New Worm Camouflages MyDoom Writer’s Trail

The new DoomJuice worm that hit the wild Monday is the equivalent of digital camouflage,

according to security analysts.

The author of the virulent MyDoom-A worm that raced across the Internet, infecting an

estimated 500,000 to 1 million computers late last month, created the similar DoomJuice worm

to mask his trail and stymie potential prosecutors, say two prominent analysts. The new worm

actually drops the source code for the original MyDoom virus into infected computers,

hindering investigators who might have pinned the virus writing crime on the author by

showing that the source code is on his computer.

”This is quite a sneaky trick. Rather ingenious,” says Graham Cluley, senior technology

consultant for Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass.

”Between SCO and Microsoft, there’s more than half a million dollars in reward out for the

author now, and one of the key pieces of evidence is finding the source code on his

computer. But now with DoomJuice, there are potentially thousands of computers around the

world that have MyDoom source code on them.

”Now he can say that he was hit by DoomJuice, just like everybody else,” adds Cluley.

”It’s his attempt to hide in the crowd… It’s a bit like leaving someone else’s cigarette

case after you’ve stolen the jewels. If they ever catch the guy, the source code won’t be a

convincing piece of evidence anymore.”

The large bounty that is sitting on the virus author’s head may be pushing him to find a

creative way to hide his tracks, says Steve Sundermeier, vice president of products and

services at Central Command Inc., an anti-virus company based in Medina, Ohio.

”The ante has been raised and you’re definitely not looking at a slap on the wrist

anymore,” says Sundermeier. ”It’s a white collar crime and it’s being treated that way.”

DoomJuice was identified early on as a second variant of the MyDoom worm, initially taking

the title of MyDoom-C. However, the new worm varies enough from the original, even though it

shares the same base coding, that the anti-virus community has labeled it as its own worm.

Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence company

based in Reston, Va., says DoomJuice is a stripped down version of its MyDoom predecessor.

Unlike MyDoom, the new worm does not spread as a mass-mailing worm. It forgoes email all

together, traveling across the network and searching out computers already compromised by

MyDoom-A.

DoomJuice can’t attack a computer unless it is already compromised by MyDoom.

DoomJuice also does not contain a backdoor Trojan, a proxy, a kill date or coding to launch

a distributed denial-of-service (DDOS) attack against The SCO Group, Inc., a controversial

player in the Linux world. Instead, the new worm goes solely after Microsoft’s Web site,

microsoft.com.

Various security analysts report that Microsoft’s site suffered from intermittent latency

problems yesterday and was unavailable for a short time. Microsoft has not commented on it,

but the problems generally are blamed on DoomJuice.

”It’s my understanding that Microsoft has employed some creative techniques to divert the

DDOS attacks,” says Dunham. ”I’d imagine that after Blaster, they focused on this hard…

But look at SCO. They had days to prepare for the DDOS attack from MyDoom and they were

still taken down. Microsoft has to have concerns about being the continued target of attack.

Since DoomJuice does not spread via email, it’s more difficult for the anti-virus community

to gauge how swiftly and successfully the worm is spreading.

RELATED NEWS AND ANALYSIS

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2020

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020

• Anticipating The Coming Wave Of AI Enhanced PCs

  FEATURE |  By Rob Enderle,
  September 05, 2020

• The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  August 14, 2020