Gloomy forecast for MyDoom fallout
The virus, also known as Novarg and Mimail.R,
When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.
The virus has programmed infected PCs to send data to the SCO Group's Web server between Feb. 1 and Feb. 12. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.
Perhaps more troubling is the fact that other online vandals could route new attacks through the infected PCs, said Alfred Huger, senior director of engineering for security software firm Symantec.
"For people that handle incident response, (the proxies) will cause problems," he said. Attackers can use the proxies to hide their real locations, making it very difficult to trace the origin of an online assault. "This is going to hang around and hound us for a long time--if Code Red is any indication, for years."
The Code Red worm infected Windows computers running Microsoft's Web server software, called Internet Information Server. While the primary infection hit in July 2001, tens of thousands of computers remain infected with the worm, which is still scanning the Internet looking for vulnerable systems to infect.
The effects of the massive spread of the MyDoom virus have already been felt.
The virulent program has flooded the Internet with e-mail messages bearing the program, doubling the time it takes most major Web sites to deliver a page. About one in every 12 messages being sent through the Internet contains the virus, said e-mail service provider MessageLabs. The
"This is the most aggressive that we have seen to date," said Mark Sunner, chief technology officer for MessageLabs, which filters e-mail for corporate customers. However, Sunner believed that the infection rate of the virus had begun slowing by Tuesday afternoon. "It has had one cycle around the world, so it's likely that it's peaked." In the first 27 hours of the infection, MessageLabs quarantined more than 1.5 million messages that included the virus.
The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's in-box as an attachment to an e-mail message that appears to be an error response from an e-mail server.
The message sports one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as "The message contains Unicode characters and has been sent as a binary attachment." or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
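A mail-gateway heuristic for the lure just described, added here as an example and not code from the article or from any vendor quoted in it: it parses an RFC 822 message and flags the combination of a bounce-style subject, the "binary attachment" pretext in the body, and an executable attachment. The sample message, the subject/phrase lists and the extension list are constructed assumptions based on the article's description.

```python
# Added example: flag messages matching the MyDoom bounce lure
# (fake delivery-failure subject + "binary attachment" pretext +
# an executable attachment). Sample message is constructed, not real.
import email
from email import policy
from email.message import EmailMessage

# Subjects and body phrases taken from the article; extension list is an
# assumption (a real bounce never carries a runnable attachment).
BOUNCE_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
BODY_PHRASES = (
    "sent as a binary attachment",
    "cannot be represented in 7-bit ascii",
)
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat")


def mydoom_indicators(raw: bytes) -> list[str]:
    """Return the lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in BOUNCE_SUBJECTS:
        hits.append("bounce-like subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("binary-attachment pretext in body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            hits.append(f"executable attachment: {name}")
    return hits


def looks_like_mydoom(raw: bytes) -> bool:
    """Require the executable plus at least one text-based lure indicator."""
    hits = mydoom_indicators(raw)
    return any(h.startswith("executable") for h in hits) and len(hits) >= 2


def build_sample() -> bytes:
    """Construct a message mimicking the lure (placeholder attachment)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("The message cannot be represented in 7-bit ASCII "
                  "encoding and has been sent as a binary attachment.")
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename="message.exe")
    return m.as_bytes()
```

A quarantine rule keyed on all three signals stays quiet on genuine bounces, which match the subject but carry no runnable file.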
The Web site for SCO Group, the target of the virus, was slow to load on Monday and Tuesday, a SCO spokesperson acknowledged. The site has had intermittent problems responding to requests over the past two days, according to
SCO's Web site was knocked offline by
The MyDoom virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. The virus camouflages itself with one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.
Not everyone agreed that the attack tools installed on infected systems will have a significant impact on Internet security. With the large number of PCs with poor security, MyDoom-infected computers will be a drop in the bucket, said Vincent Gullotto, vice president of antivirus research for security software company Network Associates.
"There are lots and lots of people that are out there that are compromised today," he said. "I think the mass-mailing part will have more of an impact."