MyDoom's One-Two Punch Lacks Wallop

With the latest MyDoom variant largely under control, the second wave of the virus author's attack is losing steam, according to security analysts.

It seems that what was meant to be a digital one-two punch is lacking the necessary wallop.

''Companies pretty much have MyDoom under control and that took the steam out of Zindos,'' says Steve Sundermeier, a vice president with Medina, Ohio-based Central Command. ''If this latest version of MyDoom had been more successful, it would have been a completely different story.''

MyDoom, which caused considerable disruption when it was originally released into the Wild this past January, reappeared earlier this week in the form of a new variant. The variant, named by different anti-virus vendors as either MyDoom-M, MyDoom-N or MyDoom-O, was first detected in the United Kingdom on Monday and quickly started to spread.

Analysts at MessageLabs, Inc., a managed email security company based in New York, report that in the first 24 hours they intercepted 599,641 copies of the virus. But that pales in comparison to the original -- MyDoom-A -- which released more than 5 million copies into the Wild in its first 24 hours.

What makes the latest MyDoom variant interesting is the new twist in how it propagates. The worm contains links to several different search engines and issues HTTP GET requests to them to harvest email addresses. Security analysts say some search engine sites, such as Google, reportedly experienced slowdowns and possibly even intermittent interruptions as a result.

The worm also carries a Trojan component that opens a backdoor listening on TCP port 1034.

And that open port ushers in what analysts say was surely a planned second wave of the attack.

On Tuesday, analysts at iDefense, a security intelligence company based in Reston, Va., reported finding Zindos-A in the Wild. The malware scans for randomized IP addresses with TCP port 1034 open. This is the port that the new MyDoom variant opens. Once it finds that open port, Zindos-A uploads a copy of itself, which is then executed by a mechanism inside the new MyDoom variant. After creating a .exe file on the infected computer and modifying the Windows registry, Zindos-A launches a denial-of-service attack against the Web site.
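The two indicators described above, an open TCP/1034 backdoor and a single source probing many addresses for it, can be pulled out of firewall logs. The following is an added example, not code from the article or from any vendor named in it; the log format and the sample lines are constructed for illustration.

```python
"""Flag TCP/1034 backdoor and scanning activity in constructed firewall logs.

Added example (not from the article). It parses a simplified, assumed
firewall log format and reports (a) internal hosts that accepted an inbound
connection on TCP/1034, i.e. hosts where the MyDoom backdoor port is open,
and (b) external sources that probed several distinct internal hosts on that
port, the pattern of Zindos-A's randomized IP scanning.
"""
from collections import defaultdict
import re

BACKDOOR_PORT = 1034  # port the article says the MyDoom variant opens

# Assumed log format: "<time> <ACCEPT|DROP> tcp <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>ACCEPT|DROP) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source sweeps three hosts on 1034 (one connection
# accepted), plus unrelated HTTPS traffic and a single dropped 1034 probe.
SAMPLE_LOG = """\
10:00:01 DROP tcp 203.0.113.9:40001 -> 10.0.0.5:1034
10:00:01 DROP tcp 203.0.113.9:40002 -> 10.0.0.6:1034
10:00:02 ACCEPT tcp 203.0.113.9:40003 -> 10.0.0.7:1034
10:00:03 ACCEPT tcp 198.51.100.4:51000 -> 10.0.0.8:443
10:00:04 DROP tcp 198.51.100.7:52000 -> 10.0.0.9:1034
"""


def analyze(log_text, scan_threshold=3):
    """Return (hosts_with_open_backdoor, scanning_sources), both sorted lists."""
    open_backdoor = set()
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != BACKDOOR_PORT:
            continue  # malformed line or not the backdoor port
        targets_by_src[m["src"]].add(m["dst"])
        if m["action"] == "ACCEPT":
            # A completed inbound connection on 1034 means the port is open.
            open_backdoor.add(m["dst"])
    # A source touching many distinct hosts on 1034 looks like a sweep, not a client.
    scanners = {s for s, dsts in targets_by_src.items() if len(dsts) >= scan_threshold}
    return sorted(open_backdoor), sorted(scanners)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Hosts reported in the first list should be isolated and cleaned of the MyDoom variant; the second list identifies the addresses sweeping the network for the backdoor.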

But Ken Dunham, director of malicious code for iDefense, notes that with the MyDoom threat being buttoned up, there isn't much opportunity for Zindos-A to take hold.

''There was a rapid response from anti-virus companies... and the sheer number of MyDoom infections has dropped dramatically over the last 24 hours,'' says Dunham. ''Corporations removed the MyDoom threat and that cuts off the potential for Zindos to have a big effect. Without the MyDoom infection, Zindos has nothing to infect.''

But Dunham says analysts are still on alert for the multi-layered attack to potentially continue.

''It's all part of a planned attack, and we're not sure the attack is over,'' he adds. ''We're definitely on alert status, recognizing the potential for additional code to be launched.''
