Feeds

We're all MyDoomed

On the Google-bashing Zombie virus

  • alert
  • submit to reddit

SANS - Survey on application security programs

A computer virus which affected the operation of Google yesterday is spreading like wildfire.

MyDoom-M (AKA MyDoom-O) has adopted a new trick of using search engines to find email addresses to target for infection. The worm queries search.lycos.com, search.yahoo.com, AltaVista, and Google in its attempts to harvest additional email addresses for possible distribution. Google blamed the virus after some users complained of search results turning up nothing but error messages.

User reports of problems with Google - along with problems accessing MSDN, Microsoft.com and Hotmail - poured into The Register yesterday afternoon. Netcraft, the Net monitoring firm, said it had noticed no performance problems with Microsoft.com and our inquiries to Akamai, which runs the content distribution network used by many Microsoft sites, also drew a blank. Microsoft said the worm did not affect its sites directly but may have affected the ability of some of its users to reach those sites.

Alex Shipp of email security firm MessageLabs, said early analysis of the worm has revealed nothing to suggest it targeted Microsoft sites directly. However, the volume of traffic generated by the worm may have downgraded system performance for many people, causing the problems observed by many of you.

MessageLabs blocked 23,000 copies of MyDoom-O within the first five hours of the worm's outbreak yesterday morning. Today anti-virus firm Symantec has upgraded the worm to a Level 4 threat (Level 5 is the most severe) due to increased submission rates.

Beware bogus security warning

Mydoom-O is a mass-mailing worm that opens a back door - Zincite-A - on port 1034/TCP of compromised PCs. This gives attackers remote, unauthorised access to infected PCs. MyDoom-O spreads aggressively through email, using its own SMTP engine. This mass mailing may clog mail servers and downgrade system performance.

The worm sends emails to addresses harvested from infected PCs as well as to email addresses it finds through search engines. The sender's From: email address is invariably forged, and therefore does not indicate the true identity of the sender. The subject and body of infected messages vary, but normally refer to bogus security warnings ostensibly from a user's own administrator. This social engineering ruse, although by no means new, helps explain MyDoom-O's wildfire spread.

Standard precautions apply to defending against the bug: update AV signature files and (if you're an admin) consider introducing controls to block executables at the gateway. If you're a regular user, be careful of those unsolicited attachments, even from people you know. As usual, MyDoom-O is a Windows-only menace. But security-conscious PC, Linux or Mac users are not wholly immune though, thanks to the blizzard of bounced and redirected messages generated as a result of MyDoom's spoofing behaviour. ®

Related stories

Google goes gimpy from MyDoom infection
Zombie PCs spew out 80% of spam
Mutant son of MyDoom plans three-pronged attack
Delivering the 12kb Bomb
MyDoom and NetSky cause chaos

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.