
Mydoom variant targets security features, Microsoft

Edward Hurley, News Writer

A new variant of the Mydoom worm emerged Wednesday, adding to the sea of messages already clogging inboxes.

The new variant is particularly damaging because, like its predecessor Mydoom-A (which some experts are already labeling the most prolific worm of all time), Mydoom-B opens several ports that could give an attacker remote access, and it carries denial-of-service code.

Mydoom-B also tweaks infected systems so they cannot access antivirus and security Web sites, making it difficult for users of infected machines to download signature files or cleanup tools.

"That is a particularly nasty thing to do," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.

The worm edits the hosts file on infected machines so that Web browsers (and any other program that resolves names through it) are sent to the non-routable address 0.0.0.0 when users try to reach security and antivirus sites; the request never leaves the machine.
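A hosts-file check is the quickest way to confirm this tampering on a suspect machine. The following is an added example written for this page, not code from the article or from any vendor quoted in it: it parses hosts-file text and reports any watched hostname mapped to a sinkhole address such as 0.0.0.0. The WATCHED_DOMAINS list and the sample file are assumptions for illustration; the article does not publish the worm's actual block list.

```python
"""Flag hosts-file entries that sinkhole security vendor sites.

Added example, not code from the article or from any vendor quoted in it.
It parses hosts-file text (Windows or Unix layout, CRLF or LF) and reports
any watched hostname that is mapped to a sinkhole address such as 0.0.0.0.
WATCHED_DOMAINS is an assumed illustrative list; the article does not
publish the worm's actual block list, so extend it with your own vendors.
"""
import ipaddress

# 0.0.0.0 is the address the article reports; loopback and the IPv6
# equivalents are included because the same trick works with them.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}

# Assumption: a sample of domains an infected host might be cut off from.
WATCHED_DOMAINS = (
    "f-secure.com", "mcafee.com", "symantec.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "microsoft.com",
)


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every usable entry in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line; skip, don't crash
        yield lineno, ip, [h.lower() for h in fields[1:]]


def is_watched(hostname):
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_sinkholed_vendors(text):
    """Return [(lineno, hostname, ip)] for watched hosts pointed at a sinkhole."""
    findings = []
    for lineno, ip, hostnames in parse_hosts(text):
        if ip not in SINKHOLES:
            continue
        findings.extend((lineno, h, str(ip)) for h in hostnames if is_watched(h))
    return findings


# Constructed sample; the localhost and file-server lines must not alert.
SAMPLE_HOSTS = "\r\n".join([
    "# constructed hosts file, not taken from a real infection",
    "127.0.0.1       localhost",
    "0.0.0.0         www.f-secure.com f-secure.com",
    "0.0.0.0         www.mcafee.com         # vendor download site",
    "0.0.0.0 securityresponse.symantec.com",
    "192.168.1.10    fileserver.corp.example",
    "127.0.0.1       update.sophos.com",
])

if __name__ == "__main__":
    for lineno, host, ip in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix it is `/etc/hosts`. A legitimate `127.0.0.1 localhost` entry is ignored because `localhost` is not a watched name, so the check only fires on vendor sites.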

Mydoom-B has Microsoft in its sights

On the plus side, Mydoom-B doesn't appear to be spreading nearly as fast as its predecessor. Visually, the two are similar, and they both use a variety of fairly benign-sounding subject lines like "Status," "hi" and "Server Report."

Both variants will try to launch a denial-of-service attack on the SCO Group's Web site on Sunday. A couple of days later, Mydoom-B will launch an attack on Microsoft's Web site.

Specifically, the worm will launch eight threads against www.sco.com every 1,024 milliseconds on Sunday at 16:09:18 UTC (coordinated universal time), according to F-Secure. On Tuesday, it will launch 14 threads against www.microsoft.com every 1,024 milliseconds.
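The fixed cadence is something a network team can watch for before the scheduled start, since an infected host will stand out as a source of bursts of new connections to the target. The following is an added example written for this page, not code from the article or from F-Secure: given flow records it counts outbound SYNs per source and target in 1,024 ms windows and flags sources that hit a per-window threshold in several consecutive windows. The flow-record shape, the constructed traffic and the thresholds are assumptions; the defaults mirror the eight threads against www.sco.com, and min_per_window=14 mirrors the Microsoft attack.

```python
"""Spot hosts that open connections to a target at the worm's cadence.

Added example, not code from the article or from F-Secure.  Flow records
are (timestamp_ms, source, destination, destination_port, tcp_flags);
that shape and the thresholds are assumptions for illustration.
"""
from collections import defaultdict

WINDOW_MS = 1024                       # cycle reported by F-Secure
TARGETS = {"www.sco.com", "www.microsoft.com"}


def syn_burst_sources(flows, min_per_window=8, min_windows=3):
    """Return {source: peak SYNs in one window} for sources whose SYN rate to a
    target reaches min_per_window in at least min_windows consecutive windows."""
    syn_times = defaultdict(list)
    for t_ms, src, dst, dport, flags in flows:
        # A pure SYN (no ACK) to the target's web port is a new connection attempt.
        if dst in TARGETS and dport == 80 and "S" in flags and "A" not in flags:
            syn_times[(src, dst)].append(t_ms)

    flagged = {}
    for (src, dst), times in syn_times.items():
        times.sort()
        first = times[0]
        per_window = defaultdict(int)
        for t in times:
            per_window[(t - first) // WINDOW_MS] += 1
        run = 0
        for w in range(max(per_window) + 1):      # gaps count as empty windows
            run = run + 1 if per_window[w] >= min_per_window else 0
            if run >= min_windows:
                flagged[src] = max(per_window.values())
                break
    return flagged


def constructed_flows():
    """Constructed sample traffic: one infected host and one ordinary client."""
    flows = []
    # Infected host: eight threads, each opening one connection every 1,024 ms.
    for cycle in range(5):
        base = cycle * WINDOW_MS
        for thread in range(8):
            flows.append((base + thread * 7, "10.0.0.5", "www.sco.com", 80, "S"))
    # Ordinary client browsing the same site: one connection every 500 ms.
    for i in range(10):
        flows.append((i * 500, "10.0.0.9", "www.sco.com", 80, "S"))
    # A SYN/ACK coming back must not be counted as an attempt.
    flows.append((12, "www.sco.com", "10.0.0.5", 1042, "SA"))
    return flows


if __name__ == "__main__":
    print(syn_burst_sources(constructed_flows()))    # {'10.0.0.5': 8}
```

The consecutive-window requirement is what separates the worm's steady cycle from a user who opens a burst of tabs once; tune min_windows upward on busy proxies where legitimate fan-out to one site is common.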

The DoS attack from the original worm may affect overall Internet traffic.

"There are a couple of bugs in the [DDoS] code against SCO that would produce a lot of SYN flooding out of your own machines," said Pete Allor, director of X-Force intelligence at Atlanta-based Internet Security Systems Inc. "That would consume a lot of bandwidth. By now, everyone should have downloaded their antivirus definitions to eradicate the problem."

Dangerous breeze from open back doors

The DoS attack on SCO will likely not be the most damaging aspect of Mydoom-A. The worm spread so much that e-mail servers slowed to a crawl, as millions of messages containing the worm traveled about.

This variant also opens back doors that can be exploited. Mydoom-B listens on TCP ports 1080, 3128, 80, 8080 and 10080, according to McAfee Security's Antivirus Emergency Response Team. An infected machine will accept specially formatted TCP connections on those ports that can make it run attacker-supplied binary code, and it can relay traffic so that the traffic appears to come from the infected machine's IP address, which aids spamming.
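Those ports are a simple indicator to check from the console of a suspect machine. The following is an added example written for this page, not code from the article or from McAfee AVERT: it parses the text of `netstat -an` (Windows column layout, constructed below) and returns any TCP listener on the ports the article lists that is not on an allow-list of services the host is expected to run. The allow-list and the sample output are assumptions for illustration.

```python
"""Check netstat output for the listening ports Mydoom-B opens.

Added example, not code from the article or from McAfee AVERT.  The sample
output and the EXPECTED_LISTENERS allow-list are assumptions.
"""
import re

# Ports reported by McAfee AVERT, as given in the article.
MYDOOM_B_PORTS = {80, 1080, 3128, 8080, 10080}

# Assumption: this host is known to run a web server, so port 80 alone is
# not evidence.  Keep this list per machine, not per fleet.
EXPECTED_LISTENERS = {80}

# Matches e.g. "  TCP    0.0.0.0:1080    0.0.0.0:0    LISTENING" and the
# IPv6 form "  TCP    [::]:80    [::]:0    LISTENING".
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_ports(netstat_text):
    """Return {port: local_address} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def suspicious_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Sorted list of Mydoom-B ports that are open here but not expected."""
    return sorted(p for p in listening_ports(netstat_text)
                  if p in MYDOOM_B_PORTS and p not in expected)


# Constructed sample in `netstat -an` layout; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10080          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      192.0.2.10:80          ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_NETSTAT))    # [1080, 3128, 10080]
```

An established connection to a remote port 80 is not a listener and is ignored; only sockets in LISTENING state count. On a host that is not supposed to serve HTTP, pass an empty allow-list so that port 80 is reported too.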

Unfortunately, a feature of antivirus software that sends a notification back to the apparent sender when a virus or worm is detected is causing confusion for some users, particularly home users, and adding to the already huge volume of traffic on networks.

The feature is meant to be beneficial; it tells users they may unknowingly be infected. But it does not take address spoofing into account. Mydoom-A, like many worms, forges the sender address on the e-mails it sends, so the notification goes to someone who never sent the message.

Users unaware of this dynamic may waste a lot of time trying to figure out whether they are infected when, in fact, their e-mail address was randomly spoofed by the worm.

Bounce-backs bogging down networks

Spoofed e-mail addresses can also create a slew of undeliverable messages that are bounced back to people who never sent them. Mydoom-A is adept at harvesting e-mail addresses from infected machines that it uses to mail itself via a self-contained SMTP engine. It pulls from the Windows address book and from other sources, such as text files and cached Web pages.

Mydoom-B goes one step further and tries to undo the simple obfuscation that administrators and filtering software use to keep addresses away from harvesters. For example, where an address has been written with "at" in place of "@", the worm puts the "@" back.

The worm is also hard-coded with a variety of strings that let it create random e-mail addresses, said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc. "As a result, you get a high volume of invalid e-mails," he said.
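How little the "at" obfuscation buys, and why a crude reversal of it also produces bogus addresses that will only bounce, is easiest to see in code. The following is an added example written for this page, not the worm's code and not from the article: a small harvester that recognises addresses written with "at" and "dot" spelled out and turns them back into real addresses. The "(at)", "[at]" and "dot" spellings go beyond the single " at " form the article mentions and are an assumption about the general case; the sample text is constructed.

```python
"""Recover addresses written with "at"/"dot" in place of "@" and ".".

Added example, not the worm's code and not from the article.  The bracketed
and "dot" spellings are an assumption about the general case; the sample
text is constructed.
"""
import re

AT = r"(?:@|\(at\)|\[at\]|\bat\b)"
DOT = r"(?:\(dot\)|\[dot\]|\bdot\b)"

# A local part, an "@" in any spelling, then a domain whose labels are joined
# by a literal "." or a spelled-out "dot" (which may be surrounded by spaces).
OBFUSCATED_RE = re.compile(
    rf"([A-Za-z0-9._%+-]+)\s*{AT}\s*"
    rf"([A-Za-z0-9-]+(?:(?:\.|\s*{DOT}\s*)[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_RE = re.compile(rf"\s*{DOT}\s*", re.IGNORECASE)


def harvest(text):
    """Return the addresses found in text, obfuscation reversed, in order."""
    found = []
    for m in OBFUSCATED_RE.finditer(text):
        domain = DOT_RE.sub(".", m.group(2))
        found.append(f"{m.group(1)}@{domain}".lower())
    return found


# Constructed text standing in for a cached web page on an infected machine.
# The last line is ordinary prose; a crude harvester still "finds" an
# address in it, which is one source of the invalid mail that bounces.
SAMPLE_TEXT = (
    "Contact alice at example.com or bob (at) example (dot) org.\n"
    "Plain form: carol@example.net.\n"
    "Press release: we met at noon.Then everyone left.\n"
)

if __name__ == "__main__":
    print(harvest(SAMPLE_TEXT))
    # ['alice@example.com', 'bob@example.org', 'carol@example.net', 'met@noon.then']
```

The false positive on the last line is the point: a harvester that reverses "at" cannot tell an address from a sentence, so it mails both, and the bounces land on whoever's address was forged as the sender. Writing addresses as images, or not publishing them at all, is what actually keeps them out of a worm's list.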

That high volume of bad e-mails overloads both the e-mail servers they are directed to and the machines of the spoofed senders who get the bounce-back messages.

"Companies need to consider turning off that feature" during major worm outbreaks, Dunham said.

Many enterprises are running content filters and antispam filters that can strip these messages away or not let them through the gateway, Allor said.

"Still, it does consume a lot of bandwidth and, when you add that to spam, there's a huge amount of bandwidth eaten up by something that doesn't have anything to do with business," he said.
