A new variant of the virulent MyDoom worm has been found in the wild, launching what one
analyst fears may be a vicious attack against Microsoft Corp.’s Web site.
Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company,
says analysts there just found the variant, which they’re calling MyDoom-C, and it’s
spreading rapidly in the wild. Early analysis of the worm, shows that it has been stripped
down and is largely, if not solely, focused on attacking the microsoft.com site.
”This variant has stripped away much of the functionality of the earlier MyDoom worms,”
says Dunham, noting that the first intercepted worm came out of Amsterdam. ”It doesn’t
spread as an email worm and it doesn’t include a backdoor component… It uploads itself and
starts and intensive distributed Denial-of-Service attack against Microsoft.”
Dunham says the microsoft.com site has been experiencing some slow downs this morning, which
he attributes to the MyDoom-C attack. Mi2g, a security analysis group based in London,
reports today that strain has been building on Microsoft’s Web site over the weekend, but
they attributed that to MyDoom-B. Dunham says he thinks that build-up is actually coming
from the first wave of the C variant.
”We saw a latency spike at microsoft.com and at first, I thought it was related to another
worm,” he notes. ”Then we saw this worm getting picked up by multiple honeypots, and it’s
gaining ground rapidly in the wild. It’s flood Microsoft with requests to its Web site and
overloading them… If this worm is successful, Microsoft will have a hard time with it.”
Dunham also notes that MyDoom-C is taking advantage of the computers already infected by
MyDoom-A. The new variant spreads by scanning for computers on a network that are listening
on TCP port 3127 — those are the machines infected with MyDoom-A. The original built up the
zombie army, which has estimates of being 500,000 to 1 million machines strong, and now the
new variant is putting them to work.
MyDoom-C also has an IP address for ford.com, the Web site of the automobile giant, but
Dunham says he hasn’t seen any attacks against that site yet.
”Other companies, such as Ford, should be concerned and should monitor their networks
accordingly,” Dunham warns. ”There’s a large quantity of computers working on this DDOS,
and without a kill date in this variant, it’ll be a while before it goes away.”
The original MyDoom first hit the Internet in the last week of January. It was a
fast-spreading mass-mailing worm that raced across the Internet, infecting computers and
setting up backdoor Trojans and proxies. At its peak, MyDoom-A accounted for one in every
six emails.
MyDoom-A focused its DDOS attack against The SCO Group, Inc., which then set a $250,000
bounty on the virus author’s head. With SCO being an embattled player in the Linux market,
many saw the attack as the latest weapon in the Linux Wars.
Then along came MyDoom-B just several days after the launch of the original.
MyDoom-B, which barely spread and was considered to be largely unsuccessful, turned on
Microsoft, trying to launch a DDOS attack against its Web site. Microsoft, reportedly,
barely even flinched.
But Dunham says this time it may be different.
”It’s hijacking the computers compromised by the original MyDoom and it’s using them to
attack Microsoft.com,” he says. ”This is an early analysis but it could be a successful
worm.”
So far, the MyDoom family of worms, according to mi2g, has inflicted $38.5 billion in
economic damages around the world.