MyDoom's Second Stage Strikes At Microsoft
Although the spread of MyDoom.o leveled off, a second-round attack began by using MyDoom's infected systems to launch a denial-of-service attack on Microsoft.com.
Although the spread of MyDoom.o leveled off Monday night and Tuesday morning, by mid-day Tuesday a second-round attack began by using MyDoom's infected systems to launch a denial-of-service (DoS) attack on Microsoft.com.
MyDoom.o -- also dubbed MyDoom.m and MyDoom.n -- hit the Internet Monday, and gained enough traction out of the gate that anti-virus firms raced to boost their threat assessments. Symantec, for instance, rated the newest MyDoom as a "4," the highest rating it's given.
"It was a one-day wonder," said Patrick Hinojosa, the chief technology officer of Panda Software. "Overnight it plateaued. There was just nothing technically unique about it to keep it going."
Symantec saw the same behavior, said Oliver Friedrichs, the senior manager for its security response team. Submissions of MyDoom are now running at about one-sixth the number of Monday's peak.
Even the unique tactic of sniffing for additional valid e-mail addresses by querying four search engines, primarily Google, didn't make much of a difference, said Hinojosa. "I don't think the search trick did much. It doesn't look like MyDoom was extremely successful beyond the initial spam launch."
But while MyDoom may be a one-day event, it looks like the second stage of a multi-round attack is underway.
Late Monday afternoon, Ken Dunham, the malicious code director of iDefense, noted in an e-mail alert that the Trojan horse which MyDoom.o installs -- dubbed Zincite.a -- was a much more sophisticated backdoor than the one used by earlier versions.
Zincite.a, said Dunham Monday, scanned random IP addresses looking for the same backdoor port -- 1034 -- that MyDoom left open, in effect scanning for itself. "This suggests that a secondary wave of attack may be pending," said Dunham then.
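The scan-for-itself behaviour described above leaves a recognisable trace in ordinary connection logs: one host probing many distinct addresses on TCP/1034 within a short span. The following detection script is an added illustration, not code from the article, iDefense or Symantec; the log line format, the addresses and the threshold are constructed for the example.

```python
"""Flag hosts that probe many distinct addresses on TCP/1034, the MyDoom
backdoor port that Zincite.a is reported to scan for.  Added detection
example, not part of the article; the log format below is constructed."""
import re
from collections import defaultdict

# Constructed sample of firewall-style connection logs: timestamp, source,
# destination and destination port.  All addresses are made up.
SAMPLE_LOG = """\
2004-07-27T10:00:01 src=10.0.0.5 dst=203.0.113.10 dport=1034 proto=tcp
2004-07-27T10:00:02 src=10.0.0.5 dst=198.51.100.77 dport=1034 proto=tcp
2004-07-27T10:00:02 src=10.0.0.5 dst=192.0.2.200 dport=1034 proto=tcp
2004-07-27T10:00:03 src=10.0.0.5 dst=203.0.113.44 dport=1034 proto=tcp
2004-07-27T10:00:03 src=10.0.0.5 dst=198.51.100.3 dport=1034 proto=tcp
2004-07-27T10:00:04 src=10.0.0.9 dst=192.0.2.25 dport=443 proto=tcp
2004-07-27T10:00:05 src=10.0.0.9 dst=192.0.2.25 dport=1034 proto=tcp
2004-07-27T10:00:06 src=10.0.0.5 dst=192.0.2.25 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
BACKDOOR_PORT = 1034  # port left open by MyDoom, scanned for by Zincite.a


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def backdoor_scanners(text, min_targets=3):
    """Return {source: sorted distinct destinations} for every source that
    contacted at least min_targets distinct hosts on TCP/1034.  One connection
    to the port is ordinary noise; many distinct targets is the scan pattern."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == "tcp" and int(rec["dport"]) == BACKDOOR_PORT:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in backdoor_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on TCP/{BACKDOOR_PORT}: {dsts}")
```

On the sample above only 10.0.0.5 is reported; the single TCP/1034 connection from 10.0.0.9 stays below the threshold.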
Tuesday morning, another worm, called Zindos.a, was discovered in the wild. Zindos has a single purpose: launch a denial-of-service (DoS) attack on Microsoft.com.
"The second wave is here," said Dunham. "This appears to be specifically designed as the second part of the attack. Call it MyDoom Reloaded."
Unlike MyDoom, however, Zindos doesn't require any human interaction, and is not delivered as a file attached to e-mail. Instead, it's a pure network threat, said Symantec's Friedrichs. "Zindos is fully automated. If your computer is infected [with MyDoom] and you're connected to the Internet, you could get infected by this new threat."
Dunham and Symantec's Friedrichs are convinced that the same hacker, or perhaps group of hackers, is behind both, due to the short span between the two. "I don't think that [information about MyDoom.o's new Trojan] could be widely published in this short of time."
According to iDefense's analysis, Zincite.a, the Trojan planted by MyDoom.o, is a two-mode backdoor. One mode securely downloads and executes files, while the purpose of the second is as yet unclear. The first mode, which can be turned on by sending a single byte to a compromised machine, downloads files but uses a 128-bit key and encryption on the ensuing file (and possibly checksum validation as well) to secure the download. Why?
"The backdoor component [Zincite] appears to be controlled to prevent hijacking by other coders or hackers," said Dunham. In other words, the maker(s) of MyDoom.o don't want other attackers horning in on their territory, a problem some worm writers, including the authors of the original MyDoom, suffered.
Once Zindos.a is downloaded and executed on a Zincite-infected system, it starts a DoS attack on Microsoft's main Web site, microsoft.com. According to analysis by Symantec, Zindos isn't date limited -- as other DoS-specific worms have been -- and launches the anti-Microsoft assault within minutes of installing.
"I expect that Zindos will gain ground rapidly over the next 24 hours, just as did MyDoom," said Dunham. So far, however, that's not happened. Symantec's Friedrichs reported that the number of Zindos submissions it's seen is "very low" as of mid-day Tuesday.
Nor has the worm's DoS against Microsoft.com amounted to much. Yet. Web performance metering firm AlertSite, for instance, reported that it had seen no problems accessing the site as of 1:40 p.m. EDT. Microsoft was not available for immediate comment.
In other news, Symantec reported that additional analysis of the variant just prior to Monday's MyDoom -- called MyDoom.l by Symantec -- contains a mechanism for keeping track of all known infected systems.
"MyDoom.l maintains a list of all previously infected machines coming from that parent system," said Friedrichs, adding that such lists make it easy to upload additional threats, such as MyDoom.o, to one infected host, have it read the stored IP list, and upload itself to all other still-compromised machines on that list.
"MyDoom.l may have been used as a form of peer-to-peer seed network, explaining why MyDoom.o became a high-profile worm so rapidly," said Alfred Huger, the senior director of Symantec's response team, in a statement.
However it started, analysts Tuesday didn't think Zindos was the last users will see of MyDoom's most recent attack.
Dunham, for instance, said it's reasonable to expect additional attack stages, since the second mode of Zincite.a is still not understood. "It may be indicative of a peer-to-peer type communication between Zincite infected computers, or another backdoor Trojan," he said.
"It's speculative at this point," said Friedrichs, "but it's definitely possible we'll see more attacks. That's how it was with the initial stream of MyDoom back in January."