RealTime IT News

Search Engine Virus Spells 'Doom'

UPDATED: A strain of the infamous MyDoom virus threat swept through inboxes around the world Monday morning, this one targeting popular search engines such as Google and Yahoo.

MessageLabs, the e-mail security firm, intercepted 23,000 copies of MyDoom.O within the first five hours of discovery. The new version, in effect, repeats the same distributed denial of service attacks the family carried out earlier this year, to the chagrin of network administrators at Microsoft and the SCO Group.

Like those earlier iterations, MyDoom.O arrives as a 27 kilobyte e-mail with an innocuous subject line; once the attached zip file is extracted, it opens a backdoor Trojan on TCP port 1034 or through a proxy service.

This time, according to Ken Durham, director of malicious code at security firm iDEFENSE, it performs a "GET" request and queries a search engine such as Google for every domain found in a user's address book. For example, if one of the contacts is "ken@msn.com," the virus queries the search engine for all addresses on the Internet that end in "@msn.com," harvesting further targets from the results.
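The harvesting behaviour described above leaves a distinctive trace at the network edge: one client issuing bursts of search-engine queries whose sole term is a bare "@domain" string. The following is an added example, not code from the article or from any vendor named in it; the proxy log format, the search hosts, the query parameter names and the threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Hosts treated as search engines (the article names Google, Yahoo, AltaVista and Lycos).
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com",
                "www.altavista.com", "search.lycos.com"}
# Query-string parameters assumed to carry the search terms on those sites.
QUERY_PARAMS = ("q", "p", "query")
# A search term that is nothing but "@domain.tld" matches the harvesting pattern.
DOMAIN_TERM = re.compile(r"^@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed proxy log lines in the form "<client-ip> <method> <url>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=%40msn.com
10.0.0.5 GET http://www.google.com/search?q=%40example.org
10.0.0.5 GET http://search.yahoo.com/search?p=%40msn.com
10.0.0.5 GET http://www.altavista.com/web/results?q=%40example.org
10.0.0.7 GET http://www.google.com/search?q=mydoom+removal
10.0.0.9 GET http://search.lycos.com/default.asp?query=%40msn.com
"""

def harvesting_terms(url):
    """Return the search terms in url that are bare '@domain' probes, else []."""
    parts = urlparse(url)
    if parts.hostname not in SEARCH_HOSTS:
        return []
    qs = parse_qs(parts.query)          # parse_qs already percent-decodes values
    terms = []
    for key in QUERY_PARAMS:
        for value in qs.get(key, []):
            if DOMAIN_TERM.match(value):
                terms.append(value)
    return terms

def flag_hosts(log_text, threshold=3):
    """Map client IP -> list of '@domain' probes for clients at or above threshold."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                    # skip malformed or truncated lines
        client, _method, url = fields
        probes[client].extend(harvesting_terms(url))
    return {ip: terms for ip, terms in probes.items() if len(terms) >= threshold}

if __name__ == "__main__":
    for ip, terms in flag_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {len(terms)} address-harvesting queries {sorted(set(terms))}")
```

A legitimate user searching for a single "@domain" term once will not cross the threshold; a host sweeping every domain in an address book across several engines will.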

"The worm does have a relationship to Google that is unique, that I've never seen in a worm before," Durham said.

According to iDEFENSE's research, the virus spread fast enough, and generated so many queries to Google's search engine, that the Web site experienced a number of service outages. The Yahoo, Altavista and Lycos search engines were experiencing similar problems, according to Postini officials, though the extent of the attack was unknown at press time.

Google officials released a statement earlier today, saying there weren't any serious outages resulting from the virus.

"The Google search engine experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches," the statement read. "A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google website significantly impaired, and service for all users and networks is expected to be restored shortly."

Andrew Lochart, director of product marketing for hosted e-mail security service Postini, said the virus in one day has shot to the top of the company's list of damaging viruses, surpassing Netsky. Since 7 a.m. Pacific time, the company has intercepted more than 300,000 e-mails containing the virus.

He said the virus writer is also spoofing the e-mail headers (the From: line) so that the messages appear to come from Postini and other major ISPs, tricking users into thinking the e-mails originate from a trusted source.

The original MyDoom virus targeted two companies highly unpopular in the open source community -- Microsoft and SCO. The former has declared Linux a scourge, while the latter has embarked on a $5 billion lawsuit against IBM and, indirectly, the Linux kernel.

Lochart said he sees some similarities in method between the targets of Monday's virus and those of the original MyDoom.A virus. A part of him, he said, thinks it cannot be coincidental that a virus primarily targeting Google arrives at the worst possible time, when potential investors are looking for any fault in a company preparing to file an initial public offering on the NASDAQ stock exchange.

"The guys that write up viruses like to stir up trouble, a part of their anti-social behavior," he said. "I can see where they would say, 'hey, let's give Google a poke in the eye.' I think that's a shame, I think Google is a real good company."

Postini officials don't expect Monday's virus to be as virulent as MyDoom.A, as long as the search engines are able to safeguard their servers. On the other hand, Lochart said, the Netsky virus was released four months ago and up until yesterday, remained the No. 1 virus on the Internet.