Latest MyDoom worm exploits Web site guestbooks
Summary: The worm that brought down Google strikes again, with a new variant that links to Web sites compromised by their use of standard scripts
Security company F-Secure is trying to close down the hacked sites but has not yet managed to contact the US-based site administrators or ISPs hosting the threat. Mikko Hyppönen, director of antivirus research at F-Secure, warned that until the sites are brought down and the security holes closed, the worm, MyDoom.S, will continue to cause problems.
"As long as the sites are up and running we have to keep monitoring them," says Hyppönen. "The hackers can keep changing what is on the sites -- if we block a data-stealing Trojan, they can simply replace that with a different application."
Many Web developers use standard scripts to add features to their sites such as guestbooks or feedback forms. Hyppönen warns that these scripts create security problems.
"If a script is very popular and lots of sites use it, then it is vulnerable to being hacked," he says. "Hackers can quickly scan a large number of different Web sites to find those which have vulnerable applications."
F-Secure recommends that companies protect themselves by setting their firewalls to block the URLs of the compromised Web sites, www.richcolour.com and www.zenandjuice.com. More details of MyDoom.S can be found here.
Talkback
The lesson here is don't use old insecure scripts, and don't think you're immune from attack because you're such a small part of the web.
-Rich