RealTime IT News

Stripped-Down MyDoom Hits Microsoft.... Again

A new variant of the virulent MyDoom worm has been found in the wild, launching what one analyst fears may be a vicious attack against Microsoft Corp.'s Web site.

Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company, says analysts there just found the variant, which they're calling MyDoom-C, and it's spreading rapidly in the wild. Early analysis of the worm, shows that it has been stripped down and is largely, if not solely, focused on attacking the microsoft.com site.

''This variant has stripped away much of the functionality of the earlier MyDoom worms,'' says Dunham, noting that the first intercepted worm came out of Amsterdam. ''It doesn't spread as an email worm and it doesn't include a backdoor component... It uploads itself and starts and intensive distributed Denial-of-Service attack against Microsoft.''

Dunham says the microsoft.com site has been experiencing some slow downs this morning, which he attributes to the MyDoom-C attack. Mi2g, a security analysis group based in London, reports today that strain has been building on Microsoft's Web site over the weekend, but they attributed that to MyDoom-B. Dunham says he thinks that build-up is actually coming from the first wave of the C variant.

''We saw a latency spike at microsoft.com and at first, I thought it was related to another worm,'' he notes. ''Then we saw this worm getting picked up by multiple honeypots, and it's gaining ground rapidly in the wild. It's flood Microsoft with requests to its Web site and overloading them... If this worm is successful, Microsoft will have a hard time with it.''

Dunham also notes that MyDoom-C is taking advantage of the computers already infected by MyDoom-A. The new variant spreads by scanning for computers on a network that are listening on TCP port 3127 -- those are the machines infected with MyDoom-A. The original built up the zombie army, which has estimates of being 500,000 to 1 million machines strong, and now the new variant is putting them to work.

MyDoom-C also has an IP address for ford.com, the Web site of the automobile giant, but Dunham says he hasn't seen any attacks against that site yet.

''Other companies, such as Ford, should be concerned and should monitor their networks accordingly,'' Dunham warns. ''There's a large quantity of computers working on this DDOS, and without a kill date in this variant, it'll be a while before it goes away.''

The original MyDoom first hit the Internet in the last week of January. It was a fast-spreading mass-mailing worm that raced across the Internet, infecting computers and setting up backdoor Trojans and proxies. At its peak, MyDoom-A accounted for one in every six emails.

MyDoom-A focused its DDOS attack against The SCO Group, Inc., which then set a $250,000 bounty on the virus author's head. With SCO being an embattled player in the Linux market, many saw the attack as the latest weapon in the Linux Wars.

Then along came MyDoom-B just several days after the launch of the original.

MyDoom-B, which barely spread and was considered to be largely unsuccessful, turned on Microsoft, trying to launch a DDOS attack against its Web site. Microsoft, reportedly, barely even flinched.

But Dunham says this time it may be different.

''It's hijacking the computers compromised by the original MyDoom and it's using them to attack Microsoft.com,'' he says. ''This is an early analysis but it could be a successful worm.''

So far, the MyDoom family of worms, according to mi2g, has inflicted $38.5 billion in economic damages around the world.