In what is becoming a Super Bowl tradition, another mass-mailing worm raced through computers worldwide this week, thanks to clever social engineering and a Linux lover with a cause.
The velocity of the Mydoom-A worm outbreak, which surfaced Monday afternoon and by Tuesday morning had begun racking up superlatives within the worm world, is reminiscent of Slammer, malware that hit just before the Super Bowl last year and knocked out networks all over the country.
Also dubbed Novarg and Mimail-R by different antivirus vendors, the randomized e-mail and P2P worm, which copies itself into the KaZaA shared directory, spoofs sender addresses and uses subject lines that are either blank or "HELLO", with body text suggesting that a previous message had errors. Opening the e-mail attachment -- whose file names include body.zip, document.zip and message.zip, among other variations -- launches Notepad.exe and displays random characters on the screen, according to security vendor iDEFENSE.
"Mydoom is taking advantage of one of the most recent trends in the malicious code world, randomized e-mail worms that include a ZIP attachment to bypass traditional gateway filters," said iDEFENSE director of malicious code Ken Dunham in a statement. Because Mydoom's payload includes a denial-of-service attack against The SCO Group's Web site, antivirus experts believe the authors were motivated by the group's legal claim that Linux contains its proprietary code.
"It appears to be a Linux advocate attacking the SCO Web site," explained Darwin Ammala, a security engineer with Harris Corp.'s STAT network security unit. "SCO can block the attack and probably won't be hurt as badly as the attacker would like."
Mydoom's success comes in part from end users' readiness to open attachments without seriously considering the source. Experts agree, however, that Mydoom's cleverly crafted message and file names make the malicious code harder to spot.
By Tuesday morning, e-mail managed security service provider MessageLabs was processing up to 60,000 copies of the worm an hour for its worldwide customers. Mydoom-A "has exceeded the infamous Sobig-F virus in terms of copies intercepted, and the number continues to rise," according to a company statement.
Postini, the fourth largest e-mail processor in the U.S., quarantined 8 million copies in a 24-hour period.
Experts recommend updating antivirus signatures and training users to be more vigilant about opening e-mail attachments -- even those that appear to be text files.