Little MyDooms May Mean Big One Coming
Four new variations of the long-running MyDoom worm -- dubbed by some anti-virus firms as MyDoom.u through MyDoom.x -- have popped up on the Internet since Thursday morning.
The new MyDooms follow the now-standard pattern of this persistent worm, spreading via e-mail with their payloads buried within attached files. The most recent editions also connect to remote Web sites, then download a backdoor Trojan which leaves the Windows PC vulnerable to later attack, or may let the hacker use the computer as a spam or denial-of-service platform. On its own, each is a relatively insignificant threat, said Sam Curry, the vice president of Computer Associates' eTrust security management group. But the pattern is suspiciously similar to one in late April and early May, when a trio of low-priority Bagle worms hit one after the other, then were quickly followed by a much more dangerous variant, Bagle.aa. In that run of Bagles, Curry noted, the last in the line "went from a zero threat to medium within hours."
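The two-stage behaviour described above (an executable attachment arrives by e-mail, then the infected host fetches a second-stage binary from a remote Web site) is the kind of chain a mail gateway and a web proxy can be correlated to catch. The following is an added example for readers, not code from the article or from any of the vendors quoted in it; the log records, host names, timestamps and URLs are constructed, and the 30-minute window and the file-extension lists are assumptions chosen for illustration.

```python
import os
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records (not taken from the article). Each mail-gateway
# record is (timestamp, internal host, attachment filename); each proxy record
# is (timestamp, internal host, HTTP method, requested URL).
MAIL_EVENTS = [
    ("2004-09-10T09:00:00", "ws-17", "document.zip"),
    ("2004-09-10T09:01:00", "ws-22", "report.pdf"),
    ("2004-09-10T09:05:00", "ws-31", "photo.scr"),
]
PROXY_EVENTS = [
    ("2004-09-10T09:03:00", "ws-17", "GET", "http://203.0.113.5/update.exe"),
    ("2004-09-10T09:30:00", "ws-22", "GET", "http://www.example.com/index.html"),
    ("2004-09-10T11:00:00", "ws-31", "GET", "http://198.51.100.9/x.exe"),
]

# Assumed extension lists: attachment types worth treating as risky, and URL
# paths that look like a second-stage binary download.
RISKY_ATTACHMENT_EXT = {".exe", ".scr", ".pif", ".zip", ".bat", ".cmd"}
EXECUTABLE_URL_EXT = {".exe", ".scr", ".dll"}


def file_ext(name):
    """Lower-cased extension of a filename or URL path, including the dot."""
    return os.path.splitext(name.lower())[1]


def correlate(mail_events, proxy_events, window=timedelta(minutes=30)):
    """Return (host, attachment, url) alerts for every host that received a
    risky attachment and then requested an executable over HTTP within
    `window` of the delivery. Requests before the delivery or outside the
    window are ignored, so unrelated downloads do not raise an alert."""
    alerts = []
    for m_ts, m_host, m_file in mail_events:
        if file_ext(m_file) not in RISKY_ATTACHMENT_EXT:
            continue
        delivered = datetime.fromisoformat(m_ts)
        for p_ts, p_host, method, url in proxy_events:
            if p_host != m_host or method != "GET":
                continue
            if file_ext(urlparse(url).path) not in EXECUTABLE_URL_EXT:
                continue
            delta = datetime.fromisoformat(p_ts) - delivered
            if timedelta(0) <= delta <= window:
                alerts.append((m_host, m_file, url))
    return alerts


if __name__ == "__main__":
    for host, attachment, url in correlate(MAIL_EVENTS, PROXY_EVENTS):
        print(f"{host}: attachment {attachment} followed by download of {url}")
```

With the constructed records only ws-17 is flagged: ws-22 received a PDF and fetched an HTML page, and ws-31's executable download came almost two hours after its attachment, outside the assumed window. In practice the window and extension lists would be tuned to the environment, and a hit would be a trigger to pull the attachment and the downloaded binary for analysis rather than a verdict on its own.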
"This is a definite reminder of the three Bagles that were followed by a big one," said Curry. "These little shocks, so to speak, might be an indicator of a bigger one coming, like pre-shocks before a big earthquake."
Other clues that users should expect a nastier MyDoom, said Curry, include the upcoming anniversary of 9-11 and the fact that the alphabet is about exhausted for naming the worm. Both are opportunities for hackers after notoriety.
"It's an ego expression thing," said Curry, of some hackers' desire to make a splash by releasing malicious code on important dates.
But what's the deal with the turn of the alphabet?
"We're close to 'z' in the naming of MyDoom," said Curry. "There are only two left ['y' and 'z'] and then it'll turn to 'aa.' We've seen this before, where hackers rush to grab the spotlight, to say 'mine's bigger and better,' and to make a splash by claiming the 'aa' spot."
Curry called the pattern "disturbing" and urged all users to update their virus definition files over the weekend.
In other news around the recent MyDooms, analysis done by several security firms, including Sophos and F-Secure, has uncovered a job pitch within the worms' code.
MyDoom.u, MyDoom.v, and MyDoom.w, said Sophos and F-Secure, include an embedded text string that reads "We searching 4 work in AV industry."
"It's hard to tell if the creators of these new versions are serious, but there is no way that anybody in the anti-virus industry would touch them with a bargepole," said Graham Cluley, senior technology consultant for Sophos, in a statement. "It's very simple -- if you write a virus, we will never ever employ you."
Probably doesn't help that the hacker applicants can't write a coherent sentence.