MyDoom opens door for attack on Microsoft

New variant of the worm represents a troubling trend that results in PCs being "owned by the virus writers," one expert says.

David Becker, Staff Writer, CNET News.com

While the spread of the latest version of the MyDoom worm appeared to be quickly halted, the pest lived on Tuesday with a growing host of ancillary infections, including one programmed to launch a denial-of-service attack on Microsoft.

MyDoom.M, a new variant of the prolific worm, came to life Monday and quickly wreaked havoc on Google and other search sites, thanks to a novel method the worm's creator devised to propagate the pest.

But security experts said Tuesday that the worm was quickly dying out, with infections peaking a mere 12 hours after the worm was released.

MyDoom.M leaves behind significant potential for collateral damage from infected and unrepaired PCs, however. Besides propagating itself, the worm's main purpose apparently was to open a "back door" so that infected PCs could be used to host other malicious programs, according to researchers at security giant Symantec.

The first of those parasites, dubbed the Zindos.A worm, was released Tuesday with the intent of crippling Microsoft's main Web site.

According to a Symantec report, Zindos.A is programmed to probe random IP addresses in search of ports left open by Zincite.A, the destructive part of the payload left by MyDoom.M. Once Zindos finds a vulnerable PC, it installs itself and promptly launches a denial-of-service attack against the Microsoft.com domain.
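The behaviour described in that report has two observable sides for a network defender: a host sweeping many addresses on one port looking for the backdoor, and, once infected, that same host opening an abnormal number of connections to a single web server. The following Python is an added example, not code from the article, Symantec or Microsoft, that applies both checks to constructed firewall log lines. The log format is a hypothetical one, the addresses come from documentation ranges, and the backdoor port value is a placeholder, since the article does not state which port Zincite.A opens; substitute the port from your antivirus vendor's write-up.

```python
"""
Two detections for the Zindos/Zincite pattern described in the article:
  1. a source probing many distinct hosts on the backdoor port (scanning), and
  2. a source opening many connections to one victim host (denial of service).

Added illustration; log format, addresses and port are constructed/assumed.
"""
import re
from collections import defaultdict

# ASSUMPTION: the article does not give the Zincite.A backdoor port. This is a
# placeholder value; replace it with the port from the vendor advisory.
BACKDOOR_PORT = 1034

# Hypothetical firewall log format (not a real product's):
# <timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_backdoor_scanners(lines, port=BACKDOOR_PORT, min_targets=5):
    """Sources that touched `port` on at least `min_targets` distinct destinations.

    Counting distinct destinations rather than raw packets is what separates a
    sweep of random addresses from a host legitimately talking to one peer.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_flood_sources(lines, victim, min_connections=20):
    """Sources that opened at least `min_connections` connections to `victim`."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] == victim:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_connections}


# Constructed sample log: one internal host sweeps eight addresses on the
# backdoor port, then floods a single web server (203.0.113.10 stands in for the
# target; it is a documentation address, not any real site). A second host
# touches the port once, which should not be flagged.
SAMPLE_LOG = (
    [f"2004-07-27T09:12:{i:02d} DENY TCP 10.0.0.5:{3300 + i} -> 192.0.2.{i + 1}:{BACKDOOR_PORT}"
     for i in range(8)]
    + [f"2004-07-27T09:13:00 ALLOW TCP 10.0.0.9:4001 -> 192.0.2.50:{BACKDOOR_PORT}"]
    + ["2004-07-27T09:13:05 ALLOW TCP 10.0.0.9:4002 -> 198.51.100.7:80"]
    + [f"2004-07-27T09:20:{i:02d} ALLOW TCP 10.0.0.5:{4100 + i} -> 203.0.113.10:80"
       for i in range(25)]
)

if __name__ == "__main__":
    print("scanners:", find_backdoor_scanners(SAMPLE_LOG))
    print("flood sources:", find_flood_sources(SAMPLE_LOG, "203.0.113.10"))
```

On the constructed log the scan check flags 10.0.0.5 with eight distinct targets and ignores 10.0.0.9, and the flood check flags the same host with 25 connections to the victim. The thresholds are deliberately low for a short sample; on real traffic they should be tuned against the normal connection fan-out of the hosts being monitored, and a host appearing in both results is the strongest indicator, since it matches the install-then-attack sequence the report describes.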

Zindos.A did not appear to have gained a widespread distribution as of Tuesday morning, said Vincent Weafer, senior director for Symantec's security response center. He said Zindos appeared to be a trial bug intended to exploit MyDoom's spread. "I'd say it's an opportunistic worm from another group," rather than the MyDoom.M creator, he said.

Microsoft representatives said Tuesday the company was investigating Zindos and successfully fending off any attacks. "Microsoft has taken steps to ensure that Microsoft.com remains available to customers," according to a company statement. "The Microsoft.com network is stable and has been consistently accessible to customers."

But the situation presented a new and possibly dangerous trend of virus writers using one infection to prime the pump for others, Weafer said. MyDoom.M includes a mechanism to maintain a list of infected systems, permitting the worm's creator to upload new pests while preventing rival attackers from taking over infected PCs. A similar system was recently discovered in the last version of MyDoom, MyDoom.L, and may have been responsible for the fast spread of MyDoom.M, Weafer said.

"We're increasingly seeing infections like this where they're very aggressive during the initial propagation and you see a sharp drop off fairly quickly," he said.

Additionally, MyDoom represents a new trend among malicious code creators of focusing their attacks on known vulnerable PCs, allowing for more rapid and efficient propagation of new pests, Weafer said.

"There's a huge number of compromised machines sitting on the Internet at any one time," he said. "In many cases, these boxes are for hire--they're essentially owned by the virus writers and rented out to the highest bidder."

"It's a matter of how do we reach the people who own those PCs and let them know what's going on?" Weafer added. "It's not just MyDoom--they're wide open to anything attackers want to throw at them."

CNET News.com's Ina Fried contributed to this report.