Jewish World Review


Wonder why the spam won't stop? Latest computer virus mutates to prevent fixes

http://www.NewsAndOpinion.com | (KRT) A new strain of the rapidly spreading MyDoom worm surfaced Wednesday that can prevent users from downloading security patches to fix infected computers.

Known as MyDoom.B, the new worm was discovered three days after the original MyDoom began replicating itself across the Internet and infecting as much as 20 percent of all e-mail sent worldwide.

"This is the fastest-spreading e-mail virus of all time," said Craig Schmugar, a research manager at the Network Associates computer security firm. "We had a large corporate customer recording 160,000 (infected e-mails) per hour."

MyDoom.B tries to block a computer from accessing anti-virus software providers, said Schmugar, including programs from his own firm. The new worm can overwrite certain files on computers running Microsoft Corp.'s Windows software, making it difficult to download protective software.

Also, it can take over infected computers to generate spam or programs that search for credit-card numbers or other personal data.

However, despite the worm's nasty potential, MyDoom and its variants have been fairly benign so far. They don't appear intent on wrecking operating systems around the world or corrupting massive quantities of data.

Rather, the worms are planning to use the hundreds of thousands of infected computers for an attack starting Sunday on SCO Group, a controversial Utah software company that has angered some hackers. Also on Wednesday, Microsoft Corp. was cited as another target, according to security experts.

The software giant, which is frequently assaulted by hackers, would not confirm it was a target, said Christopher Budd, security program manager for Microsoft.

"Right now all of our engineering resources are focused squarely on how this thing works," Budd said.

The assault targeted at SCO for Sunday is known as a denial of service attack. If successful, thousands of computers will generate a massive number of attempts to access a Web page, causing it to collapse.

SCO Group says that someone created MyDoom to harass the company because it is trying to gain control of Linux, an alternative to Microsoft's Windows. On Tuesday, SCO offered a $250,000 reward for "information leading to the arrest and conviction of those responsible for this crime."

Schmugar, whose security firm has dissected the worm, said MyDoom.B contains a message within its code - apparently from the program's author.

"Andy: I'm just doing my job, nothing personal, sorry," the message says.

Schmugar said the message suggests that the author of both MyDoom worms was paid for his work. He also said the original MyDoom shows no sign of slowing.

The worm has slowed e-mail delivery at Schaumburg, Ill.-based tech giant Motorola Inc., said Bill Boni, chief information security officer, but has not caused major systemwide failures.

Boni said companies have become more sophisticated at rooting out worms like MyDoom, creating around-the-clock systems to stay tuned into unusual activity on their networks. But he noted that today's viruses spread significantly faster than previous versions.

"It's almost like an arms race between the virus writers and the protection professionals," Boni said.

Still, despite the minimal damage so far, MyDoom and the new variant create a back door to allow the worm's creator to seize control of a computer, search it for passwords and credit numbers or send e-mail to thousands of people in a few minutes.

Some in the computer security industry suspect the attacks on Microsoft and SCO Group are masking the hacker's real goal - gaining control of many computers to generate unwanted e-mail, better known as spam.

Much spam is relayed through computers hijacked through a back door, said Gary Morse, president of Razorpoint Security Technologies. When a captive computer dispatches the spam, it conceals the true source of the e-mail.

"That is the only way that spam can exist," Morse said. "If you got something from Spam-R-Us, you would block it. Spammers are constantly changing relays."

The MyDoom worm is transmitted by official-looking e-mails. The e-mails might bear "system administrator" in the From line and encourage the user to click on an icon. That opens an attached file and releases the worm.

Computer security experts say the best way to avoid infection by virus or worm is simple: Never open an e-mail attachment from a source you don't trust.

Meanwhile, the government announced a new program Wednesday to protect computer users from viruses and worms.

The Department of Homeland Security said it had established the National Cyber Alert System to update users and technicians about new viruses as they are detected. Signup is at www.us-cert.gov/ and is free.

But Sen. Charles Schumer, D-N.Y., said the department's goal could backfire.

"What (the department) did today was essentially challenge computer hackers all over the world to put a virus into an e-mail that mimics the (department) warnings," Schumer said.


© 2004, Chicago Tribune Distributed by Knight Ridder/Tribune Information Services