Stripped-Down MyDoom Hits Microsoft.... Again

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
A new variant of the virulent MyDoom worm has been found in the wild, launching what oneanalyst fears may be a vicious attack against Microsoft Corp.'s Web site.

Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company,says analysts there just found the variant, which they're calling MyDoom-C, and it'sspreading rapidly in the wild. Early analysis of the worm, shows that it has been strippeddown and is largely, if not solely, focused on attacking the microsoft.com site.

''This variant has stripped away much of the functionality of the earlier MyDoom worms,''says Dunham, noting that the first intercepted worm came out of Amsterdam. ''It doesn'tspread as an email worm and it doesn't include a backdoor component... It uploads itself andstarts and intensive distributed Denial-of-Service attack against Microsoft.''

Dunham says the microsoft.com site has been experiencing some slow downs this morning, whichhe attributes to the MyDoom-C attack. Mi2g, a security analysis group based in London,reports today that strain has been building on Microsoft's Web site over the weekend, butthey attributed that to MyDoom-B. Dunham says he thinks that build-up is actually comingfrom the first wave of the C variant.

''We saw a latency spike at microsoft.com and at first, I thought it was related to anotherworm,'' he notes. ''Then we saw this worm getting picked up by multiple honeypots, and it'sgaining ground rapidly in the wild. It's flood Microsoft with requests to its Web site andoverloading them... If this worm is successful, Microsoft will have a hard time with it.''

Dunham also notes that MyDoom-C is taking advantage of the computers already infected byMyDoom-A. The new variant spreads by scanning for computers on a network that are listening on TCP port 3127 -- those are the machines infected with MyDoom-A. The original built up thezombie army, which has estimates of being 500,000 to 1 million machines strong, and now thenew variant is putting them to work.

MyDoom-C also has an IP address for ford.com, the Web site of the automobile giant, butDunham says he hasn't seen any attacks against that site yet.

''Other companies, such as Ford, should be concerned and should monitor their networksaccordingly,'' Dunham warns. ''There's a large quantity of computers working on this DDOS,and without a kill date in this variant, it'll be a while before it goes away.''

The original MyDoom first hit the Internet in the last week of January. It was afast-spreading mass-mailing worm that raced across the Internet, infecting computers andsetting up backdoor Trojans and proxies. At its peak, MyDoom-A accounted for one in everysix emails.

MyDoom-A focused its DDOS attack against The SCO Group, Inc., which then set a $250,000bounty on the virus author's head. With SCO being an embattled player in the Linux market,many saw the attack as the latest weapon in the Linux Wars.

Then along came MyDoom-B just several days after the launch of the original.

MyDoom-B, which barely spread and was considered to be largely unsuccessful, turned onMicrosoft, trying to launch a DDOS attack against its Web site. Microsoft, reportedly,barely even flinched.

But Dunham says this time it may be different.

''It's hijacking the computers compromised by the original MyDoom and it's using them toattack Microsoft.com,'' he says. ''This is an early analysis but it could be a successfulworm.''

So far, the MyDoom family of worms, according to mi2g, has inflicted $38.5 billion ineconomic damages around the world.

Submit a Comment

Loading Comments...