As network administrators at Google and other major search engines finished
shoring up their defenses to combat the latest strain of MyDoom,
the virus’ secondary motive emerged: clearing a path for attacking
Microsoft.com and opening up a backdoor to the user’s computer.
Ken Dunham, director of malicious code at security firm iDEFENSE, released
information Tuesday morning on Zindos.A, a new virus that takes advantage of
the Trojan horse already found within the MyDoom.O virus. That Trojan,
Zincite.A, launches Zindos.A, which then launches a Denial of
Service (DoS) attack on Microsoft.com and uploads itself to random
Internet-connected computers with an open TCP port 1034.
Microsoft officials encouraged computer users to download the latest
anti-virus definitions from their vendors. The virus affects Windows
2000/95/98/ME/NT/Server 2003/XP operating systems.
The company issued a statement Tuesday morning:
“Microsoft began investigating reports of a new backdoor worm named
‘Zindos,’ which is reported to instruct infected computers to conduct a
Distributed Denial of Service (DDOS) attack against the Microsoft.com
domain. Microsoft has taken steps to ensure that Microsoft.com remains
available to customers. The Microsoft.com network is stable and has been
consistently accessible to customers.”
Zindos.A can’t do anything until it comes in contact
with computers already altered by the MyDoom.O virus. Zincite.A is the
Trojan that opens up TCP port 1034 on a user’s computer and then randomly
scans other Internet-connected computers for an opening in the same port.
If another computer with port 1034 open is found by the Trojan, it sends an
encrypted copy of itself to that computer, where it extracts itself,
conducts another random scan and launches Zindos.A, which starts the cycle.
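The propagation described above leaves a recognizable trace in perimeter logs: one source trying TCP port 1034 on many different hosts in quick succession, and the occasional accepted connection to that port. The following detection is an added example, not code from the article or from any of the vendors it quotes; the log line format, the sample lines and the five-target threshold are constructed assumptions, and the only fact taken from the page is the port number.

```python
"""Flag hosts that scan for TCP port 1034, the backdoor port the article
attributes to Zincite.A.  Added example; the log format and sample lines
below are constructed, not taken from any real firewall product."""
from collections import defaultdict
import re

# Constructed line format: "<time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

BACKDOOR_PORT = 1034   # port named in the article
SCAN_THRESHOLD = 5     # distinct targets on that port before a source is flagged (assumption)

# Constructed sample log: 10.0.0.12 sweeps a /24 for port 1034, 10.0.0.7 retries one host,
# and 10.0.0.30 gets an accepted connection *into* 10.0.0.12 on the same port.
SAMPLE_LOG = """\
10:00:01 10.0.0.7 -> 203.0.113.4:80 tcp allow
10:00:02 10.0.0.12 -> 198.51.100.9:1034 tcp deny
10:00:02 10.0.0.12 -> 198.51.100.10:1034 tcp deny
10:00:03 10.0.0.12 -> 198.51.100.11:1034 tcp deny
10:00:03 10.0.0.12 -> 198.51.100.12:1034 tcp deny
10:00:04 10.0.0.12 -> 198.51.100.13:1034 tcp deny
10:00:04 10.0.0.12 -> 198.51.100.14:1034 tcp allow
10:00:05 10.0.0.7 -> 198.51.100.9:1034 tcp deny
10:00:06 10.0.0.7 -> 198.51.100.9:1034 tcp deny
10:00:07 10.0.0.30 -> 10.0.0.12:1034 tcp allow
"""


def parse(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_scanners(log_text, port=BACKDOOR_PORT, threshold=SCAN_THRESHOLD):
    """Return {src: sorted distinct destinations} for sources that tried `port`
    on at least `threshold` different hosts.  Distinct targets, not raw
    connection count, is the signal: repeated retries to one host are not a sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["proto"] == "tcp" and rec["port"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_accepted_inbound(log_text, port=BACKDOOR_PORT):
    """Return sorted (src, dst) pairs where a connection to `port` was allowed.
    The destination of each pair may be listening on the backdoor port and
    merits a host-level check."""
    pairs = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["proto"] == "tcp" and rec["port"] == port and rec["action"] == "allow":
            pairs.add((rec["src"], rec["dst"]))
    return sorted(pairs)


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"port-{BACKDOOR_PORT} sweep from {src}: {len(dsts)} distinct targets")
    for src, dst in find_accepted_inbound(SAMPLE_LOG):
        print(f"accepted connection to {dst}:{BACKDOOR_PORT} from {src}")
```

Counting distinct destinations rather than total connections keeps a host that simply retries a legitimate peer out of the alert, while the accepted-inbound list points at machines that may already have the port open and should be checked with an up-to-date anti-virus scanner, which is the remediation the article recommends.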
Dunham said Zincite.A also performs another function that is still unknown
but is “indicative of a peer-to-peer type communication between
Zincite-infected computers or a backdoor Trojan horse.”
He expects criminal motives, such as software that collects private
information (passwords, credit card information, etc.).
Symantec, which labels this latest virus MyDoom.M, rates the virus’
potential for damage as “medium,” although the company considers its distribution “high.”
As in the case of many of the MyDoom variants that have come before, the
spread of the virus is attributable more to consumers than to enterprise
networks, whose network administrators had anti-virus and firewall measures
in place to put a stop to the proliferation of the malicious code.
“To launch MyDoom, you’ve got to click the attachment; it’s not an
auto-execute so it’s a lot of gullible end users who are clicking this
attachment,” said Peter Firstbrook, an infrastructure analyst at research
firm META Group.
He compares the MyDoom variants, which started at .A for the original and
are now up to .O (or .M, according to some security firms), to an open
source project. The source code to the original MyDoom virus was made
available to other virus writers, Firstbrook said, who had an idea for a new
virus but needed a delivery mechanism.
Firstbrook said that in talks with security experts at MessageLabs, they
were still trying to find out exactly what this latest virus is
capable of doing, as there are encrypted parts of the code that make
Monday morning’s launch of the MyDoom.A virus caught its targets unprepared.
The virus grabs the domain addresses (e.g. @ameritech.net) of contacts
in the user’s address book and launches a query at search engines looking
for other users. It caused minor outages to Google’s Web site, but the company was able
to quickly restore service, officials said.
Web site performance
monitor Keynote Systems said the four major search engines — Google, Yahoo,
AltaVista and Lycos — had restored 97 percent availability by 7 p.m. EST.
Symantec has released a removal tool for those without anti-virus software.
It can be found here,
though it does not remove the latest Zindos.A virus.