The family of MyDoom e-mail worms remains an active threat because of compromised computer systems and unprotected personal computers even though the virus was programmed to shut down last month.
As a result of the prevalent infections, the MyDoom creators still can mobilize a vast network of computers at any time. Marching orders sent to infected machines can enable them to carry out misdeeds ranging from clogging Internet traffic to wreaking large-scale financial chaos on banks and corporations, according to virus experts.
The MyDoom e-mail worm — which still is coming out in new versions roughly every week — continues to clog mail servers around the world. According to the British network security firm mi2g Intelligence Unit, the number of MyDoom infections has started to become more active again as new variants multiply.
Those in the computer security community agree that the MyDoom family has far surpassed the damage caused by any other malware, including SoBig.
“The biggest damage is the denial-of-service attacks,” Ian Hameroff, Computer Associates security strategist, told TechNewsWorld. “There is no other damage to the data. It’s more a loss of productivity so far.”
The Source of Evil
MyDoom.a, discovered on January 26, 2004, propagated through attached files with the extensions .bat, .cmd, .exe, .pif, .scr or .zip. The worm created a back door into the system by opening TCP ports 3127 through 3198.
MyDoom doesn’t own this open-port trick. Worms such as SoBig, MiMail, Bagle and others all have this capability. But the MyDoom family capitalizes on the technique, using it much more effectively than other worms.
These open ports let the worm secretly “listen” for new instructions sent out by the worm’s author. An open port also creates a back door that lets an attacker connect to the infected computer and thus control its individual and network resources.
But that’s not all it does. The back door opened by MyDoom lets an attacker remotely download and execute arbitrary files. The real threat is the fact that this malware can spring into action at any time because the TCP 3127 port remains open. The only way to close it is to detoxify the infection with antivirus software.
Tracking the Family Tree
According to numerous computer security experts and the mi2g Intelligence Unit, there is little difference among the earlier MyDoom versions and their variants. Their main purpose seems to be tweaking the code and expanding the worm’s capabilities.
MyDoom.b carried modified code that some experts described as somewhat flawed. The coding errors made this generation of the MyDoom worm less threatening.
MyDoom.c was found on February 9th and targeted computers already infected with MyDoom.a. Plus, it did not spread via e-mail but used the existing open port, said Michael Paquette, vice president of product management at Top Layer Networks.
MyDoom.d spread updated code but was otherwise identical to MyDoom.a. Also known as Doomjuice.a, MyDoom.d sent single requests for a denial-of-service (DoS) attack against Microsoft during the first 12 days of the month and then switched to a multiple-request attack strategy.
MyDoom.e, also known as Doomjuice.b, can keep up the onslaught with continuous, high-intensity DoS attacks on Microsoft’s home page in any month from February through December on any days except those between the 8th and 12th of each month. MyDoom.e creates requests to access Microsoft’s home page that resemble Internet Explorer requests.
Newest Variants Daunting
Antivirus software maker Sophos and other security firms reported MyDoom.e on the loose toward the end of February. This version of the worm spreads by e-mail. Once activated, the worm collects e-mail addresses from address books and files in infected computers. It concentrates on files with these extensions: .wab, .htm, .txt, .sht, .php, .asp, .dbx, .tbb, .adb and .pl. It uses e-mail addresses chosen at random in the sender and receiver fields, and it randomly chooses subject lines as well.
So far, the e-strain has shown a single focus. According to antivirus companies, it commanded a DoS attack in February against the SCO Web site. After that, the coding shut down the propagation but not the back-door component.
Finnish antivirus software company F-Secure reported that MyDoom.f was found on February 20th and is functionally similar to the original MyDoom worm. However, unlike MyDoom.a, it does not attack the SCO web site. It tries to perform a distributed DoS attack on the Microsoft and RIAA Web sites — and it attempts to delete certain files on infected computers.
All of the MyDoom variants leave several ports open on infected machines. These are open targets for attackers to install their hacker activated code (HAC), which can include key loggers and complex Trojan horse software. These malware enhancements let intruders steal usernames, passwords, identities, bank account details and credit card numbers, according to mi2g Intelligence Unit. They also give the perpetrators the ability to use infected machines in distributed DoS attacks, to send out new spam or to file-serve illegal pirated software.
Why MyDoom Worms Work
MyDoom doesn’t rely on innovative design. What makes it the fastest-spreading e-mail worm in history is nothing more than the structure of existing Internet protocols and careless behavior of computer users in their homes and corporate cubicles, said Top Layer’s Paquette.
Add a touch of social engineering, and it’s simple to see how easily MyDoom spreads. Infected messages resemble legitimate e-mail, with compelling header and subject lines that report undeliverable mail. An attached .zip file provides an alluring tease to open the attachment.
The goal is to convince the mail recipient to click on the attached, infected file. If the person reading the message would simply hit the delete key instead of the attached file link, the infection would be stopped cold.
The MyDoom family line has its own e-mail-generation engine. This gives MyDoom the ability to guess e-mail addresses by randomly combining common usernames with domain names. The domains msn.com, yahoo.com and hotmail.com are hard-coded into the worm code. This makes it easy for MyDoom to manufacture thousands of correct e-mail addresses by adding random number-and-letter combinations in front of the domain names.
Each bogus e-mail carries an infected attached file. When the domain mail server sends out the alert that the address is undeliverable, mail servers and Internet traffic flow can easily become gridlocked.
In similar fashion, the randomly created correct e-mail address arrives with the attached file. The message header and file name beg to be opened.
“The real problem is caused by other viruses that use the opened back door,” said Paquette. “The goal seems to be to own the compromised machines.”
Computer Associates’ Hameroff said there is always a risk that MyDoom could cause more damage in the future. His biggest concern, however, is the potential for malware infections and abuse through the back doors that remain open on compromised machines.
“Somebody is looking to profit from the virus variants,” he offered as an explanation for the prolific descendants of the MyDoom clan.
Purpose Still Unknown
Computer security experts don’t know for sure what MyDoom’s goal is, but most experts agree that criminal intent can’t be ruled out. “The original intent was to use the infected machines for e-mail spam,” Paquette told TechNewsWorld.
But the ongoing spread of related worms is forming a clearer picture of the possible intentions of those responsible for MyDoom. Paquette believes there are four overall motivations.
One is to establish a botnet to launch DoS attacks for extorting money from corporations. With the ability to shut down major corporate Web sites and e-mail traffic, the desire to get ransom from affected targets could be a root cause.
A second motivation for the malware’s code writers is simply to cause annoyance. A third reason is to facilitate mass mailing.
Paquette said the possibility of criminal intent forms the basis of his fourth perceived intention behind the MyDoom worm. “Any criminal organization needs a significant amount of compromised machines,” he said. The MyDoom worm family is achieving that goal.