MyDoom.B Rapidly Spreading - NOT!
Tuesday February 3, 2004
An Open Letter to US CERT
US CERT is a newly formed partnership between the Department of Homeland Security's National Cyber Security Division and the CERT Coordination Center (CERT/CC) run by Carnegie Mellon University. They claim, "We have taken great care to be accurate, fair, and honest about the security risks you face, and we feel a tremendous professional obligation to bring you the best, most trustworthy advice we can to help you protect your systems."
Their first alert in this new capacity? A claim that MyDoom.B is "rapidy spreading", that they have "credible data" it only attacks Microsoft, and that the worm "appears to have different 'MIMI' data for malicious e-mails."
The first time I received this 'Technical' alert, I ignored it. Chalked it up to growing pains or bad NIPC karma. But now they've sent it a second time. As an antivirus professional, their inaccuracies make me cringe. As a U.S. citizen, their incompetent reporting embarrasses me, prompting this Open Letter to US CERT.
In the interest of my being Accurate, Fair, and Honest, here's the truth: MyDoom.B is barely a blip on the radar. Case in point: MessageLabs, who first spotted the MyDoom.A worm, recorded over 20,000 copies within hours of its discovery and had stopped over 1 million copies the day after. Their MyDoom.B tally at the height of its 'frenzy' - a whopping 7 copies. Not 7M, not 7,000, not even 700, or 70, but SEVEN. Trend Micro reports only 1 copy of MyDoom.B ever detected by their World Virus Tracking Center. For the record, at the time of this writing they've seen over 734,692 instances of MyDoom.A.
So now you know. Seven copies seen by MessageLabs in email and 1 copy seen on a system by Trend Micro's World Virus Tracking Center. Not quite the definition of 'Rapidly Spreading', eh? Oh, and that Microsoft-only DoS and the allusion to 'credible data'? Maybe it's time you got really credible resources for that 'credible data'. The DDoS in MyDoom.B is directed at both SCO and Microsoft. But don't take my word for it, read the analyses from NAI (McAfee), F-Secure, Sophos, or any other antivirus vendor that actually analyzed the worm before putting pen to paper.
And by the way, it's MIME data, not MIMI.