MyDoom and Its Aftermath 

by Roy Troxel, 3/16/04

Synopsis:

A brief discussion of the effects of the MyDoom worm attack of Monday, Jan. 26, 2004.

The virus/worm known as MyDoom was released during prime US business hours on Monday, Jan. 26, 2004. It also travelled under other names, such as W32.Novarg.A, but "MyDoom" seems to have stuck.

One of the fastest-spreading worms of all time, its origins are still unknown, although some analysts suspect it was developed in Russia.

The Worm's Double Purpose: Mass Mailing and Denial of Service

MyDoom is a mass-mailing worm that arrives as an e-mail attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

According to Symantec, makers of Norton AntiVirus, the worm sets up a backdoor in the operating system by listening on TCP ports in the range 3127 through 3198. This allows an attacker to connect to the infected computer and use it as a proxy to reach its network resources.

The worm program then:

1. Checks the system date. If it is between February 1, 2004 and February 12, 2004, the worm attempts a Denial of Service attack against www.sco.com. The DoS is performed by creating 63 new threads that open direct connections to port 80 and send GET requests.

2. If the DoS attack is not carried out, the worm mass-mails itself to other potential launching pads (i.e. unsuspecting users' PCs).

3. The worm sends e-mail with its own SMTP engine rather than through the user's mail client. Although fairly rudimentary, the engine is quite effective at locating the remote mail server for each address it intends to infect: before sending, it looks up the mail server responsible for the recipient's domain and delivers the message directly to it.

4. The e-mails often use a spoofed "From" address, and the subject is only a generic word like "test," "hi," or "hello." The message body is vague, like "Mail transaction failed." I kept getting ones that said: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

In addition, the backdoor can download the files needed for the Denial of Service attacks. (The backdoor could potentially be used by the attackers to explore your PC, but that does not seem to be their intent at this point.) The worm can also copy itself to the Kazaa download folder.
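The traits listed above (generic subject, bounce-style body text, an executable or zipped executable attachment) are exactly what an e-mail gateway filter can key on. The following is an added example, not code from the article or from Symantec: a small Python filter that parses a raw RFC 822 message, checks it for those traits, and returns a verdict. The two sample messages, the attachment names and the quarantine/flag thresholds are assumptions constructed for the example, not captured MyDoom mail.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Traits taken from the article: attachment types, generic subjects, body text.
EXEC_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
GENERIC_SUBJECTS = {"test", "hi", "hello"}
BODY_MARKERS = ("mail transaction failed", "7-bit ascii encoding")


def _ext(name):
    return os.path.splitext(name.lower())[1]


def carries_executable(filename, data):
    """True if the attachment is executable, or a .zip that wraps an executable."""
    ext = _ext(filename)
    if ext in EXEC_EXTS:
        return True
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(_ext(n) in EXEC_EXTS for n in zf.namelist())
        except zipfile.BadZipFile:
            return False  # unreadable archive: leave it to the AV scanner
    return False


def classify(raw):
    """Score one raw RFC 822 message (bytes); returns (verdict, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in GENERIC_SUBJECTS:
        reasons.append("generic subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(marker in text for marker in BODY_MARKERS):
        reasons.append("bounce-style body text")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if carries_executable(name, part.get_payload(decode=True) or b""):
            reasons.append("executable attachment: " + name)
            break

    # An executable (or zipped executable) is enough to quarantine on its own;
    # the softer traits alone only flag the message for review (assumed policy).
    if any(r.startswith("executable attachment") for r in reasons):
        return "quarantine", reasons
    if reasons:
        return "flag", reasons
    return "deliver", reasons


# --- constructed sample messages (assumptions, not captured MyDoom mail) ---
def _zip_with(member):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ\x90\x00 stand-in for an executable")
    return buf.getvalue()


def sample_worm_mail():
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # spoofed sender, as the article describes
    msg["To"] = "user@example.net"
    msg["Subject"] = "test"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding\n"
                    "and has been sent as a binary attachment.")
    msg.add_attachment(_zip_with("readme.exe"), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


def sample_normal_mail():
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "January invoice"
    msg.set_content("Hi Bob, the invoice is attached.")
    msg.add_attachment(b"%PDF-1.4 stand-in", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (sample_worm_mail, sample_normal_mail):
        print(build.__name__, classify(build()))
```

The zip check matters because a .zip attachment that wraps an .exe gets past a filter that looks only at the outer file extension; a corrupt archive is passed through here rather than blocked, on the assumption that a real antivirus scanner sits behind this filter at the gateway.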

MyDoom's one weakness is that the backdoor component can be detected by anti-virus software, which alerts the system administrator that the worm is on the server.

Additionally, the growing use of always-on broadband Internet connections offers MyDoom a way to keep spreading for longer periods of time, and at higher rates, than ever seen before.

There are no reliable statistics yet on how many machines were infected, partly because the attacks are not scheduled to end until Feb. 12 at SCO and March 1 at Microsoft. As a result, some rash claims have been made.
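Anti-virus software is not the only way to spot the backdoor described above. As an added example (not from the article, Symantec, or any vendor tool), the following Python script reads the text of `netstat -an` in the Windows format an administrator would have seen in 2004 and reports every TCP socket bound to a local port in the 3127 through 3198 range, distinguishing a LISTENING socket (backdoor open) from an ESTABLISHED one (a remote peer is using it). The sample netstat output is constructed; the addresses are documentation ranges.

```python
# Backdoor range from the article (Symantec's description): 3127 through 3198.
BACKDOOR_PORTS = range(3127, 3199)


def _local_port(addr):
    """'0.0.0.0:3127' -> 3127 (also handles '[::]:3127'); None if unparsable."""
    try:
        return int(addr.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None


def find_backdoor_sockets(netstat_text):
    """Return TCP sockets whose local port lies in the MyDoom backdoor range.

    Each finding records the port, the socket state and the remote address,
    so that LISTENING (backdoor open) and ESTABLISHED (backdoor in use by a
    remote peer) can be told apart when the report is read.
    """
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header lines, blank lines and UDP rows (no state column)
        _proto, local, remote, state = fields[:4]
        port = _local_port(local)
        if port is not None and port in BACKDOOR_PORTS:
            findings.append({"port": port, "state": state, "remote": remote})
    return findings


# Constructed sample of `netstat -an` output from an infected Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3127      203.0.113.5:4421       ESTABLISHED
  TCP    192.168.1.10:1043      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for f in find_backdoor_sockets(SAMPLE_NETSTAT):
        print("port %(port)d %(state)s remote=%(remote)s" % f)
```

A listener in this range is a strong hint, not proof: any program may happen to bind a port between 3127 and 3198, so a hit should be confirmed with an anti-virus scan or by identifying the owning process before the machine is declared infected. An ESTABLISHED socket on such a port, with a remote address outside the local network, is the more urgent finding, since it means someone is already using the backdoor.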

Some other facts about MyDoom:

Much of last week's congestion on the Internet was the result of e-mail gateways being bombarded with the infected mail, rather than the work of the worm itself.

MyDoom installs itself only on Microsoft Windows (XP, 2000, NT, etc.), so machines running MS-DOS, Linux, Unix or many other operating systems were untouched.

This includes Mac OS X. Alex Salkever of Business Week Online notes that:

"[Macintosh] OS X comes with a default setting that requires a login name and password before it allows any new software to be installed on a given computer. With this default, no Mac user needs to worry about inadvertently clicking on e-mail attachments carrying virus software....any piece of code that tries to install itself on a Mac, surreptitiously or not, will elicit the login and password prompt."

The Attack on SCO

On February 1, 2004, at 8:42 AM PT, the MyDoom worm knocked out the Utah-based SCO Group's Web site.

SCO said an onslaught of data had made its Web site "completely unavailable." The attack began Saturday night, and by Sunday morning the software firm's site was completely flooded with requests.

The "Revolutionary" Cause: SCO vs. Linux?

SCO has drawn the ire of the open-source programming community, which objects to the company's claims that it has copyright control over key pieces of the Linux operating system.

According to SCO's CEO Darl McBride, ranting in Salt Lake City Weekly: "I’ve been pounding the table here for a year or so saying there’s no free lunch, and there is going to be a day of reckoning for every company that thinks they are going to try and sell a free model.”

“Our customers that are buying [UNIX] from us today, we generally don’t have a problem with,” McBride said. “We have some former customers that have left that are running on Linux, and they are in the crosshairs.”

“[T]hose who believe ‘software should be free’ cannot prevail against the U.S. Congress and voices of seven U.S. Supreme Court justices who believe that ‘the motive of profit is the engine that ensures the progress of science...”

“You know, this is an epic battle that is going to reshape the definition of the computer operating system going forward...”

(I can't tell yet whether this person is a danger, a maniac or a comedian, but his lawyers are a determined bunch who have filed lawsuits against companies like IBM, HP, and Red Hat. They have about 1,200 other companies on their list.)

The speed and severity of the attack surprised security officials. However, some of the slowness you might have experienced on the Internet last week was possibly due not to the worm but to your local ISP blocking certain routes, including the route to www.sco.com.

The original worm, which attacks only the SCO site, is still spreading and will continue to do so until Feb. 12.

Even before MyDoom was released, however, SCO was being attacked.

CNET News.com reported on December 15 that "more Internet attacks cut off access to the SCO Group's servers this past weekend and again on Monday, as the Unix software company struggled to stop the hackers."

SCO quickly moved its Web site to www.thescogroup.com instead of its normal address of www.sco.com, to avoid the worm-induced DoS attack that has been pummeling the original site. (As of Feb. 6, the original site still cannot be reached.) The company also offered a reward of $250,000 to anyone who could identify the perpetrators of the worm. Soon afterward, Microsoft offered an identical reward.

The Second Target: Microsoft

On February 4, 2004, E-Commerce Times reported that

"A variant of the MyDoom worm sparked a data flood at Microsoft's main Web site on Tuesday [Feb. 3] but had little effect. The company was able to fend off the attack because it had ample warning that the malware would strike. Also, the variant, MyDoom.B, was less widespread than the first version, which hit an estimated 2 million PCs.

"Although Microsoft would not discuss specifics on how it prevented the distributed denial-of-service (DoS) attack, the company said in a statement that administrators have been working for two days to prepare for the attack. The company also noted, 'We aggressively worked with our Virus Information Alliance partners to help protect customers from this outbreak.'"

Microsoft has set up a new site at http://information.microsoft.com that contains information about MyDoom for individuals who cannot access the company's homepage as a result of the worm.

Aftermath

MyDoom is a taste of viruses to come, says Mikko Hypponen of Finland-based F-Secure Corp:

"E-mail viruses like MyDoom will be the weapon of choice for future attacks on corporate and political Web sites, with one worm able to threaten thousands of big sites at once.

"We really have to take security to a higher level and take the responsibility away from the users. ... [People] have to be automatically secured by someone else." Users don't think much about security, despite warnings, and that is part of the problem.

From all indications, corporations large enough to afford antivirus software at the e-mail gateway were unaffected.

In building an army of zombie PCs over a six-day span, the MyDoom outbreak underscores a new digital security threat for corporations, governments and news operations.

But if the perpetrators of MyDoom were striking blows against SCO in the name of Open Source, they did a poor job of it. Actually, SCO was just an excuse for their own bad behavior.

Ironically, the SCO Group can now play the role of the "injured" party.

And so can you: think about the hundreds of useless messages you had to delete from your mailbox. (In any case, I hope this brief discussion has been helpful.)