
Aust MyDoom impact continues

By Nirmal Chandrasena
Jan 29 2004 12:00AM

A self-propagating worm called MyDoom has spread across the globe like digital wildfire, leaving the computer world to face its greatest ever virus attack.

The email virus, also known as Novarg or Mimail-R, broke out on Monday, 26 January and took only three days to reach almost every corner of the internet -- its purpose apparently to launch attacks against Unix vendor SCO's website.

Allan Bell, marketing director at McAfee Security, estimates that MyDoom has already generated over 100 million infected emails.

Likewise, David Banes -- technical director of MessageLabs Australia -- stated that one in 12 emails intercepted from around the world contained the virus, and confirmed that the worm was not slowing. "The numbers are still going up", he said.

A worm or email virus typically infects a host computer by 'tricking' a user into executing it, and then spreads to all addresses available on the user's machine. MyDoom 'tricks' users or gains their attention by pretending to be a system error, and usually comes with attachments that carry 'double extensions' (for example, .txt.pif or .htm.zip).

The worm will then launch 'denial of service' (DoS) attacks between 1 and 12 February against Utah-based Unix vendor SCO's website, www.sco.com.

It is believed that the worm's choice of target is related to SCO's unpopular move to start charging for the Linux operating system and to make legal threats against those who don't comply. SCO has posted a US$250K ($321K) bounty for information leading to the arrest of the authors of the virus, and the worm has now attracted the attention of the US Federal Bureau of Investigation.

Though it may not appear that MyDoom poses an immediate threat to the host computers, it will also open the host machines up to hackers -- who can then take remote control of the infected system and launch more attacks or spread spam.
 
According to internet security firm F-Secure, there are quite a few reasons why MyDoom has been more successful in wreaking havoc on the internet.

MyDoom demonstrates more cunning social engineering, 'scaring' users into opening the required executables by posing as error messages, where previous viruses were more transparent by offering content like pornography. McAfee's Bell commented that this method is far superior to older worms such as "Anna Kournikova" and "Love Letter", because MyDoom's email is "not a message that will stick in people's heads".

MyDoom was also launched during the working hours of America and Canada -- a time when corporate email traffic is most dense. It also avoided spreading itself to government and military organisations to avoid early detection by authorities.

F-Secure also noted that MyDoom was more aggressive in the way it handled email addresses. It not only stole addresses from infected machines, but it also guessed and spoofed addresses. It also copied itself into shared folders used by the file-sharing application KaZaa.

Another reason for its successful spread is the manner in which MyDoom disguises itself as an attachment. It uses double file extensions which, according to Bell, are used to confuse email clients that may traditionally hide or block files of certain extensions.
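A mail filter can catch this disguise by looking at the last two extensions of every attachment name rather than only the final one. The following is an added example, not code from the article or from any vendor quoted in it; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example (not from the article): final extensions that
# run or unpack on Windows, and decoy extensions that look like documents.
RISKY_FINAL = {"pif", "scr", "exe", "cmd", "bat", "com", "zip"}
DECOY = {"txt", "htm", "html", "doc", "jpg", "gif", "pdf"}

def double_extension(filename):
    """Return (decoy, final) when the name ends in <decoy>.<risky>, else None."""
    # Lower-case, drop leading/trailing dots and spaces, and tolerate
    # whitespace padding placed around the dots.
    parts = [p.strip() for p in filename.strip(" .").lower().split(".")]
    if len(parts) >= 2 and parts[-1] in RISKY_FINAL and parts[-2] in DECOY:
        return parts[-2], parts[-1]
    return None

def flag_attachments(raw_message):
    """Parse a raw RFC 5322 message and list attachment names to quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and double_extension(name):
            hits.append(name)
    return hits

def build_sample():
    """Constructed test message: two disguised attachments and one benign one."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content("The message could not be delivered.")
    for fname in ("document.txt.pif", "report.pdf", "readme.htm.zip"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```
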

On top of its spreading, much of the traffic generated by MyDoom consists of 'bounced' emails from servers rejecting emails to fake addresses, and of auto-responders in virus software that inform/accuse the 'senders' that a virus was detected.

In Australia, McAfee's Bell said that 1 in 10 emails intercepted within Australia were infected, placing the local estimate higher than MessageLabs' global rate of 1 in 12.

McAfee does not believe that it will get any worse, with Bell commenting that the infection is currently 'sustained'.

David Banes from MessageLabs said that Australia is accounting for about 5 percent of the global infection, and also added that around 3.4 million emails had been intercepted locally.

When asked if MyDoom would slow in the near future, Bell said that it was too early to comment. Worms traditionally slow after a 24-hour peak, but MyDoom has shown no signs of slowing.

Between Wednesday and Thursday, a sequel to MyDoom (MyDoom.b) surfaced, also targeting the Microsoft website. According to Bell, the spin-off virus also blocks users' access to anti-virus websites by corrupting how the machine resolves website names. As a consequence, infected machines have a hard time trying to access anti-virus websites.
