Published February 4th, 2004 by Jim O'Halloran
MyDoom a professional job?
After reading the analysis of Sobig, you start to get the impression that some viruses these days are professionally written. Sobig almost looks like the product of a traditional iterative development process: release an initial version, improve it, release the next version, and repeat until perfection is achieved.
Sobig started out with a fixed From: address; Sobig.B changed the From address to something we couldn't block quite so readily. Later versions used forged From addresses to make blocking even harder. Over time Sobig has become more sophisticated at mass-mailing itself and better at hiding its stage 2 payload. Sobig even seems to have a timer which kills off the old version, presumably to stop it from competing with the next one. And most importantly, Sobig has spread faster and further each time.
We haven't had a new Sobig for a while, but we did get "MyDoom". MyDoom seems to have been a lot more successful than Sobig ever was. Instead of receiving one or two copies through our mail server before our anti-virus program detected it, we got hundreds. At its peak, MyDoom was well over half of our email traffic.
Now Information Week is reporting that the Slashdot