Tuesday, February 3, 2004

Worm code optimization?

Various talking heads have noted the speed with which Mydoom has spread. Karl Wolfgang (on the Full Disclosure list) even used it in part of a warning to non-MS and supposedly secure networks to "not rest on your laurels".

In reading Karl's post, I noted that the author of Mydoom had modified his code so that it avoided domains containing specific keywords (see Sophos for the lists). It appears the author wanted the worm to avoid "wasting its time": he may have been trying to skip domains that are Unix-based or known to have better security than the rest of the Internet. At the local ISSA meeting, someone else stated that attacking ".gov" or ".mil" domains could allow for the use of the Patriot Act. Agree or disagree with either? Comments?

As a side note, Chris Neitzert (on the Full Disclosure list) has provided a Procmail recipe to filter Mydoom from incoming mail.
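For readers who want to see what that kind of incoming-mail filter does, here is an added example in Python rather than Procmail. It is not Chris Neitzert's recipe and not code from this post; it parses a MIME message, checks every attachment's filename extension against a block list, and returns a deliver/quarantine verdict. The extension list, the sample message builder and the verdict strings are all assumptions of the example, chosen to illustrate the approach rather than to match any published Mydoom signature.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed block list of attachment extensions that a mail filter might quarantine.
# This is an example setting, not the list from any published Mydoom recipe;
# a real deployment would tune it (".zip" in particular is a policy decision).
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".zip"}


def risky_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose extension is on the block list.

    The check uses the attachment's declared filename (from either
    Content-Disposition or the Content-Type name= parameter), not the
    declared MIME type, because a sender controls both and the extension is
    what a Windows client would use to decide how to open the file.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # text bodies and container parts have no filename
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def classify(raw: bytes) -> str:
    """Map a raw message to a verdict a delivery agent could act on."""
    return "quarantine" if risky_attachments(raw) else "deliver"


def build_sample(attachment_name=None) -> bytes:
    """Build a constructed test message; the addresses and text are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content("See attached.")
    if attachment_name is not None:
        # A few placeholder bytes stand in for attachment content.
        msg.add_attachment(b"MZ\x00\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("document.pif", "Report.EXE", "notes.txt", None):
        print(name, "->", classify(build_sample(name)))
```

Procmail would express the same idea as a body-matching recipe on the `name=`/`filename=` parameter, but the logic is identical: decide on the attachment name, not on the sender's self-declared content type.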