MyDoom brings down Google

Some cunning social engineering downs internet search

By silicon.com, 27 July 2004 09:05

NEWS A pesky new variant of the MyDoom worm has slammed four popular search engines and continued to clog email accounts around the world.

The new version, variously dubbed MyDoom.M or MyDoom.O, was first detected early on Monday morning and quickly went on to flood many mailboxes with hundreds of messages. It has also slowed Google, Yahoo!, AltaVista and Lycos to a crawl, because once it infects a PC, the virus automatically performs web searches on those search engines.

Email screening company MessageLabs said it had intercepted more than 23,000 copies of the variants in the first five hours of their existence. McAfee Avert, the virus-tracking squad at the antivirus software maker, rated the worm a "medium on watch," or right below a high-risk vulnerability. Tens of thousands of PCs have been infected by the worm, which was first detected just before 6 a.m. PDT. The biggest impact, however, has been on the search engines.

Google, Lycos and AltaVista have been sporadically out of service all morning, while Yahoo! has been slow. That's a function of how the worm spreads, said Craig Schmugar, a virus researcher at McAfee. Once installed, the virus searches for email addresses on the host computer's hard drive, and then it looks for more by running queries on all four search engines.

"It is kind of an inadvertent [denial-of-service] attack," he said, because the search sites are being knocked out in the quest for more email addresses. This is a twist on MyDoom: Earlier variants looked for email addresses only on the host hard drive.

The worm uses the search sites to find any published email addresses with the same domain name as the main email address on the infected computer, said Vincent Weafer, senior director for security company Symantec's security response centre. If you're infected, and your main email address ends with @mycompany.com, for example, the worm will mainly attempt to propagate itself to other mycompany.com addresses.
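The harvesting behaviour described above has a defender-visible footprint: an infected host issues bursts of search-engine queries that all name its own mail domain. The following is an added detection example, not code from the article or from any vendor quoted in it; it assumes a constructed proxy log format of `<epoch> <client-ip> <url>`, the search-engine hostnames and query parameter names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Search engines named in the article; hostnames are assumptions for this example.
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.altavista.com", "search.lycos.com"}
QUERY_KEYS = ("q", "p", "query")  # search-term parameter names (assumption)

def parse_line(line):
    """Split a constructed '<epoch> <client-ip> <url>' proxy log line."""
    ts, client, url = line.split(maxsplit=2)
    u = urlparse(url)
    qs = parse_qs(u.query)  # percent-decodes, so %40 becomes '@'
    term = next((qs[k][0] for k in QUERY_KEYS if k in qs), "")
    return float(ts), client, (u.hostname or "").lower(), term

def flag_harvesters(lines, org_domain, window=60.0, threshold=5):
    """Return {client: peak count} for clients that send >= threshold
    search-engine queries mentioning org_domain inside any `window` seconds."""
    stamps = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, term = parse_line(line)
        if host in SEARCH_HOSTS and org_domain.lower() in term.lower():
            stamps[client].append(ts)
    flagged = {}
    for client, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged

# Constructed sample: 10.0.0.5 behaves like an infected host, 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
1090900000 10.0.0.5 http://www.google.com/search?q=%40mycompany.com
1090900003 10.0.0.5 http://search.yahoo.com/search?p=mycompany.com
1090900007 10.0.0.9 http://www.google.com/search?q=weather+london
1090900009 10.0.0.5 http://www.altavista.com/web/results?q=%40mycompany.com
1090900012 10.0.0.5 http://search.lycos.com/default.asp?query=mycompany.com
1090900015 10.0.0.5 http://www.google.com/search?q=%40mycompany.com+email
1090900020 10.0.0.5 http://search.yahoo.com/search?p=%40mycompany.com
"""

if __name__ == "__main__":
    print(flag_harvesters(SAMPLE_LOG.splitlines(), "mycompany.com"))  # {'10.0.0.5': 6}
```

The threshold and window are tuning knobs: a human rarely repeats the same domain-specific search several times a minute, which is what separates the worm's pattern from ordinary browsing in this log.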

The technique offers several evolutionary advantages, Weafer said, most significantly the psychological advantage of having infected messages look as if they come from co-workers. "It's really the social engineering aspect of making you think it's coming from someone inside your company," Weafer said.

Keeping infections in-house may also be a technological advantage, Weafer said. "We've seen from other viruses that if you propagate on the local network, it's just faster," he said.

Security experts said the new variants first surfaced in Europe and spread quickly, thanks to several factors. Messages sent by the variants pose as either a "returned mail" message from a postmaster or an alert from an internal IT administrator. Although the bounced mail spoofs weren't likely to prompt a second look, said Joe Telafici, director of operations at McAfee, those posing as a corporate IT missive were realistic enough to fool some workers.

"It appears close enough to something your IT department might send you that it could fool some people," Telafici said.

The worm also delivers a mixed payload, with only a handful of messages going through with a .zip attachment, a recently popular technique used by virus writers to avoid corporate security systems. MyDoom.M mainly arrives as a simple executable program file, Telafici said, making it more damaging for anyone who gets fooled into opening a message. "It takes fewer steps to infect yourself, which is helping [the worm] spread," he said.
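The two lures and the two attachment forms described above can be combined into a simple gateway triage rule: an executable or archive attachment alone is worth a look, and one that arrives under a postmaster bounce or an internal IT-style notice is worth holding. This is an added example, not code from the article or from any vendor quoted in it; the sender patterns, subject hints and the sample messages it builds are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}  # assumed "direct executable" types
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}
ADMIN_HINTS = ("it department", "administrator", "mail system", "your account")  # assumption

def triage(raw, org_domain):
    """Classify one raw RFC 822 message as 'deliver', 'review' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().partition("@")
    subject = str(msg.get("Subject", "")).lower()
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTS:
            reasons.append("direct executable attachment: " + name)
        elif ext == ".zip":
            reasons.append("archive attachment: " + name)
    if not reasons:
        return {"verdict": "deliver", "reasons": reasons}
    # Attachment plus one of the article's two lures is enough to hold the message.
    if local in BOUNCE_LOCALPARTS:
        reasons.append("sender poses as a mail bounce from " + addr)
    elif domain == org_domain.lower() and any(h in subject for h in ADMIN_HINTS):
        reasons.append("sender poses as internal IT: " + addr)
    verdict = "quarantine" if len(reasons) > 1 else "review"
    return {"verdict": verdict, "reasons": reasons}

def build_sample(sender, subject, filename=None):
    """Construct a test message for the example (not a real worm sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "alice@mycompany.com", subject
    m.set_content("Constructed body text for the example.")
    if filename:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("postmaster@mycompany.com", "Returned mail: see transcript", "message.exe")
    print(triage(raw, "mycompany.com"))
```

A genuine notice from the IT department with a zip attached will trip the same rule, which is exactly the ambiguity Telafici describes; the rule buys a review step, not a verdict on intent.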

Individuals may not notice a huge performance hit on their own PCs if they are connected to broadband and have a computer that is only a few years old, Schmugar said. The queries are fairly low-impact events. However, only a few medium-on-watch risks come up a year, he said, and the search engines are feeling the pinch.

The original MyDoom surfaced early this year and quickly ranked as one of the worst email pests ever. The original worm has since spawned numerous offshoots, including one specifically programmed to attack Linux antagonist SCO.

Marty Lindner, senior member of the technical staff at the Computer Emergency Response Team (CERT) at Carnegie Mellon University, added that the virus also comes with a back door that potentially enables a hacker to take control of an infected system. Several worms open back doors and harvest email addresses. The novelty of this latest variant is that it appears to be able to launch queries. Lindner, however, stated that CERT has not fully confirmed the query function as yet.

David Becker and Michael Kanellos write for CNET News.com

Comments

There are 7 comments.

  1. anonymous

    When virus writers are eventually tracked down they should be made to pay for the problems they have created i.e. fixed penalty, no time off for good behaviour. If the cost of their bit of fun runs into millions they should be locked up until they have paid it off, the same goes for hackers, maybe then they would not think it was such a good idea and do something constructive with their lives.

  2. Ed

    Quite right they should be forced to atone for their actions but if you lock them up how are they going to work to earn any money to pay the millions in damages? And just who is going to foot the bill to keep them locked up?

  3. Jeremy Chatfield

    What about tracking down and penalising the people that write software that is so easily penetrated? It's not the users, it's not the virus writers, it is the authors of the daily tools and OS's we use that are mostly to blame.

    Don't focus on the virus, focus on the reason why the virus survives. This is how effective AIDS programmes work, and is the way that likely cures may work (reduce exposure -> fix the bugs in the software and protocols; slow the viral reproduction -> improve software security design; attack the symptoms of infection -> design systems so that infections can be easily identified and neutralised).

    The cause is that the Windows operating system and utilities are designed and implemented so badly that they can be easily subverted, in hundreds of different ways. Despite Microsoft crowing about how much security work they've done, it remains incontrovertible that using Windows is damaging businesses because of lost time working round the bugs, the spam, the viruses, the 3rd party driver bugs - which all, eventually come down to one factor. Windows is (still) a security nightmare.

    Cheers, JeremyC.

  4. Goten Xiao

    In a way, they are doing something constructive. Many virus writers aren't doing it for the purely sadistic reasons, but to highlight exploits and problems in operating systems or security. Time and time again the attachment problem has been warned about. No. One. Listens.

    Corporate businesses should set up a common fileserver, with an upload facility, and whenever Employee A tries to send Employee B a file, he just sends them a path rather than the file itself. Then the company can block attachments altogether, or route them off to a safebox PC where they can be scanned and checked etc.

    User ignorance is probably the biggest security hole in the world, and it STILL hasn't been addressed properly. Time and again users will open spam emails and emails with attachments, even though they have been told not to. For example, the "Microsoft" poser emails that ask the user to open the attachment; since when has Microsoft sent attachments? Since when has it developed ANY fix/patch that is less than 100KB?

    Someone ought to develop an email attachment filter that splits off all attachments, puts them in a specified safe folder (where they cannot be accessed by average Joe Users) and keep them there until they are verified as safe. Or simply check emails against a database of templates, since most virus emails do not vary that much - I've received at least 40 "Microsoft" emails that were almost identical. Same goes for spam, too; the sender might change, but the content rarely does.

  5. anonymous

    Perhaps it is time to 'bite the bullet' & drastically restrict Internet access. Meaning non essential users, children, etc.

    In fact it has started to happen, driven by the users themselves, who are tiring of the seemingly non-stop torrent of viruses, worms, trojans, spam, spyware, phishing attacks, etc.

    I know of quite a number of people who have effectively almost stopped using the Internet. Many having been encouraged, (conned) into buying a PC by peer pressure & the incessant advertising campaigns by the boxshifters & ISPs. Learning the hard way that using computers & the Internet is not quite as simple as the advertising makes out. It is perhaps amazing that so many of the population are still computer illiterate, but it is perhaps better they stay that way & well away from computers & the Internet...unless more draconian penalties are swiftly & internationally enacted.

    All operating systems have flaws & bugs & always have done. Each incarnation allegedly 'fixing' the bugs of its predecessor but inevitably bringing some new bugs of its own & that includes Macs & Linux.
    Before the users of both platforms get on their high horses, as is usual, as they do!

  6. anonymous

    Hackers and virus makers are doing something constructive. At least we know how to fight them, it's like being ill, the only way we have medicine is because so many people have fallen ill, forcing us to improve health etc. The same goes for computers, viruses make companies like Microsoft create more resilient packages.

  7. anonymous

    Hardly constructive, as such denizens of the 'dark side' have their own agendas of malice, profit, villainy, etc. For the immediate future if any potential new user asks me about, "getting on the Internet" I will probably endeavour to dissuade them from doing so. For unless something is done & soon, the Internet will become unusable, as is rapidly happening right now.
