With the latest MyDoom variant largely under control, the second wave of
the virus author’s attack is losing steam, according to security
analysts.
It seems that what was meant to be a digital one-two punch is lacking
the necessary wallop.
“Companies pretty much have MyDoom under control and that took the
steam out of Zindos,” says Steve Sundermeier, a vice president with
Medina, Ohio-based Central Command. “If this latest version of MyDoom
had been more successful, it would have been a completely different
story.”
MyDoom, which caused considerable disruption when it was originally
released into the Wild this past January, reappeared earlier this week
in the form of a new variant. The variant, named by different anti-virus
vendors as either MyDoom-M, MyDoom-N or MyDoom-O, was first detected in
the United Kingdom on Monday and quickly started to spread.
Analysts at MessageLabs, Inc., a managed email security company based in
New York, report that in the first 24 hours they intercepted 599,641
copies of the virus. But that pales in comparison to the original —
MyDoom-A — which released more than 5 million copies into the Wild in
its first 24 hours.
What makes the latest MyDoom variant interesting is the new twist in how
it propagates. The worm contains links to several different search
engines and issues GET requests to them to harvest email addresses.
Security analysts say some search engine sites, such as Google,
reportedly experienced slowdowns and possibly even intermittent
interruptions.
The worm also carries a Trojan that is installed on TCP port 1034.
And that open port ushers in what analysts say was surely a planned
second wave of the attack.
On Tuesday, analysts at iDefense, a security intelligence company based
in Reston, Va., reported finding Zindos-A in the Wild. The malware scans
for randomized IP addresses with TCP port 1034 open. This is the port
that the new MyDoom variant opens. Once it finds that open port,
Zindos-A uploads a copy of itself, which is then executed by a mechanism
inside the new MyDoom variant. After creating a .exe file on the
infected computer and modifying the Windows registry, Zindos-A launches
a denial-of-service attack against the Microsoft.com Web site.
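The two network signals described above, the MyDoom backdoor listening on TCP port 1034 and Zindos-A sweeping random addresses for that port, are exactly what a defender would look for in perimeter firewall logs. The following is an added example, not code from the article or from any of the vendors it quotes; the log format, the sample lines and the scan threshold of four distinct targets are all constructed assumptions, and the regex would need adapting to a real firewall's export.

```python
"""
Added example (not from the article): flag MyDoom/Zindos-style activity in
perimeter firewall logs. The article states that the new MyDoom variant
opens TCP port 1034 and that Zindos-A scans random IPs for that port, so
two signals are worth alerting on:
  1. an internal host that ACCEPTS a connection on TCP/1034 (backdoor is listening);
  2. a single source that probes many distinct hosts on TCP/1034 (scanning).
The log format below is a constructed, simplified one (assumption); adapt
the regex to your own firewall's export.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Format:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <ACCEPT|DROP>
SAMPLE_LOG = """\
2004-07-27T10:00:01 203.0.113.7:51000 -> 10.0.0.5:1034 TCP DROP
2004-07-27T10:00:02 203.0.113.7:51001 -> 10.0.0.6:1034 TCP DROP
2004-07-27T10:00:02 203.0.113.7:51002 -> 10.0.0.7:1034 TCP ACCEPT
2004-07-27T10:00:03 203.0.113.7:51003 -> 10.0.0.8:1034 TCP DROP
2004-07-27T10:00:03 203.0.113.7:51004 -> 10.0.0.9:1034 TCP DROP
2004-07-27T10:00:04 198.51.100.2:40000 -> 10.0.0.5:443 TCP ACCEPT
2004-07-27T10:00:05 198.51.100.3:40001 -> 10.0.0.7:1034 TCP ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>ACCEPT|DROP)$"
)

BACKDOOR_PORT = 1034   # port the article says the MyDoom variant opens
SCAN_THRESHOLD = 4     # distinct targets on that port before we call it a scan (assumed tuning value)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def analyze(log_text, port=BACKDOOR_PORT, scan_threshold=SCAN_THRESHOLD):
    """Return (listening_hosts, scanners) for the given log.

    listening_hosts: sorted list of internal IPs that accepted TCP/<port>,
                     i.e. something is listening there and should be triaged.
    scanners:        sorted list of source IPs that touched >= scan_threshold
                     distinct destinations on TCP/<port> (accepted or dropped).
    """
    listening = set()
    targets_by_src = defaultdict(set)
    for rec in parse(log_text):
        if rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        targets_by_src[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            listening.add(rec["dst"])
    scanners = {src for src, dsts in targets_by_src.items() if len(dsts) >= scan_threshold}
    return sorted(listening), sorted(scanners)


if __name__ == "__main__":
    hosts, scanners = analyze(SAMPLE_LOG)
    print("hosts accepting TCP/1034 (triage for MyDoom backdoor):", hosts)
    print("sources sweeping TCP/1034 (Zindos-style scan):", scanners)
```

On the constructed sample the script reports 10.0.0.7 as a host that accepted a connection on TCP/1034 (it should be isolated and checked for the MyDoom variant) and 203.0.113.7 as a source sweeping five internal addresses on that port. Counting dropped probes as well as accepted ones matters here: a scanner is visible long before it finds an open port, so the sweep is the earlier warning.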
But Ken Dunham, director of malicious code for iDefense, notes that with
the MyDoom threat being buttoned up, there isn’t much opportunity for
Zindos-A to take hold.
“There was a rapid response from anti-virus companies… and the sheer
number of MyDoom infections has dropped dramatically over the last 24
hours,” says Dunham. “Corporations removed the MyDoom threat and that
cuts off the potential for Zindos to have a big effect. Without the
MyDoom infection, Zindos has nothing to infect.”
But Dunham says analysts are still on alert for the multi-layered attack
to potentially continue.
“It’s all part of a planned attack, and we’re not sure the attack is
over,” he adds. “We’re definitely on alert status, recognizing the
potential for additional code to be launched.”