
Latest worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill Husted

Posted on 01/29/2004 12:57:10 PM PST by honeygrl

A new computer worm called MyDoom is spreading in the United States and abroad at a frightening rate. But that's not the really scary news.

What worries computer experts the most is the fact that MyDoom is an example of a new breed of professionally created worms that are more difficult to detect and move faster. These better-built worms also are used by criminals to turn a profit.

Experts say the creation of MyDoom was almost certainly funded by e-mail spammers. The worm takes possession of a computer -- either at a home or one used in business -- and turns the machine into a remotely controlled robot programmed to send spam e-mail messages.

With hundreds of thousands of these zombie computers sending spam, the chances of shutting down the flow are almost zero.

While the inner workings of the worm aren't a strong departure from earlier ones, the fact that it was professionally created with a criminal profit motive is a big shift. Instead of sloppily made worms from amateurs, professional software writers -- motivated by money -- can create worms that will spread faster and work more efficiently, said Roger Thompson, director of malicious-code research for TruSecure, a Herndon, Va.-based anti-virus firm.

"I don't think the worm is especially sophisticated, but the overall plot is very sophisticated," said Thompson. "The plot is to prepare a bunch of machines to send out spam, to own more and more computers that can do that."

"Yeah, it definitely has ties to spammers," said Neel Mehta, a computer scientist with Atlanta-based Internet Security Systems.

Nor is there any question that MyDoom spread like wildfire. Medina, Ohio-based Central Command, which sells anti-virus software, said the worm multiplied so quickly that, for a time, one of every nine e-mails was infected.

Atlanta-based EarthLink, which has more than 5 million Internet customers, said the worm created massive volumes of e-mail on its system. At 2 a.m. Tuesday, normally a slack time, e-mail traffic was equivalent to what "we'd expect during midday," said Dave Blumenthal, a company spokesman.

As if the news wasn't bad enough, there is a general suspicion the worm may contain what computer scientists call a keystroke-logger program. If that's true, the creator of the worm can monitor every keystroke made on every infected computer not protected by a firewall program. That provides access to everything typed, including credit card numbers and passwords.

"I think there is a link to organized crime," Thompson said. "I don't have any proof of that, but it could easily be. It could be harvesting credit card numbers ... or bank account log-ins."

Mehta said while he had seen reports the worm contained a keystroke logger, he could not confirm them. He said computers equipped with a firewall program should be safe because the anti-hacker software would intercept and stop the remote prying.

MyDoom's professional touch can be seen in the way the e-mail induces the recipient to open the attachment carrying the infection. Earlier amateur-built worms promised naked pictures and the like. MyDoom looks like an official e-mail error message you might get if an e-mail failed to transmit properly. Even worm-smart users could be fooled, said Mehta.

Once that attachment is opened, it hijacks e-mail addresses stored in infected computers. It then e-mails copies of itself using one of those names as the sender. So an infected e-mail could look like a message from a friend or relative. Since it appears to be the report of a failed e-mail message, many users may be eager to open the attachment to see which message failed.

The text for some of those messages seems properly technical. One says: "The message contains Unicode characters and has been sent as a binary attachment."
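The lure described above (bounce-style wording, a spoofed sender harvested from another victim, an executable attachment) can be screened at the mail gateway. The heuristic below is an added example written for this page, not code from the article or from any vendor quoted in it; the phrase list beyond the sentence quoted above, the risky-extension list, and the sample messages are my own assumptions and constructions.

```python
import email
from email import policy

# Bounce-style wording: the sentence quoted in the article plus two generic non-delivery phrases (assumed).
BOUNCE_PHRASES = ("sent as a binary attachment", "mail delivery", "returned mail")
# Extensions a genuine non-delivery report never carries (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".zip")
BOUNCE_SENDERS = ("mailer-daemon", "postmaster")  # local parts genuine bounces come from

def bounce_lure_reasons(raw):
    """Reasons a message looks like a fake bounce ([] means it passed): a real bounce comes
    from the mail system with no executable; the lure copies the wording from a spoofed user address."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if not any(p in text for p in BOUNCE_PHRASES):
        return []                      # not styled as a bounce: out of scope for this check
    reasons = []
    sender = (msg["From"] or "").lower()
    if not any(s in sender for s in BOUNCE_SENDERS):
        reasons.append("bounce wording from non-mailer sender " + sender)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("bounce notice carries executable " + name)
    return reasons

# Constructed samples, not real captures: a lure styled like the article's text, and a genuine bounce.
LURE = b"""From: friend@example.org
Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream; name="message.exe"
Content-Disposition: attachment; filename="message.exe"

not-a-real-binary
--b1--
"""
REAL_BOUNCE = b"""From: MAILER-DAEMON@example.org
Subject: Returned mail: User unknown

Delivery to the recipient failed.
"""
```

Running `bounce_lure_reasons(LURE)` yields two reasons (non-mailer sender, executable attachment) while `bounce_lure_reasons(REAL_BOUNCE)` yields none.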

The professionalism of all that has Thompson worried. He foresees a new generation of worm creators who are better educated and more skilled.

"Most worm writers grow up and get a girlfriend, a job and then stop," he said. "If there is a profit motive involved, I would expect the acts to continue."

As professionals take charge, the construction of the worms themselves is likely to improve, making it more difficult to stop them. Mehta said professionally created worms such as MyDoom -- also known as Novarg -- have "more features ... they have more code to them, and the code is generally of better quality."

He added, "It's not the first to have ties to professional writers, but until about a year ago we didn't see worms that were tied to professionals."

While any fast-spreading worm causes congestion for computer networks inside businesses and on the Internet itself, that is a byproduct of MyDoom but not the intent, Thompson said.

"Professional hackers are getting more into this," said Mehta. "We are now seeing worms that are designed with a purpose."

Both Internet Security Systems and EarthLink believe the peak of e-mail from the worm came Monday and early Tuesday morning and that volume is now on the decline.


TOPICS: Business/Economy; Crime/Corruption; Extended News
To: Golden Eagle
I did a virus check & didn't have this worm....but did find 1 other worm & 1 virus....my boss's kids use my computer & I have not run a virus check since around Thanksgiving. It was my fault for being lazy, but I never open any attachments unless the person sending has told me it is on the way.

I ran McAfee & found 2....Norton told me I had none. What's up with that?
61 posted on 01/29/2004 5:13:54 PM PST by Feiny (Drawing on my fine command of language, I said nothing.)
[ Post Reply | Private Reply | To 50 | View Replies]

To: Golden Eagle
That's the one. I'm on a dialup, and when blaster hit, I got infected twice during the process of trying to d/l the update. After the second time I got fed up with it and created a 0 byte file in my Windows directory, named it msblast.exe, and made it read only.
62 posted on 01/29/2004 5:20:50 PM PST by tacticalogic (Controlled application of force is the sincerest form of communication.)
[ Post Reply | Private Reply | To 58 | View Replies]

To: Golden Eagle
Again, thank you for the detail. This seems to diminish the perception that the MyDoom virus was spread mostly through the auto preview mode. It is more likely 99.9% falls back on the user who explicitly opened the attachment.

Given that CNN reported the anticipated cost of MyDoom at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the possibility that the reactionary A/V and filtering model is insufficient to solve the spam/virus problem.

63 posted on 01/29/2004 5:22:32 PM PST by rit
[ Post Reply | Private Reply | To 59 | View Replies]

To: Golden Eagle
My computer automatically scans for viruses every Friday night at 8:00. I do have a permanent connection, but my modem has a "pause" button that blocks all traffic. I usually hit the pause button during the day while I'm at work, and before I go to bed at night.

Curiously enough, I do have automatic live update enabled, but I still manually run live update, and I still get new downloads. But I don't see where it even allows me to set up a schedule to automatically download definitions.
64 posted on 01/29/2004 5:30:07 PM PST by wimpycat ("Black holes are where God divided by zero.")
[ Post Reply | Private Reply | To 60 | View Replies]

To: feinswinesuksass
I ran McAfee & found 2....Norton told me I had none. What's up with that?

Sorry to hear that, but just further proof the sneaky bastards are getting better and better. Kids make it almost impossible to defend everything, too. ;-)

65 posted on 01/29/2004 5:56:44 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 61 | View Replies]

To: rit
Given that CNN reported the anticipated cost of MyDoom at $250M, and that the virus has been classified as the fastest spreading virus ever, we must consider the possibility that the reactionary A/V and filtering model is insufficient to solve the spam/virus problem.

Sorry but I think that's the wrong conclusion. First there are always questions about the validity of these estimates, and the first ones have been from overseas sources. Second, this attack while sophisticated was not that revolutionary, and those with adequate defenses, defenses that have been raised recently due to other similar events, were therefore much better prepared to block it.

I think what the overall result is, even though hacker sophistication remains high, overall protection of critical data secured by professionals is exceptional, and suffered little damage testifying to the truths of security practice, but the mostly poorly prepared home users are receiving the brunt of virii attacks now, and will likely in the future. Before it was both receiving damage, so we are making progress, mainly by advances in technology and sophistication of operators. The current model is strong, by those who choose or can afford to enforce it.

66 posted on 01/29/2004 6:06:16 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 63 | View Replies]

To: Golden Eagle
Agreed that the CNN 250M is an estimate, but even if the damage is half, it is still too expensive for where we should be. I am questioning if A/V is the yet to be perfected solution, or, if something more is required.
67 posted on 01/29/2004 6:52:37 PM PST by rit
[ Post Reply | Private Reply | To 66 | View Replies]

To: Lael; Dog Gone
I haven't gotten it either and I have six different email accounts. On all my boxes I run Nortons and Zone Alarm Pro for the firewall. One of my ISPs runs a virus scan on email, so I feel pretty safe.
68 posted on 01/29/2004 6:57:09 PM PST by Lawgvr1955 (Sic Semper Tyrannus)
[ Post Reply | Private Reply | To 26 | View Replies]

To: rit
I am questioning if A/V is the yet to be perfected solution, or, if something more is required.

With proper configuration, yes it's close but technology doesn't "close the loop" to use a technical term and user interaction is most often the final weakest link in the process, of which there is no ultimate protection with the currently configured landscape.

69 posted on 01/29/2004 7:38:06 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 67 | View Replies]

To: Golden Eagle
Ready to 'fess up and write 100 times "I AM VERY SORRY THAT I SPREAD SLANDERS"?
70 posted on 02/09/2004 8:08:56 AM PST by steve-b
[ Post Reply | Private Reply | To 1 | View Replies]

