Stripped-Down MyDoom Hits Microsoft…. Again

A new variant of the virulent MyDoom worm has been found in the wild, launching what one

analyst fears may be a vicious attack against Microsoft Corp.’s Web site.

Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company,

says analysts there just found the variant, which they’re calling MyDoom-C, and it’s

spreading rapidly in the wild. Early analysis of the worm, shows that it has been stripped

down and is largely, if not solely, focused on attacking the microsoft.com site.

”This variant has stripped away much of the functionality of the earlier MyDoom worms,”

says Dunham, noting that the first intercepted worm came out of Amsterdam. ”It doesn’t

spread as an email worm and it doesn’t include a backdoor component… It uploads itself and

starts and intensive distributed Denial-of-Service attack against Microsoft.”

Dunham says the microsoft.com site has been experiencing some slow downs this morning, which

he attributes to the MyDoom-C attack. Mi2g, a security analysis group based in London,

reports today that strain has been building on Microsoft’s Web site over the weekend, but

they attributed that to MyDoom-B. Dunham says he thinks that build-up is actually coming

from the first wave of the C variant.

”We saw a latency spike at microsoft.com and at first, I thought it was related to another

worm,” he notes. ”Then we saw this worm getting picked up by multiple honeypots, and it’s

gaining ground rapidly in the wild. It’s flood Microsoft with requests to its Web site and

overloading them… If this worm is successful, Microsoft will have a hard time with it.”

Dunham also notes that MyDoom-C is taking advantage of the computers already infected by

MyDoom-A. The new variant spreads by scanning for computers on a network that are listening
on TCP port 3127 — those are the machines infected with MyDoom-A. The original built up the

zombie army, which has estimates of being 500,000 to 1 million machines strong, and now the

new variant is putting them to work.

MyDoom-C also has an IP address for ford.com, the Web site of the automobile giant, but

Dunham says he hasn’t seen any attacks against that site yet.

”Other companies, such as Ford, should be concerned and should monitor their networks

accordingly,” Dunham warns. ”There’s a large quantity of computers working on this DDOS,

and without a kill date in this variant, it’ll be a while before it goes away.”

The original MyDoom first hit the Internet in the last week of January. It was a

fast-spreading mass-mailing worm that raced across the Internet, infecting computers and

setting up backdoor Trojans and proxies. At its peak, MyDoom-A accounted for one in every

six emails.

MyDoom-A focused its DDOS attack against The SCO Group, Inc., which then set a $250,000

bounty on the virus author’s head. With SCO being an embattled player in the Linux market,

many saw the attack as the latest weapon in the Linux Wars.

Then along came MyDoom-B just several days after the launch of the original.

MyDoom-B, which barely spread and was considered to be largely unsuccessful, turned on

Microsoft, trying to launch a DDOS attack against its Web site. Microsoft, reportedly,

barely even flinched.

But Dunham says this time it may be different.

”It’s hijacking the computers compromised by the original MyDoom and it’s using them to

attack Microsoft.com,” he says. ”This is an early analysis but it could be a successful

worm.”

So far, the MyDoom family of worms, according to mi2g, has inflicted $38.5 billion in

economic damages around the world.

News Around the Web