UPDATED: A strain of the infamous MyDoom virus swept through inboxes around
the world Monday morning, this one targeting popular search engines like
Google and Yahoo.
MessageLabs, the e-mail security firm, intercepted 23,000 copies of MyDoom.O
within the first five hours of discovery. The new version, in effect,
perpetuates the same distributed denial of service attacks that earlier
variants carried out this year, to the chagrin of network administrators at
Microsoft and the SCO Group.
Like those earlier iterations, MyDoom.O arrives as a 27 kilobyte e-mail with
an innocuous subject line; when the attached zip file is extracted it opens a
backdoor Trojan on TCP port 1034 or a proxy service. This time, according to
Ken Durham, director of malicious code at security firm iDEFENSE, it issues a
“GET” request that queries a search engine like Google for every domain in
the user’s address book. For example, if one of the contacts is
“ken@msn.com,” the virus queries the search engine for all e-mail addresses
on the Internet that end in “@msn.com.”
“The worm does have a relationship to Google that is unique, that I’ve never
seen in a worm before,” Durham said.
According to iDEFENSE’s research, the virus spread fast enough, and sent so
many queries to Google’s search engine, that the Web site experienced a number
of service outages. The Yahoo, Altavista and Lycos search engines were
experiencing similar problems, according to Postini officials, though the
extent of the attack was unknown at press time.
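The behaviour described above, a host issuing a burst of search-engine queries whose search term is a bare “@domain” string harvested from an address book, is something a network defender can spot in web-proxy logs. The following is an added example and is not code from the article or from MessageLabs, iDEFENSE, Postini or Google. It assumes a constructed log format of “timestamp client-ip method url”, assumed search-engine hostnames and query-parameter names, a hypothetical threshold of 30 queries per 60 seconds, and synthetic timestamps; all of these are illustrative choices, not values from the article.

```python
"""Flag clients whose search-engine query rate and query shape match an
automated address-harvesting flood (added detection example; assumptions are
marked in comments)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed search-engine front ends and the query parameter each one uses.
SEARCH_HOSTS = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "www.altavista.com": "q",
    "search.lycos.com": "query",
}
# A search term that is nothing but "@domain.tld": the harvesting signature
# the article attributes to MyDoom.O.
BARE_DOMAIN_RE = re.compile(r"^@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, term).

    term is the search string if the request was a GET to a known search
    engine with its query parameter set, otherwise None.
    """
    ts_text, client, method, url = line.split(maxsplit=3)
    ts = datetime.fromisoformat(ts_text)
    parts = urlsplit(url)
    param = SEARCH_HOSTS.get(parts.hostname)
    term = None
    if method == "GET" and param is not None:
        values = parse_qs(parts.query).get(param)
        if values:
            term = values[0]
    return ts, client, parts.hostname, term


def flag_query_floods(lines, window_seconds=60, threshold=30):
    """Return {client: (queries_in_window, bare_domain_queries)} for every
    client that exceeds `threshold` search queries inside any sliding window
    of `window_seconds`. The second number counts "@domain" terms seen from
    that client over the whole log, so an analyst can tell a harvesting
    worm from a merely busy user."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps of recent search queries
    bare = defaultdict(int)       # client -> count of bare "@domain" terms
    flagged = {}
    for line in lines:
        ts, client, _host, term = parse_line(line)
        if term is None:
            continue              # not a search query, ignore
        if BARE_DOMAIN_RE.match(term):
            bare[client] += 1
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop queries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[client] = (len(q), bare[client])
    return flagged


def constructed_log():
    """Synthetic proxy log (constructed for this example): one infected client
    sends one "@domain" query per second to Google for 45 seconds, while an
    ordinary client does three normal searches and fetches one web page."""
    start = datetime(2004, 7, 26, 7, 0, 0)   # assumed timestamp, not from the article
    domains = ["msn.com", "example.org", "hotmail.com"]
    lines = []
    for i in range(45):
        ts = start + timedelta(seconds=i)
        d = domains[i % len(domains)]
        lines.append(f"{ts.isoformat()} 10.0.0.5 GET http://www.google.com/search?q=%40{d}")
    for i in range(3):
        ts = start + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 GET http://search.yahoo.com/search?p=linux+kernel")
    lines.append(f"{start.isoformat()} 10.0.0.7 GET http://www.example.com/index.html")
    lines.sort()                  # proxy logs are time-ordered; ISO timestamps sort as text
    return lines


if __name__ == "__main__":
    for client, (count, bare_count) in flag_query_floods(constructed_log()).items():
        print(f"{client}: {count} search queries in window, {bare_count} bare @domain terms")
```

The rate check alone would also fire on a busy shared NAT address, which is why the second number matters: a client whose flagged queries are almost all bare “@domain” strings is exhibiting the harvesting pattern, not ordinary browsing, and the threshold and window should be tuned against a baseline of the organisation’s own proxy traffic.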
Google officials released a statement earlier today, saying there weren’t
any serious outages resulting from the virus.
“The Google search engine experienced slowness for a short period of time
early today because of the MyDoom virus, which flooded major search engines
with automated searches,” the statement read. “A small percentage of our
users and networks that have the MyDoom virus have been affected for a
longer period of time. At no point was the Google website significantly
impaired, and service for all users and networks is expected to be restored
shortly.”
Andrew Lochart, director of product marketing for hosted e-mail security
service Postini, said the virus in one day has shot to the top of the
company’s list of damaging viruses, surpassing Netsky.
Since 7 a.m. Pacific time, the company has intercepted more than 300,000
e-mails containing the virus.
He said the virus writer is also spoofing the e-mail headers (the From: line)
to make it seem the e-mails are coming from Postini, major ISPs and other
trusted sources.
The original MyDoom virus targeted two companies highly unpopular in the open source community — Microsoft and SCO. The former has declared Linux a scourge, while the latter has embarked on a $5 billion lawsuit against IBM and, indirectly, the Linux kernel.
Lochart said he sees similarities in the way Monday’s virus and the original
MyDoom.A chose their targets. A part of him, he said, thinks it can’t be
coincidental that a virus primarily targeting Google appears at the worst
possible time, when potential investors are looking for any faults in a
company preparing to file an initial public offering on the NASDAQ stock
exchange.
“The guys that write up viruses like to stir up trouble, a part of their
anti-social behavior,” he said. “I can see where they would say, ‘hey,
let’s give Google a poke in the eye.’ I think that’s a shame, I think
Google is a real good company.”
Postini officials don’t expect Monday’s virus to be as virulent as MyDoom.A,
as long as the search engines are able to safeguard their servers. On the
other hand, Lochart said, the Netsky virus was released four months ago and,
up until yesterday, remained the No. 1 virus on the Internet.