MyDoom compromises Web

Published: 28 Jan 2004 08:15 GMT


The mass-mailing MyDoom virus has become the fastest-spreading malicious program to date, and the damage could continue for months or years.

The virus, also known as Novarg and Mimail.R, spread quickly across the Internet on Monday, travelling as an email attachment and infecting PCs whose users opened the malicious file.

When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.

The virus has programmed infected PCs to send data to the SCO Group's Web server between 1 February and 12 February. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

Perhaps more troubling is the fact that other online vandals could route new attacks through the infected PCs, said Alfred Huger, senior director of engineering for security software firm Symantec.

"For people that handle incident response, [the proxies] will cause problems," he said. Attackers can use the proxies to hide their real locations, making it very difficult to trace the origin of an online assault. "This is going to hang around and hound us for a long time -- if Code Red is any indication, for years."

The Code Red worm infected Windows computers running Microsoft's Web server software, called Internet Information Server. While the primary infection hit in July 2001, tens of thousands of computers remain infected with the worm, which is still scanning the Internet looking for vulnerable systems to infect.

The effects of the massive spread of the MyDoom virus have already been felt.

The virulent program has flooded the Internet with email messages bearing the program, doubling the time it takes most major Web sites to deliver a page. About one in every 12 messages being sent through the Internet contains the virus, said email service provider MessageLabs. The previously most prevalent mass-mailing virus, called Sobig.F, only accounted for one out of every 17 email messages.

"This is the most aggressive that we have seen to date," said Mark Sunner, chief technology officer for MessageLabs, which filters email for corporate customers. However, Sunner believed that the infection rate of the virus had begun to slow by Tuesday afternoon. "It has had one cycle around the world, so it's likely that it's peaked." In the first 27 hours of the infection, MessageLabs quarantined more than 1.5 million messages that included the virus.

The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's inbox as an attachment to an email message that appears to be an error response from an email server.

The message carries one of several subject lines chosen at random, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The email contains an executable attachment and a body statement such as "The message contains Unicode characters and has been sent as a binary attachment." or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
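A defender-side check for the bounce-style lure described above, written as an added example for this page rather than code from the article or any vendor. It assumes a .exe attachment name stands in for the "executable file" the article mentions, and the two sample messages are constructed for the example.

```python
import email
from email import policy

# Lure traits quoted in the article: subject lines, body statement, executable attachment.
LURE_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
LURE_BODY = "has been sent as a binary attachment"
# Assumption: the "executable file" is approximated by a .exe attachment name.
EXEC_SUFFIXES = (".exe",)

def lure_indicators(raw_message: str) -> dict:
    """Return which of the three lure traits a raw RFC 822 message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_text, exec_attachment = "", False
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXEC_SUFFIXES):
            exec_attachment = True
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    return {
        "subject_match": subject in LURE_SUBJECTS,
        "body_match": LURE_BODY in body_text.lower(),
        "exec_attachment": exec_attachment,
    }

def is_mydoom_lure(raw_message: str) -> bool:
    """Flag only when all three traits line up, so a genuine bounce
    without an executable attachment is not reported."""
    return all(lure_indicators(raw_message).values())

# Constructed sample: a bounce-style message carrying an .exe, as the article describes.
SAMPLE_LURE = """\
From: postmaster@example.test
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"

TVo=
--b1--
"""
# Constructed sample: a real bounce whose only attachment is a text report.
SAMPLE_BENIGN = SAMPLE_LURE.replace("document.exe", "report.txt")
```

Requiring all three traits keeps ordinary delivery failures, which share the subject and body wording, from being flagged on their own.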

The Web site for SCO Group, the target of the virus, was slow to load on Monday and Tuesday, a SCO spokesperson acknowledged. The site has had intermittent problems responding to requests during the past two days, according to Internet performance measurement firm NetCraft.

SCO's Web site was knocked offline by denial-of-service attacks several times in the past year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathisers for at least one of the attacks.

The MyDoom virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is installed. There it disguises itself under one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.

Not everyone agreed that the attack tools installed on infected systems will have a significant impact on Internet security. Given the large number of poorly secured PCs already online, MyDoom-infected computers will be a drop in the bucket, said Vincent Gullotto, vice president of antivirus research for security software company Network Associates.

"There are lots and lots of people that are out there that are compromised today," he said. "I think the mass-mailing part will have more of an impact."
