ZDNet UK

Zindos worm relies on its pal MyDoom

Munir Kotadia ZDNet.co.uk

Published: 28 Jul 2004 13:25 BST

The latest variant of the MyDoom worm appears to be the first stage of a two-pronged attack: it prepares the ground for a second worm that, in this case, is built to flood Microsoft.com.

MyDoom first appeared in January 2004 and within a day was spreading faster than any email worm before it. Within a month, variants of the worm had knocked SCO's Web site offline and launched an attack on Microsoft.com.

More than a dozen variants later, the MyDoom authors appear to have a new strategy. This week a MyDoom variant infected as many machines as possible, opened a back door on each, and reported the infected systems back to the worm's author. Within hours the Zindos worm was pushed through those back doors onto the machines MyDoom had already compromised, and from there it launched a DDoS attack on Microsoft's Web site.

Katrin Tocheva, team manager of antivirus systems at F-Secure, said she is almost certain that MyDoom and Zindos were written by the same programmer, because the two work together so well.

"MyDoom prepared the way by infecting a large number of systems and creating a list of compromised systems. Zindos then uses this list and the back doors prepared by MyDoom to quickly spread and hit its target," said Tocheva.
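The staged behaviour Tocheva describes (a host mass-mails, is then contacted on a back door, and shortly afterwards floods a single site) is a sequence a network sensor can correlate. The following is an added example, not code from the article, from F-Secure or from Sophos: a small Python correlation rule run over constructed connection records. The back-door port number, the mass-mail and flood thresholds, the one-hour window and the record format are all assumptions made for the example; the article does not give the worms' actual values.

```python
"""Added example (not from the article, F-Secure or Sophos): correlate the
two-stage pattern over constructed connection records.

Stage one (MyDoom): a monitored host mass-mails, then accepts an inbound
connection on a back-door port.  Stage two (Zindos): within a window of that
contact, the same host opens HTTP connections to one target at flood rate.
Port, thresholds, window and record format are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

BACKDOOR_PORT = 1034   # assumption for the example; not stated in the article
MAIL_BURST = 50        # outbound SMTP connections that count as mass-mailing
FLOOD_RATE = 20        # HTTP connections per second to one target that count as a flood
STAGE_WINDOW = 3600    # seconds after back-door contact in which a flood is linked to it


@dataclass(frozen=True)
class Conn:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    direction: str   # "out": monitored host is src; "in": monitored host is dst


def parse(line):
    """Constructed record format: '<ts> <src> <dst> <dport> <in|out>'."""
    ts, src, dst, dport, direction = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction in record: {line!r}")
    return Conn(int(ts), src, dst, int(dport), direction)


def correlate(conns):
    """Return {host: finding} for hosts that mass-mail, receive a back-door
    contact, and then flood a single target within STAGE_WINDOW."""
    by_host = defaultdict(list)
    for c in conns:
        by_host[c.src if c.direction == "out" else c.dst].append(c)

    findings = {}
    for host, evts in by_host.items():
        evts.sort(key=lambda c: c.ts)
        smtp = sum(1 for c in evts if c.direction == "out" and c.dport == 25)
        backdoor = [c for c in evts if c.direction == "in" and c.dport == BACKDOOR_PORT]
        if smtp < MAIL_BURST or not backdoor:
            continue   # a mass-mailer alone, or a back-door probe alone, is not the pattern
        t0 = backdoor[0].ts
        # HTTP connections after the back-door contact, counted per (target, second)
        buckets = defaultdict(int)
        for c in evts:
            if c.direction == "out" and c.dport == 80 and t0 <= c.ts <= t0 + STAGE_WINDOW:
                buckets[(c.dst, c.ts)] += 1
        peak = max(buckets.items(), key=lambda kv: kv[1], default=None)
        if peak and peak[1] >= FLOOD_RATE:
            findings[host] = {
                "mass_mail": smtp,
                "backdoor_first_seen": t0,
                "backdoor_from": backdoor[0].src,
                "flood_target": peak[0][0],
                "peak_rate": peak[1],
            }
    return findings


def sample_log():
    """Constructed connection records; not real traffic."""
    lines = []
    # 10.0.0.5: mass-mails, is contacted on the back-door port, then floods one site
    for i in range(60):
        lines.append(f"{1000 + i} 10.0.0.5 203.0.113.{i % 50 + 1} 25 out")
    lines.append("2000 198.51.100.7 10.0.0.5 1034 in")
    for sec in range(2500, 2503):
        lines.extend(f"{sec} 10.0.0.5 microsoft.com 80 out" for _ in range(30))
    # 10.0.0.9: mass-mails only; stage one without stage two
    for i in range(60):
        lines.append(f"{1000 + i} 10.0.0.9 203.0.113.{i % 50 + 1} 25 out")
    # 10.0.0.12: back-door contact followed by ordinary browsing
    lines.append("2000 198.51.100.7 10.0.0.12 1034 in")
    lines.append("2100 10.0.0.12 example.net 80 out")
    return lines


if __name__ == "__main__":
    for host, finding in correlate(parse(l) for l in sample_log()).items():
        print(host, finding)
```

The rule keys on the back-door contact followed by a change in the host's behaviour, not on the flood as such; if the second stage delivered through the back door were a spam proxy rather than a DDoS tool, the same skeleton applies with the HTTP-flood test swapped for a burst of outbound SMTP to many destinations after the contact time.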

Graham Cluley, senior technology consultant for Sophos, agrees that the two worms seem too similar to have been written independently.

"There are similarities in their code and the fact that Zindos seems to know MyDoom so intimately -- in terms of the back door it opens. It's like Zindos knows the secret handshake to get into a private club," Cluley said.

Cluley is concerned that, given the way MyDoom and Zindos work together, it will be relatively simple for the author to "reprogram" MyDoom-infected computers to attack a different target or to act as spam proxies.

"It is Microsoft this time, but it could be any other site in the future. The hackers could send out a different piece of software (instead of Zindos) and then the infected computers could be used for sending spam or even for stealing personal information," said Cluley.

However, not all virus experts are convinced that the two worms were written by the same author, and Mike Small, director of security strategy at Computer Associates, believes that even if they were, it will be almost impossible to find forensic evidence linking the two.

Small said the hacker community is very good at sharing ideas and code, so although both worms may look as if they came from the same source, that is virtually impossible to prove.

"There is a community of people out there that share ideas, and people can and do copy things. It is very difficult to produce forensically acceptable evidence that the worms are traceable to the same person," said Small.
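Cluley's "similarities in their code" and Small's objection can be put side by side with a simple measurement. The following is an added example, not from the article or from any vendor: byte n-gram Jaccard similarity between three constructed byte strings standing in for two samples by one author and one by a different author who pasted in the same widely copied routine. The samples, the routine and the 4-byte n-gram size are made up for the example; nothing here is derived from MyDoom or Zindos.

```python
"""Added example (not from the article or any vendor): why shared code is weak
evidence of shared authorship.  Byte n-gram Jaccard similarity is computed
between constructed samples, with and without discounting n-grams that belong
to a routine known to circulate widely.  All bytes below are made up."""

N = 4   # n-gram length; an assumption for the example


def ngrams(data: bytes, n: int = N) -> frozenset:
    """All n-byte substrings of data."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def similarity(x: bytes, y: bytes, exclude: frozenset = frozenset()) -> float:
    """Jaccard similarity of the n-gram sets of x and y, ignoring n-grams in
    exclude (e.g. those of a routine that many unrelated authors copy)."""
    a, b = ngrams(x) - exclude, ngrams(y) - exclude
    union = a | b
    return len(a & b) / len(union) if union else 1.0


# A routine that circulates in the community and gets pasted into unrelated
# malware (constructed stand-in for, say, a shared mail engine).
SHARED_ROUTINE = bytes(range(0x40, 0x80)) * 2
KNOWN_SHARED = ngrams(SHARED_ROUTINE)

_unique_a = bytes(range(0x00, 0x40))            # author A's own code
_unique_b = bytearray(_unique_a)
for _i in range(0, len(_unique_b), 16):
    _unique_b[_i] ^= 0xFF                        # author A's next version: a few bytes patched
_unique_c = bytes(range(0x80, 0xC0))            # author C's own code, unrelated to A

SAMPLE_A = _unique_a + SHARED_ROUTINE
SAMPLE_B = bytes(_unique_b) + SHARED_ROUTINE
SAMPLE_C = _unique_c + SHARED_ROUTINE


def report():
    """(raw, shared-code-discounted) similarity for the two pairs of interest."""
    pairs = {"A-B (same author)": (SAMPLE_A, SAMPLE_B),
             "A-C (copied routine only)": (SAMPLE_A, SAMPLE_C)}
    return {name: (similarity(x, y), similarity(x, y, exclude=KNOWN_SHARED))
            for name, (x, y) in pairs.items()}


if __name__ == "__main__":
    for name, (raw, discounted) in report().items():
        print(f"{name}: raw={raw:.2f} discounted={discounted:.2f}")
```

The raw figure credits A and C with a third of their n-grams in common although they share nothing but the copied routine; once those n-grams are discounted the A-C score drops to zero while A-B stays high. Even the discounted score only says that two samples share code the rest of the community does not: it cannot distinguish the original author revising their work from a second author who lifted it wholesale, which is exactly Small's point about forensically acceptable evidence.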

Microsoft's Web site has so far been unaffected by Zindos' DDoS attack.

Microsoft has refused to discuss the steps it is taking to keep its Web site online. To ride out the MSBlast worm last August, the company temporarily changed the DNS records for its Microsoft.com domain so that page requests were served by Akamai's caching service, which consists of 15,000 Linux-based servers spread around the globe. A diversion of that kind only helps when the attacking code resolves its target by name rather than flooding a hard-coded address, and it takes effect only as cached DNS records expire.

"While Microsoft is unable to discuss the specific remedies it has taken to prevent the reported DDOS attack, Microsoft has taken steps to ensure that Microsoft.com remains available to customers," said a Microsoft spokesperson.
