Posted on 01/29/2004 12:57:10 PM PST by honeygrl
A new computer worm called MyDoom is spreading in the United States and abroad at a frightening rate. But that's not the really scary news.
What worries computer experts the most is the fact that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These better-built worms also are used by criminals to turn a profit.
Experts say the creation of MyDoom was almost certainly funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns the machine into a remotely controlled robot programmed to send spam e-mail messages.
With hundreds of thousands of these zombie computers sending spam, the chances of shutting down the flow are almost zero.
While the inner workings of the worm aren't a strong departure from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead of sloppily made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread faster and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based anti-virus firm.
"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."
"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.
Nor is there any question that MyDoom spread like wildfire. Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for a time, one of every nine e-mails was infected.
Atlanta-based EarthLink, which has more than 5 million Internet customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time, e-mail traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.
As if the news wasn't bad enough, there is a general suspicion the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the worm can monitor every keystroke made on every infected computer not protected by a firewall program. That provides access to everything typed, including credit card numbers and passwords.
"I think there is a link to organized crime," Thompson said. "I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account log-ins."
Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the anti-hacker software would intercept and stop the remote prying.
MyDoom's professional touch can be seen in the way the e-mail induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked pictures and the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly. Even worm-smart users could be fooled, said Mehta.
Once that attachment is opened, it hijacks e-mail addresses stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected e-mail could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message, many users may be eager to open the attachment to see which message failed.
The text for some of those messages seems properly technical. One says: "The message contains Unicode characters and has been sent as a binary attachment."
The professionalism of all that has Thompson worried. He foresees a new generation of worm creators who are better educated and more skilled.
"Most worm writers grow up and get a girlfriend, a job and then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."
As professionals take charge, the construction of the worms themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms such as MyDoom -- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of better quality."
He added, "It's not the first to have ties to professional writers, but until about a year ago we didn't see worms that were tied to professionals."
While any fast-spreading worm causes congestion for computer networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson said.
"Professional hackers are getting more into this," said Mehta. "We are now seeing worms that are designed with a purpose."
Both Internet Security Systems and EarthLink believe the peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.
I'm running a PC and I've only seen three since Monday. Better run your Mac through a de-wormisizer.
I see nothing in this article that would indicate anyone knows who created this or for what reason (other than the DOS attacks coded against MS and SCO).
"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."
"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.
Okay. What spam is being sent? Or is that just conjecture? Article doesn't say. Worms and trojans have been hijacking computers to serve as slaves in DOS attacks for years - so much for the "sophistication" of the plot.
I feel kinda left out.
For some reason, I have yet to receive this worm in an email.
Thank your lucky stars!!
The worm blocks access to popular anti-virus websites like McAfee, Symantec, and Trend Micro.
I ran into a Trojan with such defensive features last year...only a complete FDISK-DOS FORMAT type total software reinstall saved the day!
A true security expert could confirm or deny the existence of a keylogger.
The worm might be causing the slow download, but the problem is probably not on your end. (Unless you've opened strange attachments in the last few days). It is more likely that your ISP's mail servers are overloaded with all of the messages that the worms are sending out from infected computers.
Simply doesn't make sense for it to be a spam vehicle:
1. It's scheduled to quit replicating on Feb 12th.
2. It has a payload which targets two major websites with DDoS attacks (SCO and Microsoft - depending on the variation). What possible advantage would that give it as a stealth spam program?
I get about three of those a day anyway. And there are hundreds of messages from 19 year old girls who want me to look at their web cams. Funny thing is, their pictures all look exactly the same. And when I email them to warn them they should be very careful about letting strangers watch them at home, my emails bounce.
Has anyone been looking at the full headers of their SPAM lately? At least half of it is coming from DSL and Cable Modem systems here in the U.S. Mostly from Comcast, RR, and Adelphia. At some point these companies will have to stop their customers from SPAMing the world.
Sometimes I call the toll free phone numbers that show up in the SPAM. I give the person sh_t for about 10 minutes. They tell me that they aren't sending SPAM. When they say that they actually mean that they hired another company to send SPAM for them or that they were hired by the SPAM company to take orders. Anyway, a half-truth to try and deflect criticism of themselves.
I did get a hold of a local addiction treatment center that was SPAMing my company. They swear that the salesman from the SPAM company told them that the emails would be very well directed. The SPAMmer lied to them. After my call SPAM from them stopped.
You can't trust this worm to be the same on any two machines. Its fundamental structure is that of a trojan that listens on a TCP port for arbitrary code segments that it is to execute.
For example, the supposed DDOS attack on Microsoft was not in the original worm; it was added yesterday by sending out a new worm that scans for old worms, and tells them to update themselves with this, where "this" is whatever the guy wants to add.
Yesterday he added a DDOS attack on Microsoft. But that's not supposed to occur until February 1. By then he could have changed the target two or three times, or deleted the DDOS attack altogether and replaced it with a spam relay, or a thing that formats C:, or whatever he wants. Right now this virus writer is just jerking these security guys around. "It's a DDOS attack! It's a keystroke logger! It's a breath mint!"
You were right the first time: fundamentally, no one really knows what this thing is for. It is a remotely-piloted executor of arbitrary code. Its "real" mission, whatever that is, could be scheduled to arrive a week from now, or a month from now, and could be anything.
Based on comments I've seen elsewhere, the reason they think it has to do with spammers is two-fold. First, it seems to be a professional package; the techniques used, the way things are laid out, etc., point to a professional as opposed to a script kiddie or the "12-year-old genius" who writes most of these things. Secondly, this is the New Thing among spammers. The last big worm turned out to be a collector of zombies for use by spammers; here comes another one with similar capabilities and a built-in SMTP engine, and it appears to be a paid-for, professionally written item. That suggests commercial, profit-making enterprise at work, as opposed to some crank who just wants to be a vandal. They could be wrong about this of course, but they do work this problem every day and see a lot of this stuff in the course of their work. It's "conjecture" but it's educated conjecture.
Most likely open relays rather than the actual owner doing it. I get around 20 attempts a day on my mail server from people looking to see if they can relay from it.
Here is an example of the from: field with full headers on:
Received: from c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])
Is there any way of telling whether this IP originated the e-mail or went through an open relay?
Either way, I forward the full message with headers to the system that it came from, usually at abuse@_system_.com, or wherever, asking that their system stop sending SPAM. Maybe they will terminate that IP's account. I get about 20 of these (from DSL and/or Cable Modem) per day.
It's by no means comprehensive but http://www.ordb.org/ maintains a list of open relays. I don't find that IP address in their database but I do note that it's been tested for open relay service recently; might be the owner got a dose of reality with all the spam complaints and took care of it.
Or it could be that the address was merely forged and the IP address is totally bogus.
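One way to work through the question raised above (did the bracketed IP originate the mail, relay it, or is the line forged?), as an added example that is not from any poster in this thread: walk the Received chain newest-first and trust only the line your own server wrote, because the IP in its brackets is the TCP peer that actually connected, while every older line below it was written by that outside machine and can be forged. The header block, the example.com/mx.example.com server names and the 192.0.2.x/198.51.100.x addresses are constructed for the example; the 24.1.157.18 line is the one quoted in the thread.

```python
import re

# Received line as most MTAs write it:
#   Received: from <HELO name> (<reverse DNS> [<peer IP>]) by <server> ...
# Only the bracketed IP is observed by the writing server; the HELO name and
# every older (lower) header are merely claimed by whoever handed the mail on.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: our MX (example.com) took the message from a cable-modem
# host, which in turn claims it relayed from 198.51.100.7 (unverifiable).
SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.com (Postfix) with ESMTP id ABC123; Thu, 29 Jan 2004 12:00:00 -0500
Received: from c-24-1-157-18.client.comcast.net (c-24-1-157-18.client.comcast.net [24.1.157.18])
    by mail.example.com (Postfix) with SMTP id DEF456; Thu, 29 Jan 2004 11:59:58 -0500
Received: from relay.bogus.example (relay.bogus.example [198.51.100.7])
    by c-24-1-157-18.client.comcast.net; Thu, 29 Jan 2004 11:50:00 -0500
"""

def parse_received_chain(raw_headers):
    """Unfold continuation lines, then return hops newest-first (top of message)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [m.groupdict() for m in RECEIVED_RE.finditer(unfolded)]

def find_handoff(hops, trusted_suffixes):
    """The first hop (newest-first) written BY one of our servers FROM an outside
    host is the hand-off: its IP really connected to us (the originator or an
    open relay). Hops below it were written by that outside host and may be forged."""
    def ours(name):
        return bool(name) and name.lower().endswith(trusted_suffixes)
    for idx, hop in enumerate(hops):
        if ours(hop["by"]) and not ours(hop["rdns"]):
            return hop, hops[idx + 1:]
    return None, hops

def analyze(raw_headers, trusted_suffixes=(".example.com",)):
    hops = parse_received_chain(raw_headers)
    handoff, unverifiable = find_handoff(hops, trusted_suffixes)
    return {
        "connecting_ip": handoff["ip"] if handoff else None,
        # HELO name differing from reverse DNS is a classic forgery tell.
        "helo_matches_rdns": bool(handoff) and handoff["helo"].lower() == (handoff["rdns"] or "").lower(),
        "unverifiable_hops": [h["ip"] for h in unverifiable],
    }
```

The connecting IP is where an abuse report can reasonably go; whether that host is the originator (MyDoom's own SMTP engine sending directly from an infected home machine) or an open relay cannot be decided from the headers alone, and the hop it claims below it should not be reported.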
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.