Another day, another Doom: New variants are spreading
- By William Jackson
- Feb 11, 2004
Security analysts continue to identify new malicious code that is either a variation of the MyDoom worm or exploits computers that have been compromised by it.
'MyDoom.a computers continue to be the target of multiple attacks,' said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va. 'Uploader code to hijack MyDoom.a computers is now widespread on the Internet,' and the company's MyDoom honeynets have captured a number of new exploits.
At least one of the new worms, DoomJuice.b, targets the Microsoft Corp. Web site (at www.microsoft.com) with a denial-of-service attack. This comes on top of attacks already launched against the site by earlier worms, one day after Microsoft released security patches for critical vulnerabilities in its software.
According to Moscow-based Kaspersky Labs, the new worm spreads like its predecessor, DoomJuice.a, by scanning for MyDoom-infected computers listening on TCP port 3127. Both versions of the worm target Microsoft, but the new variant uses requests to the Microsoft site that mimic legitimate Internet Explorer requests. This could make it difficult, if not impossible, to block that attack.
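From the defender's side, the spreading behaviour described above leaves a simple trace: one source connecting to TCP port 3127 on many different hosts in a short time. The following script is an added example, not code from the article or from any vendor named in it; it flags such sweeps in a constructed firewall log excerpt, and the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

MYDOOM_BACKDOOR_PORT = 3127  # the listener port the article says DoomJuice scans for

# Constructed firewall log excerpt (not from the article): "timestamp src dst dport proto".
# 10.0.0.5 sweeps six hosts on 3127 within seconds; the other sources are background noise.
SAMPLE_LOG = """\
2004-02-10T09:00:01 10.0.0.5 192.168.1.10 3127 TCP
2004-02-10T09:00:01 10.0.0.5 192.168.1.11 3127 TCP
2004-02-10T09:00:02 10.0.0.5 192.168.1.12 3127 TCP
2004-02-10T09:00:02 10.0.0.5 192.168.1.13 3127 TCP
2004-02-10T09:00:03 10.0.0.5 192.168.1.14 3127 TCP
2004-02-10T09:00:03 10.0.0.5 192.168.1.15 3127 TCP
2004-02-10T09:05:00 10.0.0.9 192.168.1.20 3127 TCP
2004-02-10T09:10:00 10.0.0.7 192.168.1.30 80 TCP
2004-02-10T09:10:00 10.0.0.7 192.168.1.31 3127 TCP
2004-02-10T11:10:00 10.0.0.7 192.168.1.32 3127 TCP
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, proto), or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def find_backdoor_sweeps(log_text, port=MYDOOM_BACKDOOR_PORT, min_targets=5, window_seconds=60):
    """Return {src: distinct_targets} for sources that hit `port` on at least `min_targets`
    distinct hosts inside some sliding window of `window_seconds` (distinct hosts, not packets)."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] == "TCP" and rec[3] == port:
            per_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

A single probe of port 3127 (10.0.0.9) or two probes hours apart (10.0.0.7) are not reported; only the rapid sweep from 10.0.0.5 is.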
A troublesome feature of the original DoomJuice is that it includes the source code for MyDoom, making it widely available.
'Anyone with basic programming skills can use the MyDoom.a source code to create a clone,' said Eugene Kaspersky, head of Kaspersky Labs' antivirus research.
A new variant of MyDoom was discovered yesterday. It appears nearly identical to the original version, according to iDefense. That version targeted the Web site of the SCO Group Inc. of Lindon, Utah, forcing the company to move its site to a new URL until at least tomorrow, when the attacks are expected to halt.
Across the Atlantic, Mi2g Ltd. of London has found a new worm called Deadhat that is colonizing computers infected with MyDoom by scanning for the back-door ports. The good news about Deadhat is that it removes all traces of MyDoom and closes the back-door ports opened by that worm. The bad news is that it opens its own ports to listen for new instructions.
Instructions apparently must be authenticated with a cryptographic key before the infected machine will execute them. Deadhat machines could be used to launch denial-of-service attacks, as spam relays, or for phishing expeditions or other scams, said D.K. Matai, Mi2g executive chairman.
'Deadhat has been designed to make money,' Mi2g said. 'This definitely appears to be the handiwork of organized crime.'
William Jackson is a Maryland-based freelance writer.