MyDoom Turns 1, Impact Grows

One year after the debut of the MyDoom worm, security experts are characterizing it as the first worm to demonstrate the staying power and technical know-how of hackers.

Gregg Keizer, Contributor

January 28, 2005

4 Min Read
InformationWeek logo in a gray background | InformationWeek

One year after the debut of the MyDoom -- one of 2004's nastiest pieces of malicious code -- security experts on Friday reviewed its impact and pegged the worm as a major milestone in malicious code.

"We'll look back ten years from now and see MyDoom as a turning point," said Scott Chasin, the chief technology officer for e-mail security vendor MX Logic.

The first MyDoom -- there have been over 30 variants appear in the last 12 months -- hit the Web Jan. 26, 2004, with results ranging from an across-the-Internet slowdown to taking the SCO Group's Web site offline for more than a month. Along the way, both Microsoft and SCO posted $250,000 bounties on the MyDoom author(s). Neither reward has been collected.

The most recent version of the worm, dubbed MyDoom.ai, appeared only a week ago.

"MyDoom represents the milestone in the motivation behind why worms are released," said Chasin. "It was the signal of the commercialization of e-mail worms."

Jimmie Kuo, a research fellow with McAfee's AVERT group, seconded that motion. "MyDoom really kicked off the 'viruses for profit' notion," he said. "It was the start of the trend in 2004 of viruses moving from annoyances to profit makers."

Before MyDoom's debut, both said, the typical motivation for a virus writer was to get 15 minutes of infamy. MyDoom, however, put the dollars into malware, since even from the beginning it included a backdoor component that allowed the sender to later access the PC. These backdoors are crucial to the creation of networks of compromised machines that are then rented out or sold to spammers or other criminals (such as cyber-extortionists that threaten a denial-of-service attack on a company's Web site if payment's not made).

Both experts also pointed to MyDoom as the first instance of a worm to demonstrate the staying power and technical know-how of hackers.

"[MyDoom has] proven that there is an underground open-source community of worm writers who are sharing source code and virus-writing techniques not only with each other, but now also with spammers and phishers," said Chasin.

"MyDoom showed that there's a professional development effort going on among malware writers," agreed Kuo. "In the past, a virus writer would write one worm, get some notoriety, but then tire of it. Now they're paid to do this, so after they release one and its eventually blocked by security firms, they write another."

That, in turn, led to viruses flying under the radar for much of the second half of the year. While the first half of 2004 was extraordinarily busy at anti-virus labs -- "We didn't get much sleep from January through May," said Kuo -- the last half has been comparatively quiet.

On the surface, that is.

"MyDoom's writers haven't been loud or egotistical or shown any signs of pride of workmanship, so to speak," said Chasin. "That's the next big trend in malicious code, that both the authors and their work are going to be stealthier."

"The more noise you make, the more people patch," said McAfee's Kuo.

Keeping quiet is important to post-MyDoom virus and worm writers. Their goal, after all, is to accumulate collections of compromised machines that they can then lease or sell. Increasingly, those PCs are attacked via operating system of Web browser vulnerabilities. Making noise, as Kuo said, only gets the attention of users, who rush to patch against the problem.

The appetitive for new zombie systems is voracious and never ending, said Kuo, because a compromised PC may be used only once or twice by a spammer or attacker before it's discarded or unavailable. "The ISPs are quick to block IP addresses they see sending out large numbers of messages," noted Kuo. "After each viral or spam run, they need more machines to replace the ones they've had to throw away."

Because bots are then disposable, that means the work of virus writers is never done; nor is the work of end-users and enterprises trying to keep hackers out.

Bottom line? MyDoom was, and is, bad news.

"I'd rank MyDoom as the worst worm of the year," said Chasin.

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights