Is Second Wave of MyDoom Attack Rolling In?
MyDoom Variant Batters Search Engines, Opens Backdoors
Sharon Gaudin

A new variant of the MyDoom worm is kicking up a small online storm, battering search engines and opening backdoors across the globe.

The variant, named by different anti-virus vendors as either MyDoom-M, MyDoom-N, or MyDoom-O, hit the wild on Monday and spread rapidly. Sporting a new twist in the way it propagates, the worm contains links to several different search engines and tries to use them to harvest email addresses.

Security analysts say some search engine sites, such as Google, reportedly experienced some slowdowns and possibly even intermittent interruptions.

"This is the first time I've ever seen a worm perform a Google search to harvest email addresses for an email routine," says Ken Dunham, director of malicious code for iDefense, Inc., a security intelligence company based in Reston, Va. "It's interesting that this worm was released while Google has a pending IPO. However, it appears that the backdoor component of the worm is the real motive behind this widespread worm."

The new variant, which appears to have peaked Monday, still is circulating in high numbers, according to analysts from MessageLabs, Inc., a managed email security company based in New York. Analysts there report intercepting 599,641 copies of the virus so far.

But those numbers pale in comparison to the original MyDoom, which took the Internet by storm this past January.

Mark Sunner, chief technical officer of MessageLabs, says they intercepted more than 5 million copies of MyDoom-A in its first 24 hours in the wild.

"This is causing a fair bit of commotion, but this variant hasn't got anywhere near the numbers of the original," says Sunner. "But because of what it's done to the search engines, its ability to affect the community as a whole is quite significant. Other than that, we'd call this a medium level of aggression."

Symantec Corp., an information security company based in Cupertino, Calif., has labeled MyDoom-M as a Level 4 threat, with Level 5 being the most dangerous.

The new MyDoom variant is a mass-mailing worm with an SMTP engine that sends copies of itself out to addresses harvested from infected machines or off of search engines. The worm also carries a Trojan that is installed on TCP Port 1034.

"The Trojan is what has got us worried," says Dunham. "This backdoor has been completely changed from the one that was in earlier versions of MyDoom ... This is a very complicated backdoor. The code is very difficult to wade through."

MessageLabs' Sunner says the backdoor carries some disturbing commercial capabilities.

"This variant isn't dangerous from a traditional standpoint. It's not deleting files or amending spreadsheets," says Sunner. "But all the viruses these days have a commercial motivation to them. That Trojan can be used as an effective spam sending mechanism ... I don't think this virus' main intention was to create denial-of-service attacks on the search engines. This is about spam."

Is a Second Wave Coming?

Dunham says the new MyDoom variant is just the first line of attack in a bigger battle.

Today, Dunham's analysts report finding Zindos-A in the wild. The malware scans for randomized IP addresses with TCP port 1034 open. This is the port that the new MyDoom variant opens. Once it finds that open port, Zindos-A uploads a copy of itself, which is then executed by a mechanism inside the new MyDoom. After creating a .exe file on the infected computer and modifying the Windows registry, Zindos-A attacks the Microsoft.com web site with a denial-of-service attack.

"It appears that the release of Zindos-A is part of a multi-stage MyDoom attack against Microsoft.com and possibly to perform other actions," says Dunham.
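For defenders, the two behaviors described above (a backdoor listening on TCP port 1034, and Zindos-A probing randomized addresses on that port) can be looked for in firewall logs. The following is an added example, not code from the article or from any vendor quoted in it; the log line format, the 10.0.0.0/8 internal range, and the scan threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

BACKDOOR_PORT = 1034   # TCP port the article says the new MyDoom variant opens
SCAN_THRESHOLD = 3     # assumption: distinct targets before a source counts as scanning
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's address range

# Constructed sample log; the line format is hypothetical, not a real product's.
SAMPLE_LOG = """\
2004-07-28T10:00:01 ALLOW TCP 203.0.113.7:4312 -> 10.0.0.21:1034
2004-07-28T10:00:02 DENY TCP 203.0.113.7:4313 -> 10.0.0.22:1034
2004-07-28T10:00:05 ALLOW TCP 10.0.0.9:3301 -> 198.51.100.80:80
2004-07-28T10:01:10 ALLOW TCP 10.0.0.5:2001 -> 198.51.100.1:1034
2004-07-28T10:01:10 ALLOW TCP 10.0.0.5:2002 -> 198.51.100.2:1034
2004-07-28T10:01:11 ALLOW TCP 10.0.0.5:2003 -> 198.51.100.3:1034
2004-07-28T10:01:11 ALLOW TCP 10.0.0.5:2004 -> 198.51.100.4:1034
"""

LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def is_internal(addr):
    """True if addr parses as an IP inside the assumed internal range."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL_NET
    except ValueError:
        return False

def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Find internal hosts scanning on the backdoor port and internal hosts exposed on it."""
    targets = defaultdict(set)   # source -> distinct destinations contacted on the port
    exposed = set()              # internal hosts outsiders were allowed to reach on the port
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != BACKDOOR_PORT:
            continue             # unparsable line or unrelated port
        action, src, dst = m.group(1), m.group(2), m.group(3)
        targets[src].add(dst)
        if action == "ALLOW" and is_internal(dst) and not is_internal(src):
            exposed.add(dst)
    scanners = sorted(s for s, t in targets.items()
                      if is_internal(s) and len(t) >= threshold)
    return {"internal_scanners": scanners, "exposed_hosts": sorted(exposed)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An internal scanner is a machine to isolate and clean; an exposed host is one to check for a listener on port 1034 and to block at the perimeter.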

News courtesy of internetnews.com

July 28, 2004

