Establishing Digital Trust: Don't Sacrifice Security for Convenience
The author of the virulent MyDoom-A worm that raced across the Internet, infecting anestimated 500,000 to 1 million computers late last month, created the similar DoomJuice wormto mask his trail and stymie potential prosecutors, say two prominent analysts. The new wormactually drops the source code for the original MyDoom virus into infected computers,hindering investigators who might have pinned the virus writing crime on the author byshowing that the source code is on his computer.
''This is quite a sneaky trick. Rather ingenious,'' says Graham Cluley, senior technologyconsultant for Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass.''Between SCO and Microsoft, there's more than half a million dollars in reward out for theauthor now, and one of the key pieces of evidence is finding the source code on hiscomputer. But now with DoomJuice, there are potentially thousands of computers around theworld that have MyDoom source code on them.
''Now he can say that he was hit by DoomJuice, just like everybody else,'' adds Cluley.''It's his attempt to hide in the crowd... It's a bit like leaving someone else's cigarettecase after you've stolen the jewels. If they ever catch the guy, the source code won't be aconvincing piece of evidence anymore.''The large bounty that is sitting on the virus author's head may be pushing him to find acreative way to hide his tracks, says Steve Sundermeier, vice president of products andservices at Central Command Inc., an anti-virus company based in Medina, Ohio.
''The ante has been raised and you're definitely not looking at a slap on the wristanymore,'' says Sundermeier. ''It's a white collar crime and it's being treated that way.''
DoomJuice was identified early on as a second variant of the MyDoom worm, initially takingthe title of MyDoom-C. However, the new worm varies enough from the original, even though itshares the same base coding, that the anti-virus community has labeled it as its own worm.
Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence companybased in Reston, Va., says DoomJuice is a stripped down version of its MyDoom predecessor.Unlike MyDoom, the new worm does not spread as a mass-mailing worm. It forgoes email alltogether, traveling across the network and searching out computers already compromised byMyDoom-A.
DoomJuice can't attack a computer unless it is already compromised by MyDoom.
DoomJuice also does not contain a backdoor Trojan, a proxy, a kill date or coding to launcha distributed denial-of-service (DDOS) attack against The SCO Group, Inc., a controversialplayer in the Linux world. Instead, the new worm goes solely after Microsoft's Web site,microsoft.com.
Various security analysts report that Microsoft's site suffered from intermittent latencyproblems yesterday and was unavailable for a short time. Microsoft has not commented on it,but the problems generally are blamed on DoomJuice.
''It's my understanding that Microsoft has employed some creative techniques to divert theDDOS attacks,'' says Dunham. ''I'd imagine that after Blaster, they focused on this hard...But look at SCO. They had days to prepare for the DDOS attack from MyDoom and they werestill taken down. Microsoft has to have concerns about being the continued target of attack.
Since DoomJuice does not spread via email, it's more difficult for the anti-virus communityto gauge how swiftly and successfully the worm is spreading.