Remembering MyDoom, One Year Later

Remembering MyDoom, One Year Later

Prolific e-mail worm left a legacy of zombie PCs and more spam, experts say.

Paul Roberts, IDG News Service

Friday, January 28, 2005

Computer security experts remembered the MyDoom e-mail worm this week, one year after it tore through the Internet, deluged e-mail systems with infected messages, and set records for infecting vulnerable computer systems.

The new worm caused headaches for network administrators, downed The SCO Group's Web site, and spawned a short-lived three-way war of words between virus authors. But the MyDoom outbreak is being recalled one year later as an event that signaled the end of the amateur virus writers and the clear emergence of sophisticated virus authors with criminal ties and a hunger for illicit profit from spam and online extortion, experts agree.

MyDoom.A, the first version of the worm, appeared January 26, 2004, and quickly began spreading across the Internet. At the height of the MyDoom outbreak on January 26 and 27, 2004, the worm was found in one of every 12 messages intercepted by e-mail security vendor MessageLabs. The company stopped 1.2 million MyDoom messages in the first 24 hours after it was identified, MessageLabs says.

"It was one of worst viruses ever," says Graham Cluley, senior technology consultant at antivirus company Sophos.

MyDoom was a bad virus even on the heels of a year of bad viruses, including Blaster and Sobig, which ravaged computers worldwide five months before, in August 2003, he says.

What It Left Behind

However, MyDoom was notable for what it left in its wake, rather than the ferocity with which it spread, according to Alex Shipp, a senior antivirus technologist at MessageLabs.

In particular, MyDoom installed a Trojan horse program on machines it infected, which were used to launch a denial of service (DOS) attack against SCO's Web site, beginning on February 1, 2004. At the time, Network Associates (now McAfee) estimated that between 25,000 and 50,000 computers took part in the attack against SCO.com.

That network of thousands of MyDoom-infected machines became a valuable resource for the underground community because they could be used in future DOS attacks, or to distribute future MyDoom variants and spam, experts say.

"MyDoom marked the moment at which virus writing went commercial," says Shipp.

The success of MyDoom's network of zombie machines helped catch the attention of online criminals, who realized that there was money to be made from controlling virus-infected machines, according to Shipp and others.

The networks created by MyDoom and similar worms, such as Sobig, have led to a huge increase in the amount of spam, which is forwarded through the networks of infected systems. Online extortion, carried out by zombie networks against Web sites that don't pay protection money, has also become more prevalent. Virus-infected zombie machines are also a common avenue for "seeding" new viruses, says Jimmy Kuo, a fellow at McAfee.

"[MyDoom] was another clear piece of evidence that a much more malicious, commercially-oriented, and criminal element was making money from virus writing by stealing resources and selling them back to hackers, spammers, or [extortionists]," Cluley says.

New Ways to Spread

With money to be made, online criminals have also changed the way that malicious code is spread over the Internet, with splashy viruses like Slammer, Blaster, and, yes, MyDoom giving way to stealthy and silent compromises, Kuo says.

"I think the bad guys over the past year learned that there was money to be made from viruses, but in order to make money, you must do things stealthily," he says.

Today, malicious code authors are creating programs that infect computers without tipping off the machine's owners. And spam, rather than viruses, is becoming a common means of distributing the new Trojan horse programs, Kuo says.

The backing of professionals also makes it less likely that virus authors and those behind Internet threats will be caught. Despite rewards offered by SCO and Microsoft, and the capture of Sven Jaschen, who created the Netsky and Sasser families of worms, there have not been any arrests in the MyDoom case, nor are arrests likely, Cluley says.

"The person who wrote MyDoom or Sobig is not juvenile and amateurish like [Blaster.B author] Jeffrey Lee Parson," Cluley says. "You're not going to see them include clues about their identity in the worm code, or daft things like that which we've seen juvenile virus writers do in the past."

Ironically, MyDoom's success may ultimately spell the end of e-mail worms.

"My prediction for future exploits is that virus writers are going to be less likely to create a Slammer worm or a Blaster that makes a lot of noise. They're more likely to get out of control, and that forces people to clean them up and diminishes the supply [of compromised machines]," Cluley says.