported fear, uncertainty, and doubt so easily propagated.

When the next Mydoom comes around, your security may well depend on it.