MyDoom: How it became the fastest worm ever

It's official: MyDoom is the fastest spreading e-mail virus or worm in computer history, beating out last August's SoBig.f.
Written by Robert Vamosi, Contributor on

Security services firm MessageLabs reports that MyDoom, at its peak last Tuesday, was responsible for 1 out of every 12 e-mails. That compares with 1 out of every 17 e-mails for SoBig.f.

But what's even more incredible is that MyDoom does nothing special; instead, it relies largely upon classic, tried-and-true e-mail infection methods dating back at least four years. Which means we have only each other to blame for this outbreak.

So how did MyDoom do it? According to F-Secure, a Finnish antivirus company, MyDoom employed classic social engineering techniques. The author of MyDoom (which gets its name from a misspelling in the code for "my doomain," hence "MyDoom") crafted basic messages that looked like they could be legitimate e-mails.

The subject lines said things like "Mail transaction failed," "Server report," "Test," or simply "Status." The body text read, "The message cannot be represented in 7-bit ASCII." This prompted many otherwise computer-savvy individuals to open the Zip file attachment, and thus launch the virus on their system.
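The lure described above is also what a mail gateway can key on. The following is an added example, not code from the article or from any vendor named in it: a small filter that builds a few constructed sample messages with Python's standard `email` library and flags those that pair a Zip attachment with one of the quoted subject lines or the quoted body text. The subject and body strings come from the article; the addresses, attachment names and the "Zip plus one lure signal" decision rule are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the article, normalised to lower case for matching.
LURE_SUBJECTS = {"mail transaction failed", "server report", "test", "status"}
LURE_BODY = "the message cannot be represented in 7-bit ascii"


def build_sample(subject, body, attach_name=None):
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"           # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # A few placeholder bytes stand in for the archive; no real payload.
        msg.add_attachment(b"PK\x03\x04placeholder-not-a-real-archive",
                           maintype="application", subtype="zip",
                           filename=attach_name)
    return msg.as_bytes()


def analyze(raw):
    """Return {'flagged': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")

    # Collect the inline text/plain parts (skip parts that are attachments).
    body_text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            body_text += part.get_content()
    if LURE_BODY in body_text.lower():
        reasons.append("lure body text")

    zip_names = [a.get_filename() for a in msg.iter_attachments()
                 if (a.get_filename() or "").lower().endswith(".zip")
                 or a.get_content_type() == "application/zip"]
    if zip_names:
        reasons.append(f"zip attachment: {zip_names}")

    # Decision rule (assumed for this example): a Zip attachment alone is
    # normal business traffic; a Zip plus either lure signal is quarantined.
    flagged = bool(zip_names) and len(reasons) >= 2
    return {"flagged": flagged, "reasons": reasons}


if __name__ == "__main__":
    samples = [
        build_sample("Mail transaction failed",
                     "The message cannot be represented in 7-bit ASCII",
                     "document.zip"),
        build_sample("Lunch?", "Pizza at noon"),
        build_sample("Status", "Quarterly numbers attached", "report.zip"),
    ]
    for raw in samples:
        print(analyze(raw))
```

The rule deliberately does not block every Zip attachment, which is the blunt measure the article says many companies fell back on; it quarantines only the combination of a Zip with a subject or body that matches the lure, so ordinary archive traffic keeps flowing.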

MyDoom also spread among Kazaa users, depositing a copy of itself in that program's shared file folder, again with enticing names such as "office_crack" and "rootkitXP."

To further increase its impact, MyDoom struck in the middle of the workday in the United States -- prime time for e-mail usage. Businesses have long been the target of e-mail worms because of the rich diversity of e-mail addresses that pass through corporate mail servers. A worm that infects a multinational corporation could find itself spreading to several countries within minutes. Also, because MyDoom used the common Zip file format, it was able to sneak through most corporate e-mail gateway filters in the first few hours of the attack.

To slow the spread, many corporations have since disallowed Zip file attachments on their networks, further compromising worker productivity in addition to the already slow e-mail delivery.

The final secret to MyDoom's success is its ability to guess e-mail addresses by randomly combining common user names with domain names. The domains ".msn," ".yahoo," and ".hotmail" are hard-coded into the worm code. Add in some random collections of letters before an "@" symbol, and MyDoom is able to "create" e-mail addresses and spam those domains with bogus messages. This prompts the servers at those domains to fire back the familiar "address undeliverable" messages, which further inflate e-mail traffic on the Net and slow delivery for everyone.

While MyDoom sticks mostly to the virus-spreading basics, it does have at least one sophisticated capability: It appears to be building a network of infected machines. After infecting a system, MyDoom opens TCP ports 3127 through 3198, presumably to listen for instructions from the worm's author. These may tell the system how to upgrade to the latest variant or launch a distributed denial-of-service attack.
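Since the article gives a concrete port range, an administrator can turn it into a quick host check. Below is an added example, not the article's own material: it parses `netstat`-style output (the constructed sample mixes the Windows `netstat -an` and Linux `netstat -ant` layouts) and reports any TCP listener on ports 3127 through 3198. The port range is from the article; the sample lines and the parsing rules are assumptions for the example, and a listener in that range is a reason to investigate the host, not proof of infection on its own.

```python
import sys

# Port range the article attributes to MyDoom's listener: 3127..3198 inclusive.
MYDOOM_PORTS = range(3127, 3199)

# Constructed sample (not a real capture) mixing Windows and Linux netstat layouts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3150        198.51.100.7:25        ESTABLISHED
  tcp        0      0 0.0.0.0:22            0.0.0.0:*               LISTEN
  tcp6       0      0 :::3130               :::*                    LISTEN
"""


def listening_tcp_ports(lines):
    """Yield local ports of TCP sockets in a LISTEN/LISTENING state."""
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue                      # header, blank line, or UDP
        if not tokens[-1].upper().startswith("LISTEN"):
            continue                      # ESTABLISHED, TIME_WAIT, ...
        # First token containing ':' is the local address on both layouts;
        # splitting on the last ':' also handles IPv6 forms such as ':::3130'.
        local = next((t for t in tokens[1:] if ":" in t), None)
        if local is None:
            continue
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            yield int(port)


def mydoom_listeners(lines):
    """Return the sorted list of listening ports that fall in MyDoom's range."""
    return sorted({p for p in listening_tcp_ports(lines) if p in MYDOOM_PORTS})


if __name__ == "__main__":
    # Usage: netstat -an | python this_script.py   (or run with no stdin to use the sample)
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_NETSTAT.splitlines()
    hits = mydoom_listeners(source)
    print("listeners in MyDoom range:", hits if hits else "none")
```

Treating the range as an indicator rather than a verdict matters: the check only shows that something is listening there, so the next step is to identify the owning process and scan it with up-to-date antivirus definitions before drawing conclusions.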

This is a trick learned from recent worms like Sobig, MiMail, and Bagle. What it means is that subsequent variations of MyDoom won't have to entice users to open their messages; the worm will already have a base of several thousand infected computers from which to broadcast itself the next time around.

A variation of the worm, MyDoom.b, already exists. It's virtually the same as MyDoom.a, except that it instructs infected computers to launch a denial-of-service attack on Microsoft.com. Because of this, Microsoft has offered a US$250,000 reward for information leading to the arrest of MyDoom's creator or creators. MyDoom.b appears to have many flaws, so it hasn't spread as quickly as its predecessor. But don't breathe a sigh of relief yet -- someone, somewhere will probably have fixed the buggy code and sent out a MyDoom.c by the time you read this.

As with most worms, we have to fight MyDoom one computer at a time. You can do your part to stop it and other worms, too, by updating your antivirus protection regularly. For additional protection, I recommend a personal firewall; in particular, check out the free version of ZoneAlarm 4.5. ZoneAlarm has some antivirus capabilities, but more importantly, it prevents any malicious code that lands on your hard drive from contacting other systems on the Internet.

You can also sign up for the United States Computer Emergency Response Team's new Cyber Alert System. It's free, and promises to e-mail you regarding the latest threats to your PC.

MyDoom may be the quickest worm ever. But we don't have to let its creators continue to afflict us with subsequent variations. I promise to do my part -- now will you do yours?
