Service provided by: Cyberlogic.

Deconstructing MyDoom
Date: 2004-02-15
Ref: http://www.integratedmar.com/ecl-usa/story.cfm?item=14294

The new reigning champion for the world's most destructive malware, the bug known as MyDoom, has come and gone, but even two weeks after it first exploded onto the Internet, its repercussions, new and old, are still being felt.

The worm has already spawned two siblings, one which copies it almost entirely while blocking a user's access to virus-fighting sites, and another that seeks out machines infected by the original, and looks to inflict more damage.

The original, MyDoom.A, has set records for lost revenues due to an attack of this nature, and for number of infections. Together with its sibling, MyDoom.B, it has successfully brought one company's (SCO Group) Web site to its knees for a long period of time, while causing some hiccups in service at Microsoft.com, one of the largest and most traffic-ready Web sites in the world.

So what made MyDoom, this super-worm, into the uber-virus that garnered headlines worldwide and caused sleepless nights for many IT managers and home computer users? What was different here? What was the new technology that made MyDoom so effective?

According to security vendors, there's actually not a whole lot new with MyDoom. It didn't do anything terribly new or ground-breaking. Where it exceeded anyone's expectations was in its ability to get people to open the attachment in their e-mail, thus propagating it throughout the Internet. Previous worms of this type have posed as illicit attachments sent from one user to another, from a love letter to the promise of nude pictures of Anna Kournikova. MyDoom took a more low-key approach, appearing to be a failed e-mail transmission, with the diagnostics of the problem supposedly contained in the attached text file. Users were lulled into a false sense of security, and then the worm took full advantage of that dropped guard. That shows that virus writers are adjusting to a user base that increasingly knows not to open attachments that offer illicit pictures of someone they don't know having wild sex with somebody's mom.
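As an added illustration, not from the article or any vendor's product, here is a mail-gateway check for the lure just described: a message whose subject claims a delivery failure but that is not a real delivery status notification (RFC 3464 multipart/report) and carries a file attachment. The subject phrases and the two sample messages are constructed assumptions.

```python
import email.policy
import re

# Subject wording a phony "failed transmission" lure borrows from real
# mail-server errors (assumed list for illustration, not from the article).
BOUNCE_SUBJECT = re.compile(
    r"delivery (failed|failure|error|system|status)|returned to sender|"
    r"undeliver|could not be delivered|mail transaction failed", re.IGNORECASE)

def is_genuine_dsn(msg) -> bool:
    # Real bounces are multipart/report, report-type=delivery-status (RFC 3464)
    return (msg.get_content_type() == "multipart/report" and
            str(msg.get_param("report-type", "")).lower() == "delivery-status")

def fake_bounce_attachments(raw: str) -> list:
    # Filenames attached to a message that claims to be a bounce but is not
    # a real DSN; an empty list means nothing suspicious.
    msg = email.message_from_string(raw, policy=email.policy.default)
    if not BOUNCE_SUBJECT.search(msg.get("Subject", "")) or is_genuine_dsn(msg):
        return []
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

# Constructed samples (not captured traffic): a legitimate DSN and a
# message imitating one with a file attached, as the worm's lure did.
GENUINE_DSN = """\
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1
--b1--
"""

FAKE_BOUNCE = """\
Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your message could not be delivered; see the attached file for details.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.zip"

--b2--
"""
```

A real DSN carries its diagnostics in a message/delivery-status part, so any "bounce" that instead asks the recipient to open a file is worth quarantining regardless of whether a signature for the attachment exists yet.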

"In the past, some of these social engineering attacks would use simple and straightforward mechanisms, but this one wasn't cheesy, it was totally innocuous," said Marcus Shields, enterprise product manager at security specialist Soltrus. "As the education level of the population vulnerable to these attacks goes up, the predators are becoming more intelligent."

The worm also points to the failings of current anti-virus technology. According to many security companies, an overwhelming percentage of the machines infected were owned by consumers, not corporations. Corporations often have staff who stay on top of these things and make sure that every machine on the network is regularly updated with the anti-virus signatures it uses to detect and destroy would-be attacks. But consumers are on their own, and often lag behind in downloading those precious updates that can save their bacon even if they make the errant decision to double-click that doomed attachment.

"It's the user's fault that they don't have up-to-date virus definitions, but it points to an inherent flaw in today's technology that requires you to have a specific signature for a specific virus before it can do anything about it," said Neel Mehta, research engineer for X-Force at security researcher Internet Security Systems.

However, not all the fault can rest with the software for not updating itself. Even after intense mainstream media coverage and repeated reminders to make sure anti-virus software is up-to-date, attacks continued to run rampant for well over a week after most anti-virus vendors had their products updated to detect and kill MyDoom. Many even went as far as offering free downloads for anyone, customer or not, that specifically sought out and destroyed MyDoom. But many users were not aware, or chose not to update, believing they would not be struck.

"A lot of people are not updating their signature files, and they're still opening those infected e-mails six days after the fact," said Jack Sebbag of Network Associates, producer of the McAfee line of anti-virus products. "People take the 'it's never happened to me' view, and assume that they can't be hit. But you don't wait until after a fire to buy fire insurance."

And software can't be expected to keep up with the pace at which the human brain can come up with new ways to trick other human brains. The core of the problem with MyDoom was that it was the first attack to use the guise of a phony error message instead of a poorly-written and entirely over-the-top temptation. Software can't solve the problem in the first few hours, particularly when users are duped into wanting to figure out why their precious e-mail did not get to its intended recipients.

"E-mail tools continue to become more sophisticated, but some things can sneak through the radar if users aren't aware of the general principles involved," said David Loomstein, group product manager for Symantec Security Response. "It's human engineering and behaviour-based. They knew how to get in under the radar."

Aside from the clever psychology of the worm, the other major change with MyDoom is how fast a copycat worm, MyDoom.B, appeared on the scene. In the past, anti-virus researchers would see a pause of weeks or even months while a virus was torn down, analyzed and rebuilt by another virus writer, ready to be re-released with a slightly new wrinkle. In the case of MyDoom, it took barely 48 hours, pointing to better tools available to those writing the code, and an increased sense of "community" among the would-be attackers, who share details, code and ideas over the Internet.

"The fact that something came out as quickly as it did shows that things are accelerating," said Brad Meehan, director of eTrust Security Management Solutions at Computer Associates.

The effectiveness of the MyDoom worm's attack on SCO's Web site marks the first major success of a "politically" motivated worm. Although no one can be sure yet exactly who wrote the worm, the fact that it attacked the high-profile and controversial organization shows that its authors either have a bone to pick with the company that's looking to force Linux users to pay it for their software, or were looking to pin it on the large Linux-loving online community that does have such a bone to pick.

Either way, the lesson here for companies is a simple and stark one.

"You're one worm away from losing your Web presence, and that's a scary thought for a lot of businesses out there," Mehta said.

However, the problems that led to MyDoom are not without their solutions. In Monday's edition, we'll outline some best-practices, tools and policies companies and individuals can use to deal with the next big Internet worm.

(c) Cyberlogic